Prepare release v2.0.0-beta1

Fixed a typo in label.
Improve error on router without service.
2019-07-19 17:18:03 +02:00 · 2019-07-19 17:00:05 +02:00 · 2019-07-19 16:42:04 +02:00 · 2019-07-19 15:52:03 +02:00 · 2019-07-19 12:28:07 +02:00 · 2019-07-19 11:52:04 +02:00
804 changed files with 57773 additions and 32635 deletions
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -4,8 +4,7 @@ DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 The issue tracker is for reporting bugs and feature requests only.
 For end-user related support questions, please refer to one of the following:

- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
- the Traefik community Slack channel: https://slack.traefik.io
+- the Traefik community forum: https://community.containo.us/

 -->

--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -10,8 +10,7 @@ DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 The issue tracker is for reporting bugs and feature requests only.
 For end-user related support questions, please refer to one of the following:

- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
- the Traefik community Slack channel: https://slack.traefik.io
+- the Traefik community forum: https://community.containo.us/

 -->

--- a/.github/ISSUE_TEMPLATE/Feature_request.md
+++ b/.github/ISSUE_TEMPLATE/Feature_request.md
@@ -10,8 +10,7 @@ DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
 The issue tracker is for reporting bugs and feature requests only.
 For end-user related support questions, please refer to one of the following:

- Stack Overflow (using the "traefik" tag): https://stackoverflow.com/questions/tagged/traefik
- the Traefik community Slack channel: https://slack.traefik.io
+- the Traefik community forum: https://community.containo.us/

 -->

--- a/.golangci.toml
+++ b/.golangci.toml
@@ -36,8 +36,7 @@
    "scopelint",
    "gochecknoinits",
    "gochecknoglobals",
-    # uncomment when the CI will be updated
-    # "bodyclose", # Too many false-positive and panics.
+    "bodyclose", # Too many false-positive and panics.
  ]

 [issues]
--- a/.semaphoreci/setup.sh
+++ b/.semaphoreci/setup.sh
@@ -1,17 +1,22 @@
 #!/usr/bin/env bash
 set -e

-export DOCKER_VERSION=17.03.1
-
-# shellcheck source=/dev/null
+for s in apache2 cassandra elasticsearch memcached mysql mongod postgresql sphinxsearch rethinkdb rabbitmq-server redis-server; do sudo service $s stop; done
+sudo swapoff -a
+sudo dd if=/dev/zero of=/swapfile bs=1M count=3072
+sudo mkswap /swapfile
+sudo swapon /swapfile
+sudo rm -rf /home/runner/.rbenv
+#export DOCKER_VERSION=18.06.3
 source .semaphoreci/vars
-
-if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/"${PULL_REQUEST_NUMBER}".diff | patch --dry-run -p1 -R); fi
-
+if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/containous/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
+echo ${SHOULD_TEST}
 if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
-
-if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
-
-if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
-
-if [ -n "$SHOULD_TEST" ]; then  docker version; fi
+echo ${TEMP_STORAGE}
+echo ${SHOULD_TEST}
+#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
+#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
+if [ -n "$SHOULD_TEST" ]; then   docker version; fi
+if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi
+if [ -f "./.semaphoreci/golang.sh" ]; then export GOROOT="/usr/local/golang/1.12/go"; fi
+if [ -f "./.semaphoreci/golang.sh" ]; then export GOTOOLDIR="/usr/local/golang/1.12/go/pkg/tool/linux_amd64"; fi
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,69 @@
 # Change Log

+## [v2.0.0-beta1](https://github.com/containous/traefik/tree/v2.0.0-beta1) (2019-07-19)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha8...v2.0.0-beta1)
+
+**Enhancements:**
+- **[acme]** Certificate resolvers. ([#5116](https://github.com/containous/traefik/pull/5116) by [ldez](https://github.com/ldez))
+- **[api,provider]** Enhance REST provider ([#5072](https://github.com/containous/traefik/pull/5072) by [dtomcej](https://github.com/dtomcej))
+- **[api]** Deal with multiple errors and their criticality ([#5070](https://github.com/containous/traefik/pull/5070) by [mpl](https://github.com/mpl))
+- **[api]** API: remove configuration of Entrypoint and Middlewares ([#5119](https://github.com/containous/traefik/pull/5119) by [mpl](https://github.com/mpl))
+- **[api]** Improve API endpoints ([#5080](https://github.com/containous/traefik/pull/5080) by [ldez](https://github.com/ldez))
+- **[api]** Manage status for TCP element in the endpoint overview. ([#5108](https://github.com/containous/traefik/pull/5108) by [ldez](https://github.com/ldez))
+- **[file]** Restrict traefik.toml to static configuration. ([#5090](https://github.com/containous/traefik/pull/5090) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd]** Add scheme to IngressRoute. ([#5062](https://github.com/containous/traefik/pull/5062) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/ingress]** Renamed `kubernetes` provider in `kubernetesIngress` provider ([#5068](https://github.com/containous/traefik/pull/5068) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[logs]** Improve error on router without service. ([#5126](https://github.com/containous/traefik/pull/5126) by [ldez](https://github.com/ldez))
+- **[metrics]** Add Metrics ([#5111](https://github.com/containous/traefik/pull/5111) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Disable RateLimit temporarily ([#5123](https://github.com/containous/traefik/pull/5123) by [juliens](https://github.com/juliens))
+- **[tls]** TLSOptions: handle conflict: same host name, different TLS options ([#5056](https://github.com/containous/traefik/pull/5056) by [mpl](https://github.com/mpl))
+- **[tls]** Expand Client Auth Type configuration ([#5078](https://github.com/containous/traefik/pull/5078) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[tracing]** Add Jaeger collector endpoint ([#5082](https://github.com/containous/traefik/pull/5082) by [rmfitzpatrick](https://github.com/rmfitzpatrick))
+- **[webui]** refactor(webui): use @vue/cli to bootstrap new ui ([#5091](https://github.com/containous/traefik/pull/5091) by [Slashgear](https://github.com/Slashgear))
+- **[webui]** feat(webui/dashboard): init new dashboard ([#5105](https://github.com/containous/traefik/pull/5105) by [Slashgear](https://github.com/Slashgear))
+- Move dynamic config into a dedicated package. ([#5075](https://github.com/containous/traefik/pull/5075) by [ldez](https://github.com/ldez))
+
+**Bug fixes:**
+- **[file]** fix: TLS configuration from directory. ([#5118](https://github.com/containous/traefik/pull/5118) by [ldez](https://github.com/ldez))
+- **[middleware]** Remove X-Forwarded-(Uri, Method, Tls-Client-Cert and Tls-Client-Cert-Info) from untrusted IP ([#5012](https://github.com/containous/traefik/pull/5012) by [stffabi](https://github.com/stffabi))
+- **[middleware]** Properly add response headers for CORS ([#4857](https://github.com/containous/traefik/pull/4857) by [dtomcej](https://github.com/dtomcej))
+
+**Documentation:**
+- **[acme]** Lets encrypt documentation typo ([#5127](https://github.com/containous/traefik/pull/5127) by [juliens](https://github.com/juliens))
+- **[docker,marathon]** Update Dynamic Configuration Reference for both Docker and Marathon ([#5100](https://github.com/containous/traefik/pull/5100) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/ingress]** Add documentation about Kubernetes Ingress provider ([#5112](https://github.com/containous/traefik/pull/5112) by [mpl](https://github.com/mpl))
+- **[k8s/crd]** user guide: fix a mistake in the deployment definition ([#5096](https://github.com/containous/traefik/pull/5096) by [ldez](https://github.com/ldez))
+- **[middleware]** Fixed a typo in label. ([#5128](https://github.com/containous/traefik/pull/5128) by [jamct](https://github.com/jamct))
+- **[provider]** Improve providers documentation. ([#5050](https://github.com/containous/traefik/pull/5050) by [ldez](https://github.com/ldez))
+- **[tracing]** Improve tracing documentation ([#5102](https://github.com/containous/traefik/pull/5102) by [mmatur](https://github.com/mmatur))
+- Add a basic Traefik install guide ([#5117](https://github.com/containous/traefik/pull/5117) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+**Misc:**
+- Cherry pick v1.7 into v2.0 ([#5115](https://github.com/containous/traefik/pull/5115) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+## [v2.0.0-alpha8](https://github.com/containous/traefik/tree/v2.0.0-alpha8) (2019-07-01)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha7...v2.0.0-alpha8)
+
+**Enhancements:**
+- **[api]** Adding content-header to api endpoints ([#5019](https://github.com/containous/traefik/pull/5019) by [dalanmiller](https://github.com/dalanmiller))
+- **[file]** Support YAML for the dynamic configuration. ([#5024](https://github.com/containous/traefik/pull/5024) by [ldez](https://github.com/ldez))
+- **[logs]** Drop headers by default in access logs. ([#5034](https://github.com/containous/traefik/pull/5034) by [ldez](https://github.com/ldez))
+- **[middleware,k8s/crd]** Handle cross-provider middleware in kubernetes CRD ([#5009](https://github.com/containous/traefik/pull/5009) by [mpl](https://github.com/mpl))
+- **[server]** Use h2c from x/net to handle h2c requests ([#5045](https://github.com/containous/traefik/pull/5045) by [juliens](https://github.com/juliens))
+- **[server]** Make HTTP Keep-Alive timeout configurable for backend connections ([#4983](https://github.com/containous/traefik/pull/4983) by [mszabo-wikia](https://github.com/mszabo-wikia))
+- **[tls]** Define a TLS section to group TLS, TLSOptions, and TLSStores. ([#5031](https://github.com/containous/traefik/pull/5031) by [ldez](https://github.com/ldez))
+- **[tracing]** Improve tracing ([#5010](https://github.com/containous/traefik/pull/5010) by [mmatur](https://github.com/mmatur))
+
+**Bug fixes:**
+- **[cli]** Change the loading resource order ([#5007](https://github.com/containous/traefik/pull/5007) by [ldez](https://github.com/ldez))
+- **[logs]** fix: error log message. ([#5020](https://github.com/containous/traefik/pull/5020) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** doc/crd-acme: specify required kubectl version ([#5015](https://github.com/containous/traefik/pull/5015) by [mpl](https://github.com/mpl))
+- **[middleware]** Improve middleware documentation. ([#5003](https://github.com/containous/traefik/pull/5003) by [ldez](https://github.com/ldez))
+- **[server]** Add gRPC user guide ([#5042](https://github.com/containous/traefik/pull/5042) by [ldez](https://github.com/ldez))
+- Use the same case everywhere ([#5043](https://github.com/containous/traefik/pull/5043) by [ldez](https://github.com/ldez))
+
 ## [v2.0.0-alpha7](https://github.com/containous/traefik/tree/v2.0.0-alpha7) (2019-06-21)
 [All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha6...v2.0.0-alpha7)

--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -701,7 +701,7 @@
  version = "v1.41.0"

 [[projects]]
-  digest = "1:9e53c5e9ee65a2c587d6ade11761ef2f976abfcd9599c5016b7046e63c1f7fb2"
+  digest = "1:bed40e7a58536b77890de9fc4911a1322a31cd2495bbcad8446d182063eb1ae4"
  name = "github.com/go-kit/kit"
  packages = [
    "log",
@@ -716,8 +716,8 @@
    "util/conn",
  ]
  pruneopts = "NUT"
-  revision = "ca4112baa34cb55091301bdc13b1420a122b1b9e"
-  version = "v0.7.0"
+  revision = "150a65a7ec6156b4b640c1fd55f26fd3d475d656"
+  version = "v0.9.0"

 [[projects]]
  digest = "1:341a7df38da99fe91ed40e4008c13cc5d02dcc98ed1a094360cb7d5df26d6d26"
@@ -735,14 +735,6 @@
  revision = "d4920dcf5b7689548a6db640278a9b35a5b48ec6"
  version = "v1.9.1"

-[[projects]]
-  digest = "1:8cf58169eb0a8c009ed3a4c36486980d602ab4cc4e478130493d6cd0404f889b"
-  name = "github.com/go-stack/stack"
-  packages = ["."]
-  pruneopts = "NUT"
-  revision = "54be5f394ed2c3e19dac9134a40a95ba5a017f7b"
-  version = "v1.5.4"
-
 [[projects]]
  digest = "1:6689652ec1f6e30455551da19c707f2bfac75e4df5c7bbe3f0ad7b49b9aa2cfc"
  name = "github.com/gogo/protobuf"
@@ -938,16 +930,16 @@
  version = "0.2.4"

 [[projects]]
-  digest = "1:9813d5a93abcc5690fa5830bf7186c835493516986be7a2b11b46e7b12e13317"
-  name = "github.com/influxdata/influxdb"
+  branch = "master"
+  digest = "1:50708c8fc92aec981df5c446581cf9f90ba9e2a5692118e0ce75d4534aaa14a2"
+  name = "github.com/influxdata/influxdb1-client"
  packages = [
-    "client/v2",
    "models",
    "pkg/escape",
+    "v2",
  ]
  pruneopts = "NUT"
-  revision = "2d474a3089bcfce6b472779be9470a1f0ef3d5e4"
-  version = "v1.3.7"
+  revision = "8ff2fc3824fcb533795f9a2f233275f0bb18d6c5"

 [[projects]]
  digest = "1:78efd72f12ed0244e5fbe82bd0ecdbaf3e21402ee9176525ef1138a2fc0d3b17"
@@ -1362,14 +1354,16 @@
  version = "v1.0.0"

 [[projects]]
-  digest = "1:d05ebef91c056e176dc4dfe905002bd3dd7b1dc8703b53bf6e88761053236a75"
+  digest = "1:097cc61836050f45cbb712ae3bb45d66fba464c16b8fac09907fa3c1f753eff6"
  name = "github.com/prometheus/client_golang"
  packages = [
    "prometheus",
+    "prometheus/internal",
    "prometheus/promhttp",
  ]
  pruneopts = "NUT"
-  revision = "08fd2e12372a66e68e30523c7642e0cbc3e4fbde"
+  revision = "4ab88e80c249ed361d3299e2930427d9ac43ef8d"
+  version = "v1.0.0"

 [[projects]]
  digest = "1:32d10bdfa8f09ecf13598324dba86ab891f11db3c538b6a34d1c3b5b99d7c36b"
@@ -1379,7 +1373,7 @@
  revision = "6f3806018612930941127f2a7c6c453ba2c527d2"

 [[projects]]
-  digest = "1:65f12bb82877d6e049a41b5feec5f79f11e3e0ea5748f677d68f206ac408c403"
+  digest = "1:d03ca24670416dc8fccc78b05d6736ec655416ca7db0a028e8fb92cfdfe3b55e"
  name = "github.com/prometheus/common"
  packages = [
    "expfmt",
@@ -1387,17 +1381,19 @@
    "model",
  ]
  pruneopts = "NUT"
-  revision = "49fee292b27bfff7f354ee0f64e1bc4850462edf"
+  revision = "31bed53e4047fd6c510e43a941f90cb31be0972a"
+  version = "v0.6.0"

 [[projects]]
-  digest = "1:60d19aad385900a8aa4a755524e68965fcb31b444ec30e673812e06c98674f2e"
+  digest = "1:19305fc369377c111c865a7a01e11c675c57c52a932353bbd4ea360bd5b72d99"
  name = "github.com/prometheus/procfs"
  packages = [
    ".",
-    "xfs",
+    "internal/fs",
  ]
  pruneopts = "NUT"
-  revision = "a1dba9ce8baed984a2495b658c82687f8157b98f"
+  revision = "3f98efb27840a48a7a2898ec80be07674d19f9c8"
+  version = "v0.0.3"

 [[projects]]
  branch = "containous-fork"
@@ -1677,7 +1673,7 @@

 [[projects]]
  branch = "master"
-  digest = "1:62afa19ba5d4c75369a1d6446688e33ef3c04a40aeedd819cf044a509747b563"
+  digest = "1:4d0fb9f19b2af3461e900a526395330403b39d839f126b66312215f153892ccc"
  name = "golang.org/x/net"
  packages = [
    "bpf",
@@ -1685,6 +1681,7 @@
    "context/ctxhttp",
    "http/httpguts",
    "http2",
+    "http2/h2c",
    "http2/hpack",
    "idna",
    "internal/iana",
@@ -1699,7 +1696,7 @@
    "websocket",
  ]
  pruneopts = "NUT"
-  revision = "e514e69ffb8bc3c76a71ae40de0118d794855992"
+  revision = "da137c7871d730100384dbcf36e6f8fa493aef5b"

 [[projects]]
  branch = "master"
@@ -1856,7 +1853,7 @@
  version = "v1.20.1"

 [[projects]]
-  digest = "1:b49eceff862a3048ec28dad1fce40bcbdc1703119dbad35d7e5f1beb4f9a4527"
+  digest = "1:d732242a429138da899dfecea82b3c65b4157bdf0b5317c229d9c559b6c3450e"
  name = "gopkg.in/DataDog/dd-trace-go.v1"
  packages = [
    "ddtrace",
@@ -1865,10 +1862,12 @@
    "ddtrace/opentracer",
    "ddtrace/tracer",
    "internal/globalconfig",
+    "internal/log",
+    "internal/version",
  ]
  pruneopts = "NUT"
-  revision = "c19e9e56d5b5b71b6507ce1b0ec06d85aa3705a1"
-  version = "v1.14.0"
+  revision = "8d2998bc69008aa4553846ac9a044aa730bd4ce4"
+  version = "v1.15.0"

 [[projects]]
  digest = "1:c970218a20933dd0a2eb2006de922217fa9276f57d25009b2a934eb1c50031cc"
@@ -2262,7 +2261,7 @@
    "github.com/google/go-github/github",
    "github.com/gorilla/websocket",
    "github.com/hashicorp/go-version",
-    "github.com/influxdata/influxdb/client/v2",
+    "github.com/influxdata/influxdb1-client/v2",
    "github.com/instana/go-sensor",
    "github.com/libkermit/compose/check",
    "github.com/libkermit/docker",
@@ -2301,9 +2300,8 @@
    "github.com/vulcand/oxy/roundrobin",
    "github.com/vulcand/oxy/utils",
    "github.com/vulcand/predicate",
-    "golang.org/x/net/http/httpguts",
    "golang.org/x/net/http2",
-    "golang.org/x/net/http2/hpack",
+    "golang.org/x/net/http2/h2c",
    "golang.org/x/net/websocket",
    "google.golang.org/grpc",
    "google.golang.org/grpc/credentials",
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -111,7 +111,11 @@ required = [

 [[constraint]]
  name = "github.com/go-kit/kit"
-  version = "0.7.0"
+  version = "v0.9.0"
+
+[[constraint]]
+  name = "github.com/prometheus/client_golang"
+  version = "v1.0.0"

 [[constraint]]
  branch = "master"
@@ -121,10 +125,6 @@ required = [
 #  name = "github.com/hashicorp/consul"
 #  version = "1.0.6"

-[[constraint]]
-  name = "github.com/influxdata/influxdb"
-  version = "1.3.7"
-
 #[[constraint]]
 #  branch = "master"
 #  name = "github.com/jjcollinge/servicefabric"
@@ -273,7 +273,7 @@ required = [

 [[constraint]]
  name = "gopkg.in/DataDog/dd-trace-go.v1"
-  version = "1.13.0"
+  version = "1.15.0"

 [[constraint]]
  name = "github.com/instana/go-sensor"
--- a/2
+++ b/2
@@ -58,7 +58,7 @@ build-webui-image:
 generate-webui: build-webui-image
 	if [ ! -d "static" ]; then \
 		mkdir -p static; \
-		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build; \
+		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build:nc; \
 		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ../static; \
 		echo 'For more informations show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
 	fi
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@
 [![Go Report Card](https://goreportcard.com/badge/containous/traefik)](http://goreportcard.com/report/containous/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/containous/traefik/blob/master/LICENSE.md)
-[![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
+[![Join the community support forum at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)


@@ -103,8 +103,7 @@ A collection of contributions around Traefik can be found at [https://awesome.tr
 ## Support

 To get community support, you can:
- join the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
- use [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
+- join the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)

 If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.

--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -6,15 +6,15 @@ RUN apk --update upgrade \
    && rm -rf /var/cache/apk/*

 # Download golangci-lint and misspell binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.15.0 \
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.17.1 \
    && go get github.com/client9/misspell/cmd/misspell

 # Download goreleaser binary to bin folder in $GOPATH
 RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh

 # Which docker version to test on
-ARG DOCKER_VERSION=17.03.2
-ARG DEP_VERSION=0.5.0
+ARG DOCKER_VERSION=18.09.7
+ARG DEP_VERSION=0.5.4

 # Download go-bindata binary to bin folder in $GOPATH
 RUN mkdir -p /usr/local/bin \
@@ -28,7 +28,7 @@ RUN mkdir -p /usr/local/bin \

 # Download docker
 RUN mkdir -p /usr/local/bin \
-    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}-ce.tgz \
+    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
    | tar -xzC /usr/local/bin --transform 's#^.+/##x'

 WORKDIR /go/src/github.com/containous/traefik
--- a/cmd/healthcheck/healthcheck.go
+++ b/cmd/healthcheck/healthcheck.go
@@ -24,7 +24,7 @@ func NewCmd(traefikConfiguration *static.Configuration, loaders []cli.ResourceLo

 func runCmd(traefikConfiguration *static.Configuration) func(_ []string) error {
 	return func(_ []string) error {
-		traefikConfiguration.SetEffectiveConfiguration("")
+		traefikConfiguration.SetEffectiveConfiguration()

 		resp, errPing := Do(*traefikConfiguration)
 		if resp != nil {
@@ -51,7 +51,7 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 		return nil, errors.New("please enable `ping` to use health check")
 	}

-	pingEntryPoint, ok := staticConfiguration.EntryPoints[staticConfiguration.Ping.EntryPoint]
+	pingEntryPoint, ok := staticConfiguration.EntryPoints["traefik"]
 	if !ok {
 		return nil, errors.New("missing `ping` entrypoint")
 	}
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -17,9 +17,10 @@ import (
 	cmdVersion "github.com/containous/traefik/cmd/version"
 	"github.com/containous/traefik/pkg/cli"
 	"github.com/containous/traefik/pkg/collector"
-	"github.com/containous/traefik/pkg/config"
+	"github.com/containous/traefik/pkg/config/dynamic"
 	"github.com/containous/traefik/pkg/config/static"
 	"github.com/containous/traefik/pkg/log"
+	"github.com/containous/traefik/pkg/provider/acme"
 	"github.com/containous/traefik/pkg/provider/aggregator"
 	"github.com/containous/traefik/pkg/safe"
 	"github.com/containous/traefik/pkg/server"
@@ -44,7 +45,7 @@ func main() {
 	// traefik config inits
 	tConfig := cmd.NewTraefikConfiguration()

-	loaders := []cli.ResourceLoader{&cli.FileLoader{}, &cli.EnvLoader{}, &cli.FlagLoader{}}
+	loaders := []cli.ResourceLoader{&cli.FileLoader{}, &cli.FlagLoader{}, &cli.EnvLoader{}}

 	cmdTraefik := &cli.Command{
 		Name: "traefik",
@@ -53,7 +54,7 @@ Complete documentation is available at https://traefik.io`,
 		Configuration: tConfig,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			return runCmd(&tConfig.Configuration, cli.GetConfigFile(loaders))
+			return runCmd(&tConfig.Configuration)
 		},
 	}

@@ -78,7 +79,7 @@ Complete documentation is available at https://traefik.io`,
 	os.Exit(0)
 }

-func runCmd(staticConfiguration *static.Configuration, configFile string) error {
+func runCmd(staticConfiguration *static.Configuration) error {
 	configureLogging(staticConfiguration)

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
@@ -87,8 +88,10 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error
 		log.WithoutContext().Errorf("Could not set roundrobin default weight: %v", err)
 	}

-	staticConfiguration.SetEffectiveConfiguration(configFile)
-	staticConfiguration.ValidateConfiguration()
+	staticConfiguration.SetEffectiveConfiguration()
+	if err := staticConfiguration.ValidateConfiguration(); err != nil {
+		return err
+	}

 	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)

@@ -112,15 +115,9 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error

 	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)

-	acmeProvider, err := staticConfiguration.InitACMEProvider()
-	if err != nil {
-		log.WithoutContext().Errorf("Unable to initialize ACME provider: %v", err)
-	} else if acmeProvider != nil {
-		if err := providerAggregator.AddProvider(acmeProvider); err != nil {
-			log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
-			acmeProvider = nil
-		}
-	}
+	tlsManager := traefiktls.NewManager()
+
+	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)

 	serverEntryPointsTCP := make(server.TCPEntryPoints)
 	for entryPointName, config := range staticConfiguration.EntryPoints {
@@ -129,27 +126,31 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error
 		if err != nil {
 			return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
 		}
-		serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProvider)
+		serverEntryPointsTCP[entryPointName].RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProviders)

 	}

-	tlsManager := traefiktls.NewManager()
-
-	if acmeProvider != nil {
-		acmeProvider.SetTLSManager(tlsManager)
-		if acmeProvider.TLSChallenge != nil &&
-			acmeProvider.HTTPChallenge == nil &&
-			acmeProvider.DNSChallenge == nil {
-			tlsManager.TLSAlpnGetter = acmeProvider.GetTLSALPNCertificate
-		}
-	}
-
 	svr := server.NewServer(*staticConfiguration, providerAggregator, serverEntryPointsTCP, tlsManager)

-	if acmeProvider != nil && acmeProvider.OnHostRule {
-		acmeProvider.SetConfigListenerChan(make(chan config.Configuration))
-		svr.AddListener(acmeProvider.ListenConfiguration)
+	resolverNames := map[string]struct{}{}
+
+	for _, p := range acmeProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		svr.AddListener(p.ListenConfiguration)
 	}
+
+	svr.AddListener(func(config dynamic.Configuration) {
+		for rtName, rt := range config.HTTP.Routers {
+			if rt.TLS == nil || rt.TLS.CertResolver == "" {
+				continue
+			}
+
+			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
+				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+			}
+		}
+	})
+
 	ctx := cmd.ContextWithSignal(context.Background())

 	if staticConfiguration.Ping != nil {
@@ -196,6 +197,40 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) error
 	return nil
 }

+// initACMEProvider creates an acme provider from the ACME part of globalConfiguration
+func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
+	challengeStore := acme.NewLocalChallengeStore()
+	localStores := map[string]*acme.LocalStore{}
+
+	var resolvers []*acme.Provider
+	for name, resolver := range c.CertificatesResolvers {
+		if resolver.ACME != nil {
+			if localStores[resolver.ACME.Storage] == nil {
+				localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
+			}
+
+			p := &acme.Provider{
+				Configuration:  resolver.ACME,
+				Store:          localStores[resolver.ACME.Storage],
+				ChallengeStore: challengeStore,
+				ResolverName:   name,
+			}
+
+			if err := providerAggregator.AddProvider(p); err != nil {
+				log.WithoutContext().Errorf("Unable to add ACME provider to the providers list: %v", err)
+				continue
+			}
+			p.SetTLSManager(tlsManager)
+			if p.TLSChallenge != nil {
+				tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
+			}
+			p.SetConfigListenerChan(make(chan dynamic.Configuration))
+			resolvers = append(resolvers, p)
+		}
+	}
+	return resolvers
+}
+
 func configureLogging(staticConfiguration *static.Configuration) {
 	// configure default log flags
 	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
--- a/docs/.markdownlint.json
+++ b/docs/.markdownlint.json
@@ -3,6 +3,7 @@
    "MD007": { "indent": 4 },
    "MD009": false,
    "MD013": false,
+    "MD024": false,
    "MD026": false,
    "MD033": false,
    "MD034": false,
--- a/docs/content/assets/img/user-guides/grpc.svg
+++ b/docs/content/assets/img/user-guides/grpc.svg
--- a/docs/content/assets/js/hljs/highlight.pack.js
+++ b/docs/content/assets/js/hljs/highlight.pack.js
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -123,7 +123,7 @@ If you happen to update the provider's templates (located in `/templates`), you
 The [dep](https://github.com/golang/dep) command is not required for building;
 however, it is necessary if you need to update the dependencies (i.e., add, update, or remove third-party packages).

-You need [dep](https://github.com/golang/dep) >= 0.5.0.
+You need [dep](https://github.com/golang/dep) >= 0.5.4.

 If you want to add a dependency, use `dep ensure -add` to have [dep](https://github.com/golang/dep) put it into the vendor folder and update the dep manifest/lock files (`Gopkg.toml` and `Gopkg.lock`, respectively).

--- a/docs/content/contributing/data-collection.md
+++ b/docs/content/contributing/data-collection.md
@@ -14,9 +14,9 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to
 ??? example "Enabling Data Collection with TOML"

    ```toml
-    [Global]
-        # Send anonymous usage data
-        sendAnonymousUsage = true
+    [global]
+      # Send anonymous usage data
+      sendAnonymousUsage = true
    ```

 ??? example "Enabling Data Collection with the CLI"
@@ -51,24 +51,23 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col

    ```toml
    [entryPoints]
-        [entryPoints.web]
-           address = ":80"
+      [entryPoints.web]
+         address = ":80"
    
    [api]
    
-    [Docker]
+    [providers.docker]
      endpoint = "tcp://10.10.10.10:2375"
-      domain = "foo.bir"
      exposedByDefault = true
      swarmMode = true
    
-      [Docker.TLS]
+      [providers.docker.TLS]
        ca = "dockerCA"
        cert = "dockerCert"
        key = "dockerKey"
        insecureSkipVerify = true
    
-    [ECS]
+    [providers.ecs]
      domain = "foo.bar"
      exposedByDefault = true
      clusters = ["foo-bar"]
@@ -81,24 +80,24 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col

    ```toml
    [entryPoints]
-        [entryPoints.web]
-           address = ":80"
+      [entryPoints.web]
+        address = ":80"
    
    [api]
    
-    [Docker]
+    [providers.docker]
      endpoint = "xxxx"
      domain = "xxxx"
      exposedByDefault = true
      swarmMode = true
    
-      [Docker.TLS]
+      [providers.docker.TLS]
        ca = "xxxx"
        cert = "xxxx"
        key = "xxxx"
        insecureSkipVerify = false
    
-    [ECS]
+    [providers.ecs]
      domain = "xxxx"
      exposedByDefault = true
      clusters = []
--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -28,7 +28,7 @@
 * Modifying an issue or a pull request (labels, assignees, milestone) is only possible:
    * During the Contributions Daily Meeting
    * By an assigned maintainer
-    * In case of emergency, if a change proposal is approved by 2 other maintainers (on Slack, Discord, etc)
+    * In case of emergency, if a change proposal is approved by 2 other maintainers (on Slack, Discord, Discourse, etc)

 ## PR review process:

--- a/docs/content/contributing/submitting-issues.md
+++ b/docs/content/contributing/submitting-issues.md
@@ -11,11 +11,10 @@ To save us some time and get quicker feedback, be sure to follow the guide lines
 !!! important "Getting Help Vs Reporting an Issue"

    The issue tracker is not a general support forum, but a place to report bugs and asks for new features.
-    
+
    For end-user related support questions, try using first:
-    
-    - the Traefik community Slack channel: [![Join the chat at https://slack.traefik.io](https://img.shields.io/badge/style-register-green.svg?style=social&label=Slack)](https://slack.traefik.io)
-    - [Stack Overflow](https://stackoverflow.com/questions/tagged/traefik) (using the `traefik` tag)
+
+    - the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)

 ## Issue Title

--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -6,7 +6,7 @@ How the Magic Happens
 ![Configuration](../assets/img/static-dynamic-configuration.png)

 Configuration in Traefik can refer to two different things:
-   
+
 - The fully dynamic routing configuration (referred to as the _dynamic configuration_)
 - The startup configuration (referred to as the _static configuration_)

@@ -24,7 +24,7 @@ This configuration can change and is seamlessly hot-reloaded, without any reques
 Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).

 !!! Note 
-   
+
    In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
    
 !!! Note
@@ -36,8 +36,8 @@ Traefik gets its _dynamic configuration_ from [providers](../providers/overview.
 There are three different, mutually exclusive, ways to define static configuration options in Traefik:

 - In a configuration file
- As environment variables
 - In the command-line arguments
+- As environment variables

 These ways are evaluated in the order listed above.

@@ -49,7 +49,12 @@ Once positioned, this option sets (and resets) all the default values of the sub
    
 ### Configuration File

-At startup, Traefik searches for a file named `traefik.toml` in `/etc/traefik/`, `$XDG_CONFIG_HOME/`, `$HOME/.config/`, and `.` (_the working directory_).
+At startup, Traefik searches for a file named `traefik.toml` (or `traefik.yml` or `traefik.yaml`) in:
+
+- `/etc/traefik/`
+- `$XDG_CONFIG_HOME/`
+- `$HOME/.config/`
+- `.` (_the working directory_).

 You can override this using the `configFile` argument.

--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -0,0 +1,70 @@
+# Install Traefik
+
+You can install Traefik with the following flavors:
+
+* [Use the official Docker image](./#use-the-official-docker-image)
+* [Use the binary distribution](./#use-the-binary-distribution)
+* [Compile your binary from the sources](./#compile-your-binary-from-the-sources)
+
+## Use the Official Docker Image
+
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/containous/traefik/master/traefik.sample.toml):
+
+```shell
+docker run -d -p 8080:8080 -p 80:80 \
+    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.0
+```
+
+For more details, go to the [Docker provider documentation](../providers/docker.md)
+
+!!! tip
+
+    * Prefer a fixed version than the latest that could be an unexpected version.
+    ex: `traefik:v2.0.0`
+    * Docker images comes in 2 flavors: scratch based or alpine based.
+    * All the orchestrator using docker images could fetch the official Traefik docker image.
+
+## Use the Binary Distribution
+
+Grab the latest binary from the [releases](https://github.com/containous/traefik/releases) page.
+
+??? tip "Check the integrity of the downloaded file"
+
+    ```bash tab="Linux"
+    # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
+    sha256sum ./traefik_${traefik_version}_linux_${arch}.tar.gz
+    ```
+
+    ```bash tab="macOS"
+    # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
+    shasum -a256 ./traefik_${traefik_version}_darwin_amd64.tar.gz
+    ```
+
+    ```powershell tab="Windows PowerShell"
+    # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
+    Get-FileHash ./traefik_${traefik_version}_windows_${arch}.zip -Algorithm SHA256
+    ```
+
+??? tip "Extract the downloaded archive"
+
+    ```bash tab="Linux"
+    tar -zxvf traefik_${traefik_version}_linux_${arch}.tar.gz
+    ```
+
+    ```bash tab="macOS"
+    tar -zxvf ./traefik_${traefik_version}_darwin_amd64.tar.gz
+    ```
+
+    ```powershell tab="Windows PowerShell"
+    Expand-Archive traefik_${traefik_version}_windows_${arch}.zip
+    ```
+
+And run it:
+
+```bash
+./traefik --help
+```
+
+## Compile your Binary from the Sources
+
+All the details are available in the [Contributing Guide](../contributing/building-testing.md)
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -14,13 +14,18 @@ version: '3'

 services:
  reverse-proxy:
-    image: traefik:v2.0 # The official v2.0 Traefik docker image
-    command: --api --providers.docker # Enables the web UI and tells Traefik to listen to docker
+    # The official v2.0 Traefik docker image
+    image: traefik:v2.0
+    # Enables the web UI and tells Traefik to listen to docker
+    command: --api --providers.docker
    ports:
-      - "80:80"     # The HTTP port
-      - "8080:8080" # The Web UI (enabled by --api)
+      # The HTTP port
+      - "80:80"
+      # The Web UI (enabled by --api)
+      - "8080:8080"
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock
 ```

 **That's it. Now you can launch Traefik!**
@@ -42,7 +47,8 @@ Edit your `docker-compose.yml` file and add the following at the end of your fil
 ```yaml
 # ...
  whoami:
-    image: containous/whoami # A container that exposes an API to show its IP address
+    # A container that exposes an API to show its IP address
+    image: containous/whoami
    labels:
      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
 ```
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -11,57 +11,73 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
 ## Configuration Examples

 ??? example "Enabling ACME"
-
-    ```toml
-    [entryPoints]
-      [entryPoints.web]
-         address = ":80"
    
-      [entryPoints.http-tls]
-         address = ":443"
-    
-    [acme] # every router with TLS enabled will now be able to use ACME for its certificates
-       email = "your-email@your-domain.org"
-       storage = "acme.json"
-       onHostRule = true # dynamic generation based on the Host() & HostSNI() matchers
-       [acme.httpChallenge]
-          entryPoint = "web" # used during the challenge
-    ```
-
-??? example "Configuring Wildcard Certificates"
-
-    ```toml
+    ```toml tab="File (TOML)"
    [entryPoints]
      [entryPoints.web]
        address = ":80"
-
-      [entryPoints.http-tls]
+    
+      [entryPoints.web-secure]
        address = ":443"
-
-    [acme]
+    
+    [certificatesResolvers.sample.acme]
      email = "your-email@your-domain.org"
      storage = "acme.json"
-      [acme.dnsChallenge]
-        provider = "xxx"
-
-      [[acme.domains]]
-        main = "*.mydomain.com"
-        sans = ["mydomain.com"]
+      [acme.httpChallenge]
+        # used during the challenge
+        entryPoint = "web"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+    
+      web-secure:
+        address: ":443"
+    
+    certificatesResolvers:
+      sample:
+        acme:
+          email: your-email@your-domain.org
+          storage: acme.json
+          httpChallenge:
+            # used during the challenge
+            entryPoint: web
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=":80"
+    --entryPoints.websecure.address=":443"
+    # ...
+    --certificatesResolvers.sample.acme.email: your-email@your-domain.org
+    --certificatesResolvers.sample.acme.storage: acme.json
+    # used during the challenge
+    --certificatesResolvers.sample.acme.httpChallenge.entryPoint: web
    ```

 ??? note "Configuration Reference"
    
-    There are many available options for ACME. For a quick glance at what's possible, browse the configuration reference:
+    There are many available options for ACME.
+    For a quick glance at what's possible, browse the configuration reference:
    
-    ```toml
+    ```toml tab="File (TOML)"
    --8<-- "content/https/ref-acme.toml"
    ```
+    
+    ```yaml tab="File (YAML)"
+    --8<-- "content/https/ref-acme.yaml"
+    ```
+    
+    ```bash tab="CLI"
+    --8<-- "content/https/ref-acme.txt"
+    ```

 ## Automatic Renewals

 Traefik automatically tracks the expiry date of ACME certificates it generates.

-If there are less than 30 days remaining before the certificate expires, Traefik will attempt to rewnew it automatically.
+If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.

 !!! note
    Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
@@ -77,25 +93,69 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry

 ??? example "Configuring the `tlsChallenge`"

-    ```toml
-    [acme]
-       [acme.tlsChallenge]
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.sample.acme]
+      # ...
+      [certificatesResolvers.sample.acme.tlsChallenge]
+    ```
+
+    ```yaml tab="File (YAML)"
+    certificatesResolvers:
+      sample:
+        acme:
+          # ...
+          tlsChallenge: {}
    ```
    
+    ```bash tab="CLI"
+    # ...
+    --certificatesResolvers.sample.acme.tlsChallenge
+    ```
+
 ### `httpChallenge`

 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.

 As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
+when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.

 ??? example "Using an EntryPoint Called http for the `httpChallenge`"

-    ```toml
-    [acme]
-       # ...
-       [acme.httpChallenge]
-          entryPoint = "http"
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+      
+      [entryPoints.web-secure]
+        address = ":443"
+    
+    [certificatesResolvers.sample.acme]
+      # ...
+      [certificatesResolvers.sample.acme.httpChallenge]
+        entryPoint = "web"
+    ```
+
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+    
+      web-secure:
+        address: ":443"
+    
+    certificatesResolvers:
+      sample:
+        acme:
+          # ...
+          httpChallenge:
+            entryPoint: web
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=":80"
+    --entryPoints.websecure.address=":443"
+    # ...
+    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
    ```

 !!! note
@@ -107,12 +167,30 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni

 ??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"

-    ```toml
-    [acme]
-       # ...
-       [acme.dnsChallenge]
-          provider = "digitalocean"
-          delayBeforeCheck = 0
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.sample.acme]
+      # ...
+      [certificatesResolvers.sample.acme.dnsChallenge]
+        provider = "digitalocean"
+        delayBeforeCheck = 0
+    # ...
+    ```
+    
+    ```yaml tab="File (YAML)"
+    certificatesResolvers:
+      sample:
+        acme:
+          # ...
+          dnsChallenge:
+            provider: digitalocean
+            delayBeforeCheck: 0
+        # ...
+    ```
+    
+    ```bash tab="CLI"
+    # ...
+    --certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+    --certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
    # ...
    ```

@@ -131,7 +209,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       |                                                                             |
 |-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
 | [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
-| [Alibaba Cloud](https://www.vultr.com)                      | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
+| [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
 | [Auroradns](https://www.pcextreme.com/aurora/dns)           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
 | [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
 | [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
@@ -162,7 +240,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
 | [Linode](https://www.linode.com)                            | `linode`       | `LINODE_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
 | [Linode v4](https://www.linode.com)                         | `linodev4`     | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linodev4)     |
-| manual                                                      | -              | none, but you need to run Traefik interactively [^4], turn on `acmeLogging` to see instructions and press <kbd>Enter</kbd>.                 |                                                                                               |
+| manual                                                      | -              | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                 |                                                                                               |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
 | [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
 | [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
@@ -200,12 +278,29 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used

 Use custom DNS servers to resolve the FQDN authority.

-```toml
-[acme]
-   # ...
-   [acme.dnsChallenge]
+```toml tab="File (TOML)"
+[certificatesResolvers.sample.acme]
+  # ...
+  [certificatesResolvers.sample.acme.dnsChallenge]
+    # ...
+    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  sample:
+    acme:
      # ...
-      resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
+      dnsChallenge:
+        # ...
+        resolvers:
+        - "1.1.1.1:53"
+        - "8.8.8.8:53"
+```
+
+```bash tab="CLI"
+# ...
+--certificatesResolvers.sample.acme.dnsChallenge.resolvers:="1.1.1.1:53,8.8.8.8:53"
 ```

 #### Wildcard Domains
@@ -213,98 +308,61 @@ Use custom DNS servers to resolve the FQDN authority.
 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
 As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).

-```toml
-[acme]
-   # ...
-   [[acme.domains]]
-      main = "*.local1.com"
-      sans = ["local1.com"]
-
-# ...
-```
-
-!!! note "Double Wildcard Certificates"
-    It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
-
-Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
-In this case the generated DNS TXT record for both domains is the same.
-Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant,
-it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the `DNS-01` challenge fail.
-
-The Traefik ACME client library [LEGO](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue.
-The [Supported `provider` table](#providers) indicates if they allow generating certificates for a wildcard domain and its root domain.
-
-## Known Domains, SANs
-
-You can set SANs (alternative domains) for each main domain.
-Every domain must have A/AAAA records pointing to Traefik.
-Each domain & SAN will lead to a certificate request.
-
-```toml
-[acme]
-   # ...
-   [[acme.domains]]
-      main = "local1.com"
-      sans = ["test1.local1.com", "test2.local1.com"]
-   [[acme.domains]]
-      main = "local2.com"
-   [[acme.domains]]
-      main = "*.local3.com"
-      sans = ["local3.com", "test1.test1.local3.com"]
-# ...
-```
-
-!!! important
-    The certificates for the domains listed in `acme.domains` are negotiated at Traefik startup only.
-
-!!! note
-    Wildcard certificates can only be verified through a `DNS-01` challenge.
-
 ## `caServer`

 ??? example "Using the Let's Encrypt staging server"

-    ```toml
-    [acme]
-       # ...
-       caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
-       # ...
+    ```toml tab="File (TOML)"
+    [certificatesResolvers.sample.acme]
+      # ...
+      caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
+      # ...
+    ```
+    
+    ```yaml tab="File (YAML)"
+    certificatesResolvers:
+      sample:
+        acme:
+          # ...
+          caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+          # ...
    ```

-## `onHostRule`
-
-Enable certificate generation on [routers](../routing/routers/index.md) `Host` & `HostSNI` rules.
-
-This will request a certificate from Let's Encrypt for each router with a Host rule.
-
-```toml
-[acme]
-   # ...
-   onHostRule = true
-   # ...
-```
-
-!!! note "Multiple Hosts in a Rule"
-    The rule `Host(test1.traefik.io,test2.traefik.io)` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`.
-
-!!! warning
-    `onHostRule` option can not be used to generate wildcard certificates. Refer to [wildcard generation](#wildcard-domains) for further information.
+    ```bash tab="CLI"
+    # ...
+    --certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+    # ...
+    ```

 ## `storage`

 The `storage` option sets the location where your ACME certificates are saved to.

-```toml
-[acme]
-   # ...
-   storage = "acme.json"
-   # ...
+```toml tab="File (TOML)"
+[certificatesResolvers.sample.acme]
+  # ...
+  storage = "acme.json"
+  # ...
 ```

-The value can refer to two kinds of storage:
+```toml tab="File (TOML)"
+certificatesResolvers:
+  sample:
+    acme:
+      # ...
+      storage: acme.json
+      # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesResolvers.sample.acme.storage=acme.json
+# ...
+```
+
+The value can refer to some kinds of storage:

 - a JSON file
- a KV store entry

 ### In a File

@@ -323,19 +381,6 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 !!! warning
    For concurrency reason, this file cannot be shared across multiple instances of Traefik. Use a key value store entry instead.

-### In a a Key Value Store Entry
-
-ACME certificates can be stored in a key-value store entry.
-
-```toml
-storage = "traefik/acme/account"
-```
-
-!!! note "Storage Size"
-
-    Because key-value stores have limited entry size, the certificates list is compressed _before_ it is saved.
-    For example, it is possible to store up to _approximately_ 100 ACME certificates in Consul.
-
 ## Fallback

 If Let's Encrypt is not reachable, the following certificates will apply:
--- a/docs/content/https/ref-acme.toml
+++ b/docs/content/https/ref-acme.toml
@@ -1,150 +1,89 @@
 # Enable ACME (Let's Encrypt): automatic SSL.
-[acme]
+[certificatesResolvers.sample.acme]

-# Email address used for registration.
-#
-# Required
-#
-email = "test@traefik.io"
-
-# File used for certificates storage.
-#
-# Optional (Deprecated)
-#
-#storageFile = "acme.json"
-
-# File or key used for certificates storage.
-#
-# Required
-#
-storage = "acme.json"
-# or `storage = "traefik/acme/account"` if using KV store.
-
-# Deprecated, replaced by [acme.dnsChallenge].
-#
-# Optional.
-#
-# dnsProvider = "digitalocean"
-
-# Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck].
-#
-# Optional
-# Default: 0
-#
-# delayDontCheckDNS = 0
-
-# If true, display debug log messages from the acme client library.
-#
-# Optional
-# Default: false
-#
-# acmeLogging = true
-
-# If true, override certificates in key-value store when using storeconfig.
-#
-# Optional
-# Default: false
-#
-# overrideCertificates = true
-
-# Deprecated. Enable on demand certificate generation.
-#
-# Optional
-# Default: false
-#
-# onDemand = true
-
-# Enable certificate generation on frontends host rules.
-#
-# Optional
-# Default: false
-#
-# onHostRule = true
-
-# CA server to use.
-# Uncomment the line to use Let's Encrypt's staging server,
-# leave commented to go to prod.
-#
-# Optional
-# Default: "https://acme-v02.api.letsencrypt.org/directory"
-#
-# caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
-
-# KeyType to use.
-#
-# Optional
-# Default: "RSA4096"
-#
-# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
-#
-# KeyType = "RSA4096"
-
-# Use a TLS-ALPN-01 ACME challenge.
-#
-# Optional (but recommended)
-#
-[acme.tlsChallenge]
-
-# Use a HTTP-01 ACME challenge.
-#
-# Optional
-#
-# [acme.httpChallenge]
-
-  # EntryPoint to use for the HTTP-01 challenges.
+  # Email address used for registration.
  #
  # Required
  #
-  # entryPoint = "http"
+  email = "test@traefik.io"

-# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
-# Note: mandatory for wildcard certificate generation.
-#
-# Optional
-#
-# [acme.dnsChallenge]
-
-  # DNS provider used.
+  # File or key used for certificates storage.
  #
  # Required
  #
-  # provider = "digitalocean"
+  storage = "acme.json"

-  # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
-  # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
-  # Useful if internal networks block external DNS queries.
+  # CA server to use.
+  # Uncomment the line to use Let's Encrypt's staging server,
+  # leave commented to go to prod.
  #
  # Optional
-  # Default: 0
+  # Default: "https://acme-v02.api.letsencrypt.org/directory"
  #
-  # delayBeforeCheck = 0
+  # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

-  # Use following DNS servers to resolve the FQDN authority.
+  # KeyType to use.
  #
  # Optional
-  # Default: empty
+  # Default: "RSA4096"
  #
-  # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
+  # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
+  #
+  # keyType = "RSA4096"

-  # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
+  # Use a TLS-ALPN-01 ACME challenge.
  #
-  # NOT RECOMMENDED:
-  # Increase the risk of reaching Let's Encrypt's rate limits.
+  # Optional (but recommended)
+  #
+  [certificatesResolvers.sample.acme.tlsChallenge]
+
+  # Use a HTTP-01 ACME challenge.
  #
  # Optional
-  # Default: false
  #
-  # disablePropagationCheck = true
+  # [certificatesResolvers.sample.acme.httpChallenge]

-# Domains list.
-# Only domains defined here can generate wildcard certificates.
-# The certificates for these domains are negotiated at traefik startup only.
-#
-# [[acme.domains]]
-#   main = "local1.com"
-#   sans = ["test1.local1.com", "test2.local1.com"]
-# [[acme.domains]]
-#   main = "local2.com"
-# [[acme.domains]]
-#   main = "*.local3.com"
-#   sans = ["local3.com", "test1.test1.local3.com"]
+    # EntryPoint to use for the HTTP-01 challenges.
+    #
+    # Required
+    #
+    # entryPoint = "web"
+
+  # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
+  # Note: mandatory for wildcard certificate generation.
+  #
+  # Optional
+  #
+  # [certificatesResolvers.sample.acme.dnsChallenge]
+
+    # DNS provider used.
+    #
+    # Required
+    #
+    # provider = "digitalocean"
+
+    # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
+    # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
+    # Useful if internal networks block external DNS queries.
+    #
+    # Optional
+    # Default: 0
+    #
+    # delayBeforeCheck = 0
+
+    # Use following DNS servers to resolve the FQDN authority.
+    #
+    # Optional
+    # Default: empty
+    #
+    # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
+
+    # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
+    #
+    # NOT RECOMMENDED:
+    # Increase the risk of reaching Let's Encrypt's rate limits.
+    #
+    # Optional
+    # Default: false
+    #
+    # disablePropagationCheck = true
--- a/docs/content/https/ref-acme.txt
+++ b/docs/content/https/ref-acme.txt
@@ -0,0 +1,89 @@
+# Enable ACME (Let's Encrypt): automatic SSL.
+--certificatesResolvers.sample.acme
+
+# Email address used for registration.
+#
+# Required
+#
+--certificatesResolvers.sample.acme.email="test@traefik.io"
+
+# File or key used for certificates storage.
+#
+# Required
+#
+--certificatesResolvers.sample.acme.storage="acme.json"
+
+# CA server to use.
+# Uncomment the line to use Let's Encrypt's staging server,
+# leave commented to go to prod.
+#
+# Optional
+# Default: "https://acme-v02.api.letsencrypt.org/directory"
+#
+--certificatesResolvers.sample.acme.caServer="https://acme-staging-v02.api.letsencrypt.org/directory"
+
+# KeyType to use.
+#
+# Optional
+# Default: "RSA4096"
+#
+# Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
+#
+--certificatesResolvers.sample.acme.keyType=RSA4096
+
+# Use a TLS-ALPN-01 ACME challenge.
+#
+# Optional (but recommended)
+#
+--certificatesResolvers.sample.acme.tlsChallenge
+
+# Use a HTTP-01 ACME challenge.
+#
+# Optional
+#
+--certificatesResolvers.sample.acme.httpChallenge
+
+# EntryPoint to use for the HTTP-01 challenges.
+#
+# Required
+#
+--certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+
+# Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
+# Note: mandatory for wildcard certificate generation.
+#
+# Optional
+#
+--certificatesResolvers.sample.acme.dnsChallenge
+
+# DNS provider used.
+#
+# Required
+#
+--certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+
+# By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
+# If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
+# Useful if internal networks block external DNS queries.
+#
+# Optional
+# Default: 0
+#
+--certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+
+# Use following DNS servers to resolve the FQDN authority.
+#
+# Optional
+# Default: empty
+#
+--certificatesResolvers.sample.acme.dnsChallenge.resolvers="1.1.1.1:53,8.8.8.8:53"
+
+# Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
+#
+# NOT RECOMMENDED:
+# Increase the risk of reaching Let's Encrypt's rate limits.
+#
+# Optional
+# Default: false
+#
+--certificatesResolvers.sample.acme.dnsChallenge.disablePropagationCheck=true
--- a/docs/content/https/ref-acme.yaml
+++ b/docs/content/https/ref-acme.yaml
@@ -0,0 +1,93 @@
+certificatesResolvers:
+  sample:
+    # Enable ACME (Let's Encrypt): automatic SSL.
+    acme:
+
+      # Email address used for registration.
+      #
+      # Required
+      #
+      email: "test@traefik.io"
+
+      # File or key used for certificates storage.
+      #
+      # Required
+      #
+      storage: "acme.json"
+
+      # CA server to use.
+      # Uncomment the line to use Let's Encrypt's staging server,
+      # leave commented to go to prod.
+      #
+      # Optional
+      # Default: "https://acme-v02.api.letsencrypt.org/directory"
+      #
+      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+
+      # KeyType to use.
+      #
+      # Optional
+      # Default: "RSA4096"
+      #
+      # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
+      #
+      # keyType: RSA4096
+
+      # Use a TLS-ALPN-01 ACME challenge.
+      #
+      # Optional (but recommended)
+      #
+      tlsChallenge:
+
+      # Use a HTTP-01 ACME challenge.
+      #
+      # Optional
+      #
+      # httpChallenge:
+
+        # EntryPoint to use for the HTTP-01 challenges.
+        #
+        # Required
+        #
+        # entryPoint: web
+
+      # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
+      # Note: mandatory for wildcard certificate generation.
+      #
+      # Optional
+      #
+      # dnsChallenge:
+
+        # DNS provider used.
+        #
+        # Required
+        #
+        # provider: digitalocean
+
+        # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
+        # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
+        # Useful if internal networks block external DNS queries.
+        #
+        # Optional
+        # Default: 0
+        #
+        # delayBeforeCheck: 0
+
+        # Use following DNS servers to resolve the FQDN authority.
+        #
+        # Optional
+        # Default: empty
+        #
+        # resolvers
+        # - "1.1.1.1:53"
+        # - "8.8.8.8:53"
+
+        # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
+        #
+        # NOT RECOMMENDED:
+        # Increase the risk of reaching Let's Encrypt's rate limits.
+        #
+        # Optional
+        # Default: false
+        #
+        # disablePropagationCheck: true
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -11,18 +11,25 @@ See the [Let's Encrypt](./acme.md) page.

 ### User defined

-To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls]]` section:
+To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:

-```toml
-[[tls]]
-  [tls.certificate]
-    certFile = "/path/to/domain.cert"
-    keyFile = "/path/to/domain.key"
+```toml tab="TOML"
+[[tls.certificates]]
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"

-[[tls]]
-  [tls.certificate]
-    certFile = "/path/to/other-domain.cert"
-    keyFile = "/path/to/other-domain.key"
+[[tls.certificates]]
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
+```
+
+```yaml tab="YAML"
+tls:
+  certificates:
+  - certFile: /path/to/domain.cert
+    keyFile: /path/to/domain.key
+  - certFile: /path/to/other-domain.cert
+    keyFile: /path/to/other-domain.key
 ```

 !!! important "File Provider Only"
@@ -34,9 +41,15 @@ To add / remove TLS certificates, even when Traefik is already running, their de

 In Traefik, certificates are grouped together in certificates stores, which are defined as such:

-```toml
-[tlsStores]
-  [tlsStores.default]
+```toml tab="TOML"
+[tls.stores]
+  [tls.stores.default]
+```
+
+```yaml tab="YAML"
+tls:
+  stores:
+    default: {}
 ```

 !!! important "Alpha restriction"
@@ -44,21 +57,32 @@ In Traefik, certificates are grouped together in certificates stores, which are
    During the alpha version, any store definition other than the default one (named `default`) will be ignored,
    and there is thefore only one globally available TLS store.

-In the `[[tls]]` section, a list of stores can then be specified to indicate where the certificates should be stored:
+In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:

-```toml
-[[tls]]
+```toml tab="TOML"
+[[tls.certificates]]
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"
  stores = ["default"]
-  [tls.certificate]
-    certFile = "/path/to/domain.cert"
-    keyFile = "/path/to/domain.key"

-[[tls]]
+[[tls.certificates]]
  # Note that since no store is defined,
  # the certificate below will be stored in the `default` store.
-  [tls.certificate]
-    certFile = "/path/to/other-domain.cert"
-    keyFile = "/path/to/other-domain.key"
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
+```
+
+```yaml tab="YAML"
+tls:
+  certificates:
+  - certFile: /path/to/domain.cert
+    keyFile: /path/to/domain.key
+    stores:
+    - default
+  # Note that since no store is defined,
+  # the certificate below will be stored in the `default` store.
+  - certFile: /path/to/other-domain.cert
+    keyFile: /path/to/other-domain.key
 ```

 !!! important "Alpha restriction"
@@ -70,14 +94,23 @@ In the `[[tls]]` section, a list of stores can then be specified to indicate whe
 Traefik can use a default certificate for connections without a SNI, or without a matching domain.
 This default certificate should be defined in a TLS store:

-```toml
-[tlsStores]
-  [tlsStores.default]
-    [tlsStores.default.defaultCertificate]
+```toml tab="TOML"
+[tls.stores]
+  [tls.stores.default]
+    [tls.stores.default.defaultCertificate]
      certFile = "path/to/cert.crt"
      keyFile  = "path/to/cert.key"
 ```

+```yaml tab="YAML"
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: path/to/cert.crt
+        keyFile: path/to/cert.key
+```
+
 If no default certificate is provided, Traefik generates and uses a self-signed certificate.

 ## TLS Options
@@ -86,55 +119,97 @@ The TLS options allow one to configure some parameters of the TLS connection.

 ### Minimum TLS Version

-```toml
-[tlsOptions]
+```toml tab="TOML"
+[tls.options]

-  [tlsOptions.default]
+  [tls.options.default]
    minVersion = "VersionTLS12"

-  [tlsOptions.mintls13]
+  [tls.options.mintls13]
    minVersion = "VersionTLS13"
 ```

-### Mutual Authentication
+```yaml tab="YAML"
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12

-Traefik supports both optional and strict (which is the default) mutual authentication, though the `ClientCA.files` section.
-If present, connections from clients without a certificate will be rejected.
+    mintls13:
+      minVersion: VersionTLS13
+```

-For clients with a certificate, the `optional` option governs the behaviour as follows:
+### Client Authentication (mTLS)

- When `optional = false`, Traefik accepts connections only from clients presenting a certificate signed by a CA listed in `ClientCA.files`.
- When `optional = true`, Traefik authorizes connections from clients presenting a certificate signed by an unknown CA.
+Traefik supports mutual authentication, through the `ClientAuth` section.

-```toml
-[tlsOptions]
-  [tlsOptions.default]
-    [tlsOptions.default.ClientCA]
+For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `ClientAuth.caFiles`.
+ 
+The `ClientAuth.clientAuthType` option governs the behaviour as follows:
+
+- `NoClientCert`: disregards any client certificate.
+- `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
+- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `ClientAuth.caFiles`.
+- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `ClientAuth.caFiles`. Otherwise proceeds without any certificate.
+- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `ClientAuth.caFiles`. 
+
+```toml tab="TOML"
+[tls.options]
+  [tls.options.default]
+    [tls.options.default.clientAuth]
      # in PEM format. each file can contain multiple CAs.
-      files = ["tests/clientca1.crt", "tests/clientca2.crt"]
-      optional = false
+      caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
+      clientAuthType = "RequireAndVerifyClientCert"
+```
+
+```yaml tab="YAML"
+tls:
+  options:
+    default:
+      clientAuth:
+        # in PEM format. each file can contain multiple CAs.
+        caFiles:
+        - tests/clientca1.crt
+        - tests/clientca2.crt
+        clientAuthType: RequireAndVerifyClientCert
 ```

 ### Cipher Suites

 See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.

-```toml
-[tlsOptions]
-  [tlsOptions.default]
+```toml tab="TOML"
+[tls.options]
+  [tls.options.default]
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_256_GCM_SHA384"
    ]
 ```

+```yaml tab="YAML"
+tls:
+  options:
+    default:
+      cipherSuites:
+      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+      - TLS_RSA_WITH_AES_256_GCM_SHA384
+```
+
 ### Strict SNI Checking

 With strict SNI checking, Traefik won't allow connections from clients connections
 that do not specify a server_name extension.

-```toml
-[tlsOptions]
-  [tlsOptions.default]
+```toml tab="TOML"
+[tls.options]
+  [tls.options.default]
    sniStrict = true
 ```
+
+```yaml tab="YAML"
+tls:
+  options:
+    default:
+      sniStrict: true
+```
--- a/docs/content/middlewares/addprefix.md
+++ b/docs/content/middlewares/addprefix.md
@@ -41,8 +41,8 @@ labels:
 ```toml tab="File"
 # Prefixing with /foo
 [http.middlewares]
-  [http.middlewares.add-foo.AddPrefix]
-     prefix = "/foo"
+  [http.middlewares.add-foo.addPrefix]
+    prefix = "/foo"
 ```

 ## Configuration Options
--- a/docs/content/middlewares/basicauth.md
+++ b/docs/content/middlewares/basicauth.md
@@ -47,7 +47,7 @@ labels:
 ```toml tab="File"
 # Declaring the user list
 [http.middlewares]
-  [http.middlewares.test-auth.basicauth]
+  [http.middlewares.test-auth.basicAuth]
  users = [
    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
@@ -61,7 +61,7 @@ labels:
 Passwords must be encoded using MD5, SHA1, or BCrypt.

 !!! tip 
-   
+
    Use `htpasswd` to generate the passwords.

 ### `users`
@@ -120,7 +120,7 @@ spec:
 ```

 ```toml tab="File"
-[http.middlewares.my-auth.basicauth]
+[http.middlewares.my-auth.basicAuth]
  # ...
  headerField = "X-WebAuth-User"
 ```
--- a/docs/content/middlewares/buffering.md
+++ b/docs/content/middlewares/buffering.md
@@ -46,7 +46,7 @@ labels:
 # Sets the maximum request body to 2Mb
 [http.middlewares]
  [http.middlewares.limit.buffering]
-      maxRequestBodyBytes = 250000
+    maxRequestBodyBytes = 250000
 ```

 ## Configuration Options
--- a/docs/content/middlewares/chain.md
+++ b/docs/content/middlewares/chain.md
@@ -111,27 +111,27 @@ labels:
 ```toml tab="File"
 # ...    
 [http.routers]
-    [http.routers.router1]
-        service = "service1"
-        middlewares = ["secured"]
-        rule = "Host(`mydomain`)"
+  [http.routers.router1]
+    service = "service1"
+    middlewares = ["secured"]
+    rule = "Host(`mydomain`)"

 [http.middlewares]
-    [http.middlewares.secured.Chain]
-        middlewares = ["https-only", "known-ips", "auth-users"]
+  [http.middlewares.secured.chain]
+    middlewares = ["https-only", "known-ips", "auth-users"]

-    [http.middlewares.auth-users.BasicAuth]
-        users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
+  [http.middlewares.auth-users.basicAuth]
+    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]

-    [http.middlewares.https-only.redirectScheme]
-        scheme = "https"
+  [http.middlewares.https-only.redirectScheme]
+    scheme = "https"

-    [http.middlewares.known-ips.ipWhiteList]
-        sourceRange = ["192.168.1.7", "127.0.0.1/32"]
+  [http.middlewares.known-ips.ipWhiteList]
+    sourceRange = ["192.168.1.7", "127.0.0.1/32"]

 [http.services]
  [http.services.service1]
-    [http.services.service1.LoadBalancer]
-      [[http.services.service1.LoadBalancer.Servers]]
-        URL = "http://127.0.0.1:80"
+    [http.services.service1.loadBalancer]
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://127.0.0.1:80"
 ```
--- a/docs/content/middlewares/circuitbreaker.md
+++ b/docs/content/middlewares/circuitbreaker.md
@@ -55,8 +55,8 @@ labels:
 ```toml tab="File"
 # Latency Check
 [http.middlewares]
-   [http.middlewares.latency-check.circuitBreaker]
-      expression = "LatencyAtQuantileMS(50.0) > 100"
+  [http.middlewares.latency-check.circuitBreaker]
+    expression = "LatencyAtQuantileMS(50.0) > 100"
 ```

 ## Possible States
@@ -66,7 +66,7 @@ There are three possible states for your circuit breaker:
 - Close (your service operates normally)
 - Open (the fallback mechanism takes over your service)
 - Recovering (the circuit breaker tries to resume normal operations by progressively sending requests to your service)
-   
+
 ### Close

 While close, the circuit breaker only collects metrics to analyze the behavior of the requests.
@@ -95,7 +95,7 @@ The `expression` can check three different metrics:
 - The network error ratio (`NetworkErrorRatio`)
 - The status code ratio (`ResponseCodeRatio`)
 - The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
-   
+
 #### `NetworkErrorRatio`

 If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
@@ -151,7 +151,7 @@ Here is the list of supported operators:
 ### Fallback mechanism

 The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured. 
-   
+
 ### `CheckPeriod`

 The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
--- a/docs/content/middlewares/compress.md
+++ b/docs/content/middlewares/compress.md
@@ -40,7 +40,7 @@ labels:
 ```toml tab="File"
 # Enable gzip compression
 [http.middlewares]
-  [http.middlewares.test-compress.Compress]
+  [http.middlewares.test-compress.compress]
 ```

 ## Notes
--- a/docs/content/middlewares/digestauth.md
+++ b/docs/content/middlewares/digestauth.md
@@ -53,7 +53,7 @@ labels:

 ## Configuration Options

-### `Users`
+### `users`

 The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.

@@ -61,7 +61,7 @@ The `users` option is an array of authorized users. Each user will be declared u
    
    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.

-### `UsersFile`
+### `usersFile`

 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.

@@ -78,11 +78,11 @@ The file content is a list of `name:realm:encoded-password`.
    
    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.

-### `Realm`
+### `realm`

 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 

-### `HeaderField`
+### `headerField`

 You can customize the header field for the authenticated user using the `headerField`option.

@@ -121,6 +121,6 @@ labels:
  headerField = "X-WebAuth-User"
 ```

-### `RemoveHeader`
+### `removeHeader`

 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
--- a/docs/content/middlewares/errorpages.md
+++ b/docs/content/middlewares/errorpages.md
@@ -52,7 +52,7 @@ labels:
 ```toml tab="File"
 # Custom Error Page for 5XX
 [http.middlewares]
-  [http.middlewares.test-errorpage.Errors]
+  [http.middlewares.test-errorpage.errors]
    status = ["500-599"]
    service = "serviceError"
    query = "/{status}.html"
--- a/docs/content/middlewares/forwardauth.md
+++ b/docs/content/middlewares/forwardauth.md
@@ -14,14 +14,14 @@ Otherwise, the response from the authentication server is returned.
 ```yaml tab="Docker"
 # Forward authentication to authserver.com
 labels:
- "traefik.http.middlewares.test-auth.ForwardAuth.Address=https://authserver.com/auth"
- "traefik.http.middlewares.test-auth.ForwardAuth.AuthResponseHeaders=X-Auth-User, X-Secret"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CA=path/to/local.crt"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CAOptional=true"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Cert=path/to/foo.cert"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify=true"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Key=path/to/foo.key"
- "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```

 ```yaml tab="Kubernetes"
@@ -45,28 +45,28 @@ spec:

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-auth.ForwardAuth.Address": "https://authserver.com/auth",
-  "traefik.http.middlewares.test-auth.ForwardAuth.AuthResponseHeaders": "X-Auth-User,X-Secret",
-  "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CA": "path/to/local.crt",
-  "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CAOptional": "true",
-  "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Cert": "path/to/foo.cert",
-  "traefik.http.middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify": "true",
-  "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Key": "path/to/foo.key",
-  "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader": "true"
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://authserver.com/auth",
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional": "true",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key",
+  "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
 }
 ```

 ```yaml tab="Rancher"
 # Forward authentication to authserver.com
 labels:
- "traefik.http.middlewares.test-auth.ForwardAuth.Address=https://authserver.com/auth"
- "traefik.http.middlewares.test-auth.ForwardAuth.AuthResponseHeaders=X-Auth-User, X-Secret"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CA=path/to/local.crt"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CAOptional=true"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Cert=path/to/foo.cert"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify=true"
- "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Key=path/to/foo.key"
- "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
+- "traefik.http.middlewares.test-auth.forwardauth.address=https://authserver.com/auth"
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.InisecureSkipVerify=true"
+- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```

 ```toml tab="File"
@@ -77,7 +77,7 @@ labels:
    trustForwardHeader = true
    authResponseHeaders = ["X-Auth-User", "X-Secret"]

-    [http.middlewares.test-auth.forwardauth.tls]
+    [http.middlewares.test-auth.forwardAuth.tls]
      ca = "path/to/local.crt"
      caOptional = true
      cert = "path/to/foo.cert"
@@ -92,7 +92,7 @@ The `address` option defines the authentication server address.

 ### `trustForwardHeader`

-Set the `trustForwardHeader` option to true to trust all the existing X-Forwarded-* headers.
+Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.

 ### `authResponseHeaders`

@@ -100,4 +100,4 @@ The `authResponseHeaders` option is the list of the headers to copy from the aut

 ### `tls`

-The `tls` option is the tls configuration from Traefik to the authentication server.
+The `tls` option is the TLS configuration from Traefik to the authentication server.
--- a/docs/content/middlewares/headers.md
+++ b/docs/content/middlewares/headers.md
@@ -15,8 +15,8 @@ Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response

 ```yaml tab="Docker"
 labels:
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
- "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True"
+- "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
+- "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=True"
 ```

 ```yaml tab="Kubernetes"
@@ -34,23 +34,23 @@ spec:

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name": "test",
-  "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header": "True"
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
+  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "True"
 }
 ```

 ```yaml tab="Rancher"
 labels:
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
- "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True"
+- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=True"
 ```

 ```toml tab="File"
 [http.middlewares]
  [http.middlewares.testHeader.headers]
-    [http.middlewares.testHeader.headers.CustomRequestHeaders]
+    [http.middlewares.testHeader.headers.customRequestHeaders]
        X-Script-Name = "test"
-    [http.middlewares.testHeader.headers.CustomResponseHeaders]
+    [http.middlewares.testHeader.headers.customResponseHeaders]
        X-Custom-Response-Header = "True"
 ```

@@ -77,22 +77,22 @@ spec:

 ```yaml tab="Rancher"
 labels:
-  - "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name": "test",
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
 }
 ```

 ```toml tab="File"    
 [http.middlewares]
  [http.middlewares.testHeader.headers]
-    [http.middlewares.testHeader.headers.CustomRequestHeaders]
+    [http.middlewares.testHeader.headers.customRequestHeaders]
        X-Script-Name = "test" # Adds
        X-Custom-Request-Header = "" # Removes
-    [http.middlewares.testHeader.headers.CustomResponseHeaders]
+    [http.middlewares.testHeader.headers.customResponseHeaders]
        X-Custom-Response-Header = "" # Removes
 ```

@@ -103,8 +103,8 @@ This functionality allows for some easy security features to quickly be set.

 ```yaml tab="Docker"
 labels:
-  - "traefik.http.middlewares.testHeader.Headers.FrameDeny=true"
-  - "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true"
+  - "traefik.http.middlewares.testHeader.headers.framedeny=true"
+  - "traefik.http.middlewares.testHeader.headers.sslredirect=true"
 ```

 ```yaml tab="Kubernetes"
@@ -120,14 +120,14 @@ spec:

 ```yaml tab="Rancher"
 labels:
-  - "traefik.http.middlewares.testHeader.Headers.FrameDeny=true"
-  - "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true"
+  - "traefik.http.middlewares.testheader.headers.framedeny=true"
+  - "traefik.http.middlewares.testheader.headers.sslredirect=true"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.testHeader.Headers.FrameDeny": "true",
-  "traefik.http.middlewares.testHeader.Headers.SSLRedirect": "true"
+  "traefik.http.middlewares.testheader.headers.framedeny": "true",
+  "traefik.http.middlewares.testheader.headers.sslredirect": "true"
 }
 ```

@@ -145,10 +145,10 @@ This functionality allows for more advanced security features to quickly be set.

 ```yaml tab="Docker"
 labels:
-  - "traefik.http.middlewares.testHeader.Headers.AccessControlAllowMethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testHeader.Headers.AccessControlAllowOrigin=origin-list-or-null"
-  - "traefik.http.middlewares.testHeader.Headers.AccessControlMaxAge=100"
-  - "traefik.http.middlewares.testHeader.Headers.AddVaryHeader=true"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```

 ```yaml tab="Kubernetes"
@@ -158,39 +158,39 @@ metadata:
  name: testHeader
 spec:
  headers:
-    AccessControlAllowMethods:
+    accessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
-    AccessControlAllowOrigin: "origin-list-or-null"
-    AccessControlMaxAge: 100
-    AddVaryHeader: "true"
+    accessControlAllowOrigin: "origin-list-or-null"
+    accessControlMaxAge: 100
+    addVaryHeader: "true"
 ```

 ```yaml tab="Rancher"
 labels:
-  - "traefik.http.middlewares.testHeader.Headers.AccessControlAllowMethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testHeader.Headers.AccessControlAllowOrigin=origin-list-or-null"
-  - "traefik.http.middlewares.testHeader.Headers.AccessControlMaxAge=100"
-  - "traefik.http.middlewares.testHeader.Headers.AddVaryHeader=true"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.testHeader.Headers.AccessControlAllowMethods": "GET,OPTIONS,PUT",
-  "traefik.http.middlewares.testHeader.Headers.AccessControlAllowOrigin": "origin-list-or-null",
-  "traefik.http.middlewares.testHeader.Headers.AccessControlMaxAge": "100",
-  "traefik.http.middlewares.testHeader.Headers.AddVaryHeader": "true"
+  "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
+  "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin": "origin-list-or-null",
+  "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
+  "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
 }
 ```

 ```toml tab="File"    
 [http.middlewares]
  [http.middlewares.testHeader.headers]
-    AccessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
-    AccessControlAllowOrigin = "origin-list-or-null"
-    AccessControlMaxAge = 100
-    AddVaryHeader = true
+    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
+    accessControlAllowOrigin = "origin-list-or-null"
+    accessControlMaxAge = 100
+    addVaryHeader = true
 ```

 ## Configuration Options
@@ -225,7 +225,8 @@ The  `accessControlAllowMethods` indicates which methods can be used during requ

 ### `accessControlAllowOrigin`

-The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values. The three options for this value are:
+The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values.
+The three options for this value are:

 - `origin-list-or-null`
 - `*`
@@ -261,11 +262,12 @@ Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302

 ### `sslHost` 

-The `SSLHost` option is the host name that is used to redirect http requests to https.
+The `sslHost` option is the host name that is used to redirect http requests to https.

 ### `sslProxyHeaders` 

-The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
+The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request.
+Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.

 ### `sslForceHost` 

@@ -273,7 +275,8 @@ Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` e

 ### `stsSeconds` 

-The `stsSeconds` is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
+The `stsSeconds` is the max-age of the Strict-Transport-Security header.
+If set to 0, would NOT include the header.

 ### `stsIncludeSubdomains` 

@@ -281,11 +284,11 @@ The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appen

 ### `stsPreload` 

-Set `STSPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
+Set `stsPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.

 ### `forceSTSHeader`

-Set `ForceSTSHeader` to true, to add the STS header even when the connection is HTTP.
+Set `forceSTSHeader` to true, to add the STS header even when the connection is HTTP.

 ### `frameDeny` 

@@ -293,7 +296,8 @@ Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `D
 
 ### `customFrameOptionsValue` 

-The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value. This overrides the FrameDeny option.
+The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value.
+This overrides the FrameDeny option.

 ### `contentTypeNosniff`

@@ -301,11 +305,12 @@ Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with

 ### `browserXssFilter`

-Set `BrowserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
+Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.

 ### `customBrowserXSSValue`

-The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the BrowserXssFilter option.
+The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value.
+This overrides the BrowserXssFilter option.

 ### `contentSecurityPolicy`

@@ -321,5 +326,7 @@ The `referrerPolicy` allows sites to control when browsers will pass the Referer

 ### `isDevelopment`

-Set `isDevelopment` to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain.  
+Set `isDevelopment` to true when developing.
+The AllowedHosts, SSL, and STS options can cause some unwanted effects.
+Usually testing happens on http, not https, and on localhost, not your production domain.  
 If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.
--- a/docs/content/middlewares/ipwhitelist.md
+++ b/docs/content/middlewares/ipwhitelist.md
@@ -12,7 +12,7 @@ IPWhitelist accepts / refuses requests based on the client IP.
 ```yaml tab="Docker"
 # Accepts request from defined IP
 labels:
- "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
@@ -29,14 +29,14 @@ spec:

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange": "127.0.0.1/32,192.168.1.7"
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
 }
 ```

 ```yaml tab="Rancher"
 # Accepts request from defined IP
 labels:
- "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```toml tab="File"
@@ -75,7 +75,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
    ```yaml tab="Docker"
    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
    labels:
-        - "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
+        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
    ```
    
@@ -87,23 +87,23 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
      name: testIPwhitelist
    spec:
      ipWhiteList:
-        SourceRange:
+        sourceRange:
        - 127.0.0.1/32
        - 192.168.1.7
-        ipstrategy:
+        ipStrategy:
          depth: 2
    ```
    
    ```yaml tab="Rancher"
    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
    labels:
-        - "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
+        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
    ```
    
    ```json tab="Marathon"
    "labels": {
-        "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange": "127.0.0.1/32, 192.168.1.7",
+        "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
        "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
    }
    ```
@@ -114,7 +114,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
      [http.middlewares.test-ipwhitelist.ipWhiteList]
        sourceRange = ["127.0.0.1/32", "192.168.1.7"]
        [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
-            depth = 2
+          depth = 2
    ```

 !!! note
@@ -142,7 +142,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
-    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
+    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
@@ -153,7 +153,7 @@ metadata:
  name: test-ipwhitelist
 spec:
  ipWhiteList:
-    ipstrategy:
+    ipStrategy:
      excludedIPs:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -162,12 +162,12 @@ spec:
 ```yaml tab="Rancher"
 # Exclude from `X-Forwarded-For`
 labels:
-    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
+    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```json tab="Marathon"
 "labels": {
-    "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs": "127.0.0.1/32, 192.168.1.7"
+    "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
 }
 ```

--- a/docs/content/middlewares/maxconnection.md
+++ b/docs/content/middlewares/maxconnection.md
@@ -40,8 +40,8 @@ labels:
 ```toml tab="File"
 # Limiting to 10 simultaneous connections
 [http.middlewares]
-  [http.middlewares.test-maxconn.maxconn]
-  amount = 10 
+  [http.middlewares.test-maxconn.maxConn]
+    amount = 10 
 ```

 ## Configuration Options
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -16,9 +16,13 @@ Pieces of middleware can be combined in chains to fit every scenario.
 ```yaml tab="Docker"
 # As a Docker Label
 whoami:
-  image: containous/whoami  # A container that exposes an API to show its IP address
+  #  A container that exposes an API to show its IP address
+  image: containous/whoami
  labels:
+    # Create a middleware named `foo-add-prefix`
    - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+    # Apply the middleware named `foo-add-prefix` to the router named `router1`
+    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```

 ```yaml tab="Kubernetes"
@@ -42,7 +46,7 @@ kind: Middleware
 metadata:
  name: stripprefix
 spec:
-  stripprefix:
+  stripPrefix:
    prefixes:
      - /stripit

@@ -61,100 +65,102 @@ spec:

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo"
+  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
+  "traefik.http.router.router1.middlewares": "foo-add-prefix@marathon"
 }
 ```

 ```yaml tab="Rancher"
 # As a Rancher Label
 labels:
+  # Create a middleware named `foo-add-prefix`
  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
-```
-
-```toml tab="File"
-[tlsOptions]
-    [tlsOptions.default]
-        minVersion = "VersionTLS12"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: tlsoptions.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: TLSOption
-    plural: tlsoptions
-    singular: tlsoption
-  scope: Namespaced
-
---
-apiVersion: traefik.containo.us/v1alpha1
-kind: TLSOption
-metadata:
-  name: mytlsoption
-  namespace: default
-
-spec:
-  minversion: VersionTLS12
+  # Apply the middleware named `foo-add-prefix` to the router named `router1`
+  - "traefik.http.router.router1.middlewares=foo-add-prefix@rancher"
 ```

 ```toml tab="File"
 # As Toml Configuration File
-[providers]
-   [providers.file]
-
 [http.routers]
  [http.routers.router1]
-    Service = "myService"
-    Middlewares = ["foo-add-prefix"]
-    Rule = "Host(`example.com`)"
+    service = "myService"
+    middlewares = ["foo-add-prefix"]
+    rule = "Host(`example.com`)"

 [http.middlewares]
- [http.middlewares.foo-add-prefix.AddPrefix]
+  [http.middlewares.foo-add-prefix.addPrefix]
    prefix = "/foo"

 [http.services]
- [http.services.service1]
-   [http.services.service1.LoadBalancer]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]

-     [[http.services.service1.LoadBalancer.Servers]]
-       URL = "http://127.0.0.1:80"
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://127.0.0.1:80"
 ```

-## Advanced Configuration
+## Provider Namespace

-When you declare a middleware, it lives in its `provider` namespace.
-For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker `provider` namespace.
+When you declare a middleware, it lives in its provider namespace.
+For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace.

-If you use multiple `providers` and wish to reference a middleware declared in another `provider`, then you'll have to prefix the middleware name with the `provider` name.
+If you use multiple providers and wish to reference a middleware declared in another provider
+(aka referencing a cross-provider middleware),
+then you'll have to append to the middleware name, the `@` separator, followed by the provider name.

-??? abstract "Referencing a Middleware from Another Provider"
+```text
+<resource-name>@<provider-name>
+```
+
+!!! important "Kubernetes Namespace"
+
+	As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
+with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
+In this case, since the definition of the middleware is not in kubernetes,
+specifying a "kubernetes namespace" when referring to the resource does not make any sense,
+and therefore this specification would be ignored even if present.
+
+!!! abstract "Referencing a Middleware from Another Provider"

    Declaring the add-foo-prefix in the file provider.

    ```toml
-    [providers]
-       [providers.file]
-
    [http.middlewares]
-     [http.middlewares.add-foo-prefix.AddPrefix]
+      [http.middlewares.add-foo-prefix.addPrefix]
        prefix = "/foo"
    ```

-    Using the add-foo-prefix middleware from docker.
+    Using the add-foo-prefix middleware from other providers:

-    ```yaml
+    ```yaml tab="Docker"
    your-container: #
-        image: your-docker-image
+      image: your-docker-image

-        labels:
-          # Attach add-foo-prefix@file middleware (declared in file)
-          - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
+      labels:
+        # Attach add-foo-prefix@file middleware (declared in file)
+        - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: ingressroutestripprefix
+
+    spec:
+      entryPoints:
+        - web
+      routes:
+        - match: Host(`bar.com`)
+          kind: Rule
+        services:
+          - name: whoami
+            port: 80
+        middlewares:
+          - name: add-foo-prefix@file
+          # namespace: bar
+          # A namespace specification such as above is ignored
+          # when the cross-provider syntax is used.
    ```

 ## Available Middlewares
--- a/docs/content/middlewares/passtlsclientcert.md
+++ b/docs/content/middlewares/passtlsclientcert.md
@@ -23,7 +23,7 @@ kind: Middleware
 metadata:
  name: addprefix
 spec:
-  passtlsclientcert:
+  passTLSClientCert:
    pem: true
 ```

@@ -42,7 +42,7 @@ labels:
 ```toml tab="File"
 # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 [http.middlewares]
-  [http.middlewares.test-passtlsclientcert.passtlsclientcert]
+  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
    pem = true
 ```

@@ -77,7 +77,7 @@ labels:
    metadata:
      name: test-passtlsclientcert
    spec:
-      passtlsclientcert:
+      passTLSClientCert:
        info:
          notAfter: true
          notBefore: true
@@ -147,12 +147,12 @@ labels:
    ```toml tab="File"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    [http.middlewares]
-      [http.middlewares.test-passtlsclientcert.passtlsclientcert]
-        [http.middlewares.test-passtlsclientcert.passtlsclientcert.info]
+      [http.middlewares.test-passtlsclientcert.passTLSClientCert]
+        [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
          notAfter = true
          notBefore = true
          sans = true
-          [http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject]
+          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
            country = true
            province = true
            locality = true
@@ -160,7 +160,7 @@ labels:
            commonName = true
            serialNumber = true
            domainComponent = true
-          [http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer]
+          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
            country = true
            province = true
            locality = true
@@ -360,9 +360,9 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO

    If there are more than one certificate, they are separated by a `;`.

-#### `info.notafter`
+#### `info.notAfter`

-Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part.
+Set the `info.notAfter` option to `true` to add the `Not After` information from the `Validity` part.

 The data are taken from the following certificate part:      

@@ -371,15 +371,15 @@ The data are taken from the following certificate part:
        Not After : Dec  5 11:10:16 2020 GMT            
 ```

-The escape `notafter` info part will be like:
+The escape `notAfter` info part will be like:

 ```text
 NA=1607166616
 ```

-#### `info.notbefore`
+#### `info.notBefore`

-Set the `info.notafter` option to `true` to add the `Not Before` information from the `Validity` part.
+Set the `info.notBefore` option to `true` to add the `Not Before` information from the `Validity` part.

 The data are taken from the following certificate part:

@@ -388,7 +388,7 @@ Validity
    Not Before: Dec  6 11:10:16 2018 GMT
 ```

-The escape `notafter` info part will be like:
+The escape `notBefore` info part will be like:

 ```text
 NB=1544094616
@@ -471,9 +471,9 @@ The escape organization info in the subject part will be like :
 O=Cheese,O=Cheese 2
 ```

-##### `info.subject.commonname`
+##### `info.subject.commonName`

-Set the `info.subject.commonname` option to true to add the `commonname` information into the subject.
+Set the `info.subject.commonName` option to true to add the `commonName` information into the subject.
  
 The data are taken from the subject part with the `CN` key.

@@ -483,9 +483,9 @@ The escape common name info in the subject part will be like :
 CN=*.cheese.com
 ```

-##### `info.subject.serialnumber`
+##### `info.subject.serialNumber`

-Set the `info.subject.serialnumber` option to true to add the `serialnumber` information into the subject.
+Set the `info.subject.serialNumber` option to true to add the `serialNumber` information into the subject.
  
 The data are taken from the subject part with the `SN` key.

@@ -495,9 +495,9 @@ The escape serial number info in the subject part will be like :
 SN=1234567890
 ```

-##### `info.subject.domaincomponent`
+##### `info.subject.domainComponent`

-Set the `info.subject.domaincomponent` option to true to add the `domaincomponent` information into the subject.
+Set the `info.subject.domainComponent` option to true to add the `domainComponent` information into the subject.
  
 The data are taken from the subject part with the `DC` key.

@@ -563,9 +563,9 @@ The escape organization info in the issuer part will be like :
 O=Cheese,O=Cheese 2
 ```

-##### `info.issuer.commonname`
+##### `info.issuer.commonName`

-Set the `info.issuer.commonname` option to true to add the `commonname` information into the issuer.
+Set the `info.issuer.commonName` option to true to add the `commonName` information into the issuer.
  
 The data are taken from the issuer part with the `CN` key.

@@ -575,9 +575,9 @@ The escape common name info in the issuer part will be like :
 CN=Simple Signing CA 2
 ```

-##### `info.issuer.serialnumber`
+##### `info.issuer.serialNumber`

-Set the `info.issuer.serialnumber` option to true to add the `serialnumber` information into the issuer.
+Set the `info.issuer.serialNumber` option to true to add the `serialNumber` information into the issuer.
  
 The data are taken from the issuer part with the `SN` key.

@@ -587,9 +587,9 @@ The escape serial number info in the issuer part will be like :
 SN=1234567890
 ```

-##### `info.issuer.domaincomponent`
+##### `info.issuer.domainComponent`

-Set the `info.issuer.domaincomponent` option to true to add the `domaincomponent` information into the issuer.
+Set the `info.issuer.domainComponent` option to true to add the `domainComponent` information into the issuer.
  
 The data are taken from the issuer part with the `DC` key.

--- a/docs/content/middlewares/ratelimit.md
+++ b/docs/content/middlewares/ratelimit.md
@@ -1,5 +1,8 @@
 # RateLimit

+!!! warning
+    This middleware is disable for now.
+
 Protection from Too Many Calls
 {: .subtitle }

@@ -33,7 +36,7 @@ metadata:
 spec:
  rateLimit:
    extractorFunc: client.ip
-    rateset:
+    rateSet:
      rate0:
          period: 10s
          average: 100
@@ -74,15 +77,15 @@ labels:
 # Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
 # These can "burst" up to 10 and 200 in each period, respectively.
 [http.middlewares]
-  [http.middlewares.test-ratelimit.ratelimit]
+  [http.middlewares.test-ratelimit.rateLimit]
    extractorfunc = "client.ip"
    
-    [http.middlewares.test-ratelimit.ratelimit.rateset.rate0]
+    [http.middlewares.test-ratelimit.rateLimit.rateSet.rate0]
      period = "10s"
      average = 100
      burst = 200
    
-    [http.middlewares.test-ratelimit.ratelimit.rateset.rate1]
+    [http.middlewares.test-ratelimit.rateLimit.rateSet.rate1]
      period = "3s"
      average = 5
      burst = 10
@@ -100,7 +103,7 @@ The possible values are:
 - `client.ip` categorizes requests based on the client ip.
 - `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.

-### `ratelimit`
+### `rateSet`

 You can combine multiple rate limits. 
 The rate limit will trigger with the first reached limit.
--- a/docs/content/middlewares/redirectregex.md
+++ b/docs/content/middlewares/redirectregex.md
@@ -45,7 +45,7 @@ labels:
 ```toml tab="File"
 # Redirect with domain replacement
 [http.middlewares]
-  [http.middlewares.test-redirectregex.redirectregex]
+  [http.middlewares.test-redirectregex.redirectRegex]
    regex = "^http://localhost/(.*)"
    replacement = "http://mydomain/$1"
 ```
@@ -58,7 +58,7 @@ Set the `permanent` option to `true` to apply a permanent redirection.

 ### `regex`

-The `Regex` option is the regular expression to match and capture elements from the request URL.
+The `regex` option is the regular expression to match and capture elements from the request URL.

 !!! warning

--- a/docs/content/middlewares/redirectscheme.md
+++ b/docs/content/middlewares/redirectscheme.md
@@ -41,7 +41,7 @@ labels:
 ```toml tab="File"
 # Redirect to https
 [http.middlewares]
-  [http.middlewares.test-redirectscheme.redirectscheme]
+  [http.middlewares.test-redirectscheme.redirectScheme]
    scheme = "https"
 ```

--- a/docs/content/middlewares/replacepath.md
+++ b/docs/content/middlewares/replacepath.md
@@ -41,8 +41,8 @@ labels:
 ```toml tab="File"
 # Replace the path by /foo
 [http.middlewares]
-  [http.middlewares.test-replacepath.ReplacePath]
-     path = "/foo"
+  [http.middlewares.test-replacepath.replacePath]
+    path = "/foo"
 ```

 ## Configuration Options
--- a/docs/content/middlewares/replacepathregex.md
+++ b/docs/content/middlewares/replacepathregex.md
@@ -61,7 +61,7 @@ The ReplacePathRegex middleware will:

 ### `regex`

-The `Regex` option is the regular expression to match and capture the path from the request URL.
+The `regex` option is the regular expression to match and capture the path from the request URL.

 !!! warning

--- a/docs/content/middlewares/retry.md
+++ b/docs/content/middlewares/retry.md
@@ -41,7 +41,7 @@ labels:
 ```toml tab="File"
 # Retry to send request 4 times
 [http.middlewares]
-  [http.middlewares.test-retry.Retry]
+  [http.middlewares.test-retry.retry]
     attempts = 4
 ```

--- a/docs/content/middlewares/stripprefix.md
+++ b/docs/content/middlewares/stripprefix.md
@@ -43,8 +43,8 @@ labels:
 ```toml tab="File"
 # Strip prefix /foobar and /fiibar
 [http.middlewares]
-  [http.middlewares.test-stripprefix.StripPrefix]
-     prefixes = ["/foobar", "/fiibar"]
+  [http.middlewares.test-stripprefix.stripPrefix]
+    prefixes = ["/foobar", "/fiibar"]
 ```

 ## Configuration Options
--- a/docs/content/middlewares/stripprefixregex.md
+++ b/docs/content/middlewares/stripprefixregex.md
@@ -41,7 +41,7 @@ labels:
 ```toml tab="File"
 # Replace the path by /foo
 [http.middlewares]
-  [http.middlewares.test-stripprefixregex.StripPrefixRegex]
+  [http.middlewares.test-stripprefixregex.stripPrefixRegex]
     regex: "^/foo/(.*)"
 ```

@@ -56,7 +56,7 @@ The StripPrefixRegex middleware will:

 !!! tip
    
-    Use a `StripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
+    Use a `stripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.

 ### `regex`

--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -5,51 +5,57 @@ Who Calls Whom?

 By default, logs are written to stdout, in text format.

-## Configuration Examples
+## Configuration 

-??? example "Enabling Access Logs"
+To enable the access logs:

-    ```toml
-    [accessLog]
-    ```
+```toml tab="File"
+[accessLog]
+```

-## Configuration Options 
+```bash tab="CLI"
+--accesslog
+```

-### filePath
+### `filePath`

 By default access logs are written to the standard output.
 To write the logs into a log file, use the `filePath` option.

 in the Common Log Format (CLF), extended with additional fields.

-### format
+### `format`
 
 By default, logs are written using the Common Log Format (CLF).
 To write logs in JSON, use `json` in the `format` option.

 !!! note "Common Log Format"
-
-#### CLF - Common Log Format
-
+    
    ```html
    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms 
    ```

-#### bufferingSize
+### `bufferingSize`

 To write the logs in an asynchronous fashion, specify a  `bufferingSize` option.
 This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.
 In some cases, this option can greatly help performances.

-??? example "Configuring a buffer of 100 lines"
+```toml tab="File"
+# Configuring a buffer of 100 lines
+[accessLog]
+  filePath = "/path/to/access.log"
+  bufferingSize = 100
+```

-    ```toml
-    [accessLog]
-    filePath = "/path/to/access.log"
-    bufferingSize = 100
-    ```
+```bash tab="CLI"
+# Configuring a buffer of 100 lines
+--accesslog
+--accesslog.filepath="/path/to/access.log"
+--accesslog.bufferingsize=100
+```

-#### Filtering
+### Filtering

 To filter logs, you can specify a set of filters which are logically "OR-connected". 
 Thus, specifying multiple filters will keep more access logs than specifying only one.
@@ -60,20 +66,29 @@ The available filters are:
 - `retryAttempts`, to keep the access logs when at least one retry has happened
 - `minDuration`, to keep access logs when requests take longer than the specified duration

-??? example "Configuring Multiple Filters"
+```toml tab="File"
+# Configuring Multiple Filters
+[accessLog]
+filePath = "/path/to/access.log"
+format = "json"

-    ```toml
-    [accessLog]
-    filePath = "/path/to/access.log"
-    format = "json"
-    
-      [accessLog.filters]    
-        statusCodes = ["200", "300-302"]
-        retryAttempts = true
-        minDuration = "10ms"
-    ```
+  [accessLog.filters]    
+    statusCodes = ["200", "300-302"]
+    retryAttempts = true
+    minDuration = "10ms"
+```

-#### Limiting the Fields
+```bash tab="CLI"
+# Configuring Multiple Filters
+--accesslog
+--accesslog.filepath="/path/to/access.log"
+--accesslog.format="json"
+--accesslog.filters.statuscodes="200, 300-302"
+--accesslog.filters.retryattempts
+--accesslog.filters.minduration="10ms"
+```
+
+### Limiting the Fields

 You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.header` options

@@ -83,31 +98,42 @@ Each field can be set to:
 - `drop` to drop the value
 - `redact` to replace the value with "redacted"

-??? example "Limiting the Logs to Specific Fields"
+The `defaultMode` for `fields.header` is `drop`.

-    ```toml
-    [accessLog]
-        filePath = "/path/to/access.log"
-        format = "json"
-        
-        [accessLog.filters]
-            statusCodes = ["200", "300-302"]
-    
-        [accessLog.fields]
-            defaultMode = "keep"
-    
-            [accessLog.fields.names]
-                "ClientUsername" = "drop"
+```toml tab="File"
+# Limiting the Logs to Specific Fields
+[accessLog]
+  filePath = "/path/to/access.log"
+  format = "json"
+
+  [accessLog.fields]
+    defaultMode = "keep"
+
+    [accessLog.fields.names]
+      "ClientUsername" = "drop"
+
+    [accessLog.fields.headers]
+      defaultMode = "keep"
+  
+      [accessLog.fields.headers.names]
+        "User-Agent" = "redact"
+        "Authorization" = "drop"
+        "Content-Type" = "keep"
+```
+
+```bash tab="CLI"
+# Limiting the Logs to Specific Fields
+--accesslog
+--accesslog.filepath="/path/to/access.log"
+--accesslog.format="json"
+--accesslog.fields.defaultmode="keep"
+--accesslog.fields.names.ClientUsername="drop"
+--accesslog.fields.headers.defaultmode="keep"
+--accesslog.fields.headers.names.User-Agent="redact"
+--accesslog.fields.headers.names.Authorization="drop"
+--accesslog.fields.headers.names.Content-Type="keep"
+```

-            [accessLog.fields.headers]
-                defaultMode = "keep"
-        
-                [accessLog.fields.headers.names]
-                    "User-Agent" = "redact"
-                    "Authorization" = "drop"
-                    "Content-Type" = "keep"
-    ```
-    
 ??? list "Available Fields"

    | Field                   | Description                                                                                                                                                         |
--- a/docs/content/observability/metrics/datadog.md
+++ b/docs/content/observability/metrics/datadog.md
@@ -0,0 +1,106 @@
+# DataDog
+
+To enable the DataDog:
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.dataDog]
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.datadog
+```
+
+#### `address`
+
+_Required, Default="127.0.0.1:8125"_
+
+Address instructs exporter to send metrics to datadog-agent at this address.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.dataDog]
+    address = "127.0.0.1:8125"
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  dataDog:
+    address: 127.0.0.1:8125
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.datadog.address="127.0.0.1:8125"
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.dataDog]
+    addEntryPointsLabels = true
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  dataDog:
+    addEntryPointsLabels: true
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.datadog.addEntryPointsLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.dataDog]
+    addServicesLabels = true
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  dataDog:
+    addServicesLabels: true
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.datadog.addServicesLabels=true
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+The interval used by the exporter to push metrics to datadog-agent.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.dataDog]
+    pushInterval = 10s
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  dataDog:
+    pushInterval: 10s
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.datadog.pushInterval=10s
+```
+
--- a/docs/content/observability/metrics/influxdb.md
+++ b/docs/content/observability/metrics/influxdb.md
@@ -0,0 +1,225 @@
+# InfluxDB
+
+To enable the InfluxDB:
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  influxdb: {}
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.influxdb
+```
+
+#### `address`
+
+_Required, Default="localhost:8089"_
+
+Address instructs exporter to send metrics to influxdb at this address.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    address = "localhost:8089"
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  influxdb:
+    address: localhost:8089
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.influxdb.address="localhost:8089"
+```
+
+#### `protocol`
+
+_Required, Default="udp"_
+
+InfluxDB's address protocol (udp or http).
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    protocol = "upd"
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  influxdb:
+    protocol: udp
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.influxdb.protocol="udp"
+```
+
+#### `database`
+
+_Optional, Default=""_
+
+InfluxDB database used when protocol is http.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    database = ""
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  influxdb:
+    database: ""
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.influxdb.database=""
+```
+
+#### `retentionPolicy`
+
+_Optional, Default=""_
+
+InfluxDB retention policy used when protocol is http.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    retentionPolicy = ""
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  influxdb:
+    retentionPolicy: ""
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.influxdb.retentionPolicy=""
+```
+
+#### `username`
+
+_Optional, Default=""_
+
+InfluxDB username (only with http).
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    username = ""
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  influxdb:
+    username: ""
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.influxdb.username=""
+```
+
+#### `password`
+
+_Optional, Default=""_
+
+InfluxDB password (only with http).
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    password = ""
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  influxdb:
+    password: ""
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.influxdb.password=""
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    addEntryPointsLabels = true
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  influxdb:
+    addEntryPointsLabels: true
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.influxdb.addEntryPointsLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    addServicesLabels = true
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  influxdb:
+    addServicesLabels: true
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.influxdb.addServicesLabels=true
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+The interval used by the exporter to push metrics to influxdb.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxdb]
+    pushInterval = 10s
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  influxdb:
+    pushInterval: 10s
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.influxdb.pushInterval=10s
+```
--- a/docs/content/observability/metrics/overview.md
+++ b/docs/content/observability/metrics/overview.md
@@ -0,0 +1,26 @@
+# Metrics
+Metrics system
+{: .subtitle }
+
+Traefik supports 4 metrics backends:
+
+- [DataDog](./datadog.md)
+- [InfluxDB](./influxdb.md)
+- [Prometheus](./prometheus.md)
+- [StatsD](./statsd.md)
+
+## Configuration
+
+To enable metrics:
+
+```toml tab="File (TOML)"
+[metrics]
+```
+
+```yaml tab="File (TOML)"
+metrics: {}
+```
+
+```bash tab="CLI"
+--metrics
+```
--- a/docs/content/observability/metrics/prometheus.md
+++ b/docs/content/observability/metrics/prometheus.md
@@ -0,0 +1,91 @@
+# Prometheus
+
+To enable the Prometheus:
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  prometheus: {}
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.prometheus
+```
+
+#### `buckets`
+
+_Optional, Default="0.100000, 0.300000, 1.200000, 5.000000"_
+
+Buckets for latency metrics.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    buckets = [0.1,0.3,1.2,5.0]
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  prometheus:
+    buckets:
+    - 0.1
+    - 0.3
+    - 1.2
+    - 5.0
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    addEntryPointsLabels = true
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  prometheus:
+    addEntryPointsLabels: true
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.prometheus.addEntryPointsLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    addServicesLabels = true
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  prometheus:
+    addServicesLabels: true
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.prometheus.addServicesLabels=true
+```
--- a/docs/content/observability/metrics/statsd.md
+++ b/docs/content/observability/metrics/statsd.md
@@ -0,0 +1,110 @@
+# StatsD
+
+To enable the Statsd:
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsd]
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  statsd: {}
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.statsd
+```
+
+#### `address`
+
+_Required, Default="localhost:8125"_
+
+Address instructs exporter to send metrics to statsd at this address.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsd]
+    address = "localhost:8125"
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  statsd:
+    address: localhost:8125
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.statsd.address="localhost:8125"
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsd]
+    addEntryPointsLabels = true
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  statsd:
+    addEntryPointsLabels: true
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.statsd.addEntryPointsLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsd]
+    addServicesLabels = true
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  statsd:
+    addServicesLabels: true
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.statsd.addServicesLabels=true
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+The interval used by the exporter to push metrics to statsD.
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsd]
+    pushInterval = 10s
+```
+
+```yaml tab="File (TOML)"
+metrics:
+  statsd:
+    pushInterval: 10s
+```
+
+```bash tab="CLI"
+--metrics
+--metrics.statsd.pushInterval=10s
+```
--- a/docs/content/observability/tracing.md
+++ b/docs/content/observability/tracing.md
@@ -1,234 +0,0 @@
-# Tracing
-
-Visualize the Requests Flow
-{: .subtitle }
-
-The tracing system allows developers to visualize call flows in their infrastructure.
-
-Traefik uses OpenTracing, an open standard designed for distributed tracing.
-
-Traefik supports four tracing backends: Jaeger, Zipkin, DataDog, and Instana.
-
-## Configuration Reference
-
-??? example "With Jaeger" 
-
-    ```toml
-    # Tracing definition
-    [tracing]
-      # Backend name used to send tracing data
-      #
-      # Default: "jaeger"
-      #
-      backend = "jaeger"
-    
-      # Service name used in Jaeger backend
-      #
-      # Default: "traefik"
-      #
-      serviceName = "traefik"
-        
-      # Span name limit allows for name truncation in case of very long Frontend/Backend names
-      # This can prevent certain tracing providers to drop traces that exceed their length limits
-      #
-      # Default: 0 - no truncation will occur
-      # 
-      spanNameLimit = 0
-    
-      [tracing.jaeger]
-        # Sampling Server URL is the address of jaeger-agent's HTTP sampling server
-        #
-        # Default: "http://localhost:5778/sampling"
-        #
-        samplingServerURL = "http://localhost:5778/sampling"
-    
-        # Sampling Type specifies the type of the sampler: const, probabilistic, rateLimiting
-        #
-        # Default: "const"
-        #
-        samplingType = "const"
-    
-        # Sampling Param is a value passed to the sampler.
-        # Valid values for Param field are:
-        #   - for "const" sampler, 0 or 1 for always false/true respectively
-        #   - for "probabilistic" sampler, a probability between 0 and 1
-        #   - for "rateLimiting" sampler, the number of spans per second
-        #
-        # Default: 1.0
-        #
-        samplingParam = 1.0
-    
-        # Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address
-        #
-        # Default: "127.0.0.1:6831"
-        #
-        localAgentHostPort = "127.0.0.1:6831"
-       
-        # Generate 128-bit trace IDs, compatible with OpenCensus
-        #
-        # Default: false
-        gen128Bit = true
-       
-        # Set the propagation header type. This can be either:
-        #   - "jaeger", jaeger's default trace header.
-        #   - "b3", compatible with OpenZipkin
-        #
-        # Default: "jaeger"
-        propagation = "jaeger"
-        
-        # Trace Context Header Name is the http header name used to propagate tracing context.
-        # This must be in lower-case to avoid mismatches when decoding incoming headers.
-        #
-        # Default: "uber-trace-id"
-        #
-        traceContextHeaderName = "uber-trace-id"
-    ```
-
-    !!! warning
-        Traefik is only able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent).
-
-??? example "With Zipkin"
-
-    ```toml
-    # Tracing definition
-    [tracing]
-      # Backend name used to send tracing data
-      #
-      # Default: "jaeger"
-      #
-      backend = "zipkin"
-    
-      # Service name used in Zipkin backend
-      #
-      # Default: "traefik"
-      #
-      serviceName = "traefik"
-        
-      # Span name limit allows for name truncation in case of very long Frontend/Backend names
-      # This can prevent certain tracing providers to drop traces that exceed their length limits
-      #
-      # Default: 0 - no truncation will occur
-      # 
-      spanNameLimit = 150
-    
-      [tracing.zipkin]
-        # Zipkin HTTP endpoint used to send data
-        #
-        # Default: "http://localhost:9411/api/v1/spans"
-        #
-        httpEndpoint = "http://localhost:9411/api/v1/spans"
-    
-        # Enable Zipkin debug
-        #
-        # Default: false
-        #
-        debug = false
-    
-        # Use Zipkin SameSpan RPC style traces
-        #
-        # Default: false
-        #
-        sameSpan = false
-    
-        # Use Zipkin 128 bit root span IDs
-        #
-        # Default: true
-        #
-        id128Bit = true
-    
-        # The rate between 0.0 and 1.0 of requests to trace.
-        #
-        # Default: 1.0
-        #
-        sampleRate = 0.2
-    ```
-
-??? example "With DataDog"
-
-    ```toml
-    # Tracing definition
-    [tracing]
-      # Backend name used to send tracing data
-      #
-      # Default: "jaeger"
-      #
-      backend = "datadog"
-    
-      # Service name used in DataDog backend
-      #
-      # Default: "traefik"
-      #
-      serviceName = "traefik"
-      
-      # Span name limit allows for name truncation in case of very long Frontend/Backend names
-      # This can prevent certain tracing providers to drop traces that exceed their length limits
-      #
-      # Default: 0 - no truncation will occur
-      # 
-      spanNameLimit = 100
-    
-      [tracing.datadog]
-        # Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address
-        #
-        # Default: "127.0.0.1:8126"
-        #
-        localAgentHostPort = "127.0.0.1:8126"
-    
-        # Enable DataDog debug
-        #
-        # Default: false
-        #
-        debug = false
-    
-        # Apply shared tag in a form of Key:Value to all the traces
-        #
-        # Default: ""
-        #
-        globalTag = ""
-        
-        # Enable priority sampling. When using distributed tracing, this option must be enabled in order
-        # to get all the parts of a distributed trace sampled.
-        #
-        # Default: false
-        #
-        prioritySampling = false
-
-    ```
-    
-??? example "With Instana"
-
-    ```toml
-    # Tracing definition
-    [tracing]
-      # Backend name used to send tracing data
-      #
-      # Default: "jaeger"
-      #
-      backend = "instana"
-      # Service name used in Instana backend
-      #
-      # Default: "traefik"
-      #
-      serviceName = "traefik"
-      [tracing.instana]
-        # Local Agent Host instructs reporter to send spans to instana-agent at this address
-        #
-        # Default: "127.0.0.1"
-        #
-        localAgentHost = "127.0.0.1"
-        # Local Agent port instructs reporter to send spans to the instana-agent at this port
-        # 
-        # Default: 42699
-        #
-        localAgentPort = 42699
-        # Set Instana tracer log level
-        #
-        # Default: info
-        # Valid values for logLevel field are:
-        #   - error
-        #   - warn
-        #   - debug
-        #   - info
-        #
-        logLevel = "info"
-    ``` 
--- a/docs/content/observability/tracing/datadog.md
+++ b/docs/content/observability/tracing/datadog.md
@@ -0,0 +1,111 @@
+# DataDog
+
+To enable the DataDog:
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.dataDog]
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  dataDog: {}
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.datadog
+```
+
+#### `localAgentHostPort`
+
+_Required, Default="127.0.0.1:8126"_
+
+Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.dataDog]
+    localAgentHostPort = "127.0.0.1:8126"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  dataDog:
+    localAgentHostPort: 127.0.0.1:8126
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.datadog.localAgentHostPort="127.0.0.1:8126"
+```
+
+#### `debug`
+
+_Optional, Default=false_
+
+Enable DataDog debug.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.dataDog]
+    debug = true
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  dataDog:
+    debug: true
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.datadog.debug=true
+```
+
+#### `globalTag`
+
+_Optional, Default=empty_
+
+Apply shared tag in a form of Key:Value to all the traces.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.dataDog]
+    globalTag = "sample"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  dataDog:
+    globalTag: sample
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.datadog.globalTag="sample"
+```
+
+#### `prioritySampling`
+
+_Optional, Default=false_
+
+Enable priority sampling. When using distributed tracing,
+this option must be enabled in order to get all the parts of a distributed trace sampled.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.dataDog]
+    prioritySampling = true
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  dataDog:
+    prioritySampling: true
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.datadog.prioritySampling=true
+```
--- a/docs/content/observability/tracing/haystack.md
+++ b/docs/content/observability/tracing/haystack.md
@@ -0,0 +1,180 @@
+# Haystack
+
+To enable the Haystack:
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack: {}
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.haystack
+```
+
+#### `localAgentHost`
+
+_Require, Default="127.0.0.1"_
+
+Local Agent Host instructs reporter to send spans to haystack-agent at this address.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    localAgentHost = "127.0.0.1"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    localAgentHost: 127.0.0.1
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.haystack.localAgentHost="127.0.0.1"
+```
+
+#### `localAgentPort`
+
+_Require, Default=42699_
+
+Local Agent port instructs reporter to send spans to the haystack-agent at this port.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    localAgentPort = 42699
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    localAgentPort: 42699
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.haystack.localAgentPort=42699
+```
+
+#### `globalTag`
+
+_Optional, Default=empty_
+
+Apply shared tag in a form of Key:Value to all the traces.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    globalTag = "sample:test"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    globalTag: sample:test
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.haystack.globalTag="sample:test"
+```
+
+#### `traceIDHeaderName`
+
+_Optional, Default=empty_
+
+Specifies the header name that will be used to store the trace ID.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    traceIDHeaderName = "sample"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    traceIDHeaderName: sample
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.haystack.traceIDHeaderName="sample"
+```
+
+#### `parentIDHeaderName`
+
+_Optional, Default=empty_
+
+Specifies the header name that will be used to store the span ID.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    parentIDHeaderName = "sample"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    parentIDHeaderName: "sample"
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.haystack.parentIDHeaderName="sample"
+```
+
+#### `spanIDHeaderName`
+
+_Optional, Default=empty_
+
+Apply shared tag in a form of Key:Value to all the traces.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    spanIDHeaderName = "sample:test"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    spanIDHeaderName: "sample:test"
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.haystack.spanIDHeaderName=sample:test
+```
+
+#### `baggagePrefixHeaderName`
+
+_Optional, Default=empty_
+
+Specifies the header name prefix that will be used to store baggage items in a map.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.haystack]
+    baggagePrefixHeaderName = "sample"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  haystack:
+    baggagePrefixHeaderName: "sample"
+```
+
+
+```bash tab="CLI"
+--tracing
+--tracing.haystack.baggagePrefixHeaderName="sample"
+```
--- a/docs/content/observability/tracing/instana.md
+++ b/docs/content/observability/tracing/instana.md
@@ -0,0 +1,94 @@
+# Instana
+
+To enable the Instana:
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.instana]
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  instana: {}
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.instana
+```
+
+#### `localAgentHost`
+
+_Require, Default="127.0.0.1"_
+
+Local Agent Host instructs reporter to send spans to instana-agent at this address.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.instana]
+    localAgentHost = "127.0.0.1"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  instana:
+    localAgentHost: 127.0.0.1
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.instana.localAgentHost="127.0.0.1"
+```
+
+#### `localAgentPort`
+
+_Require, Default=42699_
+
+Local Agent port instructs reporter to send spans to the instana-agent at this port.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.instana]
+    localAgentPort = 42699
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  instana:
+    localAgentPort: 42699
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.instana.localAgentPort=42699
+```
+
+#### `logLevel`
+
+_Require, Default="info"_
+
+Set Instana tracer log level.
+
+Valid values for logLevel field are:
+
+- `error`
+- `warn`
+- `debug`
+- `info`
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.instana]
+    logLevel = "info"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  instana:
+    logLevel: info
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.instana.logLevel="info"
+```
--- a/docs/content/observability/tracing/jaeger.md
+++ b/docs/content/observability/tracing/jaeger.md
@@ -0,0 +1,267 @@
+# Jaeger
+
+To enable the Jaeger:
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger: {}
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.jaeger
+```
+
+!!! warning
+    Traefik is able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent)
+    or a [Jaeger collector](https://www.jaegertracing.io/docs/deployment/#collectors).
+
+#### `samplingServerURL`
+
+_Required, Default="http://localhost:5778/sampling"_
+
+Sampling Server URL is the address of jaeger-agent's HTTP sampling server.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    samplingServerURL = "http://localhost:5778/sampling"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    samplingServerURL: http://localhost:5778/sampling
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.jaeger.samplingServerURL="http://localhost:5778/sampling"
+```
+
+#### `samplingType`
+
+_Required, Default="const"_
+
+Sampling Type specifies the type of the sampler: `const`, `probabilistic`, `rateLimiting`.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    samplingType = "const"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    samplingType: const
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.jaeger.samplingType="const"
+```
+
+#### `samplingParam`
+
+_Required, Default=1.0_
+
+Sampling Param is a value passed to the sampler.
+
+Valid values for Param field are:
+
+- for `const` sampler, 0 or 1 for always false/true respectively
+- for `probabilistic` sampler, a probability between 0 and 1
+- for `rateLimiting` sampler, the number of spans per second
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    samplingParam = 1.0
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    samplingParam: 1.0
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.jaeger.samplingParam="1.0"
+```
+
+#### `localAgentHostPort`
+
+_Required, Default="127.0.0.1:6831"_
+
+Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    localAgentHostPort = "127.0.0.1:6831"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    localAgentHostPort: 127.0.0.1:6831
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.jaeger.localAgentHostPort="127.0.0.1:6831"
+```
+
+#### `gen128Bit`
+
+_Optional, Default=false_
+
+Generate 128-bit trace IDs, compatible with OpenCensus.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    gen128Bit = true
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    gen128Bit: true
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.jaeger.gen128Bit
+```
+
+#### `propagation`
+
+_Required, Default="jaeger"_
+
+Set the propagation header type.
+This can be either:
+
+- `jaeger`, jaeger's default trace header.
+- `b3`, compatible with OpenZipkin
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    propagation = "jaeger"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    propagation: jaeger
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.jaeger.propagation="jaeger"
+```
+
+#### `traceContextHeaderName`
+
+_Required, Default="uber-trace-id"_
+
+Trace Context Header Name is the http header name used to propagate tracing context.
+This must be in lower-case to avoid mismatches when decoding incoming headers.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger]
+    traceContextHeaderName = "uber-trace-id"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    traceContextHeaderName: uber-trace-id
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.jaeger.traceContextHeaderName="uber-trace-id"
+```
+
+### `collector`
+#### `endpoint`
+
+_Optional, Default=""_
+
+Collector Endpoint instructs reporter to send spans to jaeger-collector at this URL.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger.collector]
+    endpoint = "http://127.0.0.1:14268/api/traces?format=jaeger.thrift"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    collector:
+        endpoint: http://127.0.0.1:14268/api/traces?format=jaeger.thrift
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.jaeger.collector.endpoint="http://127.0.0.1:14268/api/traces?format=jaeger.thrift"
+```
+
+#### `user`
+
+_Optional, Default=""_
+
+User instructs reporter to include a user for basic http authentication when sending spans to jaeger-collector.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger.collector]
+    user = "my-user"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    collector:
+        user: my-user
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.jaeger.collector.user="my-user"
+```
+
+#### `password`
+
+_Optional, Default=""_
+
+Password instructs reporter to include a password for basic http authentication when sending spans to jaeger-collector.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.jaeger.collector]
+    password = "my-password"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  jaeger:
+    collector:
+        password: my-password
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.jaeger.collector.password="my-password"
+```
--- a/docs/content/observability/tracing/overview.md
+++ b/docs/content/observability/tracing/overview.md
@@ -0,0 +1,81 @@
+# Tracing
+
+Visualize the Requests Flow
+{: .subtitle }
+
+The tracing system allows developers to visualize call flows in their infrastructure.
+
+Traefik uses OpenTracing, an open standard designed for distributed tracing.
+
+Traefik supports five tracing backends:
+
+- [Jaeger](./jaeger.md)
+- [Zipkin](./zipkin.md)
+- [DataDog](./datadog.md)
+- [Instana](./instana.md)
+- [Haystack](./haystack.md)
+
+## Configuration
+
+By default, Traefik uses Jaeger as tracing backend.
+
+To enable the tracing:
+
+```toml tab="File (TOML)"
+[tracing]
+```
+
+```yaml tab="File (YAML)"
+tracing: {}
+```
+
+```bash tab="CLI"
+--tracing
+```
+
+### Common Options
+
+#### `serviceName`
+
+_Required, Default="traefik"_
+
+Service name used in selected backend.
+
+```toml tab="File (TOML)"
+[tracing]
+  serviceName = "traefik"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  serviceName: traefik
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.serviceName="traefik"
+```
+
+#### `spanNameLimit`
+
+_Required, Default=0_
+
+Span name limit allows for name truncation in case of very long names.
+This can prevent certain tracing providers to drop traces that exceed their length limits.
+
+`0` means no truncation will occur.
+
+```toml tab="File (TOML)"
+[tracing]
+  spanNameLimit = 150
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  spanNameLimit: 150
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.spanNameLimit=150
+```
--- a/docs/content/observability/tracing/zipkin.md
+++ b/docs/content/observability/tracing/zipkin.md
@@ -0,0 +1,133 @@
+# Zipkin
+
+To enable the Zipkin:
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.zipkin]
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  zipkin: {}
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.zipkin
+```
+
+#### `httpEndpoint`
+
+_Required, Default="http://localhost:9411/api/v1/spans"_
+
+Zipkin HTTP endpoint used to send data.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.zipkin]
+    httpEndpoint = "http://localhost:9411/api/v1/spans"
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  zipkin:
+    httpEndpoint: http://localhost:9411/api/v1/spans
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.zipkin.httpEndpoint="http://localhost:9411/api/v1/spans"
+```
+
+#### `debug`
+
+_Optional, Default=false_
+
+Enable Zipkin debug.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.zipkin]
+    debug = true
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  zipkin:
+    debug: true
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.zipkin.debug=true
+```
+
+#### `sameSpan`
+
+_Optional, Default=false_
+
+Use Zipkin SameSpan RPC style traces.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.zipkin]
+    sameSpan = true
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  zipkin:
+    sameSpan: true
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.zipkin.sameSpan=true
+```
+
+#### `id128Bit`
+
+_Optional, Default=true_
+
+Use Zipkin 128 bit root span IDs.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.zipkin]
+    id128Bit = false
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  zipkin:
+    id128Bit: false
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.zipkin.id128Bit=false
+```
+
+#### `sampleRate`
+
+_Required, Default=1.0_
+
+The rate between 0.0 and 1.0 of requests to trace.
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.zipkin]
+    sampleRate = 0.2
+```
+
+```yaml tab="File (YAML)"
+tracing:
+  zipkin:
+    sampleRate: 0.2
+```
+
+```bash tab="CLI"
+--tracing
+--tracing.zipkin.sampleRate="0.2"
+```
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -1,5 +1,8 @@
 # API

+!!! important
+    In the beta version, you can't configure middlewares (basic authentication or white listing) anymore, but as security is important, this will change before the RC version.
+
 Traefik exposes a number of information through an API handler, such as the configuration of all routers, services, middlewares, etc.

 As with all features of Traefik, this handler can be enabled with the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
@@ -14,14 +17,14 @@ In production, it should be at least secured by authentication and authorization
 A good sane default (non exhaustive) set of recommendations
 would be to apply the following protection mechanisms:

-* At the application level:  
-  securing with middlewares such as [basic authentication](../middlewares/basicauth.md) or [white listing](../middlewares/ipwhitelist.md).
-
 * At the transport level:  
  NOT publicly exposing the API's port,
  keeping it restricted to internal networks
  (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).

+!!! important
+    In the beta version, you can't configure middlewares (basic authentication or white listing) anymore, but as security is important, this will change before the RC version.
+
 ## Configuration

 To enable the API handler:
@@ -49,37 +52,6 @@ Enable the dashboard. More about the dashboard features [here](./dashboard.md).
 --api.dashboard
 ```

-### `entrypoint`
-
-_Optional, Default="traefik"_
-
-The entry point that the API handler will be bound to.
-The default ("traefik") is an internal entry point (which is always defined).
-
-```toml tab="File"
-[api]
-  entrypoint = "web"
-```
-
-```bash tab="CLI"
--api.entrypoint="web"
-```
-
-### `middlewares`
-
-_Optional, Default=empty_
-
-The list of [middlewares](../middlewares/overview.md) applied to the API handler.
-
-```toml tab="File"
-[api]
-  middlewares = ["api-auth", "api-prefix"]
-```
-
-```bash tab="CLI"
--api.middlewares="api-auth,api-prefix"
-```
-
 ### `debug`

 _Optional, Default=false_
@@ -111,6 +83,8 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                            |
 | `/api/tcp/services`            | Lists all the TCP services information.                                                   |
 | `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                           |
+| `/api/entrypoints`             | Lists all the entry points information.                                                   |
+| `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                           |
 | `/api/version`                 | Returns information about Traefik version.                                                |
 | `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                        |
 | `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.     |
@@ -118,51 +92,3 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation. |
 | `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.   |
 | `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.     |
-
-## Common Configuration Use Cases
-
-### Address / Port
-
-You can define a custom address/port like this:
-
-```toml
-[entryPoints]
-  [entryPoints.web]
-  address = ":80"
-
-  [entryPoints.foo]
-  address = ":8082"
-
-  [entryPoints.bar]
-  address = ":8083"
-
-[ping]
-entryPoint = "foo"
-
-[api]
-entryPoint = "bar"
-```
-
-In the above example, you would access a service at /foo, an api endpoint, or the health-check as follows:
-
-* Service: `http://hostname:80/foo`
-* API: `http://hostname:8083/api/http/routers`
-* Ping URL: `http://hostname:8082/ping`
-
-### Authentication
-
-To restrict access to the API handler, one can add authentication with the [basic auth middleware](../middlewares/basicauth.md).
-
-```toml
-[api]
-  middlewares=["api-auth"]
-```
-
-```toml
-[http.middlewares]
-  [http.middlewares.api-auth.basicauth]
-  users = [
-    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
-  ]
-```
--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@@ -10,13 +10,13 @@ The dashboard is the central place that shows you the current active routes hand
    Therefore, the dashboard is currently not working.

 <figure>
-   <img src="../../assets/img/dashboard-main.png" alt="Dashboard - Providers" />
-   <figcaption>The dashboard in action with Traefik listening to 3 different providers</figcaption>
+    <img src="../../assets/img/dashboard-main.png" alt="Dashboard - Providers" />
+    <figcaption>The dashboard in action with Traefik listening to 3 different providers</figcaption>
 </figure>

 <figure>
-   <img src="../../assets/img/dashboard-health.png" alt="Dashboard - Health" />
-   <figcaption>The dashboard shows the health of the system.</figcaption>
+    <img src="../../assets/img/dashboard-health.png" alt="Dashboard - Health" />
+    <figcaption>The dashboard shows the health of the system.</figcaption>
 </figure>

 By default, the dashboard is available on `/` on port `:8080`.
--- a/docs/content/operations/ping.md
+++ b/docs/content/operations/ping.md
@@ -11,26 +11,10 @@ Checking the Health of Your Traefik Instances
    [ping]
    ```

-??? example "Enabling /ping on a dedicated EntryPoint"
-    
-    ```toml
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-      
-      [entryPoints.ping]
-        address = ":8082"
-    
-    [ping]
-        entryPoint = "ping"
-    ```
-
 | Path    | Method        | Description                                                                                         |
 |---------|---------------|-----------------------------------------------------------------------------------------------------|
 | `/ping` | `GET`, `HEAD` | A simple endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |

 ## Configuration Options

-The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
-
-You can customize the `entryPoint` where the `/ping` is active with the `entryPoint` option (default value: `traefik`)
+The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -15,10 +15,18 @@ Attach labels to your containers and let Traefik do the rest!
 ??? example "Configuring Docker & Deploying / Exposing Services"

    Enabling the docker provider
-
-    ```toml
+    
+    ```toml tab="File (TOML)"
    [providers.docker]
-    endpoint = "unix:///var/run/docker.sock"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      docker: {}
+    ```
+    
+    ```bash tab="CLI"
+    --providers.docker
    ```

    Attaching labels to containers (in your docker compose file)
@@ -36,13 +44,28 @@ Attach labels to your containers and let Traefik do the rest!

    Enabling the docker provider (Swarm Mode)

-    ```toml
+    ```toml tab="File (TOML)"
    [providers.docker]
-    # swarm classic (1.12-)
-    # endpoint = "tcp://127.0.0.1:2375"
-    # docker swarm mode (1.12+)
-    endpoint = "tcp://127.0.0.1:2377"
-    swarmMode = true
+      # swarm classic (1.12-)
+      # endpoint = "tcp://127.0.0.1:2375"
+      # docker swarm mode (1.12+)
+      endpoint = "tcp://127.0.0.1:2377"
+      swarmMode = true
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        # swarm classic (1.12-)
+        # endpoint = "tcp://127.0.0.1:2375"
+        # docker swarm mode (1.12+)
+        endpoint: "tcp://127.0.0.1:2375"
+        swarmMode: true
+    ```
+    
+    ```bash tab="CLI"
+    --providers.docker.endpoint="tcp://127.0.0.1:2375"
+    --providers.docker.swarmMode
    ```

    Attach labels to services (not to containers) while in Swarm mode (in your docker compose file)
@@ -67,6 +90,23 @@ Attach labels to your containers and let Traefik do the rest!

 ### `endpoint`

+_Required, Default="unix:///var/run/docker.sock"_
+
+```toml tab="File (TOML)"
+[providers.docker]
+  endpoint = "unix:///var/run/docker.sock"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+```
+
+```bash tab="CLI"
+--providers.docker.endpoint="unix:///var/run/docker.sock"
+```
+
 Traefik requires access to the docker socket to get its dynamic configuration.

 ??? warning "Security Notes"
@@ -94,14 +134,10 @@ Traefik requires access to the docker socket to get its dynamic configuration.
    It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:

    - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/https/)
-
    - Authorization with the [Docker Authorization Plugin Mechanism](https://docs.docker.com/engine/extend/plugins_authorization/)
-
    - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
-
    - Accounting at container level, by exposing the socket on a another container than Traefik's.
      With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
-
    - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).

    ??? tip "Additional Resources"
@@ -133,19 +169,48 @@ Traefik requires access to the docker socket to get its dynamic configuration.

    We specify the docker.sock in traefik's configuration file.

-    ```toml
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      endpoint = "unix:///var/run/docker.sock"
+      # ...
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        endpoint: "unix:///var/run/docker.sock"
+         # ...
+    ```
+    
+    ```bash tab="CLI"
+    --providers.docker.endpoint="unix:///var/run/docker.sock"
    # ...
-    [providers]
-       [providers.docker]
-          endpoint = "unix:///var/run/docker.sock"
    ```

-### `usebindportip`
+### `useBindPortIP`

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.docker]
+  useBindPortIP = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    useBindPortIP: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.useBindPortIP=true
+# ...
+```
+
 Traefik routes requests to the IP/Port of the matching container.
-When setting `usebindportip=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
+When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.

 When used in conjunction with the `traefik.http.services.XXX.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
 Traefik tries to find a binding on port `traefik.http.services.XXX.loadbalancer.server.port`.
@@ -171,12 +236,50 @@ but still uses the `traefik.http.services.XXX.loadbalancer.server.port` that is

 _Optional, Default=true_

+```toml tab="File (TOML)"
+[providers.docker]
+  exposedByDefault = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    exposedByDefault: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.exposedByDefault=false
+# ...
+```
+
 Expose containers by default through Traefik.
 If set to false, containers that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.

+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ### `network`

-_Optional_
+_Optional, Default=empty_
+
+```toml tab="File (TOML)"
+[providers.docker]
+  network = "test"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    network: test
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.network=test
+# ...
+```

 Defines a default docker network to use for connections to all containers.

@@ -186,39 +289,100 @@ This option can be overridden on a container basis with the `traefik.docker.netw

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

+```toml tab="File (TOML)"
+[providers.docker]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+# ...
+```
+
 For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
 It must be a valid [Go template](https://golang.org/pkg/text/template/),
 augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
 The container service name can be accessed as the `Name` identifier,
 and the template has access to all the labels defined on this container.

-```toml tab="File"
-[providers.docker]
-defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-# ...
-```
-
-```txt tab="CLI"
--providers.docker
--providers.docker.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-```
-
 ### `swarmMode`

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.docker]
+  swarmMode = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    swarmMode: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.swarmMode
+# ...
+```
+
 Activates the Swarm Mode.

 ### `swarmModeRefreshSeconds`

 _Optional, Default=15_

+```toml tab="File (TOML)"
+[providers.docker]
+  swarmModeRefreshSeconds = "30s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    swarmModeRefreshSeconds: "30s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.swarmModeRefreshSeconds=30s
+# ...
+```
+
 Defines the polling interval (in seconds) in Swarm Mode.

 ### `constraints`

 _Optional, Default=""_

+```toml tab="File (TOML)"
+[providers.docker]
+  constraints = "Label(`a.label.name`, `foo`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    constraints: "Label(`a.label.name`, `foo`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.constraints="Label(`a.label.name`, `foo`)"
+# ...
+```
+
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
 That is to say, if none of the container's labels match the expression, no route for the container is created.
 If the expression is empty, all detected containers are included.
@@ -257,6 +421,8 @@ The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp(
    constraints = "LabelRegexp(`a.label.name`, `a.+`)"
    ```

+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ## Routing Configuration Options

 ### General
--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@@ -3,10 +3,9 @@
 Good Old Configuration File
 {: .subtitle } 

-The file provider lets you define the [dynamic configuration](./overview.md) in a `toml` file.
+The file provider lets you define the [dynamic configuration](./overview.md) in a TOML or YAML file.
 You can write these configuration elements:

-* At the end of the main Traefik configuration file (by default: `traefik.toml`).
 * In [a dedicated file](#filename)
 * In [several dedicated files](#directory)

@@ -20,10 +19,26 @@ You can write these configuration elements:

 ??? example "Declaring Routers, Middlewares & Services"

-    ``` toml
-    # Enabling the file provider
-    [providers.file]
+    Enabling the file provider:
    
+    ```toml tab="File (TOML)"
+    [providers.file]
+      filename = "/my/path/to/dynamic-conf.toml"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      file:
+        filename: "/my/path/to/dynamic-conf.yml"
+    ```
+    
+    ```bash tab="CLI"
+    --providers.file.filename=/my/path/to/dynamic_conf.toml
+    ```
+    
+    Declaring Routers, Middlewares & Services:
+    
+    ```toml tab="TOML"
    [http]
      # Add the router
      [http.routers]
@@ -35,7 +50,7 @@ You can write these configuration elements:
    
        # Add the middleware
        [http.middlewares]    
-          [http.middlewares.my-basic-auth.BasicAuth]
+          [http.middlewares.my-basic-auth.basicAuth]
            users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
                      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
            usersFile = "etc/traefik/.htpasswd"
@@ -43,12 +58,43 @@ You can write these configuration elements:
        # Add the service
        [http.services]
          [http.services.service-foo]
-            [http.services.service-foo.LoadBalancer]
-              [[http.services.service-foo.LoadBalancer.Servers]]
+            [http.services.service-foo.loadBalancer]
+              [[http.services.service-foo.loadBalancer.servers]]
                url = "http://foo/"
-              [[http.services.service-foo.LoadBalancer.Servers]]
+              [[http.services.service-foo.loadBalancer.servers]]
                url = "http://bar/"
    ```
+    
+    ```yaml tab="YAML"
+    http:
+      # Add the router
+      routers:
+        router0:
+          entryPoints:
+          - web
+          middlewares:
+          - my-basic-auth
+          service: service-foo
+          rule: Path(`foo`)
+      
+      # Add the middleware
+      middlewares:
+        my-basic-auth:
+          basicAuth:
+            users:
+            - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
+            - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
+            usersFile: etc/traefik/.htpasswd
+      
+      # Add the service
+      services:
+        service-foo:
+          loadBalancer:
+            servers:
+            - url: http://foo/
+            - url: http://bar/
+            passHostHeader: false
+    ```

 ## Provider Configuration Options

@@ -61,10 +107,20 @@ _Optional_

 Defines the path of the configuration file.

-```toml
+```toml tab="File (TOML)"
 [providers]
  [providers.file]
-    filename = "rules.toml"
+    filename = "dynamic_conf.toml"
+```
+
+```yaml tab="File (YAML)"
+providers:
+  file:
+    filename: dynamic_conf.yml
+```
+
+```bash tab="CLI"
+--providers.file.filename=dynamic_conf.toml
 ```

 ### `directory`
@@ -73,12 +129,22 @@ _Optional_

 Defines the directory that contains the configuration files.

-```toml
+```toml tab="File (TOML)"
 [providers]
  [providers.file]
    directory = "/path/to/config"
 ```

+```yaml tab="File (YAML)"
+providers:
+  file:
+    directory: /path/to/config
+```
+
+```bash tab="CLI"
+--providers.file.directory=/path/to/config
+```
+
 ### `watch`

 _Optional_
@@ -86,24 +152,37 @@ _Optional_
 Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.  
 It works with both the `filename` and the `directory` options.

-```toml
+```toml tab="File (TOML)"
 [providers]
  [providers.file]
-    filename = "rules.toml"
+    filename = "dynamic_conf.toml"
    watch = true
 ```

-### TOML Templating
+```yaml tab="File (YAML)"
+providers:
+  file:
+    filename: dynamic_conf.yml
+    watch: true
+```
+
+```bash tab="CLI"
+--providers.file.filename=dynamic_conf.toml
+--providers.file.watch=true
+```
+
+### Go Templating

 !!! warning
-    TOML templating only works along with dedicated configuration files. Templating does not work in the Traefik main configuration file.
+    Go Templating only works along with dedicated configuration files.
+    Templating does not work in the Traefik main configuration file.

-Traefik allows using TOML templating.  
+Traefik allows using Go templating.  
 Thus, it's possible to define easily lot of routers, services and TLS certificates as described in the file `template-rules.toml` :

 ??? example "Configuring Using Templating"
-
-    ```toml
+    
+    ```toml tab="TOML"
    # template-rules.toml
    [http]
    
@@ -114,7 +193,7 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
      {{ end }}  
      
      
-      [http.Services]
+      [http.services]
      {{ range $i, $e := until 100 }}
          [http.services.service{{ $e }}]
          # ...
@@ -129,23 +208,62 @@ Thus, it's possible to define easily lot of routers, services and TLS certificat
      {{ end }}  
      
      
-      [tcp.Services]
+      [tcp.services]
      {{ range $i, $e := until 100 }}
          [http.services.service{{ $e }}]
          # ...
      {{ end }}  
    
    {{ range $i, $e := until 10 }}
-    [[TLS]]
-      Store = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
-      [TLS.Certificate]
-        CertFile = "/etc/traefik/cert-{{ $e }}.pem"
-        KeyFile = "/etc/traefik/cert-{{ $e }}.key"
+    [[tls.certificates]]
+      certFile = "/etc/traefik/cert-{{ $e }}.pem"
+      keyFile = "/etc/traefik/cert-{{ $e }}.key"
+      store = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
    {{ end }}
    
-    [TLSConfig]
+    [tls.config]
    {{ range $i, $e := until 10 }}
-      [TLSConfig.TLS{{ $e }}]
+      [tls.config.TLS{{ $e }}]
      # ...
    {{ end }}
    ```
+    
+    ```yaml tab="YAML"
+    http:
+    
+    {{range $i, $e := until 100 }}
+      routers:
+        router{{ $e }:
+          # ...
+    {{end}}
+    
+    {{range $i, $e := until 100 }}
+      services:
+        application{{ $e }}:
+          # ...
+    {{end}}
+    
+    tcp:
+    
+    {{range $i, $e := until 100 }}
+      routers:
+        router{{ $e }:
+          # ...
+    {{end}}
+    
+    {{range $i, $e := until 100 }}
+      services:
+        service{{ $e }}:
+          # ...
+    {{end}}
+    
+    {{ range $i, $e := until 10 }}
+    tls:
+      certificates:
+      - certFile: "/etc/traefik/cert-{{ $e }}.pem"
+        keyFile: "/etc/traefik/cert-{{ $e }}.key"
+        store:
+        - "my-store-foo-{{ $e }}"
+        - "my-store-bar-{{ $e }}"
+    {{end}}
+    ```
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -3,12 +3,7 @@
 The Kubernetes Ingress Controller, The Custom Resource Way.
 {: .subtitle }

-<!--
- TODO (Link "Kubernetes Ingress controller" to ./kubernetes-ingress.md)
- -->
-
-The Traefik Kubernetes provider used to be a Kubernetes Ingress controller in the strict sense of the term; that is to say,
-it would manage access to a cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
+Traefik used to support Kubernetes only through the [Kubernetes Ingress provider](./kubernetes-ingress.md), which is a Kubernetes Ingress controller in the strict sense of the term.

 However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
 we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
@@ -19,6 +14,23 @@ we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/co

 _Optional, Default=empty_

+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  endpoint = "http://localhost:8080"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    endpoint = "http://localhost:8080"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.endpoint="http://localhost:8080"
+```
+
 The Kubernetes server endpoint as URL.

 When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
@@ -32,109 +44,130 @@ When the environment variables are not found, Traefik will try to connect to the
 In this case, the endpoint is required.
 Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.

-```toml tab="File"
-[Providers.KubernetesCRD]
-  endpoint = "http://localhost:8080"
-  # ...
-```
-
-```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.endpoint="http://localhost:8080"
-```
-
 ### `token`

 _Optional, Default=empty_

-Bearer token used for the Kubernetes client configuration.
-
-```toml tab="File"
-[Providers.KubernetesCRD]
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
  token = "mytoken"
  # ...
 ```

-```txt tab="CLI"
--providers.kubernetescrd
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    token = "mytoken"
+    # ...
+```
+
+```bash tab="CLI"
 --providers.kubernetescrd.token="mytoken"
 ```

+Bearer token used for the Kubernetes client configuration.
+
 ### `certAuthFilePath`

 _Optional, Default=empty_

-Path to the certificate authority file.
-Used for the Kubernetes client configuration.
-
-```toml tab="File"
-[Providers.KubernetesCRD]
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
  certAuthFilePath = "/my/ca.crt"
  # ...
 ```

-```txt tab="CLI"
--providers.kubernetescrd
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    certAuthFilePath: "/my/ca.crt"
+    # ...
+```
+
+```bash tab="CLI"
 --providers.kubernetescrd.certauthfilepath="/my/ca.crt"
 ```

+Path to the certificate authority file.
+Used for the Kubernetes client configuration.
+
 ### `namespaces`

 _Optional, Default: all namespaces (empty array)_

-Array of namespaces to watch.
-
-```toml tab="File"
-[Providers.KubernetesCRD]
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
  namespaces = ["default", "production"]
  # ...
 ```

-```txt tab="CLI"
--providers.kubernetescrd
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    namespaces:
+    - "default"
+    - "production"
+    # ...
+```
+
+```bash tab="CLI"
 --providers.kubernetescrd.namespaces="default,production"
 ```

+Array of namespaces to watch.
+
 ### `labelselector`

 _Optional,Default: empty (process all Ingresses)_

+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  labelselector = "A and not B"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    labelselector: "A and not B"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.labelselector="A and not B"
+```
+
 By default, Traefik processes all Ingress objects in the configured namespaces.
 A label selector can be defined to filter on specific Ingress objects only.

 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.

-```toml tab="File"
-[Providers.KubernetesCRD]
-  labelselector = "A and not B"
-  # ...
-```
-
-```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.labelselector="A and not B"
-```
-
 ### `ingressClass`

 _Optional, Default: empty_

+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  ingressClass = "traefik-internal"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    ingressClass: "traefik-internal"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.ingressclass="traefik-internal"
+```
+
 Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.

 If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
 Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.

-```toml tab="File"
-[Providers.KubernetesCRD]
-  ingressClass = "traefik-internal"
-  # ...
-```
-
-```txt tab="CLI"
--providers.kubernetescrd
--providers.kubernetescrd.ingressclass="traefik-internal"
-```
-
 ## Resource Configuration

 If you're in a hurry, maybe you'd rather go through the [dynamic](../reference/dynamic-configuration/kubernetes-crd.md) configuration reference.
@@ -203,6 +236,7 @@ apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: stripprefix
+  namespace: foo

 spec:
  stripPrefix:
@@ -226,13 +260,21 @@ spec:
      port: 80
    middlewares:
    - name: stripprefix
+      namespace: foo
 ```

+!!! important "Cross-provider namespace"
+
+	As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource
+(in the reference to the middleware) with the [provider namespace](../middlewares/overview.md#provider-namespace),
+when the definition of the middleware is from another provider.
+In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored.
+
 More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md).

-### Traefik TLS Option Definition
+### TLS Option

-Additionally, to allow for the use of tls options in an IngressRoute, we defined the CRD below for the TLSOption kind.
+Additionally, to allow for the use of TLS options in an IngressRoute, we defined the CRD below for the TLSOption kind.
 More information about TLS Options is available in the dedicated [TLS Configuration Options](../../https/tls/#tls-options).

 ```yaml
@@ -249,7 +291,7 @@ metadata:
  namespace: default

 spec:
-  minversion: VersionTLS12
+  minVersion: VersionTLS12

 ---
 apiVersion: traefik.containo.us/v1alpha1
@@ -272,9 +314,15 @@ spec:
      namespace: default
 ```

-!!! note "TLS Option reference and namespace"
+!!! important "References and namespaces"
+
    If the optional `namespace` attribute is not set, the configuration will be applied with the namespace of the IngressRoute.

+	Additionally, when the definition of the TLS option is from another provider,
+the cross-provider syntax (`middlewarename@provider`) should be used to refer to the TLS option,
+just as in the [middleware case](../middlewares/overview.md#provider-namespace).
+Specifying a namespace attribute in this case would not make any sense, and will be ignored.
+
 ### TLS

 To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute`:
--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -1,6 +1,310 @@
 # Traefik & Kubernetes

-Kubernetes Ingress.
+The Kubernetes Ingress Controller.
 {: .subtitle }

-TODO
+The Traefik Kubernetes Ingress provider is a Kubernetes Ingress controller; that is to say,
+it manages access to a cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
+
+## Enabling and using the provider
+
+As usual, the provider is enabled through the static configuration:
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress: {}
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress
+```
+
+The provider then watches for incoming ingresses events, such as the example below, and derives the corresponding dynamic configuration from it, which in turn will create the resulting routers, services, handlers, etc.
+
+```yaml tab="File (YAML)"
+kind: Ingress
+apiVersion: extensions/v1beta1
+metadata:
+  name: "foo"
+  namespace: production
+
+spec:
+  rules:
+  - host: foo.com
+    http:
+      paths:
+      - path: /bar
+        backend:
+          serviceName: service1
+          servicePort: 80
+      - path: /foo
+        backend:
+          serviceName: service1
+          servicePort: 80
+```
+
+## Provider Configuration Options
+
+!!! tip "Browse the Reference"
+    If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration/overview.md) configuration reference.
+
+### `endpoint`
+
+_Optional, Default=empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  endpoint = "http://localhost:8080"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    endpoint = "http://localhost:8080"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.endpoint="http://localhost:8080"
+```
+
+The Kubernetes server endpoint as URL, which is only used when the behavior based on environment variables described below does not apply.
+
+When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
+
+The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+They are both provided automatically as mounts in the pod where Traefik is deployed.
+
+When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
+In which case, the endpoint is required.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
+
+### `token`
+
+_Optional, Default=empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  token = "mytoken"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    token = "mytoken"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.token="mytoken"
+```
+
+Bearer token used for the Kubernetes client configuration.
+
+### `certAuthFilePath`
+
+_Optional, Default=empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  certAuthFilePath = "/my/ca.crt"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    certAuthFilePath: "/my/ca.crt"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.certauthfilepath="/my/ca.crt"
+```
+
+Path to the certificate authority file.
+Used for the Kubernetes client configuration.
+
+### `disablePassHostHeaders`
+
+_Optional, Default=false_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  disablePassHostHeaders = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    disablePassHostHeaders: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.disablepasshostheaders=true
+```
+
+Whether to disable PassHost Headers.
+
+### `namespaces`
+
+_Optional, Default: all namespaces (empty array)_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  namespaces = ["default", "production"]
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    namespaces:
+    - "default"
+    - "production"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.namespaces="default,production"
+```
+
+Array of namespaces to watch.
+
+### `labelSelector`
+
+_Optional,Default: empty (process all Ingresses)_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  labelSelector = "A and not B"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    labelselector: "A and not B"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.labelselector="A and not B"
+```
+
+By default, Traefik processes all Ingress objects in the configured namespaces.
+A label selector can be defined to filter on specific Ingress objects only.
+
+See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
+
+### `ingressClass`
+
+_Optional, Default: empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  ingressClass = "traefik-internal"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    ingressClass: "traefik-internal"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.ingressclass="traefik-internal"
+```
+
+Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
+
+If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
+Otherwise, Ingresses missing the annotation, having an empty value, or with the value `traefik` are processed.
+
+### `ingressEndpoint`
+
+#### `hostname`
+
+_Optional, Default: empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress.ingressEndpoint]
+  hostname = "foo.com"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    ingressEndpoint:
+      hostname: "foo.com"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.ingressendpoint.hostname="foo.com"
+```
+
+Hostname used for Kubernetes Ingress endpoints.
+
+#### `ip`
+
+_Optional, Default: empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress.ingressEndpoint]
+  ip = "1.2.3.4"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    ingressEndpoint:
+      ip: "1.2.3.4"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.ingressendpoint.ip="1.2.3.4"
+```
+
+IP used for Kubernetes Ingress endpoints.
+
+#### `publishedService`
+
+_Optional, Default: empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress.ingressEndpoint]
+  publishedService = "foo-service"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    ingressEndpoint:
+      publishedService: "foo-service"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.ingressendpoint.publishedservice="foo-service"
+```
+
+Published Kubernetes Service to copy status from.
+
+## Further
+
+If one wants to know more about the various aspects of the Ingress spec that Traefik supports, many examples of Ingresses definitions are located in the tests [data](https://github.com/containous/traefik/tree/v2.0/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
--- a/docs/content/providers/marathon.md
+++ b/docs/content/providers/marathon.md
@@ -11,14 +11,17 @@ See also [Marathon user guide](../user-guides/marathon.md).

    Enabling the marathon provider

-    ```toml tab="File"
+    ```toml tab="File (TOML)"
    [providers.marathon]
-    endpoint = "http://127.0.0.1:8080"
    ```
    
-    ```txt tab="CLI"
+    ```yaml tab="File (YAML)"
+    providers:
+      marathon: {}
+    ```
+    
+    ```bash tab="CLI"
    --providers.marathon
-    --providers.marathon.endpoint="http://127.0.0.1:8080"
    ```

    Attaching labels to marathon applications
@@ -55,43 +58,74 @@ See also [Marathon user guide](../user-guides/marathon.md).

 _Optional_

-Enables Marathon basic authentication.
-
-```toml tab="File"
-[marathon.basic]
-httpBasicAuthUser = "foo"
-httpBasicPassword = "bar"
+```toml tab="File (TOML)"
+[providers.marathon.basic]
+  httpBasicAuthUser = "foo"
+  httpBasicPassword = "bar"
 ```

-```txt tab="CLI"
--providers.marathon
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    basic:
+      httpBasicAuthUser: foo
+      httpBasicPassword: bar
+```
+
+```bash tab="CLI"
 --providers.marathon.basic.httpbasicauthuser="foo"
 --providers.marathon.basic.httpbasicpassword="bar"
 ```

+Enables Marathon basic authentication.
+
 ### `dcosToken`

 _Optional_

+```toml tab="File (TOML)"
+[providers.marathon]
+  dcosToken = "xxxxxx"
+  # ...
+```
+
+```toml tab="File (YAML)"
+providers:
+  marathon:
+    dcosToken: "xxxxxx"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.dcosToken="xxxxxx"
+```
+
 DCOSToken for DCOS environment.

 If set, it overrides the Authorization header.

-```toml tab="File"
-[providers.marathon]
-dcosToken = "xxxxxx"
-# ...
-```
-
-```txt tab="CLI"
--providers.marathon
--providers.marathon.dcosToken="xxxxxx"
-```
-
 ### `defaultRule`

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

+```toml tab="File (TOML)"
+[providers.marathon]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+# ...
+```
+
 For a given application if no routing rule was defined by a label, it is defined by this defaultRule instead.

 It must be a valid [Go template](https://golang.org/pkg/text/template/),
@@ -100,21 +134,27 @@ augmented with the [sprig template functions](http://masterminds.github.io/sprig
 The app ID can be accessed as the Name identifier,
 and the template has access to all the labels defined on this Marathon application.

-```toml tab="File"
-[providers.marathon]
-defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-# ...
-```
-
-```txt tab="CLI"
--providers.marathon
--providers.marathon.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-```
-
 ### `dialerTimeout`

 _Optional, Default=5s_

+```toml tab="File (TOML)"
+[providers.marathon]
+  dialerTimeout = "10s"
+  # ...
+```
+
+```toml tab="File (YAML)"
+providers:
+  marathon:
+    dialerTimeout: "10s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.dialerTimeout=10s
+```
+
 Overrides DialerTimeout.

 Amount of time the Marathon provider should wait before timing out,
@@ -127,33 +167,77 @@ or directly as a number of seconds.

 _Optional, Default=http://127.0.0.1:8080_

+```toml tab="File (TOML)"
+[providers.marathon]
+  endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
+  # ...
+```
+
+```toml tab="File (YAML)"
+providers:
+  marathon:
+    endpoint: "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.endpoint="http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
+```
+
 Marathon server endpoint.

 You can optionally specify multiple endpoints:

-```toml tab="File"
-[providers.marathon]
-endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
-# ...
-```
-
-```txt tab="CLI"
--providers.marathon
--providers.marathon.endpoint="http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
-```
-
 ### `exposedByDefault`

 _Optional, Default=true_

+```toml tab="File (TOML)"
+[providers.marathon]
+  exposedByDefault = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    exposedByDefault: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.exposedByDefault=false
+# ...
+```
+
 Exposes Marathon applications by default through Traefik.

 If set to false, applications that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.

+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ### `constraints`

 _Optional, Default=""_

+```toml tab="File (TOML)"
+[providers.marathon]
+  constraints = "Label(`a.label.name`, `foo`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    constraints: "Label(`a.label.name`, `foo`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.constraints="Label(`a.label.name`, `foo`)"
+# ...
+```
+
 Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
 That is to say, if none of the application's labels match the expression, no route for the application is created.
 In addition, the expression also matched against the application's constraints, such as described in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
@@ -204,10 +288,30 @@ In addition, to match against marathon constraints, the function `MarathonConstr
    constraints = "MarathonConstraint(`A:B:C`) && Label(`a.label.name`, `value`)"
    ```

+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ### `forceTaskHostname`

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.marathon]
+  forceTaskHostname = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    forceTaskHostname: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.forceTaskHostname=true
+# ...
+```
+
 By default, a task's IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
 otherwise, the name of the host running the task is used.
 The latter behavior can be enforced by enabling this switch.
@@ -216,6 +320,24 @@ The latter behavior can be enforced by enabling this switch.

 _Optional, Default=10s_

+```toml tab="File (TOML)"
+[providers.marathon]
+  keepAlive = "30s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    keepAlive: "30s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.keepAlive=30s
+# ...
+```
+
 Set the TCP Keep Alive interval for the Marathon HTTP Client.
 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
 or directly as a number of seconds.
@@ -224,6 +346,24 @@ or directly as a number of seconds.

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.marathon]
+  respectReadinessChecks = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    respectReadinessChecks: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.respectReadinessChecks=true
+# ...
+```
+
 Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
 Enabling respectReadinessChecks causes Traefik to filter out tasks whose readiness checks have not succeeded.
 Note that the checks are only valid at deployment times.
@@ -234,6 +374,24 @@ See the Marathon guide for details.

 _Optional, Default=60s_

+```toml tab="File (TOML)"
+[providers.marathon]
+  responseHeaderTimeout = "66s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    responseHeaderTimeout: "66s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.responseHeaderTimeout="66s"
+# ...
+```
+
 Overrides ResponseHeaderTimeout.
 Amount of time the Marathon provider should wait before timing out,
 when waiting for the first response header from a Marathon master.
@@ -244,29 +402,57 @@ Can be provided in a format supported by [time.ParseDuration](https://golang.org

 _Optional_

-TLS client configuration. [tls/#Config](https://golang.org/pkg/crypto/tls/#Config).
-
-```toml tab="File"
-[marathon.TLS]
-CA = "/etc/ssl/ca.crt"
-Cert = "/etc/ssl/marathon.cert"
-Key = "/etc/ssl/marathon.key"
-insecureSkipVerify = true
+```toml tab="File (TOML)"
+[providers.marathon.tls]
+  ca = "/etc/ssl/ca.crt"
+  cert = "/etc/ssl/marathon.cert"
+  key = "/etc/ssl/marathon.key"
+  insecureSkipVerify = true
 ```

-```txt tab="CLI"
--providers.marathon.tls
+```yaml tab="File (YAML)"
+providers:
+  marathon
+    tls:
+      ca: "/etc/ssl/ca.crt"
+      cert: "/etc/ssl/marathon.cert"
+      key: "/etc/ssl/marathon.key"
+      insecureSkipVerify:  true
+```
+
+```bash tab="CLI"
 --providers.marathon.tls.ca="/etc/ssl/ca.crt"
 --providers.marathon.tls.cert="/etc/ssl/marathon.cert"
 --providers.marathon.tls.key="/etc/ssl/marathon.key"
 --providers.marathon.tls.insecureskipverify=true
 ```

-### `TLSHandshakeTimeout`
+TLS client configuration. [tls/#Config](https://golang.org/pkg/crypto/tls/#Config).
+
+### `tlsHandshakeTimeout`

 _Optional, Default=5s_

+```toml tab="File (TOML)"
+[providers.marathon]
+  responseHeaderTimeout = "10s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    responseHeaderTimeout: "10s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.responseHeaderTimeout="10s"
+# ...
+```
+
 Overrides TLSHandshakeTimeout.
+
 Amount of time the Marathon provider should wait before timing out,
 when waiting for the TLS handshake to complete.
 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
@@ -276,12 +462,48 @@ or directly as a number of seconds.

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.marathon]
+  trace = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    trace: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.trace=true
+# ...
+```
+
 Displays additional provider logs (if available).

 ### `watch`

 _Optional, Default=true_

+```toml tab="File (TOML)"
+[providers.marathon]
+  watch = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  marathon:
+    watch: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.marathon.watch=false
+# ...
+```
+
 Enables watching for Marathon changes.

 ## Routing Configuration Options
@@ -296,23 +518,23 @@ and the router automatically gets a rule defined by defaultRule (if no rule for
 ### Routers

 To update the configuration of the Router automatically attached to the application,
-add labels starting with `traefik.HTTP.Routers.{router-name-of-your-choice}.` and followed by the option you want to change.
-For example, to change the routing rule, you could add the label ```traefik.HTTP.Routers.Routername.Rule=Host(`my-domain`)```.
+add labels starting with `traefik.http.routers.{router-name-of-your-choice}.` and followed by the option you want to change.
+For example, to change the routing rule, you could add the label ```traefik.http.routers.routername.rule=Host(`my-domain`)```.

 Every [Router](../routing/routers/index.md) parameter can be updated this way.

 ### Services

 To update the configuration of the Service automatically attached to the container,
-add labels starting with `traefik.HTTP.Services.{service-name-of-your-choice}.`, followed by the option you want to change.
-For example, to change the passhostheader behavior, you'd add the label `traefik.HTTP.Services.Servicename.LoadBalancer.PassHostHeader=false`.
+add labels starting with `traefik.http.services.{service-name-of-your-choice}.`, followed by the option you want to change.
+For example, to change the passHostHeader behavior, you'd add the label `traefik.http.services.servicename.loadbalancer.passhostheader=false`.

 Every [Service](../routing/services/index.md) parameter can be updated this way.

 ### Middleware

-You can declare pieces of middleware using labels starting with `traefik.HTTP.Middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options.
-For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.HTTP.Middlewares.my-redirect.RedirectScheme.Scheme: https`.
+You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options.
+For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.

 ??? example "Declaring and Referencing a Middleware"

--- a/docs/content/providers/rancher.md
+++ b/docs/content/providers/rancher.md
@@ -18,8 +18,17 @@ Attach labels to your services and let Traefik do the rest!

    Enabling the rancher provider

-    ```toml
-    [Providers.Rancher]
+    ```toml tab="File (TOML)"
+    [providers.rancher]
+    ```
+    
+    ```yaml tab="File (YAML)"
+    providers:
+      rancher: {}
+    ```
+    
+    ```bash tab="CLI"
+    --providers.rancher
    ```

    Attaching labels to services
@@ -34,21 +43,67 @@ Attach labels to your services and let Traefik do the rest!
 ??? tip "Browse the Reference"
    If you're in a hurry, maybe you'd rather go through the configuration reference:
    
-    ```toml
+    ```toml tab="File (TOML)"
    --8<-- "content/providers/rancher.toml"
    ```
+    
+    ```yaml tab="File (YAML)"
+    --8<-- "content/providers/rancher.yml"
+    ```
+    
+    ```bash tab="CLI"
+    --8<-- "content/providers/rancher.txt"
+    ```

-### `ExposedByDefault`
+### `exposedByDefault`

 _Optional, Default=true_

+```toml tab="File (TOML)"
+[providers.rancher]
+  exposedByDefault = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    exposedByDefault: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.exposedByDefault=false
+# ...
+```
+
 Expose Rancher services by default in Traefik.
 If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.

-### `DefaultRule`
+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
+### `defaultRule`

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

+```toml tab="File (TOML)"
+[providers.rancher]
+  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+# ...
+```
+
 The default host rule for all services.

 For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
@@ -57,48 +112,127 @@ augmented with the [sprig template functions](http://masterminds.github.io/sprig
 The service name can be accessed as the `Name` identifier,
 and the template has access to all the labels defined on this container.

-```toml tab="File"
-[Providers.Rancher]
-defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-# ...
-```
-
-```txt tab="CLI"
--providers.rancher
--providers.rancher.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-```
-
 This option can be overridden on a container basis with the `traefik.http.routers.Router1.rule` label.

-### `EnableServiceHealthFilter`
+### `enableServiceHealthFilter`

 _Optional, Default=true_

+```toml tab="File (TOML)"
+[providers.rancher]
+  enableServiceHealthFilter = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    enableServiceHealthFilter: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.enableServiceHealthFilter=false
+# ...
+```
+
 Filter services with unhealthy states and inactive states.

-### `RefreshSeconds`
+### `refreshSeconds`

 _Optional, Default=15_

+```toml tab="File (TOML)"
+[providers.rancher]
+  refreshSeconds = 30
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    refreshSeconds: 30
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.refreshSeconds=30
+# ...
+```
+
 Defines the polling interval (in seconds).

-### `IntervalPoll`
+### `intervalPoll`

 _Optional, Default=false_

+```toml tab="File (TOML)"
+[providers.rancher]
+  intervalPoll = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    intervalPoll: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.intervalPoll=true
+# ...
+```
+
 Poll the Rancher metadata service for changes every `rancher.refreshSeconds`,
 which is less accurate than the default long polling technique which will provide near instantaneous updates to Traefik.

-### `Prefix`
+### `prefix`

 _Optional, Default=/latest_

+```toml tab="File (TOML)"
+[providers.rancher]
+  prefix = "/test"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    prefix: "/test"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.prefix="/test"
+# ...
+```
+
 Prefix used for accessing the Rancher metadata service

 ### `constraints`

 _Optional, Default=""_

+```toml tab="File (TOML)"
+[providers.rancher]
+  constraints = "Label(`a.label.name`, `foo`)"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  rancher:
+    constraints: "Label(`a.label.name`, `foo`)"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.rancher.constraints="Label(`a.label.name`, `foo`)"
+# ...
+```
+
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
 That is to say, if none of the container's labels match the expression, no route for the container is created.
 If the expression is empty, all detected containers are included.
@@ -137,6 +271,8 @@ The expression syntax is based on the `Label("key", "value")`, and `LabelRegexp(
    constraints = "LabelRegexp(`a.label.name`, `a.+`)"
    ```

+See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
 ## Routing Configuration Options

 ### General
--- a/docs/content/providers/rancher.toml
+++ b/docs/content/providers/rancher.toml
@@ -1,20 +1,20 @@
 # Enable Rancher Provider.
-[Providers.Rancher]
+[providers.rancher]

  # Expose Rancher services by default in Traefik.
-  ExposedByDefault = true
+  exposedByDefault = true

  # Enable watch Rancher changes.
-  Watch = true
+  watch = true

  # Filter services with unhealthy states and inactive states.
-  EnableServiceHealthFilter = true
+  enableServiceHealthFilter = true

  # Defines the polling interval (in seconds).
-  RefreshSeconds = true
+  refreshSeconds = true

  # Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
-  IntervalPoll = false
+  intervalPoll = false

  # Prefix used for accessing the Rancher metadata service
-  Prefix = "/latest"
+  prefix = "/latest"
--- a/docs/content/providers/rancher.txt
+++ b/docs/content/providers/rancher.txt
@@ -0,0 +1,20 @@
+# Enable Rancher Provider.
+--providers.rancher
+
+# Expose Rancher services by default in Traefik.
+--providers.rancher.exposedByDefault=true
+
+# Enable watch Rancher changes.
+--providers.rancher.watch=true
+
+# Filter services with unhealthy states and inactive states.
+--providers.rancher.enableServiceHealthFilter=true
+
+# Defines the polling interval (in seconds).
+--providers.rancher.refreshSeconds=true
+
+# Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
+--providers.rancher.intervalPoll=false
+
+# Prefix used for accessing the Rancher metadata service
+--providers.rancher.prefix="/latest"
--- a/docs/content/providers/rancher.yml
+++ b/docs/content/providers/rancher.yml
@@ -0,0 +1,21 @@
+# Enable Rancher Provider.
+providers:
+  rancher:
+
+  # Expose Rancher services by default in Traefik.
+  exposedByDefault: true
+
+  # Enable watch Rancher changes.
+  watch: true
+
+  # Filter services with unhealthy states and inactive states.
+  enableServiceHealthFilter: true
+
+  # Defines the polling interval (in seconds).
+  refreshSeconds: true
+
+  # Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
+  intervalPoll: false
+
+  # Prefix used for accessing the Rancher metadata service
+  prefix: "/latest"
--- a/docs/content/reference/dynamic-configuration/docker.md
+++ b/docs/content/reference/dynamic-configuration/docker.md
@@ -3,6 +3,10 @@
 Dynamic configuration with Docker Labels
 {: .subtitle }

+The labels are case insensitive.
+
 ```yaml
+labels:
+--8<-- "content/reference/dynamic-configuration/docker.yml"
 --8<-- "content/reference/dynamic-configuration/labels.yml"
 ```
--- a/docs/content/reference/dynamic-configuration/docker.yml
+++ b/docs/content/reference/dynamic-configuration/docker.yml
@@ -0,0 +1,3 @@
+  - "traefik.enable=true"
+  - "traefik.docker.network=foobar"
+  - "traefik.docker.lbswarm=true"
--- a/docs/content/reference/dynamic-configuration/file.md
+++ b/docs/content/reference/dynamic-configuration/file.md
@@ -1,8 +1,12 @@
 # File Configuration Reference

-Dynamic configuration with toml files
+Dynamic configuration with files
 {: .subtitle }

-```toml
+```toml  tab="TOML"
 --8<-- "content/reference/dynamic-configuration/file.toml"
 ```
+
+```yml  tab="YAML"
+--8<-- "content/reference/dynamic-configuration/file.yaml"
+```
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@@ -1,261 +1,284 @@
-[HTTP]
-
-  [HTTP.Routers]
-
-    [HTTP.Routers.Router0]
-      EntryPoints = ["foobar", "foobar"]
-      Middlewares = ["foobar", "foobar"]
-      Service = "foobar"
-      Rule = "foobar"
+[http]
+  [http.routers]
+    [http.routers.Router0]
+      entryPoints = ["foobar", "foobar"]
+      middlewares = ["foobar", "foobar"]
+      service = "foobar"
+      rule = "foobar"
      priority = 42
-      [HTTP.Routers.Router0.tls]
-        options = "TLS0"
+      [http.routers.Router0.tls]
+        options = "foobar"
+    [http.routers.Router1]
+      entryPoints = ["foobar", "foobar"]
+      middlewares = ["foobar", "foobar"]
+      service = "foobar"
+      rule = "foobar"
+      priority = 42
+      [http.routers.Router1.tls]
+        options = "foobar"
+  [http.services]
+    [http.services.Service0]
+      [http.services.Service0.loadBalancer]
+        passHostHeader = true
+        [http.services.Service0.loadBalancer.stickiness]
+          cookieName = "foobar"
+          secureCookie = true
+          httpOnlyCookie = true

-  [HTTP.Middlewares]
+        [[http.services.Service0.loadBalancer.servers]]
+          url = "foobar"

-      [HTTP.Middlewares.Middleware0.AddPrefix]
-        Prefix = "foobar"
-
-      [HTTP.Middlewares.Middleware1.StripPrefix]
-        Prefixes = ["foobar", "foobar"]
-
-      [HTTP.Middlewares.Middleware2.StripPrefixRegex]
-        Regex = ["foobar", "foobar"]
-
-      [HTTP.Middlewares.Middleware3.ReplacePath]
-        Path = "foobar"
-
-      [HTTP.Middlewares.Middleware4.ReplacePathRegex]
-        Regex = "foobar"
-        Replacement = "foobar"
-
-      [HTTP.Middlewares.Middleware5.Chain]
-        Middlewares = ["foobar", "foobar"]
-
-      [HTTP.Middlewares.Middleware6.IPWhiteList]
-        SourceRange = ["foobar", "foobar"]
-
-        [HTTP.Middlewares.Middleware7.IPWhiteList.IPStrategy]
-          Depth = 42
-          ExcludedIPs = ["foobar", "foobar"]
-
-      [HTTP.Middlewares.Middleware8.Headers]
-        AccessControlAllowCredentials = true
-        AccessControlAllowHeaders = ["foobar", "foobar"]
-        AccessControlAllowMethods = ["foobar", "foobar"]
-        AccessControlAllowOrigin = "foobar"
-        AccessControlExposeHeaders = ["foobar", "foobar"]
-        AccessControlMaxAge = 42
-        AddVaryHeader = true
-        AllowedHosts = ["foobar", "foobar"]
-        HostsProxyHeaders = ["foobar", "foobar"]
-        SSLRedirect = true
-        SSLTemporaryRedirect = true
-        SSLHost = "foobar"
-        SSLForceHost = true
-        STSSeconds = 42
-        STSIncludeSubdomains = true
-        STSPreload = true
-        ForceSTSHeader = true
-        FrameDeny = true
-        CustomFrameOptionsValue = "foobar"
-        ContentTypeNosniff = true
-        BrowserXSSFilter = true
-        CustomBrowserXSSValue = "foobar"
-        ContentSecurityPolicy = "foobar"
-        PublicKey = "foobar"
-        ReferrerPolicy = "foobar"
-        IsDevelopment = true
-        [HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders]
-          name0 = "foobar"
-          name1 = "foobar"
-        [HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders]
-          name0 = "foobar"
-          name1 = "foobar"
-        [HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders]
-          name0 = "foobar"
-          name1 = "foobar"
-
-      [HTTP.Middlewares.Middleware9.Errors]
-        Status = ["foobar", "foobar"]
-        Service = "foobar"
-        Query = "foobar"
-
-      [HTTP.Middlewares.Middleware10.RateLimit]
-        ExtractorFunc = "foobar"
-        [HTTP.Middlewares.Middleware10.RateLimit.RateSet]
-          [HTTP.Middlewares.Middleware10.RateLimit.RateSet.Rate0]
-            Period = 42
-            Average = 42
-            Burst = 42
-          [HTTP.Middlewares.Middleware10.RateLimit.RateSet.Rate1]
-            Period = 42
-            Average = 42
-            Burst = 42
-
-      [HTTP.Middlewares.Middleware11.RedirectRegex]
-        Regex = "foobar"
-        Replacement = "foobar"
-        Permanent = true
-
-      [HTTP.Middlewares.Middleware12.RedirectScheme]
-        Scheme = "foobar"
-        Port = "foobar"
-        Permanent = true
-
-      [HTTP.Middlewares.Middleware13.BasicAuth]
-        Users = ["foobar", "foobar"]
-        UsersFile = "foobar"
-        Realm = "foobar"
-        RemoveHeader = true
-        HeaderField = "foobar"
-
-      [HTTP.Middlewares.Middleware14.DigestAuth]
-        Users = ["foobar", "foobar"]
-        UsersFile = "foobar"
-        RemoveHeader = true
-        Realm = "foobar"
-        HeaderField = "foobar"
-
-      [HTTP.Middlewares.Middleware15.ForwardAuth]
-        Address = "foobar"
-        TrustForwardHeader = true
-        AuthResponseHeaders = ["foobar", "foobar"]
-        [HTTP.Middlewares.Middleware15.ForwardAuth.TLS]
-          CA = "foobar"
-          CAOptional = true
-          Cert = "foobar"
-          Key = "foobar"
-          InsecureSkipVerify = true
-
-      [HTTP.Middlewares.Middleware16.MaxConn]
-        Amount = 42
-        ExtractorFunc = "foobar"
-
-      [HTTP.Middlewares.Middleware17.Buffering]
-        MaxRequestBodyBytes = 42
-        MemRequestBodyBytes = 42
-        MaxResponseBodyBytes = 42
-        MemResponseBodyBytes = 42
-        RetryExpression = "foobar"
-
-      [HTTP.Middlewares.Middleware18.CircuitBreaker]
-        Expression = "foobar"
-
-      [HTTP.Middlewares.Middleware19.Compress]
-
-      [HTTP.Middlewares.Middleware20.PassTLSClientCert]
-        PEM = true
-        [HTTP.Middlewares.Middleware20.PassTLSClientCert.Info]
-          NotAfter = true
-          NotBefore = true
-          Sans = true
-          [HTTP.Middlewares.Middleware20.PassTLSClientCert.Info.Subject]
-            Country = true
-            Province = true
-            Locality = true
-            Organization = true
-            CommonName = true
-            SerialNumber = true
-            DomainComponent = true
-          [HTTP.Middlewares.Middleware20.PassTLSClientCert.Info.Issuer]
-            Country = true
-            Province = true
-            Locality = true
-            Organization = true
-            CommonName = true
-            SerialNumber = true
-            DomainComponent = true
-
-      [HTTP.Middlewares.Middleware21.Retry]
-        Attempts = 42
-
-  [HTTP.Services]
-    [HTTP.Services.Service0]
-      [HTTP.Services.Service0.LoadBalancer]
-        PassHostHeader = true
-
-        [[HTTP.Services.Service0.LoadBalancer.Servers]]
-          URL = "foobar"
-
-        [HTTP.Services.Service0.LoadBalancer.Stickiness]
-          CookieName = "foobar"
-
-        [[HTTP.Services.Service0.LoadBalancer.Servers]]
-          URL = "foobar"
-
-        [HTTP.Services.Service0.LoadBalancer.HealthCheck]
-          Scheme = "foobar"
-          Path = "foobar"
-          Port = 42
-          Interval = "foobar"
-          Timeout = "foobar"
-          Hostname = "foobar"
-          [HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers]
+        [[http.services.Service0.loadBalancer.servers]]
+          url = "foobar"
+        [http.services.Service0.loadBalancer.healthCheck]
+          scheme = "foobar"
+          path = "foobar"
+          port = 42
+          interval = "foobar"
+          timeout = "foobar"
+          hostname = "foobar"
+          [http.services.Service0.loadBalancer.healthCheck.headers]
            name0 = "foobar"
            name1 = "foobar"
-        [HTTP.Services.Service0.LoadBalancer.ResponseForwarding]
-          FlushInterval = "foobar"
+        [http.services.Service0.loadBalancer.responseForwarding]
+          flushInterval = "foobar"
+    [http.services.Service1]
+      [http.services.Service1.loadBalancer]
+        passHostHeader = true
+        [http.services.Service1.loadBalancer.stickiness]
+          cookieName = "foobar"
+          secureCookie = true
+          httpOnlyCookie = true

-[TCP]
+        [[http.services.Service1.loadBalancer.servers]]
+          url = "foobar"

-  [TCP.Routers]
+        [[http.services.Service1.loadBalancer.servers]]
+          url = "foobar"
+        [http.services.Service1.loadBalancer.healthCheck]
+          scheme = "foobar"
+          path = "foobar"
+          port = 42
+          interval = "foobar"
+          timeout = "foobar"
+          hostname = "foobar"
+          [http.services.Service1.loadBalancer.healthCheck.headers]
+            name0 = "foobar"
+            name1 = "foobar"
+        [http.services.Service1.loadBalancer.responseForwarding]
+          flushInterval = "foobar"
+  [http.middlewares]
+    [http.middlewares.Middleware00]
+      [http.middlewares.Middleware00.addPrefix]
+        prefix = "foobar"
+    [http.middlewares.Middleware01]
+      [http.middlewares.Middleware01.basicAuth]
+        users = ["foobar", "foobar"]
+        usersFile = "foobar"
+        realm = "foobar"
+        removeHeader = true
+        headerField = "foobar"
+    [http.middlewares.Middleware02]
+      [http.middlewares.Middleware02.buffering]
+        maxRequestBodyBytes = 42
+        memRequestBodyBytes = 42
+        maxResponseBodyBytes = 42
+        memResponseBodyBytes = 42
+        retryExpression = "foobar"
+    [http.middlewares.Middleware03]
+      [http.middlewares.Middleware03.chain]
+        middlewares = ["foobar", "foobar"]
+    [http.middlewares.Middleware04]
+      [http.middlewares.Middleware04.circuitBreaker]
+        expression = "foobar"
+    [http.middlewares.Middleware05]
+      [http.middlewares.Middleware05.compress]
+    [http.middlewares.Middleware06]
+      [http.middlewares.Middleware06.digestAuth]
+        users = ["foobar", "foobar"]
+        usersFile = "foobar"
+        removeHeader = true
+        realm = "foobar"
+        headerField = "foobar"
+    [http.middlewares.Middleware07]
+      [http.middlewares.Middleware07.errors]
+        status = ["foobar", "foobar"]
+        service = "foobar"
+        query = "foobar"
+    [http.middlewares.Middleware08]
+      [http.middlewares.Middleware08.forwardAuth]
+        address = "foobar"
+        trustForwardHeader = true
+        authResponseHeaders = ["foobar", "foobar"]
+        [http.middlewares.Middleware08.forwardAuth.tls]
+          ca = "foobar"
+          caOptional = true
+          cert = "foobar"
+          key = "foobar"
+          insecureSkipVerify = true
+    [http.middlewares.Middleware09]
+      [http.middlewares.Middleware09.headers]
+        accessControlAllowCredentials = true
+        accessControlAllowHeaders = ["foobar", "foobar"]
+        accessControlAllowMethods = ["foobar", "foobar"]
+        accessControlAllowOrigin = "foobar"
+        accessControlExposeHeaders = ["foobar", "foobar"]
+        accessControlMaxAge = 42
+        addVaryHeader = true
+        allowedHosts = ["foobar", "foobar"]
+        hostsProxyHeaders = ["foobar", "foobar"]
+        sslRedirect = true
+        sslTemporaryRedirect = true
+        sslHost = "foobar"
+        sslForceHost = true
+        stsSeconds = 42
+        stsIncludeSubdomains = true
+        stsPreload = true
+        forceSTSHeader = true
+        frameDeny = true
+        customFrameOptionsValue = "foobar"
+        contentTypeNosniff = true
+        browserXssFilter = true
+        customBrowserXSSValue = "foobar"
+        contentSecurityPolicy = "foobar"
+        publicKey = "foobar"
+        referrerPolicy = "foobar"
+        isDevelopment = true
+        [http.middlewares.Middleware09.headers.customRequestHeaders]
+          name0 = "foobar"
+          name1 = "foobar"
+        [http.middlewares.Middleware09.headers.customResponseHeaders]
+          name0 = "foobar"
+          name1 = "foobar"
+        [http.middlewares.Middleware09.headers.sslProxyHeaders]
+          name0 = "foobar"
+          name1 = "foobar"
+    [http.middlewares.Middleware10]
+      [http.middlewares.Middleware10.ipWhiteList]
+        sourceRange = ["foobar", "foobar"]
+        [http.middlewares.Middleware10.ipWhiteList.ipStrategy]
+          depth = 42
+          excludedIPs = ["foobar", "foobar"]
+    [http.middlewares.Middleware11]
+      [http.middlewares.Middleware11.maxConn]
+        amount = 42
+        extractorFunc = "foobar"
+    [http.middlewares.Middleware12]
+      [http.middlewares.Middleware12.passTLSClientCert]
+        pem = true
+        [http.middlewares.Middleware12.passTLSClientCert.info]
+          notAfter = true
+          notBefore = true
+          sans = true
+          [http.middlewares.Middleware12.passTLSClientCert.info.subject]
+            country = true
+            province = true
+            locality = true
+            organization = true
+            commonName = true
+            serialNumber = true
+            domainComponent = true
+          [http.middlewares.Middleware12.passTLSClientCert.info.issuer]
+            country = true
+            province = true
+            locality = true
+            organization = true
+            commonName = true
+            serialNumber = true
+            domainComponent = true
+    [http.middlewares.Middleware14]
+      [http.middlewares.Middleware14.redirectRegex]
+        regex = "foobar"
+        replacement = "foobar"
+        permanent = true
+    [http.middlewares.Middleware15]
+      [http.middlewares.Middleware15.redirectScheme]
+        scheme = "foobar"
+        port = "foobar"
+        permanent = true
+    [http.middlewares.Middleware16]
+      [http.middlewares.Middleware16.replacePath]
+        path = "foobar"
+    [http.middlewares.Middleware17]
+      [http.middlewares.Middleware17.replacePathRegex]
+        regex = "foobar"
+        replacement = "foobar"
+    [http.middlewares.Middleware18]
+      [http.middlewares.Middleware18.retry]
+        attempts = 42
+    [http.middlewares.Middleware19]
+      [http.middlewares.Middleware19.stripPrefix]
+        prefixes = ["foobar", "foobar"]
+    [http.middlewares.Middleware20]
+      [http.middlewares.Middleware20.stripPrefixRegex]
+        regex = ["foobar", "foobar"]

-    [TCP.Routers.TCPRouter0]
-      EntryPoints = ["foobar", "foobar"]
-      Service = "foobar"
-      Rule = "foobar"
-      [TCP.Routers.TCPRouter0.tls]
+[tcp]
+  [tcp.routers]
+    [tcp.routers.TCPRouter0]
+      entryPoints = ["foobar", "foobar"]
+      service = "foobar"
+      rule = "foobar"
+      [tcp.routers.TCPRouter0.tls]
        passthrough = true
-        options = "TLS1"
+        options = "foobar"
+    [tcp.routers.TCPRouter1]
+      entryPoints = ["foobar", "foobar"]
+      service = "foobar"
+      rule = "foobar"
+      [tcp.routers.TCPRouter1.tls]
+        passthrough = true
+        options = "foobar"
+  [tcp.services]
+    [tcp.services.TCPService0]
+      [tcp.services.TCPService0.loadBalancer]

-  [TCP.Services]
+        [[tcp.services.TCPService0.loadBalancer.servers]]
+          address = "foobar"

-    [TCP.Services.TCPService0]
-      [TCP.Services.TCPService0.LoadBalancer]
+        [[tcp.services.TCPService0.loadBalancer.servers]]
+          address = "foobar"
+    [tcp.services.TCPService1]
+      [tcp.services.TCPService1.loadBalancer]

-        [[TCP.Services.TCPService0.LoadBalancer.Servers]]
-          Address = "foobar"
+        [[tcp.services.TCPService1.loadBalancer.servers]]
+          address = "foobar"

-        [[TCP.Services.TCPService0.LoadBalancer.Servers]]
-          Address = "foobar"
+        [[tcp.services.TCPService1.loadBalancer.servers]]
+          address = "foobar"

-[[TLS]]
-  Stores = ["foobar", "foobar"]
-  [TLS.Certificate]
-    CertFile = "foobar"
-    KeyFile = "foobar"
+[tls]

-[[TLS]]
-  Stores = ["foobar", "foobar"]
-  [TLS.Certificate]
-    CertFile = "foobar"
-    KeyFile = "foobar"
+  [[tls.certificates]]
+    certFile = "foobar"
+    keyFile = "foobar"
+    stores = ["foobar", "foobar"]

-[TLSOptions]
-
-  [TLSOptions.TLS0]
-    MinVersion = "foobar"
-    CipherSuites = ["foobar", "foobar"]
-    SniStrict = true
-    [TLSOptions.TLS0.ClientCA]
-      Files = ["foobar", "foobar"]
-      Optional = true
-  [TLSOptions.TLS1]
-    MinVersion = "foobar"
-    CipherSuites = ["foobar", "foobar"]
-    SniStrict = true
-    [TLSOptions.TLS1.ClientCA]
-      Files = ["foobar", "foobar"]
-      Optional = true
-
-[TLSStores]
-
-  [TLSStores.Store0]
-    [TLSStores.Store0.DefaultCertificate]
-      CertFile = "foobar"
-      KeyFile = "foobar"
-  [TLSStores.Store1]
-    [TLSStores.Store1.DefaultCertificate]
-      CertFile = "foobar"
-      KeyFile = "foobar"
+  [[tls.certificates]]
+    certFile = "foobar"
+    keyFile = "foobar"
+    stores = ["foobar", "foobar"]
+  [tls.options]
+    [tls.options.Options0]
+      minVersion = "foobar"
+      cipherSuites = ["foobar", "foobar"]
+      sniStrict = true
+      [tls.options.Options0.clientAuth]
+        caFiles = ["foobar", "foobar"]
+        clientAuthType = "VerifyClientCertIfGiven"
+    [tls.options.Options1]
+      minVersion = "foobar"
+      cipherSuites = ["foobar", "foobar"]
+      sniStrict = true
+      [tls.options.Options1.clientAuth]
+        caFiles = ["foobar", "foobar"]
+        clientAuthType = "VerifyClientCertIfGiven"
+  [tls.stores]
+    [tls.stores.Store0]
+      [tls.stores.Store0.defaultCertificate]
+        certFile = "foobar"
+        keyFile = "foobar"
+    [tls.stores.Store1]
+      [tls.stores.Store1.defaultCertificate]
+        certFile = "foobar"
+        keyFile = "foobar"
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@@ -0,0 +1,319 @@
+http:
+  routers:
+    Router0:
+      entryPoints:
+      - foobar
+      - foobar
+      middlewares:
+      - foobar
+      - foobar
+      service: foobar
+      rule: foobar
+      priority: 42
+      tls:
+        options: foobar
+    Router1:
+      entryPoints:
+      - foobar
+      - foobar
+      middlewares:
+      - foobar
+      - foobar
+      service: foobar
+      rule: foobar
+      priority: 42
+      tls:
+        options: foobar
+  services:
+    Service0:
+      loadBalancer:
+        stickiness:
+          cookieName: foobar
+          secureCookie: true
+          httpOnlyCookie: true
+        servers:
+        - url: foobar
+        - url: foobar
+        healthCheck:
+          scheme: foobar
+          path: foobar
+          port: 42
+          interval: foobar
+          timeout: foobar
+          hostname: foobar
+          headers:
+            name0: foobar
+            name1: foobar
+        passHostHeader: true
+        responseForwarding:
+          flushInterval: foobar
+    Service1:
+      loadBalancer:
+        stickiness:
+          cookieName: foobar
+          secureCookie: true
+          httpOnlyCookie: true
+        servers:
+        - url: foobar
+        - url: foobar
+        healthCheck:
+          scheme: foobar
+          path: foobar
+          port: 42
+          interval: foobar
+          timeout: foobar
+          hostname: foobar
+          headers:
+            name0: foobar
+            name1: foobar
+        passHostHeader: true
+        responseForwarding:
+          flushInterval: foobar
+  middlewares:
+    Middleware00:
+      addPrefix:
+        prefix: foobar
+    Middleware01:
+      basicAuth:
+        users:
+        - foobar
+        - foobar
+        usersFile: foobar
+        realm: foobar
+        removeHeader: true
+        headerField: foobar
+    Middleware02:
+      buffering:
+        maxRequestBodyBytes: 42
+        memRequestBodyBytes: 42
+        maxResponseBodyBytes: 42
+        memResponseBodyBytes: 42
+        retryExpression: foobar
+    Middleware03:
+      chain:
+        middlewares:
+        - foobar
+        - foobar
+    Middleware04:
+      circuitBreaker:
+        expression: foobar
+    Middleware05:
+      compress: {}
+    Middleware06:
+      digestAuth:
+        users:
+        - foobar
+        - foobar
+        usersFile: foobar
+        removeHeader: true
+        realm: foobar
+        headerField: foobar
+    Middleware07:
+      errors:
+        status:
+        - foobar
+        - foobar
+        service: foobar
+        query: foobar
+    Middleware08:
+      forwardAuth:
+        address: foobar
+        tls:
+          ca: foobar
+          caOptional: true
+          cert: foobar
+          key: foobar
+          insecureSkipVerify: true
+        trustForwardHeader: true
+        authResponseHeaders:
+        - foobar
+        - foobar
+    Middleware09:
+      headers:
+        customRequestHeaders:
+          name0: foobar
+          name1: foobar
+        customResponseHeaders:
+          name0: foobar
+          name1: foobar
+        accessControlAllowCredentials: true
+        accessControlAllowHeaders:
+        - foobar
+        - foobar
+        accessControlAllowMethods:
+        - foobar
+        - foobar
+        accessControlAllowOrigin: foobar
+        accessControlExposeHeaders:
+        - foobar
+        - foobar
+        accessControlMaxAge: 42
+        addVaryHeader: true
+        allowedHosts:
+        - foobar
+        - foobar
+        hostsProxyHeaders:
+        - foobar
+        - foobar
+        sslRedirect: true
+        sslTemporaryRedirect: true
+        sslHost: foobar
+        sslProxyHeaders:
+          name0: foobar
+          name1: foobar
+        sslForceHost: true
+        stsSeconds: 42
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        frameDeny: true
+        customFrameOptionsValue: foobar
+        contentTypeNosniff: true
+        browserXssFilter: true
+        customBrowserXSSValue: foobar
+        contentSecurityPolicy: foobar
+        publicKey: foobar
+        referrerPolicy: foobar
+        isDevelopment: true
+    Middleware10:
+      ipWhiteList:
+        sourceRange:
+        - foobar
+        - foobar
+        ipStrategy:
+          depth: 42
+          excludedIPs:
+          - foobar
+          - foobar
+    Middleware11:
+      maxConn:
+        amount: 42
+        extractorFunc: foobar
+    Middleware12:
+      passTLSClientCert:
+        pem: true
+        info:
+          notAfter: true
+          notBefore: true
+          sans: true
+          subject:
+            country: true
+            province: true
+            locality: true
+            organization: true
+            commonName: true
+            serialNumber: true
+            domainComponent: true
+          issuer:
+            country: true
+            province: true
+            locality: true
+            organization: true
+            commonName: true
+            serialNumber: true
+            domainComponent: true
+    Middleware14:
+      redirectRegex:
+        regex: foobar
+        replacement: foobar
+        permanent: true
+    Middleware15:
+      redirectScheme:
+        scheme: foobar
+        port: foobar
+        permanent: true
+    Middleware16:
+      replacePath:
+        path: foobar
+    Middleware17:
+      replacePathRegex:
+        regex: foobar
+        replacement: foobar
+    Middleware18:
+      retry:
+        attempts: 42
+    Middleware19:
+      stripPrefix:
+        prefixes:
+        - foobar
+        - foobar
+    Middleware20:
+      stripPrefixRegex:
+        regex:
+        - foobar
+        - foobar
+tcp:
+  routers:
+    TCPRouter0:
+      entryPoints:
+      - foobar
+      - foobar
+      service: foobar
+      rule: foobar
+      tls:
+        passthrough: true
+        options: foobar
+    TCPRouter1:
+      entryPoints:
+      - foobar
+      - foobar
+      service: foobar
+      rule: foobar
+      tls:
+        passthrough: true
+        options: foobar
+  services:
+    TCPService0:
+      loadBalancer:
+        servers:
+        - address: foobar
+        - address: foobar
+    TCPService1:
+      loadBalancer:
+        servers:
+        - address: foobar
+        - address: foobar
+tls:
+  certificates:
+  - certFile: foobar
+    keyFile: foobar
+    stores:
+    - foobar
+    - foobar
+  - certFile: foobar
+    keyFile: foobar
+    stores:
+    - foobar
+    - foobar
+  options:
+    Options0:
+      minVersion: foobar
+      cipherSuites:
+      - foobar
+      - foobar
+      clientAuth:
+        caFiles:
+        - foobar
+        - foobar
+        clientAuthType: VerifyClientCertIfGiven
+      sniStrict: true
+    Options1:
+      minVersion: foobar
+      cipherSuites:
+      - foobar
+      - foobar
+      clientAuth:
+        caFiles:
+        - foobar
+        - foobar
+        clientAuthType: VerifyClientCertIfGiven
+      sniStrict: true
+  stores:
+    Store0:
+      defaultCertificate:
+        certFile: foobar
+        keyFile: foobar
+    Store1:
+      defaultCertificate:
+        certFile: foobar
+        keyFile: foobar
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd.yml
@@ -97,6 +97,12 @@ spec:
      middlewares:
        - name: stripprefix
        - name: addprefix
+    - match: PathPrefix(`/misc`)
+      services:
+        - name: s3
+          port: 8443
+          # scheme allow to override the scheme for the service. (ex: https or h2c)
+          scheme: https
  # use an empty tls object for TLS with Let's Encrypt
  tls:
    secretName: supersecret
--- a/docs/content/reference/dynamic-configuration/labels.yml
+++ b/docs/content/reference/dynamic-configuration/labels.yml
@@ -1,154 +1,157 @@
-labels:
- "traefik.HTTP.Middlewares.Middleware0.AddPrefix.Prefix=foobar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.HeaderField=foobar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.Realm=foobar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.RemoveHeader=true"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.Users=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware1.BasicAuth.UsersFile=foobar"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MaxRequestBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MaxResponseBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MemRequestBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.MemResponseBodyBytes=42"
- "traefik.HTTP.Middlewares.Middleware2.Buffering.RetryExpression=foobar"
- "traefik.HTTP.Middlewares.Middleware3.Chain.Middlewares=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware4.CircuitBreaker.Expression=foobar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.HeaderField=foobar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.Realm=foobar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.RemoveHeader=true"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.Users=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware5.DigestAuth.UsersFile=foobar"
- "traefik.HTTP.Middlewares.Middleware6.Errors.Query=foobar"
- "traefik.HTTP.Middlewares.Middleware6.Errors.Service=foobar"
- "traefik.HTTP.Middlewares.Middleware6.Errors.Status=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.Address=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthResponseHeaders=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CA=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CAOptional=true"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Cert=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.InsecureSkipVerify=true"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Key=foobar"
- "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TrustForwardHeader=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowCredentials=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowHeaders=X-foobar, X-fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowMethods=GET, PUT"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowOrigin=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlExposeHeaders=X-foobar, X-fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlMaxAge=200"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AddVaryHeader=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.AllowedHosts=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.BrowserXSSFilter=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ContentSecurityPolicy=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ContentTypeNosniff=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomBrowserXSSValue=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomFrameOptionsValue=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders.name0=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders.name1=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders.name0=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders.name1=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ForceSTSHeader=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.FrameDeny=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.HostsProxyHeaders=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.IsDevelopment=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.PublicKey=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.ReferrerPolicy=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLForceHost=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLHost=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name0=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name1=foobar"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLRedirect=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.SSLTemporaryRedirect=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.STSIncludeSubdomains=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.STSPreload=true"
- "traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds=42"
- "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.Depth=42"
- "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.ExcludedIPs=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.SourceRange=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware10.MaxConn.Amount=42"
- "traefik.HTTP.Middlewares.Middleware10.MaxConn.ExtractorFunc=foobar"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotAfter=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotBefore=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Sans=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Country=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Province=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Locality=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Organization=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.CommonName=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.SerialNumber=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.DomainComponent=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Country=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Province=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Locality=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Organization=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.CommonName=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.SerialNumber=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.DomainComponent=true"
- "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.PEM=true"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.ExtractorFunc=foobar"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Average=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Burst=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Period=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Average=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Burst=42"
- "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Period=42"
- "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Regex=foobar"
- "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Replacement=foobar"
- "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Permanent=true"
- "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Scheme=https"
- "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Port=80"
- "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Permanent=true"
- "traefik.HTTP.Middlewares.Middleware14.ReplacePath.Path=foobar"
- "traefik.HTTP.Middlewares.Middleware15.ReplacePathRegex.Regex=foobar"
- "traefik.HTTP.Middlewares.Middleware15.ReplacePathRegex.Replacement=foobar"
- "traefik.HTTP.Middlewares.Middleware16.Retry.Attempts=42"
- "traefik.HTTP.Middlewares.Middleware17.StripPrefix.Prefixes=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware18.StripPrefixRegex.Regex=foobar, fiibar"
- "traefik.HTTP.Middlewares.Middleware19.Compress=true"
- "traefik.HTTP.Routers.Router0.EntryPoints=foobar, fiibar"
- "traefik.HTTP.Routers.Router0.Middlewares=foobar, fiibar"
- "traefik.HTTP.Routers.Router0.Priority=42"
- "traefik.HTTP.Routers.Router0.Rule=foobar"
- "traefik.HTTP.Routers.Router0.Service=foobar"
- "traefik.HTTP.Routers.Router0.TLS=true"
- "traefik.HTTP.Routers.Router0.TLS.options=foo"
- "traefik.HTTP.Routers.Router1.EntryPoints=foobar, fiibar"
- "traefik.HTTP.Routers.Router1.Middlewares=foobar, fiibar"
- "traefik.HTTP.Routers.Router1.Priority=42"
- "traefik.HTTP.Routers.Router1.Rule=foobar"
- "traefik.HTTP.Routers.Router1.Service=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name0=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name1=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Hostname=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Interval=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Path=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Port=42"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Scheme=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Timeout=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.PassHostHeader=true"
- "traefik.HTTP.Services.Service0.LoadBalancer.ResponseForwarding.FlushInterval=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.server.Port=8080"
- "traefik.HTTP.Services.Service0.LoadBalancer.server.Scheme=foobar"
- "traefik.HTTP.Services.Service0.LoadBalancer.Stickiness.CookieName=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name0=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name1=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Hostname=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Interval=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Path=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Port=42"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Scheme=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Timeout=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.PassHostHeader=true"
- "traefik.HTTP.Services.Service1.LoadBalancer.ResponseForwarding.FlushInterval=foobar"
- "traefik.HTTP.Services.Service1.LoadBalancer.server.Port=8080"
- "traefik.HTTP.Services.Service1.LoadBalancer.server.Scheme=foobar"
- "traefik.TCP.Routers.Router0.Rule=foobar"
- "traefik.TCP.Routers.Router0.EntryPoints=foobar, fiibar"
- "traefik.TCP.Routers.Router0.Service=foobar"
- "traefik.TCP.Routers.Router0.TLS.Passthrough=false"
- "traefik.TCP.Routers.Router0.TLS.options=bar"
- "traefik.TCP.Routers.Router1.Rule=foobar"
- "traefik.TCP.Routers.Router1.EntryPoints=foobar, fiibar"
- "traefik.TCP.Routers.Router1.Service=foobar"
- "traefik.TCP.Routers.Router1.TLS.Passthrough=false"
- "traefik.TCP.Routers.Router1.TLS.options=foobar"
- "traefik.TCP.Services.Service0.LoadBalancer.server.Port=42"
- "traefik.TCP.Services.Service1.LoadBalancer.server.Port=42"
+  - "traefik.http.middlewares.middleware00.addprefix.prefix=foobar"
+  - "traefik.http.middlewares.middleware01.basicauth.headerfield=foobar"
+  - "traefik.http.middlewares.middleware01.basicauth.realm=foobar"
+  - "traefik.http.middlewares.middleware01.basicauth.removeheader=true"
+  - "traefik.http.middlewares.middleware01.basicauth.users=foobar, foobar"
+  - "traefik.http.middlewares.middleware01.basicauth.usersfile=foobar"
+  - "traefik.http.middlewares.middleware02.buffering.maxrequestbodybytes=42"
+  - "traefik.http.middlewares.middleware02.buffering.maxresponsebodybytes=42"
+  - "traefik.http.middlewares.middleware02.buffering.memrequestbodybytes=42"
+  - "traefik.http.middlewares.middleware02.buffering.memresponsebodybytes=42"
+  - "traefik.http.middlewares.middleware02.buffering.retryexpression=foobar"
+  - "traefik.http.middlewares.middleware03.chain.middlewares=foobar, foobar"
+  - "traefik.http.middlewares.middleware04.circuitbreaker.expression=foobar"
+  - "traefik.http.middlewares.middleware05.compress=true"
+  - "traefik.http.middlewares.middleware06.digestauth.headerfield=foobar"
+  - "traefik.http.middlewares.middleware06.digestauth.realm=foobar"
+  - "traefik.http.middlewares.middleware06.digestauth.removeheader=true"
+  - "traefik.http.middlewares.middleware06.digestauth.users=foobar, foobar"
+  - "traefik.http.middlewares.middleware06.digestauth.usersfile=foobar"
+  - "traefik.http.middlewares.middleware07.errors.query=foobar"
+  - "traefik.http.middlewares.middleware07.errors.service=foobar"
+  - "traefik.http.middlewares.middleware07.errors.status=foobar, foobar"
+  - "traefik.http.middlewares.middleware08.forwardauth.address=foobar"
+  - "traefik.http.middlewares.middleware08.forwardauth.authresponseheaders=foobar, foobar"
+  - "traefik.http.middlewares.middleware08.forwardauth.tls.ca=foobar"
+  - "traefik.http.middlewares.middleware08.forwardauth.tls.caoptional=true"
+  - "traefik.http.middlewares.middleware08.forwardauth.tls.cert=foobar"
+  - "traefik.http.middlewares.middleware08.forwardauth.tls.insecureskipverify=true"
+  - "traefik.http.middlewares.middleware08.forwardauth.tls.key=foobar"
+  - "traefik.http.middlewares.middleware08.forwardauth.trustforwardheader=true"
+  - "traefik.http.middlewares.middleware09.headers.accesscontrolallowcredentials=true"
+  - "traefik.http.middlewares.middleware09.headers.accesscontrolallowheaders=foobar, foobar"
+  - "traefik.http.middlewares.middleware09.headers.accesscontrolallowmethods=foobar, foobar"
+  - "traefik.http.middlewares.middleware09.headers.accesscontrolalloworigin=foobar"
+  - "traefik.http.middlewares.middleware09.headers.accesscontrolexposeheaders=foobar, foobar"
+  - "traefik.http.middlewares.middleware09.headers.accesscontrolmaxage=42"
+  - "traefik.http.middlewares.middleware09.headers.addvaryheader=true"
+  - "traefik.http.middlewares.middleware09.headers.allowedhosts=foobar, foobar"
+  - "traefik.http.middlewares.middleware09.headers.browserxssfilter=true"
+  - "traefik.http.middlewares.middleware09.headers.contentsecuritypolicy=foobar"
+  - "traefik.http.middlewares.middleware09.headers.contenttypenosniff=true"
+  - "traefik.http.middlewares.middleware09.headers.custombrowserxssvalue=foobar"
+  - "traefik.http.middlewares.middleware09.headers.customframeoptionsvalue=foobar"
+  - "traefik.http.middlewares.middleware09.headers.customrequestheaders.name0=foobar"
+  - "traefik.http.middlewares.middleware09.headers.customrequestheaders.name1=foobar"
+  - "traefik.http.middlewares.middleware09.headers.customresponseheaders.name0=foobar"
+  - "traefik.http.middlewares.middleware09.headers.customresponseheaders.name1=foobar"
+  - "traefik.http.middlewares.middleware09.headers.forcestsheader=true"
+  - "traefik.http.middlewares.middleware09.headers.framedeny=true"
+  - "traefik.http.middlewares.middleware09.headers.hostsproxyheaders=foobar, foobar"
+  - "traefik.http.middlewares.middleware09.headers.isdevelopment=true"
+  - "traefik.http.middlewares.middleware09.headers.publickey=foobar"
+  - "traefik.http.middlewares.middleware09.headers.referrerpolicy=foobar"
+  - "traefik.http.middlewares.middleware09.headers.sslforcehost=true"
+  - "traefik.http.middlewares.middleware09.headers.sslhost=foobar"
+  - "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name0=foobar"
+  - "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name1=foobar"
+  - "traefik.http.middlewares.middleware09.headers.sslredirect=true"
+  - "traefik.http.middlewares.middleware09.headers.ssltemporaryredirect=true"
+  - "traefik.http.middlewares.middleware09.headers.stsincludesubdomains=true"
+  - "traefik.http.middlewares.middleware09.headers.stspreload=true"
+  - "traefik.http.middlewares.middleware09.headers.stsseconds=42"
+  - "traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.depth=42"
+  - "traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
+  - "traefik.http.middlewares.middleware10.ipwhitelist.sourcerange=foobar, foobar"
+  - "traefik.http.middlewares.middleware11.maxconn.amount=42"
+  - "traefik.http.middlewares.middleware11.maxconn.extractorfunc=foobar"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.commonname=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.country=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.domaincomponent=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.locality=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.organization=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.province=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.serialnumber=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.notafter=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.notbefore=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.sans=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.commonname=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.country=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.domaincomponent=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.locality=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.organization=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.province=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.serialnumber=true"
+  - "traefik.http.middlewares.middleware12.passtlsclientcert.pem=true"
+  - "traefik.http.middlewares.middleware14.redirectregex.permanent=true"
+  - "traefik.http.middlewares.middleware14.redirectregex.regex=foobar"
+  - "traefik.http.middlewares.middleware14.redirectregex.replacement=foobar"
+  - "traefik.http.middlewares.middleware15.redirectscheme.permanent=true"
+  - "traefik.http.middlewares.middleware15.redirectscheme.port=foobar"
+  - "traefik.http.middlewares.middleware15.redirectscheme.scheme=foobar"
+  - "traefik.http.middlewares.middleware16.replacepath.path=foobar"
+  - "traefik.http.middlewares.middleware17.replacepathregex.regex=foobar"
+  - "traefik.http.middlewares.middleware17.replacepathregex.replacement=foobar"
+  - "traefik.http.middlewares.middleware18.retry.attempts=42"
+  - "traefik.http.middlewares.middleware19.stripprefix.prefixes=foobar, foobar"
+  - "traefik.http.middlewares.middleware20.stripprefixregex.regex=foobar, foobar"
+  - "traefik.http.routers.router0.entrypoints=foobar, foobar"
+  - "traefik.http.routers.router0.middlewares=foobar, foobar"
+  - "traefik.http.routers.router0.priority=42"
+  - "traefik.http.routers.router0.rule=foobar"
+  - "traefik.http.routers.router0.service=foobar"
+  - "traefik.http.routers.router0.tls=true"
+  - "traefik.http.routers.router0.tls.options=foobar"
+  - "traefik.http.routers.router1.entrypoints=foobar, foobar"
+  - "traefik.http.routers.router1.middlewares=foobar, foobar"
+  - "traefik.http.routers.router1.priority=42"
+  - "traefik.http.routers.router1.rule=foobar"
+  - "traefik.http.routers.router1.service=foobar"
+  - "traefik.http.routers.router1.tls=true"
+  - "traefik.http.routers.router1.tls.options=foobar"
+  - "traefik.http.services.service0.loadbalancer.healthcheck.headers.name0=foobar"
+  - "traefik.http.services.service0.loadbalancer.healthcheck.headers.name1=foobar"
+  - "traefik.http.services.service0.loadbalancer.healthcheck.hostname=foobar"
+  - "traefik.http.services.service0.loadbalancer.healthcheck.interval=foobar"
+  - "traefik.http.services.service0.loadbalancer.healthcheck.path=foobar"
+  - "traefik.http.services.service0.loadbalancer.healthcheck.port=42"
+  - "traefik.http.services.service0.loadbalancer.healthcheck.scheme=foobar"
+  - "traefik.http.services.service0.loadbalancer.healthcheck.timeout=foobar"
+  - "traefik.http.services.service0.loadbalancer.passhostheader=true"
+  - "traefik.http.services.service0.loadbalancer.responseforwarding.flushinterval=foobar"
+  - "traefik.http.services.service0.loadbalancer.stickiness=true"
+  - "traefik.http.services.service0.loadbalancer.stickiness.cookiename=foobar"
+  - "traefik.http.services.service0.loadbalancer.stickiness.httponlycookie=true"
+  - "traefik.http.services.service0.loadbalancer.stickiness.securecookie=true"
+  - "traefik.http.services.service0.loadbalancer.server.port=foobar"
+  - "traefik.http.services.service0.loadbalancer.server.scheme=foobar"
+  - "traefik.http.services.service1.loadbalancer.healthcheck.headers.name0=foobar"
+  - "traefik.http.services.service1.loadbalancer.healthcheck.headers.name1=foobar"
+  - "traefik.http.services.service1.loadbalancer.healthcheck.hostname=foobar"
+  - "traefik.http.services.service1.loadbalancer.healthcheck.interval=foobar"
+  - "traefik.http.services.service1.loadbalancer.healthcheck.path=foobar"
+  - "traefik.http.services.service1.loadbalancer.healthcheck.port=42"
+  - "traefik.http.services.service1.loadbalancer.healthcheck.scheme=foobar"
+  - "traefik.http.services.service1.loadbalancer.healthcheck.timeout=foobar"
+  - "traefik.http.services.service1.loadbalancer.passhostheader=true"
+  - "traefik.http.services.service1.loadbalancer.responseforwarding.flushinterval=foobar"
+  - "traefik.http.services.service1.loadbalancer.stickiness=true"
+  - "traefik.http.services.service1.loadbalancer.stickiness.cookiename=foobar"
+  - "traefik.http.services.service1.loadbalancer.stickiness.httponlycookie=true"
+  - "traefik.http.services.service1.loadbalancer.stickiness.securecookie=true"
+  - "traefik.http.services.service1.loadbalancer.server.port=foobar"
+  - "traefik.http.services.service1.loadbalancer.server.scheme=foobar"
+  - "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
+  - "traefik.tcp.routers.tcprouter0.rule=foobar"
+  - "traefik.tcp.routers.tcprouter0.service=foobar"
+  - "traefik.tcp.routers.tcprouter0.tls=true"
+  - "traefik.tcp.routers.tcprouter0.tls.options=foobar"
+  - "traefik.tcp.routers.tcprouter0.tls.passthrough=true"
+  - "traefik.tcp.routers.tcprouter1.entrypoints=foobar, foobar"
+  - "traefik.tcp.routers.tcprouter1.rule=foobar"
+  - "traefik.tcp.routers.tcprouter1.service=foobar"
+  - "traefik.tcp.routers.tcprouter1.tls=true"
+  - "traefik.tcp.routers.tcprouter1.tls.options=foobar"
+  - "traefik.tcp.routers.tcprouter1.tls.passthrough=true"
+  - "traefik.tcp.services.tcpservice0.loadbalancer.server.port=foobar"
+  - "traefik.tcp.services.tcpservice1.loadbalancer.server.port=foobar"
--- a/docs/content/reference/dynamic-configuration/marathon.md
+++ b/docs/content/reference/dynamic-configuration/marathon.md
@@ -4,5 +4,7 @@ Dynamic configuration with Marathon Labels
 {: .subtitle }

 ```yaml
+labels:
+--8<-- "content/reference/dynamic-configuration/marathon.yml"
 --8<-- "content/reference/dynamic-configuration/labels.yml"
 ```
--- a/docs/content/reference/dynamic-configuration/marathon.yml
+++ b/docs/content/reference/dynamic-configuration/marathon.yml
@@ -0,0 +1,2 @@
+  - "traefik.enable=true"
+  - "traefik.marathon.ipaddressidx=42"
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -0,0 +1,577 @@
+<!--
+CODE GENERATED AUTOMATICALLY
+THIS FILE MUST NOT BE EDITED BY HAND
+-->
+
+`--accesslog`:  
+Access log settings. (Default: ```false```)
+
+`--accesslog.bufferingsize`:  
+Number of access log lines to process in a buffered way. (Default: ```0```)
+
+`--accesslog.fields.defaultmode`:  
+Default mode for fields: keep | drop (Default: ```keep```)
+
+`--accesslog.fields.headers.defaultmode`:  
+Default mode for fields: keep | drop | redact (Default: ```drop```)
+
+`--accesslog.fields.headers.names.<name>`:  
+Override mode for headers
+
+`--accesslog.fields.names.<name>`:  
+Override mode for fields
+
+`--accesslog.filepath`:  
+Access log file path. Stdout is used when omitted or empty.
+
+`--accesslog.filters.minduration`:  
+Keep access logs when request took longer than the specified duration. (Default: ```0```)
+
+`--accesslog.filters.retryattempts`:  
+Keep access logs when at least one retry happened. (Default: ```false```)
+
+`--accesslog.filters.statuscodes`:  
+Keep access logs with status codes in the specified range.
+
+`--accesslog.format`:  
+Access log format: json | common (Default: ```common```)
+
+`--api`:  
+Enable api/dashboard. (Default: ```false```)
+
+`--api.dashboard`:  
+Activate dashboard. (Default: ```true```)
+
+`--api.debug`:  
+Enable additional endpoints for debugging and profiling. (Default: ```false```)
+
+`--certificatesresolvers.<name>`:  
+Certificates resolvers configuration. (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.caserver`:  
+CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge`:  
+Activate DNS-01 Challenge. (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.delaybeforecheck`:  
+Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck`:  
+Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.dnschallenge.provider`:  
+Use a DNS-01 based challenge provider rather than HTTPS.
+
+`--certificatesresolvers.<name>.acme.dnschallenge.resolvers`:  
+Use following DNS servers to resolve the FQDN authority.
+
+`--certificatesresolvers.<name>.acme.email`:  
+Email address used for registration.
+
+`--certificatesresolvers.<name>.acme.httpchallenge`:  
+Activate HTTP-01 Challenge. (Default: ```false```)
+
+`--certificatesresolvers.<name>.acme.httpchallenge.entrypoint`:  
+HTTP challenge EntryPoint
+
+`--certificatesresolvers.<name>.acme.keytype`:  
+KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
+
+`--certificatesresolvers.<name>.acme.storage`:  
+Storage to use. (Default: ```acme.json```)
+
+`--certificatesresolvers.<name>.acme.tlschallenge`:  
+Activate TLS-ALPN-01 Challenge. (Default: ```true```)
+
+`--entrypoints.<name>`:  
+Entry points definition. (Default: ```false```)
+
+`--entrypoints.<name>.address`:  
+Entry point address.
+
+`--entrypoints.<name>.forwardedheaders.insecure`:  
+Trust all forwarded headers. (Default: ```false```)
+
+`--entrypoints.<name>.forwardedheaders.trustedips`:  
+Trust only forwarded headers from selected IPs.
+
+`--entrypoints.<name>.proxyprotocol`:  
+Proxy-Protocol configuration. (Default: ```false```)
+
+`--entrypoints.<name>.proxyprotocol.insecure`:  
+Trust all. (Default: ```false```)
+
+`--entrypoints.<name>.proxyprotocol.trustedips`:  
+Trust only selected IPs.
+
+`--entrypoints.<name>.transport.lifecycle.gracetimeout`:  
+Duration to give active requests a chance to finish before Traefik stops. (Default: ```10```)
+
+`--entrypoints.<name>.transport.lifecycle.requestacceptgracetimeout`:  
+Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. (Default: ```0```)
+
+`--entrypoints.<name>.transport.respondingtimeouts.idletimeout`:  
+IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: ```180```)
+
+`--entrypoints.<name>.transport.respondingtimeouts.readtimeout`:  
+ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```0```)
+
+`--entrypoints.<name>.transport.respondingtimeouts.writetimeout`:  
+WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: ```0```)
+
+`--global.checknewversion`:  
+Periodically check if a new version has been released. (Default: ```false```)
+
+`--global.sendanonymoususage`:  
+Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)
+
+`--hostresolver`:  
+Enable CNAME Flattening. (Default: ```false```)
+
+`--hostresolver.cnameflattening`:  
+A flag to enable/disable CNAME flattening (Default: ```false```)
+
+`--hostresolver.resolvconfig`:  
+resolv.conf used for DNS resolving (Default: ```/etc/resolv.conf```)
+
+`--hostresolver.resolvdepth`:  
+The maximal depth of DNS recursive resolving (Default: ```5```)
+
+`--log`:  
+Traefik log settings. (Default: ```false```)
+
+`--log.filepath`:  
+Traefik log file path. Stdout is used when omitted or empty.
+
+`--log.format`:  
+Traefik log format: json | common (Default: ```common```)
+
+`--log.level`:  
+Log level set to traefik logs. (Default: ```ERROR```)
+
+`--metrics.datadog`:  
+DataDog metrics exporter type. (Default: ```false```)
+
+`--metrics.datadog.addentrypointslabels`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`--metrics.datadog.address`:  
+DataDog's address. (Default: ```localhost:8125```)
+
+`--metrics.datadog.addserviceslabels`:  
+Enable metrics on services. (Default: ```true```)
+
+`--metrics.datadog.pushinterval`:  
+DataDog push interval. (Default: ```10```)
+
+`--metrics.influxdb`:  
+InfluxDB metrics exporter type. (Default: ```false```)
+
+`--metrics.influxdb.addentrypointslabels`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`--metrics.influxdb.address`:  
+InfluxDB address. (Default: ```localhost:8089```)
+
+`--metrics.influxdb.addserviceslabels`:  
+Enable metrics on services. (Default: ```true```)
+
+`--metrics.influxdb.database`:  
+InfluxDB database used when protocol is http.
+
+`--metrics.influxdb.password`:  
+InfluxDB password (only with http).
+
+`--metrics.influxdb.protocol`:  
+InfluxDB address protocol (udp or http). (Default: ```udp```)
+
+`--metrics.influxdb.pushinterval`:  
+InfluxDB push interval. (Default: ```10```)
+
+`--metrics.influxdb.retentionpolicy`:  
+InfluxDB retention policy used when protocol is http.
+
+`--metrics.influxdb.username`:  
+InfluxDB username (only with http).
+
+`--metrics.prometheus`:  
+Prometheus metrics exporter type. (Default: ```false```)
+
+`--metrics.prometheus.addentrypointslabels`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`--metrics.prometheus.addserviceslabels`:  
+Enable metrics on services. (Default: ```true```)
+
+`--metrics.prometheus.buckets`:  
+Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)
+
+`--metrics.statsd`:  
+StatsD metrics exporter type. (Default: ```false```)
+
+`--metrics.statsd.addentrypointslabels`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`--metrics.statsd.address`:  
+StatsD address. (Default: ```localhost:8125```)
+
+`--metrics.statsd.addserviceslabels`:  
+Enable metrics on services. (Default: ```true```)
+
+`--metrics.statsd.pushinterval`:  
+StatsD push interval. (Default: ```10```)
+
+`--ping`:  
+Enable ping. (Default: ```true```)
+
+`--providers.docker`:  
+Enable Docker backend with default settings. (Default: ```false```)
+
+`--providers.docker.constraints`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`--providers.docker.defaultrule`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`--providers.docker.endpoint`:  
+Docker server endpoint. Can be a tcp or a unix socket endpoint. (Default: ```unix:///var/run/docker.sock```)
+
+`--providers.docker.exposedbydefault`:  
+Expose containers by default. (Default: ```true```)
+
+`--providers.docker.network`:  
+Default Docker network used.
+
+`--providers.docker.swarmmode`:  
+Use Docker on Swarm Mode. (Default: ```false```)
+
+`--providers.docker.swarmmoderefreshseconds`:  
+Polling interval for swarm mode. (Default: ```15```)
+
+`--providers.docker.tls.ca`:  
+TLS CA
+
+`--providers.docker.tls.caoptional`:  
+TLS CA.Optional (Default: ```false```)
+
+`--providers.docker.tls.cert`:  
+TLS cert
+
+`--providers.docker.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--providers.docker.tls.key`:  
+TLS key
+
+`--providers.docker.usebindportip`:  
+Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
+
+`--providers.docker.watch`:  
+Watch provider. (Default: ```true```)
+
+`--providers.file.debugloggeneratedtemplate`:  
+Enable debug logging of generated configuration template. (Default: ```false```)
+
+`--providers.file.directory`:  
+Load configuration from one or more .toml files in a directory.
+
+`--providers.file.filename`:  
+Override default configuration template. For advanced users :)
+
+`--providers.file.watch`:  
+Watch provider. (Default: ```true```)
+
+`--providers.kubernetescrd`:  
+Enable Kubernetes backend with default settings. (Default: ```false```)
+
+`--providers.kubernetescrd.certauthfilepath`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`--providers.kubernetescrd.disablepasshostheaders`:  
+Kubernetes disable PassHost Headers. (Default: ```false```)
+
+`--providers.kubernetescrd.endpoint`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`--providers.kubernetescrd.ingressclass`:  
+Value of kubernetes.io/ingress.class annotation to watch for.
+
+`--providers.kubernetescrd.labelselector`:  
+Kubernetes label selector to use.
+
+`--providers.kubernetescrd.namespaces`:  
+Kubernetes namespaces.
+
+`--providers.kubernetescrd.token`:  
+Kubernetes bearer token (not needed for in-cluster client).
+
+`--providers.kubernetesingress`:  
+Enable Kubernetes backend with default settings. (Default: ```false```)
+
+`--providers.kubernetesingress.certauthfilepath`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`--providers.kubernetesingress.disablepasshostheaders`:  
+Kubernetes disable PassHost Headers. (Default: ```false```)
+
+`--providers.kubernetesingress.endpoint`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`--providers.kubernetesingress.ingressclass`:  
+Value of kubernetes.io/ingress.class annotation to watch for.
+
+`--providers.kubernetesingress.ingressendpoint.hostname`:  
+Hostname used for Kubernetes Ingress endpoints.
+
+`--providers.kubernetesingress.ingressendpoint.ip`:  
+IP used for Kubernetes Ingress endpoints.
+
+`--providers.kubernetesingress.ingressendpoint.publishedservice`:  
+Published Kubernetes Service to copy status from.
+
+`--providers.kubernetesingress.labelselector`:  
+Kubernetes Ingress label selector to use.
+
+`--providers.kubernetesingress.namespaces`:  
+Kubernetes namespaces.
+
+`--providers.kubernetesingress.token`:  
+Kubernetes bearer token (not needed for in-cluster client).
+
+`--providers.marathon`:  
+Enable Marathon backend with default settings. (Default: ```false```)
+
+`--providers.marathon.basic.httpbasicauthuser`:  
+Basic authentication User.
+
+`--providers.marathon.basic.httpbasicpassword`:  
+Basic authentication Password.
+
+`--providers.marathon.constraints`:  
+Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
+
+`--providers.marathon.dcostoken`:  
+DCOSToken for DCOS environment, This will override the Authorization header.
+
+`--providers.marathon.defaultrule`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`--providers.marathon.dialertimeout`:  
+Set a dialer timeout for Marathon. (Default: ```5```)
+
+`--providers.marathon.endpoint`:  
+Marathon server endpoint. You can also specify multiple endpoint for Marathon. (Default: ```http://127.0.0.1:8080```)
+
+`--providers.marathon.exposedbydefault`:  
+Expose Marathon apps by default. (Default: ```true```)
+
+`--providers.marathon.forcetaskhostname`:  
+Force to use the task's hostname. (Default: ```false```)
+
+`--providers.marathon.keepalive`:  
+Set a TCP Keep Alive time. (Default: ```10```)
+
+`--providers.marathon.respectreadinesschecks`:  
+Filter out tasks with non-successful readiness checks during deployments. (Default: ```false```)
+
+`--providers.marathon.responseheadertimeout`:  
+Set a response header timeout for Marathon. (Default: ```60```)
+
+`--providers.marathon.tls.ca`:  
+TLS CA
+
+`--providers.marathon.tls.caoptional`:  
+TLS CA.Optional (Default: ```false```)
+
+`--providers.marathon.tls.cert`:  
+TLS cert
+
+`--providers.marathon.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--providers.marathon.tls.key`:  
+TLS key
+
+`--providers.marathon.tlshandshaketimeout`:  
+Set a TLS handshake timeout for Marathon. (Default: ```5```)
+
+`--providers.marathon.trace`:  
+Display additional provider logs. (Default: ```false```)
+
+`--providers.marathon.watch`:  
+Watch provider. (Default: ```true```)
+
+`--providers.providersthrottleduration`:  
+Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. (Default: ```0```)
+
+`--providers.rancher`:  
+Enable Rancher backend with default settings. (Default: ```false```)
+
+`--providers.rancher.constraints`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`--providers.rancher.defaultrule`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`--providers.rancher.enableservicehealthfilter`:  
+Filter services with unhealthy states and inactive states. (Default: ```true```)
+
+`--providers.rancher.exposedbydefault`:  
+Expose containers by default. (Default: ```true```)
+
+`--providers.rancher.intervalpoll`:  
+Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate). (Default: ```false```)
+
+`--providers.rancher.prefix`:  
+Prefix used for accessing the Rancher metadata service. (Default: ```latest```)
+
+`--providers.rancher.refreshseconds`:  
+Defines the polling interval in seconds. (Default: ```15```)
+
+`--providers.rancher.watch`:  
+Watch provider. (Default: ```true```)
+
+`--providers.rest`:  
+Enable Rest backend with default settings. (Default: ```true```)
+
+`--serverstransport.forwardingtimeouts.dialtimeout`:  
+The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
+
+`--serverstransport.forwardingtimeouts.idleconntimeout`:  
+The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself (Default: ```90```)
+
+`--serverstransport.forwardingtimeouts.responseheadertimeout`:  
+The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. (Default: ```0```)
+
+`--serverstransport.insecureskipverify`:  
+Disable SSL certificate verification. (Default: ```false```)
+
+`--serverstransport.maxidleconnsperhost`:  
+If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used (Default: ```0```)
+
+`--serverstransport.rootcas`:  
+Add cert file for self-signed certificate.
+
+`--tracing`:  
+OpenTracing configuration. (Default: ```false```)
+
+`--tracing.datadog`:  
+Settings for DataDog. (Default: ```false```)
+
+`--tracing.datadog.bagageprefixheadername`:  
+Specifies the header name prefix that will be used to store baggage items in a map.
+
+`--tracing.datadog.debug`:  
+Enable DataDog debug. (Default: ```false```)
+
+`--tracing.datadog.globaltag`:  
+Key:Value tag to be set on all the spans.
+
+`--tracing.datadog.localagenthostport`:  
+Set datadog-agent's host:port that the reporter will used. (Default: ```localhost:8126```)
+
+`--tracing.datadog.parentidheadername`:  
+Specifies the header name that will be used to store the parent ID.
+
+`--tracing.datadog.prioritysampling`:  
+Enable priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: ```false```)
+
+`--tracing.datadog.samplingpriorityheadername`:  
+Specifies the header name that will be used to store the sampling priority.
+
+`--tracing.datadog.traceidheadername`:  
+Specifies the header name that will be used to store the trace ID.
+
+`--tracing.haystack`:  
+Settings for Haystack. (Default: ```false```)
+
+`--tracing.haystack.baggageprefixheadername`:  
+Specifies the header name prefix that will be used to store baggage items in a map.
+
+`--tracing.haystack.globaltag`:  
+Key:Value tag to be set on all the spans.
+
+`--tracing.haystack.localagenthost`:  
+Set haystack-agent's host that the reporter will used. (Default: ```LocalAgentHost```)
+
+`--tracing.haystack.localagentport`:  
+Set haystack-agent's port that the reporter will used. (Default: ```35000```)
+
+`--tracing.haystack.parentidheadername`:  
+Specifies the header name that will be used to store the parent ID.
+
+`--tracing.haystack.spanidheadername`:  
+Specifies the header name that will be used to store the span ID.
+
+`--tracing.haystack.traceidheadername`:  
+Specifies the header name that will be used to store the trace ID.
+
+`--tracing.instana`:  
+Settings for Instana. (Default: ```false```)
+
+`--tracing.instana.localagenthost`:  
+Set instana-agent's host that the reporter will used. (Default: ```localhost```)
+
+`--tracing.instana.localagentport`:  
+Set instana-agent's port that the reporter will used. (Default: ```42699```)
+
+`--tracing.instana.loglevel`:  
+Set instana-agent's log level. ('error','warn','info','debug') (Default: ```info```)
+
+`--tracing.jaeger`:  
+Settings for Jaeger. (Default: ```false```)
+
+`--tracing.jaeger.collector.endpoint`:  
+Instructs reporter to send spans to jaeger-collector at this URL.
+
+`--tracing.jaeger.collector.password`:  
+Password for basic http authentication when sending spans to jaeger-collector.
+
+`--tracing.jaeger.collector.user`:  
+User for basic http authentication when sending spans to jaeger-collector.
+
+`--tracing.jaeger.gen128bit`:  
+Generate 128 bit span IDs. (Default: ```false```)
+
+`--tracing.jaeger.localagenthostport`:  
+Set jaeger-agent's host:port that the reporter will used. (Default: ```127.0.0.1:6831```)
+
+`--tracing.jaeger.propagation`:  
+Which propagation format to use (jaeger/b3). (Default: ```jaeger```)
+
+`--tracing.jaeger.samplingparam`:  
+Set the sampling parameter. (Default: ```1.000000```)
+
+`--tracing.jaeger.samplingserverurl`:  
+Set the sampling server url. (Default: ```http://localhost:5778/sampling```)
+
+`--tracing.jaeger.samplingtype`:  
+Set the sampling type. (Default: ```const```)
+
+`--tracing.jaeger.tracecontextheadername`:  
+Set the header to use for the trace-id. (Default: ```uber-trace-id```)
+
+`--tracing.servicename`:  
+Set the name for this service. (Default: ```traefik```)
+
+`--tracing.spannamelimit`:  
+Set the maximum character limit for Span names (default 0 = no limit). (Default: ```0```)
+
+`--tracing.zipkin`:  
+Settings for Zipkin. (Default: ```false```)
+
+`--tracing.zipkin.debug`:  
+Enable Zipkin debug. (Default: ```false```)
+
+`--tracing.zipkin.httpendpoint`:  
+HTTP Endpoint to report traces to. (Default: ```http://localhost:9411/api/v1/spans```)
+
+`--tracing.zipkin.id128bit`:  
+Use Zipkin 128 bit root span IDs. (Default: ```true```)
+
+`--tracing.zipkin.samespan`:  
+Use Zipkin SameSpan RPC style traces. (Default: ```false```)
+
+`--tracing.zipkin.samplerate`:  
+The rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
--- a/docs/content/reference/static-configuration/cli.md
+++ b/docs/content/reference/static-configuration/cli.md
@@ -1,5 +1,4 @@
 # Static Configuration: CLI

-```txt
--8<-- "content/reference/static-configuration/cli.txt"
-```
+--8<-- "content/reference/static-configuration/cli-ref.md"
+
--- a/docs/content/reference/static-configuration/cli.txt
+++ b/docs/content/reference/static-configuration/cli.txt
@@ -1,608 +0,0 @@
--accesslog  (Default: "false")
-    Access log settings.
-
--accesslog.bufferingsize  (Default: "0")
-    Number of access log lines to process in a buffered way.
-
--accesslog.fields.defaultmode  (Default: "keep")
-    Default mode for fields: keep | drop
-
--accesslog.fields.headers.defaultmode  (Default: "keep")
-    Default mode for fields: keep | drop | redact
-
--accesslog.fields.headers.names.<name>  (Default: "")
-    Override mode for headers
-
--accesslog.fields.names.<name>  (Default: "")
-    Override mode for fields
-
--accesslog.filepath  (Default: "")
-    Access log file path. Stdout is used when omitted or empty.
-
--accesslog.filters.minduration  (Default: "0")
-    Keep access logs when request took longer than the specified duration.
-
--accesslog.filters.retryattempts  (Default: "false")
-    Keep access logs when at least one retry happened.
-
--accesslog.filters.statuscodes  (Default: "")
-    Keep access logs with status codes in the specified range.
-
--accesslog.format  (Default: "common")
-    Access log format: json | common
-
--acme.acmelogging  (Default: "false")
-    Enable debug logging of ACME actions.
-
--acme.caserver  (Default: "https://acme-v02.api.letsencrypt.org/directory")
-    CA server to use.
-
--acme.dnschallenge  (Default: "false")
-    Activate DNS-01 Challenge.
-
--acme.dnschallenge.delaybeforecheck  (Default: "0")
-    Assume DNS propagates after a delay in seconds rather than finding and querying
-    nameservers.
-
--acme.dnschallenge.disablepropagationcheck  (Default: "false")
-    Disable the DNS propagation checks before notifying ACME that the DNS challenge
-    is ready. [not recommended]
-
--acme.dnschallenge.provider  (Default: "")
-    Use a DNS-01 based challenge provider rather than HTTPS.
-
--acme.dnschallenge.resolvers  (Default: "")
-    Use following DNS servers to resolve the FQDN authority.
-
--acme.domains  (Default: "")
-    The list of domains for which certificates are generated on startup. Wildcard
-    domains only accepted with DNSChallenge.
-
--acme.domains[n].main  (Default: "")
-    Default subject name.
-
--acme.domains[n].sans  (Default: "")
-    Subject alternative names.
-
--acme.email  (Default: "")
-    Email address used for registration.
-
--acme.entrypoint  (Default: "")
-    EntryPoint to use.
-
--acme.httpchallenge  (Default: "false")
-    Activate HTTP-01 Challenge.
-
--acme.httpchallenge.entrypoint  (Default: "")
-    HTTP challenge EntryPoint
-
--acme.keytype  (Default: "RSA4096")
-    KeyType used for generating certificate private key. Allow value 'EC256',
-    'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
-
--acme.onhostrule  (Default: "false")
-    Enable certificate generation on router Host rules.
-
--acme.storage  (Default: "acme.json")
-    Storage to use.
-
--acme.tlschallenge  (Default: "true")
-    Activate TLS-ALPN-01 Challenge.
-
--api  (Default: "false")
-    Enable api/dashboard.
-
--api.dashboard  (Default: "true")
-    Activate dashboard.
-
--api.debug  (Default: "false")
-    Enable additional endpoints for debugging and profiling.
-
--api.entrypoint  (Default: "traefik")
-    The entry point that the API handler will be bound to.
-
--api.middlewares  (Default: "")
-    Middleware list.
-
--api.statistics  (Default: "false")
-    Enable more detailed statistics.
-
--api.statistics.recenterrors  (Default: "10")
-    Number of recent errors logged.
-
--configfile  (Default: "")
-    Configuration file to use. If specified all other flags are ignored.
-
--entrypoints.<name>  (Default: "false")
-    Entry points definition.
-
--entrypoints.<name>.address  (Default: "")
-    Entry point address.
-
--entrypoints.<name>.forwardedheaders.insecure  (Default: "false")
-    Trust all forwarded headers.
-
--entrypoints.<name>.forwardedheaders.trustedips  (Default: "")
-    Trust only forwarded headers from selected IPs.
-
--entrypoints.<name>.proxyprotocol  (Default: "false")
-    Proxy-Protocol configuration.
-
--entrypoints.<name>.proxyprotocol.insecure  (Default: "false")
-    Trust all.
-
--entrypoints.<name>.proxyprotocol.trustedips  (Default: "")
-    Trust only selected IPs.
-
--entrypoints.<name>.transport.lifecycle.gracetimeout  (Default: "10")
-    Duration to give active requests a chance to finish before Traefik stops.
-
--entrypoints.<name>.transport.lifecycle.requestacceptgracetimeout  (Default: "0")
-    Duration to keep accepting requests before Traefik initiates the graceful
-    shutdown procedure.
-
--entrypoints.<name>.transport.respondingtimeouts.idletimeout  (Default: "180")
-    IdleTimeout is the maximum amount duration an idle (keep-alive) connection will
-    remain idle before closing itself. If zero, no timeout is set.
-
--entrypoints.<name>.transport.respondingtimeouts.readtimeout  (Default: "0")
-    ReadTimeout is the maximum duration for reading the entire request, including
-    the body. If zero, no timeout is set.
-
--entrypoints.<name>.transport.respondingtimeouts.writetimeout  (Default: "0")
-    WriteTimeout is the maximum duration before timing out writes of the response.
-    If zero, no timeout is set.
-
--global.checknewversion  (Default: "true")
-    Periodically check if a new version has been released.
-
--global.sendanonymoususage
-    Periodically send anonymous usage statistics. If the option is not specified, it
-    will be enabled by default.
-
--hostresolver  (Default: "false")
-    Enable CNAME Flattening.
-
--hostresolver.cnameflattening  (Default: "false")
-    A flag to enable/disable CNAME flattening
-
--hostresolver.resolvconfig  (Default: "/etc/resolv.conf")
-    resolv.conf used for DNS resolving
-
--hostresolver.resolvdepth  (Default: "5")
-    The maximal depth of DNS recursive resolving
-
--log  (Default: "false")
-    Traefik log settings.
-
--log.filepath  (Default: "")
-    Traefik log file path. Stdout is used when omitted or empty.
-
--log.format  (Default: "common")
-    Traefik log format: json | common
-
--log.level  (Default: "ERROR")
-    Log level set to traefik logs.
-
--metrics.datadog  (Default: "false")
-    DataDog metrics exporter type.
-
--metrics.datadog.address  (Default: "localhost:8125")
-    DataDog's address.
-
--metrics.datadog.pushinterval  (Default: "10")
-    DataDog push interval.
-
--metrics.influxdb  (Default: "false")
-    InfluxDB metrics exporter type.
-
--metrics.influxdb.address  (Default: "localhost:8089")
-    InfluxDB address.
-
--metrics.influxdb.database  (Default: "")
-    InfluxDB database used when protocol is http.
-
--metrics.influxdb.password  (Default: "")
-    InfluxDB password (only with http).
-
--metrics.influxdb.protocol  (Default: "udp")
-    InfluxDB address protocol (udp or http).
-
--metrics.influxdb.pushinterval  (Default: "10")
-    InfluxDB push interval.
-
--metrics.influxdb.retentionpolicy  (Default: "")
-    InfluxDB retention policy used when protocol is http.
-
--metrics.influxdb.username  (Default: "")
-    InfluxDB username (only with http).
-
--metrics.prometheus  (Default: "false")
-    Prometheus metrics exporter type.
-
--metrics.prometheus.buckets  (Default: "0.100000, 0.300000, 1.200000, 5.000000")
-    Buckets for latency metrics.
-
--metrics.prometheus.entrypoint  (Default: "traefik")
-    EntryPoint.
-
--metrics.prometheus.middlewares  (Default: "")
-    Middlewares.
-
--metrics.statsd  (Default: "false")
-    StatsD metrics exporter type.
-
--metrics.statsd.address  (Default: "localhost:8125")
-    StatsD address.
-
--metrics.statsd.pushinterval  (Default: "10")
-    StatsD push interval.
-
--ping  (Default: "false")
-    Enable ping.
-
--ping.entrypoint  (Default: "traefik")
-    Ping entryPoint.
-
--ping.middlewares  (Default: "")
-    Middleware list.
-
--providers.docker  (Default: "false")
-    Enable Docker backend with default settings.
-
--providers.docker.constraints  (Default: "")
-    Constraints is an expression that Traefik matches against the container's labels
-    to determine whether to create any route for that container.
-
--providers.docker.defaultrule  (Default: "Host(`{{ normalize .Name }}`)")
-    Default rule.
-
--providers.docker.endpoint  (Default: "unix:///var/run/docker.sock")
-    Docker server endpoint. Can be a tcp or a unix socket endpoint.
-
--providers.docker.exposedbydefault  (Default: "true")
-    Expose containers by default.
-
--providers.docker.network  (Default: "")
-    Default Docker network used.
-
--providers.docker.swarmmode  (Default: "false")
-    Use Docker on Swarm Mode.
-
--providers.docker.swarmmoderefreshseconds  (Default: "15")
-    Polling interval for swarm mode.
-
--providers.docker.tls.ca  (Default: "")
-    TLS CA
-
--providers.docker.tls.caoptional  (Default: "false")
-    TLS CA.Optional
-
--providers.docker.tls.cert  (Default: "")
-    TLS cert
-
--providers.docker.tls.insecureskipverify  (Default: "false")
-    TLS insecure skip verify
-
--providers.docker.tls.key  (Default: "")
-    TLS key
-
--providers.docker.usebindportip  (Default: "false")
-    Use the ip address from the bound port, rather than from the inner network.
-
--providers.docker.watch  (Default: "true")
-    Watch provider.
-
--providers.file  (Default: "false")
-    Enable File backend with default settings.
-
--providers.file.debugloggeneratedtemplate  (Default: "false")
-    Enable debug logging of generated configuration template.
-
--providers.file.directory  (Default: "")
-    Load configuration from one or more .toml files in a directory.
-
--providers.file.filename  (Default: "")
-    Override default configuration template. For advanced users :)
-
--providers.file.watch  (Default: "true")
-    Watch provider.
-
--providers.kubernetes  (Default: "false")
-    Enable Kubernetes backend with default settings.
-
--providers.kubernetes.certauthfilepath  (Default: "")
-    Kubernetes certificate authority file path (not needed for in-cluster client).
-
--providers.kubernetes.disablepasshostheaders  (Default: "false")
-    Kubernetes disable PassHost Headers.
-
--providers.kubernetes.endpoint  (Default: "")
-    Kubernetes server endpoint (required for external cluster client).
-
--providers.kubernetes.ingressclass  (Default: "")
-    Value of kubernetes.io/ingress.class annotation to watch for.
-
--providers.kubernetes.ingressendpoint.hostname  (Default: "")
-    Hostname used for Kubernetes Ingress endpoints.
-
--providers.kubernetes.ingressendpoint.ip  (Default: "")
-    IP used for Kubernetes Ingress endpoints.
-
--providers.kubernetes.ingressendpoint.publishedservice  (Default: "")
-    Published Kubernetes Service to copy status from.
-
--providers.kubernetes.labelselector  (Default: "")
-    Kubernetes Ingress label selector to use.
-
--providers.kubernetes.namespaces  (Default: "")
-    Kubernetes namespaces.
-
--providers.kubernetes.token  (Default: "")
-    Kubernetes bearer token (not needed for in-cluster client).
-
--providers.kubernetescrd  (Default: "false")
-    Enable Kubernetes backend with default settings.
-
--providers.kubernetescrd.certauthfilepath  (Default: "")
-    Kubernetes certificate authority file path (not needed for in-cluster client).
-
--providers.kubernetescrd.disablepasshostheaders  (Default: "false")
-    Kubernetes disable PassHost Headers.
-
--providers.kubernetescrd.endpoint  (Default: "")
-    Kubernetes server endpoint (required for external cluster client).
-
--providers.kubernetescrd.ingressclass  (Default: "")
-    Value of kubernetes.io/ingress.class annotation to watch for.
-
--providers.kubernetescrd.labelselector  (Default: "")
-    Kubernetes label selector to use.
-
--providers.kubernetescrd.namespaces  (Default: "")
-    Kubernetes namespaces.
-
--providers.kubernetescrd.token  (Default: "")
-    Kubernetes bearer token (not needed for in-cluster client).
-
--providers.marathon  (Default: "false")
-    Enable Marathon backend with default settings.
-
--providers.marathon.basic.httpbasicauthuser  (Default: "")
-    Basic authentication User.
-
--providers.marathon.basic.httpbasicpassword  (Default: "")
-    Basic authentication Password.
-
--providers.marathon.constraints  (Default: "")
-    Constraints is an expression that Traefik matches against the application's
-    labels to determine whether to create any route for that application.
-
--providers.marathon.dcostoken  (Default: "")
-    DCOSToken for DCOS environment, This will override the Authorization header.
-
--providers.marathon.defaultrule  (Default: "Host(`{{ normalize .Name }}`)")
-    Default rule.
-
--providers.marathon.dialertimeout  (Default: "5")
-    Set a dialer timeout for Marathon.
-
--providers.marathon.endpoint  (Default: "http://127.0.0.1:8080")
-    Marathon server endpoint. You can also specify multiple endpoint for Marathon.
-
--providers.marathon.exposedbydefault  (Default: "true")
-    Expose Marathon apps by default.
-
--providers.marathon.forcetaskhostname  (Default: "false")
-    Force to use the task's hostname.
-
--providers.marathon.keepalive  (Default: "10")
-    Set a TCP Keep Alive time.
-
--providers.marathon.respectreadinesschecks  (Default: "false")
-    Filter out tasks with non-successful readiness checks during deployments.
-
--providers.marathon.responseheadertimeout  (Default: "60")
-    Set a response header timeout for Marathon.
-
--providers.marathon.tls.ca  (Default: "")
-    TLS CA
-
--providers.marathon.tls.caoptional  (Default: "false")
-    TLS CA.Optional
-
--providers.marathon.tls.cert  (Default: "")
-    TLS cert
-
--providers.marathon.tls.insecureskipverify  (Default: "false")
-    TLS insecure skip verify
-
--providers.marathon.tls.key  (Default: "")
-    TLS key
-
--providers.marathon.tlshandshaketimeout  (Default: "5")
-    Set a TLS handshake timeout for Marathon.
-
--providers.marathon.trace  (Default: "false")
-    Display additional provider logs.
-
--providers.marathon.watch  (Default: "true")
-    Watch provider.
-
--providers.providersthrottleduration  (Default: "2")
-    Backends throttle duration: minimum duration between 2 events from providers
-    before applying a new configuration. It avoids unnecessary reloads if multiples
-    events are sent in a short amount of time.
-
--providers.rancher  (Default: "false")
-    Enable Rancher backend with default settings.
-
--providers.rancher.constraints  (Default: "")
-    Constraints is an expression that Traefik matches against the container's labels
-    to determine whether to create any route for that container.
-
--providers.rancher.defaultrule  (Default: "Host(`{{ normalize .Name }}`)")
-    Default rule.
-
--providers.rancher.enableservicehealthfilter  (Default: "true")
-    Filter services with unhealthy states and inactive states.
-
--providers.rancher.exposedbydefault  (Default: "true")
-    Expose containers by default.
-
--providers.rancher.intervalpoll  (Default: "false")
-    Poll the Rancher metadata service every 'rancher.refreshseconds' (less
-    accurate).
-
--providers.rancher.prefix  (Default: "latest")
-    Prefix used for accessing the Rancher metadata service.
-
--providers.rancher.refreshseconds  (Default: "15")
-    Defines the polling interval in seconds.
-
--providers.rancher.watch  (Default: "true")
-    Watch provider.
-
--providers.rest  (Default: "false")
-    Enable Rest backend with default settings.
-
--providers.rest.entrypoint  (Default: "traefik")
-    EntryPoint.
-
--serverstransport.forwardingtimeouts.dialtimeout  (Default: "30")
-    The amount of time to wait until a connection to a backend server can be
-    established. If zero, no timeout exists.
-
--serverstransport.forwardingtimeouts.responseheadertimeout  (Default: "0")
-    The amount of time to wait for a server's response headers after fully writing
-    the request (including its body, if any). If zero, no timeout exists.
-
--serverstransport.insecureskipverify  (Default: "false")
-    Disable SSL certificate verification.
-
--serverstransport.maxidleconnsperhost  (Default: "200")
-    If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero,
-    DefaultMaxIdleConnsPerHost is used
-
--serverstransport.rootcas  (Default: "")
-    Add cert file for self-signed certificate.
-
--tracing  (Default: "false")
-    OpenTracing configuration.
-
--tracing.backend  (Default: "jaeger")
-    Selects the tracking backend ('jaeger','zipkin','datadog','instana').
-
--tracing.datadog  (Default: "false")
-    Settings for DataDog.
-
--tracing.datadog.bagageprefixheadername  (Default: "")
-    Specifies the header name prefix that will be used to store baggage items in a
-    map.
-
--tracing.datadog.debug  (Default: "false")
-    Enable DataDog debug.
-
--tracing.datadog.globaltag  (Default: "")
-    Key:Value tag to be set on all the spans.
-
--tracing.datadog.localagenthostport  (Default: "localhost:8126")
-    Set datadog-agent's host:port that the reporter will used.
-
--tracing.datadog.parentidheadername  (Default: "")
-    Specifies the header name that will be used to store the parent ID.
-
--tracing.datadog.prioritysampling  (Default: "false")
-    Enable priority sampling. When using distributed tracing, this option must be
-    enabled in order to get all the parts of a distributed trace sampled.
-
--tracing.datadog.samplingpriorityheadername  (Default: "")
-    Specifies the header name that will be used to store the sampling priority.
-
--tracing.datadog.traceidheadername  (Default: "")
-    Specifies the header name that will be used to store the trace ID.
-
--tracing.haystack  (Default: "false")
-    Settings for Haystack.
-
--tracing.haystack.baggageprefixheadername  (Default: "")
-    specifies the header name prefix that will be used to store baggage items in a
-    map.
-
--tracing.haystack.globaltag  (Default: "")
-    Key:Value tag to be set on all the spans.
-
--tracing.haystack.localagenthost  (Default: "LocalAgentHost")
-    Set haystack-agent's host that the reporter will used.
-
--tracing.haystack.localagentport  (Default: "35000")
-    Set haystack-agent's port that the reporter will used.
-
--tracing.haystack.parentidheadername  (Default: "")
-    Specifies the header name that will be used to store the parent ID.
-
--tracing.haystack.spanidheadername  (Default: "")
-    Specifies the header name that will be used to store the span ID.
-
--tracing.haystack.traceidheadername  (Default: "")
-    Specifies the header name that will be used to store the trace ID.
-
--tracing.instana  (Default: "false")
-    Settings for Instana.
-
--tracing.instana.localagenthost  (Default: "localhost")
-    Set instana-agent's host that the reporter will used.
-
--tracing.instana.localagentport  (Default: "42699")
-    Set instana-agent's port that the reporter will used.
-
--tracing.instana.loglevel  (Default: "info")
-    Set instana-agent's log level. ('error','warn','info','debug')
-
--tracing.jaeger  (Default: "false")
-    Settings for jaeger.
-
--tracing.jaeger.gen128bit  (Default: "false")
-    Generate 128 bit span IDs.
-
--tracing.jaeger.localagenthostport  (Default: "127.0.0.1:6831")
-    Set jaeger-agent's host:port that the reporter will used.
-
--tracing.jaeger.propagation  (Default: "jaeger")
-    Which propgation format to use (jaeger/b3).
-
--tracing.jaeger.samplingparam  (Default: "1.000000")
-    Set the sampling parameter.
-
--tracing.jaeger.samplingserverurl  (Default: "http://localhost:5778/sampling")
-    Set the sampling server url.
-
--tracing.jaeger.samplingtype  (Default: "const")
-    Set the sampling type.
-
--tracing.jaeger.tracecontextheadername  (Default: "uber-trace-id")
-    Set the header to use for the trace-id.
-
--tracing.servicename  (Default: "traefik")
-    Set the name for this service.
-
--tracing.spannamelimit  (Default: "0")
-    Set the maximum character limit for Span names (default 0 = no limit).
-
--tracing.zipkin  (Default: "false")
-    Settings for zipkin.
-
--tracing.zipkin.debug  (Default: "false")
-    Enable Zipkin debug.
-
--tracing.zipkin.httpendpoint  (Default: "http://localhost:9411/api/v1/spans")
-    HTTP Endpoint to report traces to.
-
--tracing.zipkin.id128bit  (Default: "true")
-    Use Zipkin 128 bit root span IDs.
-
--tracing.zipkin.samespan  (Default: "false")
-    Use Zipkin SameSpan RPC style traces.
-
--tracing.zipkin.samplerate  (Default: "1.000000")
-    The rate between 0.0 and 1.0 of requests to trace.
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -0,0 +1,577 @@
+<!--
+CODE GENERATED AUTOMATICALLY
+THIS FILE MUST NOT BE EDITED BY HAND
+-->
+
+`TRAEFIK_ACCESSLOG`:  
+Access log settings. (Default: ```false```)
+
+`TRAEFIK_ACCESSLOG_BUFFERINGSIZE`:  
+Number of access log lines to process in a buffered way. (Default: ```0```)
+
+`TRAEFIK_ACCESSLOG_FIELDS_DEFAULTMODE`:  
+Default mode for fields: keep | drop (Default: ```keep```)
+
+`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_DEFAULTMODE`:  
+Default mode for fields: keep | drop | redact (Default: ```drop```)
+
+`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_NAMES_<NAME>`:  
+Override mode for headers
+
+`TRAEFIK_ACCESSLOG_FIELDS_NAMES_<NAME>`:  
+Override mode for fields
+
+`TRAEFIK_ACCESSLOG_FILEPATH`:  
+Access log file path. Stdout is used when omitted or empty.
+
+`TRAEFIK_ACCESSLOG_FILTERS_MINDURATION`:  
+Keep access logs when request took longer than the specified duration. (Default: ```0```)
+
+`TRAEFIK_ACCESSLOG_FILTERS_RETRYATTEMPTS`:  
+Keep access logs when at least one retry happened. (Default: ```false```)
+
+`TRAEFIK_ACCESSLOG_FILTERS_STATUSCODES`:  
+Keep access logs with status codes in the specified range.
+
+`TRAEFIK_ACCESSLOG_FORMAT`:  
+Access log format: json | common (Default: ```common```)
+
+`TRAEFIK_API`:  
+Enable api/dashboard. (Default: ```false```)
+
+`TRAEFIK_API_DASHBOARD`:  
+Activate dashboard. (Default: ```true```)
+
+`TRAEFIK_API_DEBUG`:  
+Enable additional endpoints for debugging and profiling. (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>`:  
+Certificates resolvers configuration. (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CASERVER`:  
+CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`:  
+Activate DNS-01 Challenge. (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DELAYBEFORECHECK`:  
+Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:  
+Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROVIDER`:  
+Use a DNS-01 based challenge provider rather than HTTPS.
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_RESOLVERS`:  
+Use following DNS servers to resolve the FQDN authority.
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_EMAIL`:  
+Email address used for registration.
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE`:  
+Activate HTTP-01 Challenge. (Default: ```false```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_ENTRYPOINT`:  
+HTTP challenge EntryPoint
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_KEYTYPE`:  
+KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_STORAGE`:  
+Storage to use. (Default: ```acme.json```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_TLSCHALLENGE`:  
+Activate TLS-ALPN-01 Challenge. (Default: ```true```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>`:  
+Entry points definition. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_ADDRESS`:  
+Entry point address.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`:  
+Trust all forwarded headers. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_TRUSTEDIPS`:  
+Trust only forwarded headers from selected IPs.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL`:  
+Proxy-Protocol configuration. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL_INSECURE`:  
+Trust all. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL_TRUSTEDIPS`:  
+Trust only selected IPs.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_LIFECYCLE_GRACETIMEOUT`:  
+Duration to give active requests a chance to finish before Traefik stops. (Default: ```10```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_LIFECYCLE_REQUESTACCEPTGRACETIMEOUT`:  
+Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. (Default: ```0```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_IDLETIMEOUT`:  
+IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: ```180```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_READTIMEOUT`:  
+ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```0```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_WRITETIMEOUT`:  
+WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: ```0```)
+
+`TRAEFIK_GLOBAL_CHECKNEWVERSION`:  
+Periodically check if a new version has been released. (Default: ```false```)
+
+`TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE`:  
+Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)
+
+`TRAEFIK_HOSTRESOLVER`:  
+Enable CNAME Flattening. (Default: ```false```)
+
+`TRAEFIK_HOSTRESOLVER_CNAMEFLATTENING`:  
+A flag to enable/disable CNAME flattening (Default: ```false```)
+
+`TRAEFIK_HOSTRESOLVER_RESOLVCONFIG`:  
+resolv.conf used for DNS resolving (Default: ```/etc/resolv.conf```)
+
+`TRAEFIK_HOSTRESOLVER_RESOLVDEPTH`:  
+The maximal depth of DNS recursive resolving (Default: ```5```)
+
+`TRAEFIK_LOG`:  
+Traefik log settings. (Default: ```false```)
+
+`TRAEFIK_LOG_FILEPATH`:  
+Traefik log file path. Stdout is used when omitted or empty.
+
+`TRAEFIK_LOG_FORMAT`:  
+Traefik log format: json | common (Default: ```common```)
+
+`TRAEFIK_LOG_LEVEL`:  
+Log level set to traefik logs. (Default: ```ERROR```)
+
+`TRAEFIK_METRICS_DATADOG`:  
+DataDog metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_DATADOG_ADDENTRYPOINTSLABELS`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`TRAEFIK_METRICS_DATADOG_ADDRESS`:  
+DataDog's address. (Default: ```localhost:8125```)
+
+`TRAEFIK_METRICS_DATADOG_ADDSERVICESLABELS`:  
+Enable metrics on services. (Default: ```true```)
+
+`TRAEFIK_METRICS_DATADOG_PUSHINTERVAL`:  
+DataDog push interval. (Default: ```10```)
+
+`TRAEFIK_METRICS_INFLUXDB`:  
+InfluxDB metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_INFLUXDB_ADDENTRYPOINTSLABELS`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`TRAEFIK_METRICS_INFLUXDB_ADDRESS`:  
+InfluxDB address. (Default: ```localhost:8089```)
+
+`TRAEFIK_METRICS_INFLUXDB_ADDSERVICESLABELS`:  
+Enable metrics on services. (Default: ```true```)
+
+`TRAEFIK_METRICS_INFLUXDB_DATABASE`:  
+InfluxDB database used when protocol is http.
+
+`TRAEFIK_METRICS_INFLUXDB_PASSWORD`:  
+InfluxDB password (only with http).
+
+`TRAEFIK_METRICS_INFLUXDB_PROTOCOL`:  
+InfluxDB address protocol (udp or http). (Default: ```udp```)
+
+`TRAEFIK_METRICS_INFLUXDB_PUSHINTERVAL`:  
+InfluxDB push interval. (Default: ```10```)
+
+`TRAEFIK_METRICS_INFLUXDB_RETENTIONPOLICY`:  
+InfluxDB retention policy used when protocol is http.
+
+`TRAEFIK_METRICS_INFLUXDB_USERNAME`:  
+InfluxDB username (only with http).
+
+`TRAEFIK_METRICS_PROMETHEUS`:  
+Prometheus metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_PROMETHEUS_ADDENTRYPOINTSLABELS`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`TRAEFIK_METRICS_PROMETHEUS_ADDSERVICESLABELS`:  
+Enable metrics on services. (Default: ```true```)
+
+`TRAEFIK_METRICS_PROMETHEUS_BUCKETS`:  
+Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)
+
+`TRAEFIK_METRICS_STATSD`:  
+StatsD metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_STATSD_ADDENTRYPOINTSLABELS`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`TRAEFIK_METRICS_STATSD_ADDRESS`:  
+StatsD address. (Default: ```localhost:8125```)
+
+`TRAEFIK_METRICS_STATSD_ADDSERVICESLABELS`:  
+Enable metrics on services. (Default: ```true```)
+
+`TRAEFIK_METRICS_STATSD_PUSHINTERVAL`:  
+StatsD push interval. (Default: ```10```)
+
+`TRAEFIK_PING`:  
+Enable ping. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_DOCKER`:  
+Enable Docker backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_CONSTRAINTS`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`TRAEFIK_PROVIDERS_DOCKER_DEFAULTRULE`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`TRAEFIK_PROVIDERS_DOCKER_ENDPOINT`:  
+Docker server endpoint. Can be a tcp or a unix socket endpoint. (Default: ```unix:///var/run/docker.sock```)
+
+`TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT`:  
+Expose containers by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_DOCKER_NETWORK`:  
+Default Docker network used.
+
+`TRAEFIK_PROVIDERS_DOCKER_SWARMMODE`:  
+Use Docker on Swarm Mode. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_SWARMMODEREFRESHSECONDS`:  
+Polling interval for swarm mode. (Default: ```15```)
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_CAOPTIONAL`:  
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_TLS_KEY`:  
+TLS key
+
+`TRAEFIK_PROVIDERS_DOCKER_USEBINDPORTIP`:  
+Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_DOCKER_WATCH`:  
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_FILE_DEBUGLOGGENERATEDTEMPLATE`:  
+Enable debug logging of generated configuration template. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_FILE_DIRECTORY`:  
+Load configuration from one or more .toml files in a directory.
+
+`TRAEFIK_PROVIDERS_FILE_FILENAME`:  
+Override default configuration template. For advanced users :)
+
+`TRAEFIK_PROVIDERS_FILE_WATCH`:  
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD`:  
+Enable Kubernetes backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_CERTAUTHFILEPATH`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_DISABLEPASSHOSTHEADERS`:  
+Kubernetes disable PassHost Headers. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_ENDPOINT`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_INGRESSCLASS`:  
+Value of kubernetes.io/ingress.class annotation to watch for.
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_LABELSELECTOR`:  
+Kubernetes label selector to use.
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_NAMESPACES`:  
+Kubernetes namespaces.
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_TOKEN`:  
+Kubernetes bearer token (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS`:  
+Enable Kubernetes backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_CERTAUTHFILEPATH`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_DISABLEPASSHOSTHEADERS`:  
+Kubernetes disable PassHost Headers. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_ENDPOINT`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_INGRESSCLASS`:  
+Value of kubernetes.io/ingress.class annotation to watch for.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_INGRESSENDPOINT_HOSTNAME`:  
+Hostname used for Kubernetes Ingress endpoints.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_INGRESSENDPOINT_IP`:  
+IP used for Kubernetes Ingress endpoints.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_INGRESSENDPOINT_PUBLISHEDSERVICE`:  
+Published Kubernetes Service to copy status from.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_LABELSELECTOR`:  
+Kubernetes Ingress label selector to use.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_NAMESPACES`:  
+Kubernetes namespaces.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_TOKEN`:  
+Kubernetes bearer token (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_MARATHON`:  
+Enable Marathon backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_BASIC_HTTPBASICAUTHUSER`:  
+Basic authentication User.
+
+`TRAEFIK_PROVIDERS_MARATHON_BASIC_HTTPBASICPASSWORD`:  
+Basic authentication Password.
+
+`TRAEFIK_PROVIDERS_MARATHON_CONSTRAINTS`:  
+Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
+
+`TRAEFIK_PROVIDERS_MARATHON_DCOSTOKEN`:  
+DCOSToken for DCOS environment, This will override the Authorization header.
+
+`TRAEFIK_PROVIDERS_MARATHON_DEFAULTRULE`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`TRAEFIK_PROVIDERS_MARATHON_DIALERTIMEOUT`:  
+Set a dialer timeout for Marathon. (Default: ```5```)
+
+`TRAEFIK_PROVIDERS_MARATHON_ENDPOINT`:  
+Marathon server endpoint. You can also specify multiple endpoint for Marathon. (Default: ```http://127.0.0.1:8080```)
+
+`TRAEFIK_PROVIDERS_MARATHON_EXPOSEDBYDEFAULT`:  
+Expose Marathon apps by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_MARATHON_FORCETASKHOSTNAME`:  
+Force to use the task's hostname. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_KEEPALIVE`:  
+Set a TCP Keep Alive time. (Default: ```10```)
+
+`TRAEFIK_PROVIDERS_MARATHON_RESPECTREADINESSCHECKS`:  
+Filter out tasks with non-successful readiness checks during deployments. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_RESPONSEHEADERTIMEOUT`:  
+Set a response header timeout for Marathon. (Default: ```60```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLSHANDSHAKETIMEOUT`:  
+Set a TLS handshake timeout for Marathon. (Default: ```5```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_CAOPTIONAL`:  
+TLS CA.Optional (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_TLS_KEY`:  
+TLS key
+
+`TRAEFIK_PROVIDERS_MARATHON_TRACE`:  
+Display additional provider logs. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_MARATHON_WATCH`:  
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_PROVIDERSTHROTTLEDURATION`:  
+Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. (Default: ```0```)
+
+`TRAEFIK_PROVIDERS_RANCHER`:  
+Enable Rancher backend with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_RANCHER_CONSTRAINTS`:  
+Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
+
+`TRAEFIK_PROVIDERS_RANCHER_DEFAULTRULE`:  
+Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
+
+`TRAEFIK_PROVIDERS_RANCHER_ENABLESERVICEHEALTHFILTER`:  
+Filter services with unhealthy states and inactive states. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_RANCHER_EXPOSEDBYDEFAULT`:  
+Expose containers by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_RANCHER_INTERVALPOLL`:  
+Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate). (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_RANCHER_PREFIX`:  
+Prefix used for accessing the Rancher metadata service. (Default: ```latest```)
+
+`TRAEFIK_PROVIDERS_RANCHER_REFRESHSECONDS`:  
+Defines the polling interval in seconds. (Default: ```15```)
+
+`TRAEFIK_PROVIDERS_RANCHER_WATCH`:  
+Watch provider. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_REST`:  
+Enable Rest backend with default settings. (Default: ```true```)
+
+`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_DIALTIMEOUT`:  
+The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
+
+`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_IDLECONNTIMEOUT`:  
+The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself (Default: ```90```)
+
+`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_RESPONSEHEADERTIMEOUT`:  
+The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. (Default: ```0```)
+
+`TRAEFIK_SERVERSTRANSPORT_INSECURESKIPVERIFY`:  
+Disable SSL certificate verification. (Default: ```false```)
+
+`TRAEFIK_SERVERSTRANSPORT_MAXIDLECONNSPERHOST`:  
+If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used (Default: ```0```)
+
+`TRAEFIK_SERVERSTRANSPORT_ROOTCAS`:  
+Add cert file for self-signed certificate.
+
+`TRAEFIK_TRACING`:  
+OpenTracing configuration. (Default: ```false```)
+
+`TRAEFIK_TRACING_DATADOG`:  
+Settings for DataDog. (Default: ```false```)
+
+`TRAEFIK_TRACING_DATADOG_BAGAGEPREFIXHEADERNAME`:  
+Specifies the header name prefix that will be used to store baggage items in a map.
+
+`TRAEFIK_TRACING_DATADOG_DEBUG`:  
+Enable DataDog debug. (Default: ```false```)
+
+`TRAEFIK_TRACING_DATADOG_GLOBALTAG`:  
+Key:Value tag to be set on all the spans.
+
+`TRAEFIK_TRACING_DATADOG_LOCALAGENTHOSTPORT`:  
+Set datadog-agent's host:port that the reporter will used. (Default: ```localhost:8126```)
+
+`TRAEFIK_TRACING_DATADOG_PARENTIDHEADERNAME`:  
+Specifies the header name that will be used to store the parent ID.
+
+`TRAEFIK_TRACING_DATADOG_PRIORITYSAMPLING`:  
+Enable priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: ```false```)
+
+`TRAEFIK_TRACING_DATADOG_SAMPLINGPRIORITYHEADERNAME`:  
+Specifies the header name that will be used to store the sampling priority.
+
+`TRAEFIK_TRACING_DATADOG_TRACEIDHEADERNAME`:  
+Specifies the header name that will be used to store the trace ID.
+
+`TRAEFIK_TRACING_HAYSTACK`:  
+Settings for Haystack. (Default: ```false```)
+
+`TRAEFIK_TRACING_HAYSTACK_BAGGAGEPREFIXHEADERNAME`:  
+Specifies the header name prefix that will be used to store baggage items in a map.
+
+`TRAEFIK_TRACING_HAYSTACK_GLOBALTAG`:  
+Key:Value tag to be set on all the spans.
+
+`TRAEFIK_TRACING_HAYSTACK_LOCALAGENTHOST`:  
+Set haystack-agent's host that the reporter will used. (Default: ```LocalAgentHost```)
+
+`TRAEFIK_TRACING_HAYSTACK_LOCALAGENTPORT`:  
+Set haystack-agent's port that the reporter will used. (Default: ```35000```)
+
+`TRAEFIK_TRACING_HAYSTACK_PARENTIDHEADERNAME`:  
+Specifies the header name that will be used to store the parent ID.
+
+`TRAEFIK_TRACING_HAYSTACK_SPANIDHEADERNAME`:  
+Specifies the header name that will be used to store the span ID.
+
+`TRAEFIK_TRACING_HAYSTACK_TRACEIDHEADERNAME`:  
+Specifies the header name that will be used to store the trace ID.
+
+`TRAEFIK_TRACING_INSTANA`:  
+Settings for Instana. (Default: ```false```)
+
+`TRAEFIK_TRACING_INSTANA_LOCALAGENTHOST`:  
+Set instana-agent's host that the reporter will used. (Default: ```localhost```)
+
+`TRAEFIK_TRACING_INSTANA_LOCALAGENTPORT`:  
+Set instana-agent's port that the reporter will used. (Default: ```42699```)
+
+`TRAEFIK_TRACING_INSTANA_LOGLEVEL`:  
+Set instana-agent's log level. ('error','warn','info','debug') (Default: ```info```)
+
+`TRAEFIK_TRACING_JAEGER`:  
+Settings for Jaeger. (Default: ```false```)
+
+`TRAEFIK_TRACING_JAEGER_COLLECTOR_ENDPOINT`:  
+Instructs reporter to send spans to jaeger-collector at this URL.
+
+`TRAEFIK_TRACING_JAEGER_COLLECTOR_PASSWORD`:  
+Password for basic http authentication when sending spans to jaeger-collector.
+
+`TRAEFIK_TRACING_JAEGER_COLLECTOR_USER`:  
+User for basic http authentication when sending spans to jaeger-collector.
+
+`TRAEFIK_TRACING_JAEGER_GEN128BIT`:  
+Generate 128 bit span IDs. (Default: ```false```)
+
+`TRAEFIK_TRACING_JAEGER_LOCALAGENTHOSTPORT`:  
+Set jaeger-agent's host:port that the reporter will used. (Default: ```127.0.0.1:6831```)
+
+`TRAEFIK_TRACING_JAEGER_PROPAGATION`:  
+Which propagation format to use (jaeger/b3). (Default: ```jaeger```)
+
+`TRAEFIK_TRACING_JAEGER_SAMPLINGPARAM`:  
+Set the sampling parameter. (Default: ```1.000000```)
+
+`TRAEFIK_TRACING_JAEGER_SAMPLINGSERVERURL`:  
+Set the sampling server url. (Default: ```http://localhost:5778/sampling```)
+
+`TRAEFIK_TRACING_JAEGER_SAMPLINGTYPE`:  
+Set the sampling type. (Default: ```const```)
+
+`TRAEFIK_TRACING_JAEGER_TRACECONTEXTHEADERNAME`:  
+Set the header to use for the trace-id. (Default: ```uber-trace-id```)
+
+`TRAEFIK_TRACING_SERVICENAME`:  
+Set the name for this service. (Default: ```traefik```)
+
+`TRAEFIK_TRACING_SPANNAMELIMIT`:  
+Set the maximum character limit for Span names (default 0 = no limit). (Default: ```0```)
+
+`TRAEFIK_TRACING_ZIPKIN`:  
+Settings for Zipkin. (Default: ```false```)
+
+`TRAEFIK_TRACING_ZIPKIN_DEBUG`:  
+Enable Zipkin debug. (Default: ```false```)
+
+`TRAEFIK_TRACING_ZIPKIN_HTTPENDPOINT`:  
+HTTP Endpoint to report traces to. (Default: ```http://localhost:9411/api/v1/spans```)
+
+`TRAEFIK_TRACING_ZIPKIN_ID128BIT`:  
+Use Zipkin 128 bit root span IDs. (Default: ```true```)
+
+`TRAEFIK_TRACING_ZIPKIN_SAMESPAN`:  
+Use Zipkin SameSpan RPC style traces. (Default: ```false```)
+
+`TRAEFIK_TRACING_ZIPKIN_SAMPLERATE`:  
+The rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
--- a/docs/content/reference/static-configuration/env.md
+++ b/docs/content/reference/static-configuration/env.md
@@ -1,589 +1,3 @@
 # Static Configuration: Environment variables

-`TRAEFIK_ACCESSLOG`:  
-Access log settings. (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_BUFFERINGSIZE`:  
-Number of access log lines to process in a buffered way. (Default: ```0```)
-
-`TRAEFIK_ACCESSLOG_FIELDS_DEFAULTMODE`:  
-Default mode for fields: keep | drop (Default: ```keep```)
-
-`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_DEFAULTMODE`:  
-Default mode for fields: keep | drop | redact (Default: ```keep```)
-
-`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_NAMES_<NAME>`:  
-Override mode for headers
-
-`TRAEFIK_ACCESSLOG_FIELDS_NAMES_<NAME>`:  
-Override mode for fields
-
-`TRAEFIK_ACCESSLOG_FILEPATH`:  
-Access log file path. Stdout is used when omitted or empty.
-
-`TRAEFIK_ACCESSLOG_FILTERS_MINDURATION`:  
-Keep access logs when request took longer than the specified duration. (Default: ```0```)
-
-`TRAEFIK_ACCESSLOG_FILTERS_RETRYATTEMPTS`:  
-Keep access logs when at least one retry happened. (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_FILTERS_STATUSCODES`:  
-Keep access logs with status codes in the specified range.
-
-`TRAEFIK_ACCESSLOG_FORMAT`:  
-Access log format: json | common (Default: ```common```)
-
-`TRAEFIK_ACME_ACMELOGGING`:  
-Enable debug logging of ACME actions. (Default: ```false```)
-
-`TRAEFIK_ACME_CASERVER`:  
-CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
-
-`TRAEFIK_ACME_DNSCHALLENGE`:  
-Activate DNS-01 Challenge. (Default: ```false```)
-
-`TRAEFIK_ACME_DNSCHALLENGE_DELAYBEFORECHECK`:  
-Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
-
-`TRAEFIK_ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:  
-Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
-
-`TRAEFIK_ACME_DNSCHALLENGE_PROVIDER`:  
-Use a DNS-01 based challenge provider rather than HTTPS.
-
-`TRAEFIK_ACME_DNSCHALLENGE_RESOLVERS`:  
-Use following DNS servers to resolve the FQDN authority.
-
-`TRAEFIK_ACME_DOMAINS`:  
-The list of domains for which certificates are generated on startup. Wildcard domains only accepted with DNSChallenge.
-
-`TRAEFIK_ACME_DOMAINS[n]_MAIN`:  
-Default subject name.
-
-`TRAEFIK_ACME_DOMAINS[n]_SANS`:  
-Subject alternative names.
-
-`TRAEFIK_ACME_EMAIL`:  
-Email address used for registration.
-
-`TRAEFIK_ACME_ENTRYPOINT`:  
-EntryPoint to use.
-
-`TRAEFIK_ACME_HTTPCHALLENGE`:  
-Activate HTTP-01 Challenge. (Default: ```false```)
-
-`TRAEFIK_ACME_HTTPCHALLENGE_ENTRYPOINT`:  
-HTTP challenge EntryPoint
-
-`TRAEFIK_ACME_KEYTYPE`:  
-KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
-
-`TRAEFIK_ACME_ONHOSTRULE`:  
-Enable certificate generation on router Host rules. (Default: ```false```)
-
-`TRAEFIK_ACME_STORAGE`:  
-Storage to use. (Default: ```acme.json```)
-
-`TRAEFIK_ACME_TLSCHALLENGE`:  
-Activate TLS-ALPN-01 Challenge. (Default: ```true```)
-
-`TRAEFIK_API`:  
-Enable api/dashboard. (Default: ```false```)
-
-`TRAEFIK_API_DASHBOARD`:  
-Activate dashboard. (Default: ```true```)
-
-`TRAEFIK_API_DEBUG`:  
-Enable additional endpoints for debugging and profiling. (Default: ```false```)
-
-`TRAEFIK_API_ENTRYPOINT`:  
-The entry point that the API handler will be bound to. (Default: ```traefik```)
-
-`TRAEFIK_API_MIDDLEWARES`:  
-Middleware list.
-
-`TRAEFIK_API_STATISTICS`:  
-Enable more detailed statistics. (Default: ```false```)
-
-`TRAEFIK_API_STATISTICS_RECENTERRORS`:  
-Number of recent errors logged. (Default: ```10```)
-
-`TRAEFIK_CONFIGFILE`:  
-Configuration file to use. If specified all other flags are ignored. (Default: "")
-
-`TRAEFIK_ENTRYPOINTS_<NAME>`:  
-Entry points definition. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_ADDRESS`:  
-Entry point address.
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`:  
-Trust all forwarded headers. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_TRUSTEDIPS`:  
-Trust only forwarded headers from selected IPs.
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL`:  
-Proxy-Protocol configuration. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL_INSECURE`:  
-Trust all. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL_TRUSTEDIPS`:  
-Trust only selected IPs.
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_LIFECYCLE_GRACETIMEOUT`:  
-Duration to give active requests a chance to finish before Traefik stops. (Default: ```10```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_LIFECYCLE_REQUESTACCEPTGRACETIMEOUT`:  
-Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. (Default: ```0```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_IDLETIMEOUT`:  
-IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: ```180```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_READTIMEOUT`:  
-ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```0```)
-
-`TRAEFIK_ENTRYPOINTS_<NAME>_TRANSPORT_RESPONDINGTIMEOUTS_WRITETIMEOUT`:  
-WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: ```0```)
-
-`TRAEFIK_GLOBAL_CHECKNEWVERSION`:  
-Periodically check if a new version has been released. (Default: ```false```)
-
-`TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE`:  
-Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default.
-
-`TRAEFIK_HOSTRESOLVER`:  
-Enable CNAME Flattening. (Default: ```false```)
-
-`TRAEFIK_HOSTRESOLVER_CNAMEFLATTENING`:  
-A flag to enable/disable CNAME flattening (Default: ```false```)
-
-`TRAEFIK_HOSTRESOLVER_RESOLVCONFIG`:  
-resolv.conf used for DNS resolving (Default: ```/etc/resolv.conf```)
-
-`TRAEFIK_HOSTRESOLVER_RESOLVDEPTH`:  
-The maximal depth of DNS recursive resolving (Default: ```5```)
-
-`TRAEFIK_LOG`:  
-Traefik log settings. (Default: "false")
-
-`TRAEFIK_LOG_FILEPATH`:  
-Traefik log file path. Stdout is used when omitted or empty.
-
-`TRAEFIK_LOG_FORMAT`:  
-Traefik log format: json | common (Default: ```common```)
-
-`TRAEFIK_LOG_LEVEL`:  
-Log level set to traefik logs. (Default: ```ERROR```)
-
-`TRAEFIK_METRICS_DATADOG`:  
-DataDog metrics exporter type. (Default: ```false```)
-
-`TRAEFIK_METRICS_DATADOG_ADDRESS`:  
-DataDog's address. (Default: ```localhost:8125```)
-
-`TRAEFIK_METRICS_DATADOG_PUSHINTERVAL`:  
-DataDog push interval. (Default: ```10```)
-
-`TRAEFIK_METRICS_INFLUXDB`:  
-InfluxDB metrics exporter type. (Default: ```false```)
-
-`TRAEFIK_METRICS_INFLUXDB_ADDRESS`:  
-InfluxDB address. (Default: ```localhost:8089```)
-
-`TRAEFIK_METRICS_INFLUXDB_DATABASE`:  
-InfluxDB database used when protocol is http.
-
-`TRAEFIK_METRICS_INFLUXDB_PASSWORD`:  
-InfluxDB password (only with http).
-
-`TRAEFIK_METRICS_INFLUXDB_PROTOCOL`:  
-InfluxDB address protocol (udp or http). (Default: ```udp```)
-
-`TRAEFIK_METRICS_INFLUXDB_PUSHINTERVAL`:  
-InfluxDB push interval. (Default: ```10```)
-
-`TRAEFIK_METRICS_INFLUXDB_RETENTIONPOLICY`:  
-InfluxDB retention policy used when protocol is http.
-
-`TRAEFIK_METRICS_INFLUXDB_USERNAME`:  
-InfluxDB username (only with http).
-
-`TRAEFIK_METRICS_PROMETHEUS`:  
-Prometheus metrics exporter type. (Default: ```false```)
-
-`TRAEFIK_METRICS_PROMETHEUS_BUCKETS`:  
-Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)
-
-`TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT`:  
-EntryPoint. (Default: ```traefik```)
-
-`TRAEFIK_METRICS_PROMETHEUS_MIDDLEWARES`:  
-Middlewares.
-
-`TRAEFIK_METRICS_STATSD`:  
-StatsD metrics exporter type. (Default: ```false```)
-
-`TRAEFIK_METRICS_STATSD_ADDRESS`:  
-StatsD address. (Default: ```localhost:8125```)
-
-`TRAEFIK_METRICS_STATSD_PUSHINTERVAL`:  
-StatsD push interval. (Default: ```10```)
-
-`TRAEFIK_PING`:  
-Enable ping. (Default: ```false```)
-
-`TRAEFIK_PING_ENTRYPOINT`:  
-Ping entryPoint. (Default: ```traefik```)
-
-`TRAEFIK_PING_MIDDLEWARES`:  
-Middleware list.
-
-`TRAEFIK_PROVIDERS_DOCKER`:  
-Enable Docker backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_DOCKER_CONSTRAINTS`:  
-Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
-
-`TRAEFIK_PROVIDERS_DOCKER_DEFAULTRULE`:  
-Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
-
-`TRAEFIK_PROVIDERS_DOCKER_ENDPOINT`:  
-Docker server endpoint. Can be a tcp or a unix socket endpoint. (Default: ```unix:///var/run/docker.sock```)
-
-`TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT`:  
-Expose containers by default. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_DOCKER_NETWORK`:  
-Default Docker network used.
-
-`TRAEFIK_PROVIDERS_DOCKER_SWARMMODE`:  
-Use Docker on Swarm Mode. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_DOCKER_SWARMMODEREFRESHSECONDS`:  
-Polling interval for swarm mode. (Default: ```15```)
-
-`TRAEFIK_PROVIDERS_DOCKER_TLS_CA`:  
-TLS CA
-
-`TRAEFIK_PROVIDERS_DOCKER_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_DOCKER_TLS_CERT`:  
-TLS cert
-
-`TRAEFIK_PROVIDERS_DOCKER_TLS_INSECURESKIPVERIFY`:  
-TLS insecure skip verify (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_DOCKER_TLS_KEY`:  
-TLS key
-
-`TRAEFIK_PROVIDERS_DOCKER_USEBINDPORTIP`:  
-Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_DOCKER_WATCH`:  
-Watch provider. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_FILE`:  
-Enable File backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_FILE_DEBUGLOGGENERATEDTEMPLATE`:  
-Enable debug logging of generated configuration template. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_FILE_DIRECTORY`:  
-Load configuration from one or more .toml files in a directory.
-
-`TRAEFIK_PROVIDERS_FILE_FILENAME`:  
-Override default configuration template. For advanced users :)
-
-`TRAEFIK_PROVIDERS_FILE_WATCH`:  
-Watch provider. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_KUBERNETES`:  
-Enable Kubernetes backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD`:  
-Enable Kubernetes backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_CERTAUTHFILEPATH`:  
-Kubernetes certificate authority file path (not needed for in-cluster client).
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_DISABLEPASSHOSTHEADERS`:  
-Kubernetes disable PassHost Headers. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_ENDPOINT`:  
-Kubernetes server endpoint (required for external cluster client).
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_INGRESSCLASS`:  
-Value of kubernetes.io/ingress.class annotation to watch for.
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_LABELSELECTOR`:  
-Kubernetes label selector to use.
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_NAMESPACES`:  
-Kubernetes namespaces.
-
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_TOKEN`:  
-Kubernetes bearer token (not needed for in-cluster client).
-
-`TRAEFIK_PROVIDERS_KUBERNETES_CERTAUTHFILEPATH`:  
-Kubernetes certificate authority file path (not needed for in-cluster client).
-
-`TRAEFIK_PROVIDERS_KUBERNETES_DISABLEPASSHOSTHEADERS`:  
-Kubernetes disable PassHost Headers. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_KUBERNETES_ENDPOINT`:  
-Kubernetes server endpoint (required for external cluster client).
-
-`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSCLASS`:  
-Value of kubernetes.io/ingress.class annotation to watch for.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSENDPOINT_HOSTNAME`:  
-Hostname used for Kubernetes Ingress endpoints.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSENDPOINT_IP`:  
-IP used for Kubernetes Ingress endpoints.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_INGRESSENDPOINT_PUBLISHEDSERVICE`:  
-Published Kubernetes Service to copy status from.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_LABELSELECTOR`:  
-Kubernetes Ingress label selector to use.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_NAMESPACES`:  
-Kubernetes namespaces.
-
-`TRAEFIK_PROVIDERS_KUBERNETES_TOKEN`:  
-Kubernetes bearer token (not needed for in-cluster client).
-
-`TRAEFIK_PROVIDERS_MARATHON`:  
-Enable Marathon backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_BASIC_HTTPBASICAUTHUSER`:  
-Basic authentication User.
-
-`TRAEFIK_PROVIDERS_MARATHON_BASIC_HTTPBASICPASSWORD`:  
-Basic authentication Password.
-
-`TRAEFIK_PROVIDERS_MARATHON_CONSTRAINTS`:  
-Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
-
-`TRAEFIK_PROVIDERS_MARATHON_DCOSTOKEN`:  
-DCOSToken for DCOS environment, This will override the Authorization header.
-
-`TRAEFIK_PROVIDERS_MARATHON_DEFAULTRULE`:  
-Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
-
-`TRAEFIK_PROVIDERS_MARATHON_DIALERTIMEOUT`:  
-Set a dialer timeout for Marathon. (Default: ```5```)
-
-`TRAEFIK_PROVIDERS_MARATHON_ENDPOINT`:  
-Marathon server endpoint. You can also specify multiple endpoint for Marathon. (Default: ```http://127.0.0.1:8080```)
-
-`TRAEFIK_PROVIDERS_MARATHON_EXPOSEDBYDEFAULT`:  
-Expose Marathon apps by default. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_MARATHON_FORCETASKHOSTNAME`:  
-Force to use the task's hostname. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_KEEPALIVE`:  
-Set a TCP Keep Alive time. (Default: ```10```)
-
-`TRAEFIK_PROVIDERS_MARATHON_RESPECTREADINESSCHECKS`:  
-Filter out tasks with non-successful readiness checks during deployments. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_RESPONSEHEADERTIMEOUT`:  
-Set a response header timeout for Marathon. (Default: ```60```)
-
-`TRAEFIK_PROVIDERS_MARATHON_TLSHANDSHAKETIMEOUT`:  
-Set a TLS handshake timeout for Marathon. (Default: ```5```)
-
-`TRAEFIK_PROVIDERS_MARATHON_TLS_CA`:  
-TLS CA
-
-`TRAEFIK_PROVIDERS_MARATHON_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_TLS_CERT`:  
-TLS cert
-
-`TRAEFIK_PROVIDERS_MARATHON_TLS_INSECURESKIPVERIFY`:  
-TLS insecure skip verify (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_TLS_KEY`:  
-TLS key
-
-`TRAEFIK_PROVIDERS_MARATHON_TRACE`:  
-Display additional provider logs. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_MARATHON_WATCH`:  
-Watch provider. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_PROVIDERSTHROTTLEDURATION`:  
-Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. (Default: ```0```)
-
-`TRAEFIK_PROVIDERS_RANCHER`:  
-Enable Rancher backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_RANCHER_CONSTRAINTS`:  
-Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
-
-`TRAEFIK_PROVIDERS_RANCHER_DEFAULTRULE`:  
-Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
-
-`TRAEFIK_PROVIDERS_RANCHER_ENABLESERVICEHEALTHFILTER`:  
-Filter services with unhealthy states and inactive states. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_RANCHER_EXPOSEDBYDEFAULT`:  
-Expose containers by default. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_RANCHER_INTERVALPOLL`:  
-Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate). (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_RANCHER_PREFIX`:  
-Prefix used for accessing the Rancher metadata service. (Default: ```latest```)
-
-`TRAEFIK_PROVIDERS_RANCHER_REFRESHSECONDS`:  
-Defines the polling interval in seconds. (Default: ```15```)
-
-`TRAEFIK_PROVIDERS_RANCHER_WATCH`:  
-Watch provider. (Default: ```true```)
-
-`TRAEFIK_PROVIDERS_REST`:  
-Enable Rest backend with default settings. (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_REST_ENTRYPOINT`:  
-EntryPoint. (Default: ```traefik```)
-
-`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_DIALTIMEOUT`:  
-The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
-
-`TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_RESPONSEHEADERTIMEOUT`:  
-The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. (Default: ```0```)
-
-`TRAEFIK_SERVERSTRANSPORT_INSECURESKIPVERIFY`:  
-Disable SSL certificate verification. (Default: ```false```)
-
-`TRAEFIK_SERVERSTRANSPORT_MAXIDLECONNSPERHOST`:  
-If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used (Default: ```0```)
-
-`TRAEFIK_SERVERSTRANSPORT_ROOTCAS`:  
-Add cert file for self-signed certificate.
-
-`TRAEFIK_TRACING`:  
-OpenTracing configuration. (Default: ```false```)
-
-`TRAEFIK_TRACING_BACKEND`:  
-Selects the tracking backend ('jaeger','zipkin','datadog','instana'). (Default: ```jaeger```)
-
-`TRAEFIK_TRACING_DATADOG`:  
-Settings for DataDog. (Default: ```false```)
-
-`TRAEFIK_TRACING_DATADOG_BAGAGEPREFIXHEADERNAME`:  
-Specifies the header name prefix that will be used to store baggage items in a map.
-
-`TRAEFIK_TRACING_DATADOG_DEBUG`:  
-Enable DataDog debug. (Default: ```false```)
-
-`TRAEFIK_TRACING_DATADOG_GLOBALTAG`:  
-Key:Value tag to be set on all the spans.
-
-`TRAEFIK_TRACING_DATADOG_LOCALAGENTHOSTPORT`:  
-Set datadog-agent's host:port that the reporter will used. (Default: ```localhost:8126```)
-
-`TRAEFIK_TRACING_DATADOG_PARENTIDHEADERNAME`:  
-Specifies the header name that will be used to store the parent ID.
-
-`TRAEFIK_TRACING_DATADOG_PRIORITYSAMPLING`:  
-Enable priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: ```false```)
-
-`TRAEFIK_TRACING_DATADOG_SAMPLINGPRIORITYHEADERNAME`:  
-Specifies the header name that will be used to store the sampling priority.
-
-`TRAEFIK_TRACING_DATADOG_TRACEIDHEADERNAME`:  
-Specifies the header name that will be used to store the trace ID.
-
-`TRAEFIK_TRACING_HAYSTACK`:  
-Settings for Haystack. (Default: ```false```)
-
-`TRAEFIK_TRACING_HAYSTACK_BAGGAGEPREFIXHEADERNAME`:  
-specifies the header name prefix that will be used to store baggage items in a map.
-
-`TRAEFIK_TRACING_HAYSTACK_GLOBALTAG`:  
-Key:Value tag to be set on all the spans.
-
-`TRAEFIK_TRACING_HAYSTACK_LOCALAGENTHOST`:  
-Set haystack-agent's host that the reporter will used. (Default: ```LocalAgentHost```)
-
-`TRAEFIK_TRACING_HAYSTACK_LOCALAGENTPORT`:  
-Set haystack-agent's port that the reporter will used. (Default: ```35000```)
-
-`TRAEFIK_TRACING_HAYSTACK_PARENTIDHEADERNAME`:  
-Specifies the header name that will be used to store the parent ID.
-
-`TRAEFIK_TRACING_HAYSTACK_SPANIDHEADERNAME`:  
-Specifies the header name that will be used to store the span ID.
-
-`TRAEFIK_TRACING_HAYSTACK_TRACEIDHEADERNAME`:  
-Specifies the header name that will be used to store the trace ID.
-
-`TRAEFIK_TRACING_INSTANA`:  
-Settings for Instana. (Default: ```false```)
-
-`TRAEFIK_TRACING_INSTANA_LOCALAGENTHOST`:  
-Set instana-agent's host that the reporter will used. (Default: ```localhost```)
-
-`TRAEFIK_TRACING_INSTANA_LOCALAGENTPORT`:  
-Set instana-agent's port that the reporter will used. (Default: ```42699```)
-
-`TRAEFIK_TRACING_INSTANA_LOGLEVEL`:  
-Set instana-agent's log level. ('error','warn','info','debug') (Default: ```info```)
-
-`TRAEFIK_TRACING_JAEGER`:  
-Settings for jaeger. (Default: ```false```)
-
-`TRAEFIK_TRACING_JAEGER_GEN128BIT`:  
-Generate 128 bit span IDs. (Default: ```false```)
-
-`TRAEFIK_TRACING_JAEGER_LOCALAGENTHOSTPORT`:  
-Set jaeger-agent's host:port that the reporter will used. (Default: ```127.0.0.1:6831```)
-
-`TRAEFIK_TRACING_JAEGER_PROPAGATION`:  
-Which propgation format to use (jaeger/b3). (Default: ```jaeger```)
-
-`TRAEFIK_TRACING_JAEGER_SAMPLINGPARAM`:  
-Set the sampling parameter. (Default: ```1.000000```)
-
-`TRAEFIK_TRACING_JAEGER_SAMPLINGSERVERURL`:  
-Set the sampling server url. (Default: ```http://localhost:5778/sampling```)
-
-`TRAEFIK_TRACING_JAEGER_SAMPLINGTYPE`:  
-Set the sampling type. (Default: ```const```)
-
-`TRAEFIK_TRACING_JAEGER_TRACECONTEXTHEADERNAME`:  
-Set the header to use for the trace-id. (Default: ```uber-trace-id```)
-
-`TRAEFIK_TRACING_SERVICENAME`:  
-Set the name for this service. (Default: ```traefik```)
-
-`TRAEFIK_TRACING_SPANNAMELIMIT`:  
-Set the maximum character limit for Span names (default 0 = no limit). (Default: ```0```)
-
-`TRAEFIK_TRACING_ZIPKIN`:  
-Settings for zipkin. (Default: ```false```)
-
-`TRAEFIK_TRACING_ZIPKIN_DEBUG`:  
-Enable Zipkin debug. (Default: ```false```)
-
-`TRAEFIK_TRACING_ZIPKIN_HTTPENDPOINT`:  
-HTTP Endpoint to report traces to. (Default: ```http://localhost:9411/api/v1/spans```)
-
-`TRAEFIK_TRACING_ZIPKIN_ID128BIT`:  
-Use Zipkin 128 bit root span IDs. (Default: ```true```)
-
-`TRAEFIK_TRACING_ZIPKIN_SAMESPAN`:  
-Use Zipkin SameSpan RPC style traces. (Default: ```false```)
-
-`TRAEFIK_TRACING_ZIPKIN_SAMPLERATE`:  
-The rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
+--8<-- "content/reference/static-configuration/env-ref.md"
--- a/docs/content/reference/static-configuration/file.md
+++ b/docs/content/reference/static-configuration/file.md
@@ -1,7 +1,9 @@
 # Static Configuration: File

-## TOML
-
-```toml
+```toml  tab="TOML"
 --8<-- "content/reference/static-configuration/file.toml"
 ```
+
+```yml  tab="YAML"
+--8<-- "content/reference/static-configuration/file.yaml"
+```
--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@@ -1,246 +1,243 @@
-[Global]
-  CheckNewVersion = true
-  SendAnonymousUsage = true
+[global]
+  checkNewVersion = true
+  sendAnonymousUsage = true

-[ServersTransport]
-  InsecureSkipVerify = true
-  RootCAs = ["foobar", "foobar"]
-  MaxIdleConnsPerHost = 42
-  [ServersTransport.ForwardingTimeouts]
-    DialTimeout = 42
-    ResponseHeaderTimeout = 42
+[serversTransport]
+  insecureSkipVerify = true
+  rootCAs = ["foobar", "foobar"]
+  maxIdleConnsPerHost = 42
+  [serversTransport.forwardingTimeouts]
+    dialTimeout = 42
+    responseHeaderTimeout = 42
+    idleConnTimeout = 42

-[EntryPoints]
+[entryPoints]
+  [entryPoints.EntryPoint0]
+    address = "foobar"
+    [entryPoints.EntryPoint0.transport]
+      [entryPoints.EntryPoint0.transport.lifeCycle]
+        requestAcceptGraceTimeout = 42
+        graceTimeOut = 42
+      [entryPoints.EntryPoint0.transport.respondingTimeouts]
+        readTimeout = 42
+        writeTimeout = 42
+        idleTimeout = 42
+    [entryPoints.EntryPoint0.proxyProtocol]
+      insecure = true
+      trustedIPs = ["foobar", "foobar"]
+    [entryPoints.EntryPoint0.forwardedHeaders]
+      insecure = true
+      trustedIPs = ["foobar", "foobar"]

-  [EntryPoints.EntryPoint0]
-    Address = "foobar"
-    [EntryPoints.EntryPoint0.Transport]
-      [EntryPoints.EntryPoint0.Transport.LifeCycle]
-        RequestAcceptGraceTimeout = 42
-        GraceTimeOut = 42
-      [EntryPoints.EntryPoint0.Transport.RespondingTimeouts]
-        ReadTimeout = 42
-        WriteTimeout = 42
-        IdleTimeout = 42
-    [EntryPoints.EntryPoint0.ProxyProtocol]
-      Insecure = true
-      TrustedIPs = ["foobar", "foobar"]
-    [EntryPoints.EntryPoint0.ForwardedHeaders]
-      Insecure = true
-      TrustedIPs = ["foobar", "foobar"]
+[providers]
+  providersThrottleDuration = 42
+  [providers.docker]
+    constraints = "foobar"
+    watch = true
+    endpoint = "foobar"
+    defaultRule = "foobar"
+    exposedByDefault = true
+    useBindPortIP = true
+    swarmMode = true
+    network = "foobar"
+    swarmModeRefreshSeconds = 42
+    [providers.docker.tls]
+      ca = "foobar"
+      caOptional = true
+      cert = "foobar"
+      key = "foobar"
+      insecureSkipVerify = true
+  [providers.file]
+    directory = "foobar"
+    watch = true
+    filename = "foobar"
+    debugLogGeneratedTemplate = true
+  [providers.marathon]
+    constraints = "foobar"
+    trace = true
+    watch = true
+    endpoint = "foobar"
+    defaultRule = "foobar"
+    exposedByDefault = true
+    dcosToken = "foobar"
+    dialerTimeout = 42
+    responseHeaderTimeout = 42
+    tlsHandshakeTimeout = 42
+    keepAlive = 42
+    forceTaskHostname = true
+    respectReadinessChecks = true
+    [providers.marathon.tls]
+      ca = "foobar"
+      caOptional = true
+      cert = "foobar"
+      key = "foobar"
+      insecureSkipVerify = true
+    [providers.marathon.basic]
+      httpBasicAuthUser = "foobar"
+      httpBasicPassword = "foobar"
+  [providers.kubernetesIngress]
+    endpoint = "foobar"
+    token = "foobar"
+    certAuthFilePath = "foobar"
+    disablePassHostHeaders = true
+    namespaces = ["foobar", "foobar"]
+    labelSelector = "foobar"
+    ingressClass = "foobar"
+    [providers.kubernetesIngress.ingressEndpoint]
+      ip = "foobar"
+      hostname = "foobar"
+      publishedService = "foobar"
+  [providers.kubernetesCRD]
+    endpoint = "foobar"
+    token = "foobar"
+    certAuthFilePath = "foobar"
+    disablePassHostHeaders = true
+    namespaces = ["foobar", "foobar"]
+    labelSelector = "foobar"
+    ingressClass = "foobar"
+  [providers.rest]
+    entryPoint = "foobar"
+  [providers.rancher]
+    constraints = "foobar"
+    watch = true
+    defaultRule = "foobar"
+    exposedByDefault = true
+    enableServiceHealthFilter = true
+    refreshSeconds = 42
+    intervalPoll = true
+    prefix = "foobar"

-[Providers]
-  ProvidersThrottleDuration = 42
+[api]
+  entryPoint = "foobar"
+  dashboard = true
+  debug = true
+  middlewares = ["foobar", "foobar"]
+  [api.statistics]
+    recentErrors = 42

-  [Providers.Docker]
-    Watch = true
-    Endpoint = "foobar"
-    DefaultRule = "foobar"
-    ExposedByDefault = true
-    UseBindPortIP = true
-    SwarmMode = true
-    Network = "foobar"
-    SwarmModeRefreshSeconds = 42
-    Constraints = "foobar"
+[metrics]
+  [metrics.prometheus]
+    buckets = [42.0, 42.0]
+    entryPoint = "foobar"
+    middlewares = ["foobar", "foobar"]
+    addEntryPointsLabels = true
+    addServicesLabels = true
+  [metrics.dataDog]
+    address = "foobar"
+    pushInterval = "10s"
+    addEntryPointsLabels = true
+    addServicesLabels = true
+  [metrics.statsD]
+    address = "foobar"
+    pushInterval = "10s"
+    addEntryPointsLabels = true
+    addServicesLabels = true
+  [metrics.influxDB]
+    address = "foobar"
+    protocol = "foobar"
+    pushInterval = "10s"
+    database = "foobar"
+    retentionPolicy = "foobar"
+    username = "foobar"
+    password = "foobar"
+    addEntryPointsLabels = true
+    addServicesLabels = true

-    [Providers.Docker.TLS]
-      CA = "foobar"
-      CAOptional = true
-      Cert = "foobar"
-      Key = "foobar"
-      InsecureSkipVerify = true
+[ping]
+  entryPoint = "foobar"
+  middlewares = ["foobar", "foobar"]

-  [Providers.File]
-    Directory = "foobar"
-    Watch = true
-    Filename = "foobar"
-    DebugLogGeneratedTemplate = true
-    TraefikFile = "foobar"
+[log]
+  level = "foobar"
+  filePath = "foobar"
+  format = "foobar"

-  [Providers.Marathon]
-    Trace = true
-    Watch = true
-    Endpoint = "foobar"
-    DefaultRule = "foobar"
-    ExposedByDefault = true
-    DCOSToken = "foobar"
-    DialerTimeout = 42
-    ResponseHeaderTimeout = 42
-    TLSHandshakeTimeout = 42
-    KeepAlive = 42
-    ForceTaskHostname = true
-    RespectReadinessChecks = true
-    Constraints = "foobar"
-
-    [Providers.Marathon.TLS]
-      CA = "foobar"
-      CAOptional = true
-      Cert = "foobar"
-      Key = "foobar"
-      InsecureSkipVerify = true
-    [Providers.Marathon.Basic]
-      HTTPBasicAuthUser = "foobar"
-      HTTPBasicPassword = "foobar"
-
-  [Providers.Kubernetes]
-    Endpoint = "foobar"
-    Token = "foobar"
-    CertAuthFilePath = "foobar"
-    DisablePassHostHeaders = true
-    Namespaces = ["foobar", "foobar"]
-    LabelSelector = "foobar"
-    IngressClass = "foobar"
-    [Providers.Kubernetes.IngressEndpoint]
-      IP = "foobar"
-      Hostname = "foobar"
-      PublishedService = "foobar"
-
-  [Providers.KubernetesCRD]
-    Endpoint = "foobar"
-    Token = "foobar"
-    CertAuthFilePath = "foobar"
-    DisablePassHostHeaders = true
-    Namespaces = ["foobar", "foobar"]
-    LabelSelector = "foobar"
-    IngressClass = "foobar"
-
-  [Providers.Rest]
-    EntryPoint = "foobar"
-
-  [Providers.Rancher]
-    Watch = true
-    DefaultRule = "foobar"
-    ExposedByDefault = true
-    EnableServiceHealthFilter = true
-    RefreshSeconds = 42
-    IntervalPoll = true
-    Prefix = "foobar"
-    Constraints = "foobar"
-
-[API]
-  EntryPoint = "foobar"
-  Dashboard = true
-  Middlewares = ["foobar", "foobar"]
-  [API.Statistics]
-    RecentErrors = 42
-
-[Metrics]
-
-  [Metrics.Prometheus]
-    Buckets = [42.0, 42.0]
-    EntryPoint = "foobar"
-    Middlewares = ["foobar", "foobar"]
-
-  [Metrics.Datadog]
-    Address = "foobar"
-    PushInterval = "foobar"
-
-  [Metrics.StatsD]
-    Address = "foobar"
-    PushInterval = "foobar"
-
-  [Metrics.InfluxDB]
-    Address = "foobar"
-    Protocol = "foobar"
-    PushInterval = "foobar"
-    Database = "foobar"
-    RetentionPolicy = "foobar"
-    Username = "foobar"
-    Password = "foobar"
-
-[Ping]
-  EntryPoint = "foobar"
-  Middlewares = ["foobar", "foobar"]
-
-[Log]
-  Level = "foobar"
-  FilePath = "foobar"
-  Format = "foobar"
-
-[AccessLog]
-  FilePath = "foobar"
-  Format = "foobar"
-  BufferingSize = 42
-  [AccessLog.Filters]
-    StatusCodes = ["foobar", "foobar"]
-    RetryAttempts = true
-    MinDuration = 42
-  [AccessLog.Fields]
-    DefaultMode = "foobar"
-    [AccessLog.Fields.Names]
+[accessLog]
+  filePath = "foobar"
+  format = "foobar"
+  bufferingSize = 42
+  [accessLog.filters]
+    statusCodes = ["foobar", "foobar"]
+    retryAttempts = true
+    minDuration = 42
+  [accessLog.fields]
+    defaultMode = "foobar"
+    [accessLog.fields.names]
      name0 = "foobar"
      name1 = "foobar"
-    [AccessLog.Fields.Headers]
-      DefaultMode = "foobar"
-      [AccessLog.Fields.Headers.Names]
+    [accessLog.fields.headers]
+      defaultMode = "foobar"
+      [accessLog.fields.headers.names]
        name0 = "foobar"
        name1 = "foobar"

-[Tracing]
-  Backend = "foobar"
-  ServiceName = "foobar"
-  SpanNameLimit = 42
+[tracing]
+  serviceName = "foobar"
+  spanNameLimit = 42
+  [tracing.jaeger]
+    samplingServerURL = "foobar"
+    samplingType = "foobar"
+    samplingParam = 42.0
+    localAgentHostPort = "foobar"
+    gen128Bit = true
+    propagation = "foobar"
+    traceContextHeaderName = "foobar"
+    [tracing.jaeger.collector]
+      endpoint = "foobar"
+      user = "foobar"
+      password = "foobar"
+  [tracing.zipkin]
+    httpEndpoint = "foobar"
+    sameSpan = true
+    id128Bit = true
+    debug = true
+    sampleRate = 42.0
+  [tracing.dataDog]
+    localAgentHostPort = "foobar"
+    globalTag = "foobar"
+    debug = true
+    prioritySampling = true
+    traceIDHeaderName = "foobar"
+    parentIDHeaderName = "foobar"
+    samplingPriorityHeaderName = "foobar"
+    bagagePrefixHeaderName = "foobar"
+  [tracing.instana]
+    localAgentHost = "foobar"
+    localAgentPort = 42
+    logLevel = "foobar"
+  [tracing.haystack]
+    localAgentHost = "foobar"
+    localAgentPort = 42
+    globalTag = "foobar"
+    traceIDHeaderName = "foobar"
+    parentIDHeaderName = "foobar"
+    spanIDHeaderName = "foobar"
+    baggagePrefixHeaderName = "foobar"

-  [Tracing.Jaeger]
-    SamplingServerURL = "foobar"
-    SamplingType = "foobar"
-    SamplingParam = 42.0
-    LocalAgentHostPort = "foobar"
-    Gen128Bit = true
-    Propagation = "foobar"
-    TraceContextHeaderName = "foobar"
+[hostResolver]
+  cnameFlattening = true
+  resolvConfig = "foobar"
+  resolvDepth = 42

-  [Tracing.Zipkin]
-    HTTPEndpoint = "foobar"
-    SameSpan = true
-    ID128Bit = true
-    Debug = true
-    SampleRate = 42.0
+[acme]
+  email = "foobar"
+  caServer = "foobar"
+  storage = "foobar"
+  entryPoint = "foobar"
+  keyType = "foobar"
+  [acme.dnsChallenge]
+    provider = "foobar"
+    delayBeforeCheck = 42
+    resolvers = ["foobar", "foobar"]
+    disablePropagationCheck = true
+  [acme.httpChallenge]
+    entryPoint = "foobar"
+  [acme.tlsChallenge]

-  [Tracing.DataDog]
-    LocalAgentHostPort = "foobar"
-    GlobalTag = "foobar"
-    Debug = true
-    PrioritySampling = true
-    TraceIDHeaderName = "foobar"
-    ParentIDHeaderName = "foobar"
-    SamplingPriorityHeaderName = "foobar"
-    BagagePrefixHeaderName = "foobar"
+  [[acme.domains]]
+    main = "foobar"
+    sans = ["foobar", "foobar"]

-  [Tracing.Instana]
-    LocalAgentHost = "foobar"
-    LocalAgentPort = 42
-    LogLevel = "foobar"
-
-[HostResolver]
-  CnameFlattening = true
-  ResolvConfig = "foobar"
-  ResolvDepth = 42
-
-[ACME]
-  Email = "foobar"
-  ACMELogging = true
-  CAServer = "foobar"
-  Storage = "foobar"
-  EntryPoint = "foobar"
-  KeyType = "foobar"
-  OnHostRule = true
-
-  [ACME.DNSChallenge]
-    Provider = "foobar"
-    DelayBeforeCheck = 42
-    Resolvers = ["foobar", "foobar"]
-    DisablePropagationCheck = true
-
-  [ACME.HTTPChallenge]
-    EntryPoint = "foobar"
-
-  [ACME.TLSChallenge]
-
-  [[ACME.Domains]]
-    Main = "foobar"
-    SANs = ["foobar", "foobar"]
-
-  [[ACME.Domains]]
-    Main = "foobar"
-    SANs = ["foobar", "foobar"]
+  [[acme.domains]]
+    main = "foobar"
+    sans = ["foobar", "foobar"]
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@@ -0,0 +1,255 @@
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: true
+serversTransport:
+  insecureSkipVerify: true
+  rootCAs:
+  - foobar
+  - foobar
+  maxIdleConnsPerHost: 42
+  forwardingTimeouts:
+    dialTimeout: 42
+    responseHeaderTimeout: 42
+    idleConnTimeout: 42
+entryPoints:
+  EntryPoint0:
+    address: foobar
+    transport:
+      lifeCycle:
+        requestAcceptGraceTimeout: 42
+        graceTimeOut: 42
+      respondingTimeouts:
+        readTimeout: 42
+        writeTimeout: 42
+        idleTimeout: 42
+    proxyProtocol:
+      insecure: true
+      trustedIPs:
+      - foobar
+      - foobar
+    forwardedHeaders:
+      insecure: true
+      trustedIPs:
+      - foobar
+      - foobar
+providers:
+  providersThrottleDuration: 42
+  docker:
+    constraints: foobar
+    watch: true
+    endpoint: foobar
+    defaultRule: foobar
+    tls:
+      ca: foobar
+      caOptional: true
+      cert: foobar
+      key: foobar
+      insecureSkipVerify: true
+    exposedByDefault: true
+    useBindPortIP: true
+    swarmMode: true
+    network: foobar
+    swarmModeRefreshSeconds: 42
+  file:
+    directory: foobar
+    watch: true
+    filename: foobar
+    debugLogGeneratedTemplate: true
+  marathon:
+    constraints: foobar
+    trace: true
+    watch: true
+    endpoint: foobar
+    defaultRule: foobar
+    exposedByDefault: true
+    dcosToken: foobar
+    tls:
+      ca: foobar
+      caOptional: true
+      cert: foobar
+      key: foobar
+      insecureSkipVerify: true
+    dialerTimeout: 42
+    responseHeaderTimeout: 42
+    tlsHandshakeTimeout: 42
+    keepAlive: 42
+    forceTaskHostname: true
+    basic:
+      httpBasicAuthUser: foobar
+      httpBasicPassword: foobar
+    respectReadinessChecks: true
+  kubernetesIngress:
+    endpoint: foobar
+    token: foobar
+    certAuthFilePath: foobar
+    disablePassHostHeaders: true
+    namespaces:
+    - foobar
+    - foobar
+    labelSelector: foobar
+    ingressClass: foobar
+    ingressEndpoint:
+      ip: foobar
+      hostname: foobar
+      publishedService: foobar
+  kubernetesCRD:
+    endpoint: foobar
+    token: foobar
+    certAuthFilePath: foobar
+    disablePassHostHeaders: true
+    namespaces:
+    - foobar
+    - foobar
+    labelSelector: foobar
+    ingressClass: foobar
+  rest:
+    entryPoint: foobar
+  rancher:
+    constraints: foobar
+    watch: true
+    defaultRule: foobar
+    exposedByDefault: true
+    enableServiceHealthFilter: true
+    refreshSeconds: 42
+    intervalPoll: true
+    prefix: foobar
+api:
+  entryPoint: foobar
+  dashboard: true
+  debug: true
+  statistics:
+    recentErrors: 42
+  middlewares:
+  - foobar
+  - foobar
+metrics:
+  prometheus:
+    buckets:
+    - 42
+    - 42
+    entryPoint: foobar
+    middlewares:
+    - foobar
+    - foobar
+    addEntryPointsLabels: true
+    addServicesLabels: true
+  dataDog:
+    address: foobar
+    pushInterval: 42
+    addEntryPointsLabels: true
+    addServicesLabels: true
+  statsD:
+    address: foobar
+    pushInterval: 42
+    addEntryPointsLabels: true
+    addServicesLabels: true
+  influxDB:
+    address: foobar
+    protocol: foobar
+    pushInterval: 42
+    database: foobar
+    retentionPolicy: foobar
+    username: foobar
+    password: foobar
+    addEntryPointsLabels: true
+    addServicesLabels: true
+ping:
+  entryPoint: foobar
+  middlewares:
+  - foobar
+  - foobar
+log:
+  level: foobar
+  filePath: foobar
+  format: foobar
+accessLog:
+  filePath: foobar
+  format: foobar
+  filters:
+    statusCodes:
+    - foobar
+    - foobar
+    retryAttempts: true
+    minDuration: 42
+  fields:
+    defaultMode: foobar
+    names:
+      name0: foobar
+      name1: foobar
+    headers:
+      defaultMode: foobar
+      names:
+        name0: foobar
+        name1: foobar
+  bufferingSize: 42
+tracing:
+  serviceName: foobar
+  spanNameLimit: 42
+  jaeger:
+    samplingServerURL: foobar
+    samplingType: foobar
+    samplingParam: 42
+    localAgentHostPort: foobar
+    gen128Bit: true
+    propagation: foobar
+    traceContextHeaderName: foobar
+    collector:
+      endpoint: foobar
+      user: foobar
+      password: foobar
+  zipkin:
+    httpEndpoint: foobar
+    sameSpan: true
+    id128Bit: true
+    debug: true
+    sampleRate: 42
+  dataDog:
+    localAgentHostPort: foobar
+    globalTag: foobar
+    debug: true
+    prioritySampling: true
+    traceIDHeaderName: foobar
+    parentIDHeaderName: foobar
+    samplingPriorityHeaderName: foobar
+    bagagePrefixHeaderName: foobar
+  instana:
+    localAgentHost: foobar
+    localAgentPort: 42
+    logLevel: foobar
+  haystack:
+    localAgentHost: foobar
+    localAgentPort: 42
+    globalTag: foobar
+    traceIDHeaderName: foobar
+    parentIDHeaderName: foobar
+    spanIDHeaderName: foobar
+    baggagePrefixHeaderName: foobar
+hostResolver:
+  cnameFlattening: true
+  resolvConfig: foobar
+  resolvDepth: 42
+acme:
+  email: foobar
+  caServer: foobar
+  storage: foobar
+  entryPoint: foobar
+  keyType: foobar
+  dnsChallenge:
+    provider: foobar
+    delayBeforeCheck: 42
+    resolvers:
+    - foobar
+    - foobar
+    disablePropagationCheck: true
+  httpChallenge:
+    entryPoint: foobar
+  tlsChallenge: {}
+  domains:
+  - main: foobar
+    sans:
+    - foobar
+    - foobar
+  - main: foobar
+    sans:
+    - foobar
+    - foobar
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@@ -3,7 +3,7 @@
 Opening Connections for Incoming Requests
 {: .subtitle }

-![EntryPoints](../assets/img/entrypoints.png)
+![entryPoints](../assets/img/entrypoints.png)

 EntryPoints are the network entry points into Traefik.
 They define the port which will receive the requests (whether HTTP or TCP).
@@ -12,17 +12,27 @@ They define the port which will receive the requests (whether HTTP or TCP).

 ??? example "Port 80 only"

-    ```toml
+    ```toml tab="File (TOML)"
    [entryPoints]
      [entryPoints.web]
-         address = ":80"
+        address = ":80"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+       address: ":80"
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=:80
    ```

    We define an `entrypoint` called `web` that will listen on port `80`.

 ??? example "Port 80 & 443" 

-    ```toml
+    ```toml tab="File (TOML)"
    [entryPoints]
      [entryPoints.web]
        address = ":80"
@@ -30,6 +40,20 @@ They define the port which will receive the requests (whether HTTP or TCP).
      [entryPoints.web-secure]
        address = ":443"
    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+     
+      web-secure:
+        address: ":443"
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=:80
+    --entryPoints.web-secure.address=:443
+    ```

    - Two entrypoints are defined: one called `web`, and the other called `web-secure`.
    - `web` listens on port `80`, and `web-secure` on port `443`. 
@@ -43,38 +67,63 @@ You can define them using a toml file, CLI arguments, or a key-value store.

 See the complete reference for the list of available options:

-```toml tab="File"
+```toml tab="File (TOML)"
 [entryPoints]

  [entryPoints.EntryPoint0]
-    Address = ":8888"
-    [entryPoints.EntryPoint0.Transport]
-      [entryPoints.EntryPoint0.Transport.LifeCycle]
-        RequestAcceptGraceTimeout = 42
-        GraceTimeOut = 42
-      [entryPoints.EntryPoint0.Transport.RespondingTimeouts]
-        ReadTimeout = 42
-        WriteTimeout = 42
-        IdleTimeout = 42
-    [entryPoints.EntryPoint0.ProxyProtocol]
-      Insecure = true
-      TrustedIPs = ["foobar", "foobar"]
-    [entryPoints.EntryPoint0.ForwardedHeaders]
-      Insecure = true
-      TrustedIPs = ["foobar", "foobar"]
+    address = ":8888"
+    [entryPoints.EntryPoint0.transport]
+      [entryPoints.EntryPoint0.transport.lifeCycle]
+        requestAcceptGraceTimeout = 42
+        graceTimeOut = 42
+      [entryPoints.EntryPoint0.transport.respondingTimeouts]
+        readTimeout = 42
+        writeTimeout = 42
+        idleTimeout = 42
+    [entryPoints.EntryPoint0.proxyProtocol]
+      insecure = true
+      trustedIPs = ["foobar", "foobar"]
+    [entryPoints.EntryPoint0.forwardedHeaders]
+      insecure = true
+      trustedIPs = ["foobar", "foobar"]
 ```

-```ini tab="CLI"
--entryPoints.EntryPoint0.Address=:8888
--entryPoints.EntryPoint0.Transport.LifeCycle.RequestAcceptGraceTimeout=42
--entryPoints.EntryPoint0.Transport.LifeCycle.GraceTimeOut=42
--entryPoints.EntryPoint0.Transport.RespondingTimeouts.ReadTimeout=42
--entryPoints.EntryPoint0.Transport.RespondingTimeouts.WriteTimeout=42
--entryPoints.EntryPoint0.Transport.RespondingTimeouts.IdleTimeout=42
--entryPoints.EntryPoint0.ProxyProtocol.Insecure=true
--entryPoints.EntryPoint0.ProxyProtocol.TrustedIPs=foobar,foobar
--entryPoints.EntryPoint0.ForwardedHeaders.Insecure=true
--entryPoints.EntryPoint0.ForwardedHeaders.TrustedIPs=foobar,foobar
+```yaml tab="File (YAML)"
+entryPoints:
+
+  EntryPoint0:
+    address: ":8888"
+    transport:
+      lifeCycle:
+        requestAcceptGraceTimeout: 42
+        graceTimeOut: 42
+      respondingTimeouts:
+        readTimeout: 42
+        writeTimeout: 42
+        idleTimeout: 42
+    proxyProtocol:
+      insecure: true
+      trustedIPs:
+      - "foobar"
+      - "foobar"
+    forwardedHeaders:
+      insecure: true
+      trustedIPs:
+      - "foobar"
+      - "foobar"
+```
+
+```bash tab="CLI"
+--entryPoints.EntryPoint0.address=:8888
+--entryPoints.EntryPoint0.transport.lifeCycle.requestAcceptGraceTimeout=42
+--entryPoints.EntryPoint0.transport.lifeCycle.graceTimeOut=42
+--entryPoints.EntryPoint0.transport.respondingTimeouts.readTimeout=42
+--entryPoints.EntryPoint0.transport.respondingTimeouts.writeTimeout=42
+--entryPoints.EntryPoint0.transport.respondingTimeouts.idleTimeout=42
+--entryPoints.EntryPoint0.proxyProtocol.insecure=true
+--entryPoints.EntryPoint0.proxyProtocol.trustedIPs=foobar,foobar
+--entryPoints.EntryPoint0.forwardedHeaders.insecure=true
+--entryPoints.EntryPoint0.forwardedHeaders.trustedIPs=foobar,foobar
 ```

 ## ProxyProtocol
@@ -83,7 +132,7 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-

 ??? example "Enabling Proxy Protocol with Trusted IPs" 

-    ```toml
+    ```toml tab="File (TOML)"
    [entryPoints]
      [entryPoints.web]
        address = ":80"
@@ -92,6 +141,21 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
          trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
    ```
    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+        proxyProtocol
+          trustedIPs:
+          - "127.0.0.1/32"
+          - "192.168.1.7"
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=:80
+    --entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,192.168.1.7
+    ```
+
    IPs in `trustedIPs` only will lead to remote client address replacement: Declare load-balancer IPs or CIDR range here.
    
 ??? example "Insecure Mode -- Testing Environment Only"
@@ -99,7 +163,7 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
    In a test environments, you can configure Traefik to trust every incoming connection.
    Doing so, every remote client address will be replaced (`trustedIPs` won't have any effect)

-    ```toml
+    ```toml tab="File (TOML)"
    [entryPoints]
      [entryPoints.web]
        address = ":80"
@@ -107,7 +171,20 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
        [entryPoints.web.proxyProtocol]
          insecure = true
    ```
-         
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+        proxyProtocol:
+          insecure: true
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=:80
+    --entryPoints.web.proxyProtocol.insecure
+    ```
+
 !!! warning "Queuing Traefik behind Another Load Balancer"

    When queuing Traefik behind another load-balancer, make sure to configure Proxy Protocol on both sides.
@@ -119,7 +196,7 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward

 ??? example "Trusting Forwarded Headers from specific IPs"

-    ```toml
+    ```toml tab="File (TOML)"
    [entryPoints]
      [entryPoints.web]
        address = ":80"
@@ -128,13 +205,41 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
          trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
    ```
    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+        forwardedHeaders
+          trustedIPs:
+          - "127.0.0.1/32"
+          - "192.168.1.7"
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=:80
+    --entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,192.168.1.7
+    ```
+
 ??? example "Insecure Mode -- Always Trusting Forwarded Headers"

-    ```toml
+    ```toml tab="File (TOML)"
    [entryPoints]
      [entryPoints.web]
        address = ":80"
    
        [entryPoints.web.forwardedHeaders]
-           insecure = true
+          insecure = true
+    ```
+    
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+        forwardedHeaders:
+          insecure: true
+    ```
+    
+    ```bash tab="CLI"
+    --entryPoints.web.address=:80
+    --entryPoints.web.forwardedHeaders.insecure
    ```
--- a/docs/content/routing/overview.md
+++ b/docs/content/routing/overview.md
@@ -24,29 +24,92 @@ If they do, the router might transform the request using pieces of [middleware](
 Below is an example of a full configuration file for the [file provider](../providers/file.md) that forwards `http://domain/whoami/` requests to a service reachable on `http://private/whoami-service/`.
 In the process, Traefik will make sure that the user is authenticated (using the [BasicAuth middleware](../middlewares/basicauth.md)).

-```toml
+Static configuration:
+
+```toml tab="File (TOML)"
 [entryPoints]
-   [entryPoints.web]
-      address = ":8081" # Listen on port 8081 for incoming requests
+  [entryPoints.web]
+    # Listen on port 8081 for incoming requests
+    address = ":8081"

 [providers]
-   [providers.file] # Enable the file provider to define routers / middlewares / services in a file
+  # Enable the file provider to define routers / middlewares / services in a file
+  [providers.file]
+    filename = "dynamic_conf.toml"
+```

-[http] # http routing section
-    [http.routers]
-       [http.routers.to-whoami] # Define a connection between requests and services
-          rule = "Host(domain) && PathPrefix(/whoami/)"
-          middlewares = ["test-user"] # If the rule matches, applies the middleware
-          service = "whoami" # If the rule matches, forward to the whoami service (declared below)
+```yaml tab="File (YAML)"
+entryPoints:
+  web:
+    # Listen on port 8081 for incoming requests
+    address: :8081

-    [http.middlewares]
-       [http.middlewares.test-user.basicauth] # Define an authentication mechanism
-          users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
+providers:
+  # Enable the file provider to define routers / middlewares / services in a file
+  file:
+    filename: dynamic_conf.yml
+```

-    [http.services]
-       [http.services.whoami.loadbalancer] # Define how to reach an existing service on our infrastructure
-          [[http.services.whoami.loadbalancer.servers]]
-             url = "http://private/whoami-service"
+```bash tab="CLI"
+# Listen on port 8081 for incoming requests
+--entryPoints.web.address=:8081
+
+# Enable the file provider to define routers / middlewares / services in a file
+--providers.file.filename=dynamic_conf.toml
+```
+
+Dynamic configuration:
+
+```toml tab="TOML"
+# http routing section
+[http]
+  [http.routers]
+     # Define a connection between requests and services
+     [http.routers.to-whoami]
+      rule = "Host(`domain`) && PathPrefix(`/whoami/`)"
+      # If the rule matches, applies the middleware
+      middlewares = ["test-user"]
+      # If the rule matches, forward to the whoami service (declared below)
+      service = "whoami"
+
+  [http.middlewares]
+    # Define an authentication mechanism
+    [http.middlewares.test-user.basicAuth]
+      users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
+
+  [http.services]
+    # Define how to reach an existing service on our infrastructure
+    [http.services.whoami.loadBalancer]
+      [[http.services.whoami.loadBalancer.servers]]
+        url = "http://private/whoami-service"
+```
+
+```yaml tab="YAML"
+# http routing section
+http:
+  routers:
+    # Define a connection between requests and services
+    to-whoami:
+      rule: "Host(`domain`) && PathPrefix(`/whoami/`)"
+       # If the rule matches, applies the middleware
+      middlewares:
+      - test-user
+      # If the rule matches, forward to the whoami service (declared below)
+      service: whoami
+
+  middlewares:
+    # Define an authentication mechanism
+    test-user:
+      basicAuth:
+        users:
+        - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
+
+  services:
+    # Define how to reach an existing service on our infrastructure
+    whoami:
+      loadBalancer:
+        servers:
+        - url: http://private/whoami-service
 ```

 !!! note "The File Provider"
@@ -61,39 +124,114 @@ In the process, Traefik will make sure that the user is authenticated (using the

    ??? example "Adding a TCP route for TLS requests on whoami.traefik.io"

-        ```toml
+        Static configuration:
+        
+        ```toml tab="File (TOML)"
        [entryPoints]
-           [entryPoints.web]
-              address = ":8081" # Listen on port 8081 for incoming requests
+          [entryPoints.web]
+            # Listen on port 8081 for incoming requests
+            address = ":8081"

        [providers]
-           [providers.file] # Enable the file provider to define routers / middlewares / services in a file
-
-        [http] # http routing section
-            [http.routers]
-               [http.routers.to-whoami] # Define a connection between requests and services
-                  rule = "Host(`domain`) && PathPrefix(/whoami/)"
-                  middlewares = ["test-user"] # If the rule matches, applies the middleware
-                  service = "whoami" # If the rule matches, forward to the whoami service (declared below)
-
-            [http.middlewares]
-               [http.middlewares.test-user.basicauth] # Define an authentication mechanism
-                  users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
-
-            [http.services]
-               [http.services.whoami.loadbalancer] # Define how to reach an existing service on our infrastructure
-                  [[http.services.whoami.loadbalancer.servers]]
-                     url = "http://private/whoami-service"
-
-           [tcp]
-              [tcp.routers]
-                 [tcp.routers.to-whoami-tcp]
-                     rule = "HostSNI(`whoami-tcp.traefik.io`)"
-                     service = "whoami-tcp"
-                     [tcp.routers.to-whoami-tcp.tls]
-
-              [tcp.services]
-                 [tcp.services.whoami-tcp.loadbalancer]
-                    [[tcp.services.whoami-tcp.loadbalancer.servers]]
-                       address = "xx.xx.xx.xx:xx"
+          # Enable the file provider to define routers / middlewares / services in a file
+          [providers.file]
+            filename = "dynamic_conf.toml"
+        ```
+        
+        ```yaml tab="File (YAML)"
+        entryPoints:
+          web:
+            # Listen on port 8081 for incoming requests
+            address: :8081
+        providers:
+          # Enable the file provider to define routers / middlewares / services in a file
+          file:
+            filename: dynamic_conf.yml
+        ```
+        
+        ```bash tab="CLI"
+        # Listen on port 8081 for incoming requests
+        --entryPoints.web.address=":8081"
+        
+        # Enable the file provider to define routers / middlewares / services in a file
+        --providers.file.filename=dynamic_conf.toml
+        ```
+        
+        Dynamic configuration:
+
+        ```toml tab="TOML"
+        # http routing section
+        [http]
+          [http.routers]
+            # Define a connection between requests and services
+            [http.routers.to-whoami]
+              rule = "Host(`domain`) && PathPrefix(`/whoami/`)"
+              # If the rule matches, applies the middleware
+              middlewares = ["test-user"]
+              # If the rule matches, forward to the whoami service (declared below)
+              service = "whoami"
+
+          [http.middlewares]
+             # Define an authentication mechanism
+             [http.middlewares.test-user.basicAuth]
+               users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
+
+          [http.services]
+             # Define how to reach an existing service on our infrastructure
+             [http.services.whoami.loadBalancer]
+               [[http.services.whoami.loadBalancer.servers]]
+                 url = "http://private/whoami-service"
+
+        [tcp]
+          [tcp.routers]
+            [tcp.routers.to-whoami-tcp]
+              rule = "HostSNI(`whoami-tcp.traefik.io`)"
+              service = "whoami-tcp"
+              [tcp.routers.to-whoami-tcp.tls]
+
+          [tcp.services]
+            [tcp.services.whoami-tcp.loadBalancer]
+              [[tcp.services.whoami-tcp.loadBalancer.servers]]
+                address = "xx.xx.xx.xx:xx"
+        ```
+        
+        ```yaml tab="YAML"
+        # http routing section
+        http:
+
+          routers:
+            # Define a connection between requests and services
+            to-whoami:
+              rule: Host(`domain`) && PathPrefix(`/whoami/`)
+              # If the rule matches, applies the middleware
+              middlewares:
+              - test-user
+              # If the rule matches, forward to the whoami service (declared below)
+              service: whoami
+
+          middlewares:
+            # Define an authentication mechanism
+            test-user:
+              basicAuth:
+                users:
+                - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
+
+          services:
+            # Define how to reach an existing service on our infrastructure
+            whoami:
+              loadBalancer:
+                servers:
+                - url: http://private/whoami-service
+        tcp:
+
+          routers:
+            to-whoami-tcp:
+              service: whoami-tcp
+              rule: HostSNI(`whoami-tcp.traefik.io`)
+
+          services:
+            whoami-tcp:
+              loadBalancer:
+                servers:
+                - address: xx.xx.xx.xx:xx
        ```
--- a/docs/content/routing/routers/index.md
+++ b/docs/content/routing/routers/index.md
@@ -12,40 +12,84 @@ In the process, routers may use pieces of [middleware](../../middlewares/overvie

 ??? example "Requests /foo are Handled by service-foo -- Using the [File Provider](../../providers/file.md)"

-    ```toml
+    ```toml tab="TOML"
      [http.routers]
        [http.routers.my-router]
-        rule = "Path(`/foo`)"
-        service = "service-foo"
+          rule = "Path(`/foo`)"
+          service = "service-foo"
+    ```
+
+    ```yaml tab="YAML"
+      http:
+        routers:
+          my-router:
+            rule: "Path(`/foo`)"
+            service: service-foo
    ```

 ??? example "With a [middleware](../../middlewares/overview.md) -- using the [File Provider](../../providers/file.md)"

-    ```toml
+    ```toml tab="TOML"
      [http.routers]
        [http.routers.my-router]
-        rule = "Path(`/foo`)"
-        middlewares = ["authentication"] # declared elsewhere
-        service = "service-foo"
+          rule = "Path(`/foo`)"
+          # declared elsewhere
+          middlewares = ["authentication"]
+          service = "service-foo"
+    ```
+
+    ```yaml tab="YAML"
+      http:
+        routers:
+          my-router:
+            rule: "Path(`/foo`)"
+            # declared elsewhere
+            middlewares:
+            - authentication
+            service: service-foo
    ```

 ??? example "Forwarding all (non-tls) requests on port 3306 to a database service"
-
-    ```toml
-      [entryPoints]
-        [entryPoints.mysql-default]
-          address = ":80"
-        [entryPoints.mysql-default]
-          address = ":3306"   
+    
+    ```toml tab="TOML"
+    ## Static configuration ##
+    
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+      [entryPoints.mysql-default]
+        address = ":3306"   
+    
+    ## Dynamic configuration ##
+    
+    [tcp]
+      [tcp.routers]
+        [tcp.routers.to-database]
+          entryPoints = ["mysql-default"]
+          # Catch every request (only available rule for non-tls routers. See below.)
+          rule = "HostSNI(`*`)"
+          service = "database"
    ```
    
-    ```toml
-      [tcp]
-        [tcp.routers]
-          [tcp.routers.to-database]
-            entryPoints = ["mysql-default"]
-            rule = "HostSNI(`*`)" # Catch every request (only available rule for non-tls routers. See below.)
-            service = "database"
+    ```yaml tab="YAML"
+    ## Static configuration ##
+    
+    entryPoints:
+      web:
+        address: ":80"
+      mysql-default:
+        address: ":3306"   
+    
+    ## Dynamic configuration ##
+    
+    tcp:
+      routers:
+        to-database:
+          entryPoints:
+          - "mysql-default"
+          # Catch every request (only available rule for non-tls routers. See below.)
+          rule: "HostSNI(`*`)"
+          service: database
    ```

 ## Configuring HTTP Routers
@@ -56,43 +100,94 @@ If not specified, HTTP routers will accept requests from all defined entry point
 If you want to limit the router scope to a set of entry points, set the `entryPoints` option.

 ??? example "Listens to Every EntryPoint"
-
-    ```toml
+    
+    ```toml tab="TOML"
+    ## Static configuration ##
+    
    [entryPoints]
-       [entryPoints.web]
-          # ...
-       [entryPoints.web-secure]
-          # ...
-       [entryPoints.other]
-          # ...
+      [entryPoints.web]
+        # ...
+      [entryPoints.web-secure]
+        # ...
+      [entryPoints.other]
+        # ...
+    
+    
+    ## Dynamic configuration ##
+        
+    [http.routers]
+      [http.routers.Router-1]
+        # By default, routers listen to every entry points
+        rule = "Host(`traefik.io`)"
+        service = "service-1"
    ```
    
-    ```toml
-    [http.routers]
-       [http.routers.Router-1]
-          # By default, routers listen to every entrypoints
-          rule = "Host(`traefik.io`)"
-          service = "service-1"
+    ```yaml tab="YAML"
+    ## Static configuration ##
+    
+    entryPoints:
+      web:
+        # ...
+      web-secure:
+        # ...
+      other:
+        # ...
+    
+    ## Dynamic configuration ##
+        
+    http:
+      routers:
+        Router-1:
+          # By default, routers listen to every entry points
+          rule: "Host(`traefik.io`)"
+          service: "service-1"
    ```

 ??? example "Listens to Specific EntryPoints"
-
-    ```toml
+    
+    ```toml tab="TOML"
+    ## Static configuration ##
+    
    [entryPoints]
-       [entryPoints.web]
-          # ...
-       [entryPoints.web-secure]
-          # ...
-       [entryPoints.other]
-          # ...
+      [entryPoints.web]
+        # ...
+      [entryPoints.web-secure]
+        # ...
+      [entryPoints.other]
+        # ...
+        
+    ## Dynamic configuration ##
+    
+    [http.routers]
+      [http.routers.Router-1]
+        # won't listen to entry point web
+        entryPoints = ["web-secure", "other"]
+        rule = "Host(`traefik.io`)"
+        service = "service-1"
    ```
    
-    ```toml
-    [http.routers]
-       [http.routers.Router-1]
-          entryPoints = ["web-secure", "other"] # won't listen to entrypoint web
-          rule = "Host(`traefik.io`)"
-          service = "service-1"
+    ```yaml tab="YAML"
+    ## Static configuration ##
+    
+    entryPoints:
+      web:
+        # ...
+      web-secure:
+        # ...
+      other:
+        # ...
+        
+    ## Dynamic configuration ##
+    
+    http:
+      routers:
+        Router-1:
+          # won't listen to entry point web
+          entryPoints:
+          - "web-secure"
+          - "other"
+          rule: "Host(`traefik.io`)"
+          service: "service-1"
    ```

 ### Rule
@@ -170,12 +265,23 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted

 ??? example "Configuring the router to accept HTTPS requests only"

-    ```toml
+    ```toml tab="TOML"
    [http.routers]
-       [http.routers.Router-1]
-          rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
-          service = "service-id"
-          [http.routers.Router-1.tls] # will terminate the TLS request
+      [http.routers.Router-1]
+        rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
+        service = "service-id"
+        # will terminate the TLS request
+        [http.routers.Router-1.tls]
+    ```
+    
+    ```yaml tab="YAML"
+    http:
+      routers:
+        Router-1:
+          rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
+          service: service-id
+          # will terminate the TLS request
+          tls: {}
    ```

 !!! note "HTTPS & ACME"
@@ -192,41 +298,186 @@ Traefik will terminate the SSL connections (meaning that it will send decrypted

    ??? example "HTTP & HTTPS routes"

-        ```toml
+        ```toml tab="TOML"
        [http.routers]
-           [http.routers.my-https-router]
-              rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
-              service = "service-id"
-              [http.routers.my-https-router.tls] # will terminate the TLS request
+          [http.routers.my-https-router]
+            rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
+            service = "service-id"
+            # will terminate the TLS request
+            [http.routers.my-https-router.tls]

-           [http.routers.my-http-router]
-              rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
-              service = "service-id"
+          [http.routers.my-http-router]
+            rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
+            service = "service-id"
        ```

-#### `Options`
+        ```yaml tab="YAML"
+        http:
+          routers:
+            my-https-router:
+              rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
+              service: service-id
+              # will terminate the TLS request
+              tls: {}

-The `Options` field enables fine-grained control of the TLS parameters.  
-It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.
+            my-http-router:
+              rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
+              service: service-id
+        ```

-??? example "Configuring the tls options"
+#### `options`

-    ```toml
+The `options` field enables fine-grained control of the TLS parameters.
+It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `Host` rule is defined.
+
+!!! note "Server Name Association"
+
+    Even though one might get the impression that a TLS options reference is mapped to a router, or a router rule, one should realize that it is actually mapped only to the host name found in the `Host` part of the rule. Of course, there could also be several `Host` parts in a rule, in which case the TLS options reference would be mapped to as many host names.
+
+    Another thing to keep in mind is: the TLS option is picked from the mapping mentioned above and based on the server name provided during the TLS handshake, and it all happens before routing actually occurs.
+
+??? example "Configuring the TLS options"
+
+    ```toml tab="TOML"
    [http.routers]
-       [http.routers.Router-1]
-          rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
-          service = "service-id"
-          [http.routers.Router-1.tls] # will terminate the TLS request
-            options = "foo"
+      [http.routers.Router-1]
+        rule = "Host(`foo-domain`) && Path(`/foo-path/`)"
+        service = "service-id"
+        # will terminate the TLS request
+        [http.routers.Router-1.tls]
+          options = "foo"
    
-    [tlsOptions]
-      [tlsOptions.foo]
-          minVersion = "VersionTLS12"
-          cipherSuites = [
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_RSA_WITH_AES_256_GCM_SHA384"
-          ]
+    [tls.options]
+      [tls.options.foo]
+        minVersion = "VersionTLS12"
+        cipherSuites = [
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          "TLS_RSA_WITH_AES_256_GCM_SHA384"
+        ]
    ```
+    
+    ```yaml tab="YAML"
+    http:
+      routers:
+        Router-1:
+          rule: "Host(`foo-domain`) && Path(`/foo-path/`)"
+          service: service-id
+          # will terminate the TLS request
+          tls:
+            options: foo
+    
+    tls:
+      options:
+        foo:
+          minVersion: VersionTLS12
+          cipherSuites:
+          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+          - TLS_RSA_WITH_AES_256_GCM_SHA384
+    ```
+
+!!! important "Conflicting TLS Options"
+
+    Since a TLS options reference is mapped to a host name, if a configuration introduces a situation where the same host name (from a `Host` rule) gets matched with two TLS options references, a conflict occurs, such as in the example below:
+
+    ```toml tab="TOML"
+    [http.routers]
+      [http.routers.routerfoo]
+        rule = "Host(`snitest.com`) && Path(`/foo`)"
+        [http.routers.routerfoo.tls]
+          options = "foo"
+
+    [http.routers]
+      [http.routers.routerbar]
+        rule = "Host(`snitest.com`) && Path(`/bar`)"
+        [http.routers.routerbar.tls]
+          options = "bar"
+    ```
+
+    ```yaml tab="YAML"
+    http:
+      routers:
+        routerfoo:
+          rule: "Host(`snitest.com`) && Path(`/foo`)"
+          tls:
+            options: foo
+
+        routerbar:
+          rule: "Host(`snitest.com`) && Path(`/bar`)"
+          tls:
+            options: bar
+    ```
+
+    If that happens, both mappings are discarded, and the host name (`snitest.com` in this case) for these routers gets associated with the default TLS options instead.
+
+#### `certResolver`
+
+If `certResolver` is defined, Traefik will try to generate certificates based on routers `Host` & `HostSNI` rules.
+
+```toml tab="TOML"
+[http.routers]
+  [http.routers.routerfoo]
+    rule = "Host(`snitest.com`) && Path(`/foo`)"
+    [http.routers.routerfoo.tls]
+      certResolver = "foo"
+```
+
+```yaml tab="YAML"
+http:
+  routers:
+    routerfoo:
+      rule: "Host(`snitest.com`) && Path(`/foo`)"
+      tls:
+        certResolver: foo
+```
+
+!!! note "Multiple Hosts in a Rule"
+    The rule `Host(test1.traefik.io,test2.traefik.io)` will request a certificate with the main domain `test1.traefik.io` and SAN `test2.traefik.io`.
+
+#### `domains`
+
+You can set SANs (alternative domains) for each main domain.
+Every domain must have A/AAAA records pointing to Traefik.
+Each domain & SAN will lead to a certificate request.
+
+```toml tab="TOML"
+[http.routers]
+  [http.routers.routerbar]
+    rule = "Host(`snitest.com`) && Path(`/bar`)"
+    [http.routers.routerbar.tls]
+      certResolver = "bar"
+      [[http.routers.routerbar.tls.domains]]
+        main = "snitest.com"
+        sans = "*.snitest.com"
+```
+
+```yaml tab="YAML"
+http:
+  routers:
+    routerbar:
+      rule: "Host(`snitest.com`) && Path(`/bar`)"
+      tls:
+        certResolver: "bar"
+      domains:
+      - main: "snitest.com"
+        sans: "*.snitest.com"
+```
+
+[ACME v2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
+As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](./../../https/acme.md#dnschallenge).
+
+Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
+In this case the generated DNS TXT record for both domains is the same.
+Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant,
+it can lead to problems as all DNS providers keep DNS records cached for a given time (TTL) and this TTL can be greater than the challenge timeout making the `DNS-01` challenge fail.
+
+The Traefik ACME client library [LEGO](https://github.com/go-acme/lego) supports some but not all DNS providers to work around this issue.
+The [Supported `provider` table](./../../https/acme.md#providers) indicates if they allow generating certificates for a wildcard domain and its root domain.
+
+!!! note
+    Wildcard certificates can only be verified through a `DNS-01` challenge.
+
+!!! note "Double Wildcard Certificates"
+    It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).

 ## Configuring TCP Routers

@@ -242,44 +493,100 @@ If you want to limit the router scope to a set of entry points, set the entry po

 ??? example "Listens to Every Entry Point"

-    ```toml
+    ```toml tab="TOML"
+    ## Static configuration ##
+    
    [entryPoints]
-       [entryPoints.web]
-          # ...
-       [entryPoints.web-secure]
-          # ...
-       [entryPoints.other]
-          # ...
+      [entryPoints.web]
+        # ...
+      [entryPoints.web-secure]
+        # ...
+      [entryPoints.other]
+        # ...
+    
+    ## Dynamic configuration ##
+    
+    [tcp.routers]
+      [tcp.routers.Router-1]
+        # By default, routers listen to every entrypoints
+        rule = "HostSNI(`traefik.io`)"
+        service = "service-1"
+        # will route TLS requests (and ignore non tls requests)
+        [tcp.routers.Router-1.tls]
    ```
    
-    ```toml
-    [tcp.routers]
-       [tcp.routers.Router-1]
+    ```yaml tab="YAML"
+    ## Static configuration ##
+    
+    entryPoints:
+      web:
+        # ...
+      web-secure:
+        # ...
+      other:
+        # ...
+    
+    ## Dynamic configuration ##
+    
+    tcp:
+      routers:
+        Router-1:
          # By default, routers listen to every entrypoints
-          rule = "HostSNI(`traefik.io`)"
-          service = "service-1"
-          [tcp.routers.Router-1.tls] # will route TLS requests (and ignore non tls requests)
+          rule: "HostSNI(`traefik.io`)"
+          service: "service-1"
+          # will route TLS requests (and ignore non tls requests)
+          tls: {}
    ```

 ??? example "Listens to Specific Entry Points"
-
-    ```toml
+    
+    ```toml tab="TOML"
+    ## Static configuration ##
+    
    [entryPoints]
-       [entryPoints.web]
-          # ...
-       [entryPoints.web-secure]
-          # ...
-       [entryPoints.other]
-          # ...
-    ```
-
-    ```toml
+      [entryPoints.web]
+        # ...
+      [entryPoints.web-secure]
+        # ...
+      [entryPoints.other]
+        # ...
+        
+    ## Dynamic configuration ##
+    
    [tcp.routers]
-       [tcp.routers.Router-1]
-          entryPoints = ["web-secure", "other"] # won't listen to entrypoint web
-          rule = "HostSNI(`traefik.io`)"
-          service = "service-1"
-          [tcp.routers.Router-1.tls] # will route TLS requests (and ignore non tls requests)
+      [tcp.routers.Router-1]
+        # won't listen to entry point web
+        entryPoints = ["web-secure", "other"]
+        rule = "HostSNI(`traefik.io`)"
+        service = "service-1"
+        # will route TLS requests (and ignore non tls requests)
+        [tcp.routers.Router-1.tls]
+    ```
+    
+    ```yaml tab="YAML"
+    ## Static configuration ##
+    
+    entryPoints:
+      web:
+        # ...
+      web-secure:
+        # ...
+      other:
+        # ...
+        
+    ## Dynamic configuration ##
+    
+    tcp:
+      routers:
+        Router-1:
+          # won't listen to entry point web
+          entryPoints:
+          - "web-secure"
+          - "other"
+          rule: "HostSNI(`traefik.io`)"
+          service: "service-1"
+          # will route TLS requests (and ignore non tls requests)
+          tls: {}
    ```

 ### Rule
@@ -312,49 +619,138 @@ Services are the target for the router.

 ??? example "Configuring TLS Termination"

-    ```toml
+    ```toml tab="TOML"
    [tcp.routers]
-       [tcp.routers.Router-1]
-          rule = "HostSNI(`foo-domain`)"
-          service = "service-id"
-          [tcp.routers.Router-1.tls] # will terminate the TLS request by default
+      [tcp.routers.Router-1]
+        rule = "HostSNI(`foo-domain`)"
+        service = "service-id"
+        # will terminate the TLS request by default
+        [tcp.routers.Router-1.tls]
+    ```
+
+    ```yaml tab="YAML"
+    tcp:
+      routers:
+        Router-1:
+          rule: "HostSNI(`foo-domain`)"
+          service: service-id
+          # will terminate the TLS request by default
+          tld: {}
    ```

 ??? example "Configuring passthrough"

-    ```toml
+    ```toml tab="TOML"
    [tcp.routers]
-       [tcp.routers.Router-1]
-          rule = "HostSNI(`foo-domain`)"
-          service = "service-id"
-          [tcp.routers.Router-1.tls]
-             passthrough=true
+      [tcp.routers.Router-1]
+        rule = "HostSNI(`foo-domain`)"
+        service = "service-id"
+        [tcp.routers.Router-1.tls]
+          passthrough = true
+    ```
+
+    ```yaml tab="YAML"
+    tcp:
+      routers:
+        Router-1:
+          rule: "HostSNI(`foo-domain`)"
+          service: service-id
+          tls:
+            passthrough: true
    ```

 !!! note "TLS & ACME"

    In the current version, with [ACME](../../https/acme.md) enabled, automatic certificate generation will apply to every router declaring a TLS section.

-#### `Options`
+#### `options`

-The `Options` field enables fine-grained control of the TLS parameters.  
-It refers to a [tlsOptions](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.
+The `options` field enables fine-grained control of the TLS parameters.  
+It refers to a [TLS Options](../../https/tls.md#tls-options) and will be applied only if a `HostSNI` rule is defined.

 ??? example "Configuring the tls options"

-    ```toml
+    ```toml tab="TOML"
    [tcp.routers]
-       [tcp.routers.Router-1]
-          rule = "HostSNI(`foo-domain`)"
-          service = "service-id"
-          [tcp.routers.Router-1.tls] # will terminate the TLS request
-            options = "foo"
+      [tcp.routers.Router-1]
+        rule = "HostSNI(`foo-domain`)"
+        service = "service-id"
+        # will terminate the TLS request
+        [tcp.routers.Router-1.tls]
+          options = "foo"
    
-    [tlsOptions]
-      [tlsOptions.foo]
-          minVersion = "VersionTLS12"
-          cipherSuites = [
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_RSA_WITH_AES_256_GCM_SHA384"
-          ]
+    [tls.options]
+      [tls.options.foo]
+        minVersion = "VersionTLS12"
+        cipherSuites = [
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          "TLS_RSA_WITH_AES_256_GCM_SHA384"
+        ]
    ```
+
+    ```yaml tab="YAML"
+    tcp:
+      routers:
+        Router-1:
+          rule: "HostSNI(`foo-domain`)"
+          service: service-id
+          # will terminate the TLS request
+          tls:
+            options: foo
+    
+    tls:
+      options:
+        foo:
+          minVersion: VersionTLS12
+          cipherSuites:
+          - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+          - "TLS_RSA_WITH_AES_256_GCM_SHA384"
+    ```
+
+#### `certResolver`
+
+See [`certResolver` for HTTP router](./index.md#certresolver) for more information.
+
+```toml tab="TOML"
+[tcp.routers]
+  [tcp.routers.routerfoo]
+    rule = "HostSNI(`snitest.com`)"
+    [tcp.routers.routerfoo.tls]
+      certResolver = "foo"
+```
+
+```yaml tab="YAML"
+tcp:
+  routers:
+    routerfoo:
+      rule: "HostSNI(`snitest.com`)"
+      tls:
+        certResolver: foo
+```
+
+#### `domains`
+
+See [`domains` for HTTP router](./index.md#domains) for more information.
+
+```toml tab="TOML"
+[tcp.routers]
+  [tcp.routers.routerbar]
+    rule = "HostSNI(`snitest.com`)"
+    [tcp.routers.routerbar.tls]
+      certResolver = "bar"
+      [[tcp.routers.routerbar.tls.domains]]
+        main = "snitest.com"
+        sans = "*.snitest.com"
+```
+
+```yaml tab="YAML"
+tcp:
+  routers:
+    routerbar:
+      rule: "HostSNI(`snitest.com`)"
+      tls:
+        certResolver: "bar"
+      domains:
+      - main: "snitest.com"
+        sans: "*.snitest.com"
+```
--- a/docs/content/routing/services/index.md
+++ b/docs/content/routing/services/index.md
@@ -11,25 +11,45 @@ The `Services` are responsible for configuring how to reach the actual services

 ??? example "Declaring an HTTP Service with Two Servers -- Using the [File Provider](../../providers/file.md)"

-    ```toml
+    ```toml tab="TOML"
    [http.services]
-      [http.services.my-service.LoadBalancer]
-         
-         [[http.services.my-service.LoadBalancer.servers]]
-            url = "http://private-ip-server-1/"
-         [[http.services.my-service.LoadBalancer.servers]]
-            url = "http://private-ip-server-2/"
+      [http.services.my-service.loadBalancer]
+
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-1/"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-2/"
+    ```
+    
+    ```yaml tab="YAML"
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+            - url: "http://private-ip-server-1/"
+            - url: "http://private-ip-server-2/"
    ```

 ??? example "Declaring a TCP Service with Two Servers -- Using the [File Provider](../../providers/file.md)"

-    ```toml
+    ```toml tab="TOML"
    [tcp.services]
-      [tcp.services.my-service.LoadBalancer]         
-         [[tcp.services.my-service.LoadBalancer.servers]]
-            address = "xx.xx.xx.xx:xx"
-         [[tcp.services.my-service.LoadBalancer.servers]]
-            address = "xx.xx.xx.xx:xx"
+      [tcp.services.my-service.loadBalancer]
+         [[tcp.services.my-service.loadBalancer.servers]]
+           address = "xx.xx.xx.xx:xx"
+         [[tcp.services.my-service.loadBalancer.servers]]
+           address = "xx.xx.xx.xx:xx"
+    ```
+    
+    ```yaml tab="YAML"
+    tcp:
+      services:
+        my-service:
+          loadBalancer:         
+            servers:
+            - address: "xx.xx.xx.xx:xx"
+            - address: "xx.xx.xx.xx:xx"
    ```

 ## Configuring HTTP Services
@@ -46,14 +66,24 @@ The load balancers are able to load balance the requests between multiple instan

 ??? example "Declaring a Service with Two Servers (with Load Balancing) -- Using the [File Provider](../../providers/file.md)"

-    ```toml
+    ```toml tab="TOML"
    [http.services]
-      [http.services.my-service.LoadBalancer]
-         
-         [[http.services.my-service.LoadBalancer.servers]]
-            url = "http://private-ip-server-1/"
-         [[http.services.my-service.LoadBalancer.servers]]
-            url = "http://private-ip-server-2/"
+      [http.services.my-service.loadBalancer]
+
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-1/"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-2/"
+    ```
+
+    ```yaml tab="YAML"
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+            - url: "http://private-ip-server-1/"
+            - url: "http://private-ip-server-2/"
    ```

 #### Servers
@@ -68,11 +98,20 @@ The `url` option point to a specific instance.

 ??? example "A Service with One Server -- Using the [File Provider](../../providers/file.md)"

-    ```toml
+    ```toml tab="TOML"
    [http.services]
-      [http.services.my-service.LoadBalancer]
-         [[http.services.my-service.LoadBalancer.servers]]
-            url = "http://private-ip-server-1/"
+      [http.services.my-service.loadBalancer]
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-1/"
+    ```
+    
+    ```yaml tab="YAML"
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+              url: "http://private-ip-server-1/"
    ```

 #### Load-balancing
@@ -81,13 +120,23 @@ For now, only round robin load balancing is supported:

 ??? example "Load Balancing -- Using the [File Provider](../../providers/file.md)"

-    ```toml
+    ```toml tab="TOML"
    [http.services]
-      [http.services.my-service.LoadBalancer]
-         [[http.services.my-service.LoadBalancer.servers]]
-            url = "http://private-ip-server-1/"
-         [[http.services.my-service.LoadBalancer.servers]]
-            url = "http://private-ip-server-1/"
+      [http.services.my-service.loadBalancer]
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-1/"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-2/"
+    ```
+
+    ```yaml tab="YAML"
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+            - url: "http://private-ip-server-1/"
+            - url: "http://private-ip-server-2/"
    ```

 #### Sticky sessions
@@ -109,39 +158,56 @@ On subsequent requests, the client is forwarded to the same server.

 ??? example "Adding Stickiness"

-    ```toml
+    ```toml tab="TOML"
    [http.services]
      [http.services.my-service]
-        [http.services.my-service.LoadBalancer.stickiness]
-          secureCookie = true
-          httpOnlyCookie = true
+        [http.services.my-service.loadBalancer.stickiness]
+    ```
+    
+    ```yaml tab="YAML"
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            stickiness: {}
    ```

 ??? example "Adding Stickiness with a Custom Cookie Name"

-    ```toml
+    ```toml tab="TOML"
    [http.services]
      [http.services.my-service]
-        [http.services.my-service.LoadBalancer.stickiness]
-           cookieName = "my_stickiness_cookie_name"
-           secureCookie = true
-           httpOnlyCookie = true
+        [http.services.my-service.loadBalancer.stickiness]
+          cookieName = "my_stickiness_cookie_name"
+          secureCookie = true
+          httpOnlyCookie = true
+    ```
+
+    ```yaml tab="YAML"
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            stickiness:
+              cookieName: my_stickiness_cookie_name
+              secureCookie: true
+              httpOnlyCookie: true
    ```

 #### Health Check

-Configure healthcheck to remove unhealthy servers from the load balancing rotation.
+Configure health check to remove unhealthy servers from the load balancing rotation.
 Traefik will consider your servers healthy as long as they return status codes between `2XX` and `3XX` to the health check requests (carried out every `interval`).

 Below are the available options for the health check mechanism:

- `path` is appended to the server URL to set the healcheck endpoint.
- `scheme`, if defined, will replace the server URL `scheme` for the healthcheck endpoint
- `hostname`, if defined, will replace the server URL `hostname` for the healthcheck endpoint.
- `port`, if defined, will replace the server URL `port` for the healthcheck endpoint.
- `interval` defines the frequency of the healthcheck calls.
- `timeout` defines the maximum duration Traefik will wait for a healthcheck request before considering the server failed (unhealthy).
- `headers` defines custom headers to be sent to the healthcheck endpoint.
+- `path` is appended to the server URL to set the health check endpoint.
+- `scheme`, if defined, will replace the server URL `scheme` for the health check endpoint
+- `hostname`, if defined, will replace the server URL `hostname` for the health check endpoint.
+- `port`, if defined, will replace the server URL `port` for the health check endpoint.
+- `interval` defines the frequency of the health check calls.
+- `timeout` defines the maximum duration Traefik will wait for a health check request before considering the server failed (unhealthy).
+- `headers` defines custom headers to be sent to the health check endpoint.

 !!! note "Interval & Timeout Format"

@@ -153,50 +219,93 @@ Below are the available options for the health check mechanism:
    Traefik keeps monitoring the health of unhealthy servers. 
    If a server has recovered (returning `2xx` -> `3xx` responses again), it will be added back to the load balacer rotation pool.

-??? example "Custom Interval & Timeout -- Using the File Provider"
+??? example "Custom Interval & Timeout -- Using the [File Provider](../../providers/file.md)"

-    ```toml
+    ```toml tab="TOML"
    [http.services]
      [http.servicess.Service-1]
-        [http.services.Service-1.healthcheck]
-            path = "/health"
-            interval = "10s"
-            timeout = "3s"
+        [http.services.Service-1.loadBalancer.healthCheck]
+          path = "/health"
+          interval = "10s"
+          timeout = "3s"
    ```

-??? example "Custom Port -- Using the File Provider"
+    ```yaml tab="YAML"
+    http:
+      servicess:
+        Service-1:
+          loadBalancer:
+            healthCheck:
+              path: /health
+              interval: "10s"
+              timeout: "3s"
+    ```

-    ```toml
+??? example "Custom Port -- Using the [File Provider](../../providers/file.md)"
+
+    ```toml tab="TOML"
    [http.services]
      [http.services.Service-1]
-        [http.services.Service-1.healthcheck]
-            path = "/health"
-            port = 8080
-    ```
-
-??? example "Custom Scheme -- Using the File Provider"
-
-    ```toml
-    [http.services]
-      [http.services.Service-1]
-        [http.services.Service-1.healthcheck]
-            path = "/health"
-            scheme = "http"
-    ```
-
-??? example "Additional HTTP Headers -- Using the File Provider"
-
-    ```toml
-    [http.services]
-        [http.services.Service-1]
-            [http.servicess.Service-1.healthcheck]
-                path = "/health"
-
-                [Service.Service-1.healthcheck.headers]
-                    My-Custom-Header = "foo"
-                    My-Header = "bar"
+        [http.services.Service-1.loadBalancer.healthCheck]
+          path = "/health"
+          port = 8080
    ```
    
+    ```yaml tab="YAML"
+    http:
+      services:
+        Service-1:
+          loadBalancer:
+            healthCheck:
+              path: /health
+              port: 8080
+    ```
+
+??? example "Custom Scheme -- Using the [File Provider](../../providers/file.md)"
+
+    ```toml tab="TOML"
+    [http.services]
+      [http.services.Service-1]
+        [http.services.Service-1.loadBalancer.healthCheck]
+          path = "/health"
+          scheme = "http"
+    ```
+    
+    ```yaml tab="YAML"
+    http:
+      services:
+        Service-1:
+          loadBalancer:
+            healthCheck:
+              path: /health
+              scheme: http
+    ```
+
+??? example "Additional HTTP Headers -- Using the [File Provider](../../providers/file.md)"
+
+    ```toml tab="TOML"
+    [http.services]
+      [http.services.Service-1]
+        [http.services.Service-1.loadBalancer.healthCheck]
+          path = "/health"
+
+          [http.services.Service-1.loadBalancer.healthCheck.headers]
+            My-Custom-Header = "foo"
+            My-Header = "bar"
+    ```
+    
+    ```yaml tab="YAML"
+    http:
+      services:
+        Service-1:
+          loadBalancer:
+            healthCheck:
+              path: /health
+              headers:
+                My-Custom-Header: foo
+                My-Header: bar
+    ```
+
 ## Configuring TCP Services

 ### General
@@ -211,13 +320,23 @@ The load balancers are able to load balance the requests between multiple instan

 ??? example "Declaring a Service with Two Servers -- Using the [File Provider](../../providers/file.md)"

-    ```toml
+    ```toml tab="TOML"
    [tcp.services]
-      [tcp.services.my-service.LoadBalancer]
-         [[tcp.services.my-service.LoadBalancer.servers]]
-            address = "xx.xx.xx.xx:xx"
-         [[tcp.services.my-service.LoadBalancer.servers]]
-            address = "xx.xx.xx.xx:xx"
+      [tcp.services.my-service.loadBalancer]
+        [[tcp.services.my-service.loadBalancer.servers]]
+          address = "xx.xx.xx.xx:xx"
+        [[tcp.services.my-service.loadBalancer.servers]]
+           address = "xx.xx.xx.xx:xx"
+    ```
+
+    ```yaml tab="YAML"
+    tcp:
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+            - address: "xx.xx.xx.xx:xx"
+            - address: "xx.xx.xx.xx:xx"
    ```

 #### Servers
@@ -227,9 +346,18 @@ The `address` option (IP:Port) point to a specific instance.

 ??? example "A Service with One Server -- Using the [File Provider](../../providers/file.md)"

-    ```toml
+    ```toml tab="TOML"
    [tcp.services]
-      [tcp.services.my-service.LoadBalancer]
-         [[tcp.services.my-service.LoadBalancer.servers]]
-            address = "xx.xx.xx.xx:xx"
+      [tcp.services.my-service.loadBalancer]
+        [[tcp.services.my-service.loadBalancer.servers]]
+          address = "xx.xx.xx.xx:xx"
+    ```
+
+    ```yaml tab="YAML"
+    tcp:
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+              address: "xx.xx.xx.xx:xx"
    ```
--- a/docs/content/user-guides/crd-acme/01-crd.yml
+++ b/docs/content/user-guides/crd-acme/01-crd.yml
@@ -42,6 +42,21 @@ spec:
    singular: middleware
  scope: Namespaced

+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -97,6 +112,14 @@ rules:
      - get
      - list
      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - tlsoptions
+    verbs:
+      - get
+      - list
+      - watch

 ---
 kind: ClusterRoleBinding
--- a/docs/content/user-guides/crd-acme/03-deployments.yml
+++ b/docs/content/user-guides/crd-acme/03-deployments.yml
@@ -33,17 +33,13 @@ spec:
            - --entrypoints.web.Address=:8000
            - --entrypoints.websecure.Address=:4443
            - --providers.kubernetescrd
-            - --providers.kubernetescrd.trace
-            - --acme
-            - --acme.acmelogging
-            - --acme.tlschallenge
-            - --acme.onhostrule
-            - --acme.email=foo@you.com
-            - --acme.entrypoint=websecure
-            - --acme.storage=acme.json
+            - --certificatesresolvers.default.acme.tlschallenge
+            - --certificatesresolvers.default.acme.email=foo@you.com
+            - --certificatesresolvers.default.acme.entrypoint=websecure
+            - --certificatesresolvers.default.acme.storage=acme.json
            # Please note that this is the staging Let's Encrypt server.
            # Once you get things working, you should remove that whole line altogether.
-            - --acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
          ports:
            - name: web
              containerPort: 8000
--- a/docs/content/user-guides/crd-acme/04-ingressroutes.yml
+++ b/docs/content/user-guides/crd-acme/04-ingressroutes.yml
@@ -26,5 +26,5 @@ spec:
    services:
    - name: whoami
      port: 80
-  # Please note the use of an empty TLS object to enable TLS with Let's Encrypt.
-  tls: {}
+  tls:
+    certResolver: default
--- a/docs/content/user-guides/crd-acme/index.md
+++ b/docs/content/user-guides/crd-acme/index.md
@@ -16,6 +16,10 @@ In the following, the Kubernetes resources defined in YAML configuration files c
 - the first, and usual way, is simply with the `kubectl apply` command.
 - the second, which can be used for this tutorial, is to directly place the files in the directory used by the k3s docker image for such inputs (`/var/lib/rancher/k3s/server/manifests`).

+!!! important "Kubectl Version"
+
+    With the `rancher/k3s` version used in this guide (`0.5.0`), the kubectl version needs to be >= `0.11`.
+
 ## k3s Docker-compose Configuration

 Our starting point is the docker-compose configuration file, to start the k3s cluster.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ludovic Fernandez	a5aa8c6006	Prepare release v2.0.0-beta1	2019-07-19 17:18:03 +02:00
Jan	022d14abe1	Fixed a typo in label.	2019-07-19 17:00:05 +02:00
Ludovic Fernandez	1800b0b69c	Improve error on router without service. Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2019-07-19 16:42:04 +02:00
Julien Salleyron	c39a550b00	Lets encrypt documentation typo	2019-07-19 15:52:03 +02:00
mpl	092aa8fa6d	API: remove configuration of Entrypoint and Middlewares Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2019-07-19 12:28:07 +02:00
Ludovic Fernandez	f75f73f3d2	Certificate resolvers. Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com>	2019-07-19 11:52:04 +02:00
Julien Salleyron	e3627e9cba	Disable RateLimit temporarily	2019-07-19 10:50:05 +02:00
mpl	d5f4934acf	Add documentation about Kubernetes Ingress provider	2019-07-19 09:50:04 +02:00
Jean-Baptiste Doumenjou	693bd7e110	Add a basic Traefik install guide	2019-07-19 09:24:04 +02:00
Antoine Caron	4d8dcdc623	feat(webui/dashboard): init new dashboard	2019-07-18 22:36:04 +02:00
Michael	8e97af8dc3	Add Metrics	2019-07-18 21:36:05 +02:00
Ludovic Fernandez	4dc448056c	fix: TLS configuration from directory.	2019-07-18 16:26:05 +02:00
Ludovic Fernandez	68c349bbfa	Manage status for TCP element in the endpoint overview.	2019-07-18 15:56:04 +02:00
David Dymko	75aedc8e94	Fixed doc link for AlibabaCloud	2019-07-17 20:12:04 +02:00
Damien Duportal	8b08f89d2c	Allows logs to use local time zone instead of UTC Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>	2019-07-17 20:12:04 +02:00
Michael	889b38f75a	Improve tracing documentation	2019-07-16 09:54:04 +02:00
Jean-Baptiste Doumenjou	a17ac23457	Update Dynamic Configuration Reference for both Docker and Marathon	2019-07-16 06:48:03 +02:00
mpl	6fdd48509e	config: deal with multiple errors and their criticality Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2019-07-15 17:04:04 +02:00
Ryan Fitzpatrick	62800116d3	Add Jaeger collector endpoint	2019-07-15 14:52:04 +02:00
Antoine Caron	1bccbf061b	refactor(webui): use @vue/cli to bootstrap new ui	2019-07-15 10:58:03 +02:00
Ludovic Fernandez	093658836e	Restrict traefik.toml to static configuration.	2019-07-15 10:22:03 +02:00
Ludovic Fernandez	f49800e56a	user guide: fix a mistake in the deployment definition	2019-07-15 10:00:06 +02:00
Ludovic Fernandez	e478dbeb85	Docker URL	2019-07-15 07:06:03 +02:00
Daniel Tomcej	51486b18fa	Enhance REST provider	2019-07-13 01:24:03 +02:00
Michael	48d98dcf45	Update docker version for build	2019-07-12 21:14:03 +02:00
Jean-Baptiste Doumenjou	2c7cfd1c68	Expand Client Auth Type configuration	2019-07-12 17:50:04 +02:00
Michael	7a4b4c941c	Update dep version	2019-07-12 15:36:04 +02:00
Michael	608ccb0ca1	Update golangci-lint	2019-07-12 15:04:03 +02:00
Daniel Tomcej	3f6ea04048	Properly add response headers for CORS	2019-07-12 11:46:04 +02:00
Ludovic Fernandez	74c5ec70a9	Improve API endpoints	2019-07-12 11:10:03 +02:00
Ludovic Fernandez	c8bf8e896a	Move dynamic config into a dedicated package.	2019-07-10 09:26:04 +02:00
Michael	09cc1161c9	Generate deepcopy for configuration struct	2019-07-09 15:18:04 +02:00
Jean-Baptiste Doumenjou	8ab33db51a	Renamed `kubernetes` provider in `kubernetesIngress` provider	2019-07-08 21:36:03 +02:00
stffabi	cc4258bf9d	Remove X-Forwarded-(Uri, Method, Tls-Client-Cert and Tls-Client-Cert-Info) from untrusted IP	2019-07-08 17:56:04 +02:00
Ludovic Fernandez	0ee5d3d83f	Automatic generation of the doc for the CLI flags and env vars.	2019-07-08 11:00:04 +02:00
Ludovic Fernandez	c39aa5e857	Add scheme to IngressRoute.	2019-07-05 17:24:04 +02:00
mpl	39aae4167e	TLSOptions: handle conflict: same host name, different TLS options Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2019-07-03 19:22:05 +02:00
Ludovic Fernandez	9db9143366	Improve providers documentation.	2019-07-02 17:36:04 +02:00
Ludovic Fernandez	49814b92fe	Prepare release v2.0.0-alpha8	2019-07-01 19:36:04 +02:00
Ludovic Fernandez	260b5d6b0d	Add gRPC user guide	2019-07-01 15:28:04 +02:00
Julien Salleyron	4360ca14c1	Use h2c from x/net to handle h2c requests Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2019-07-01 15:08:04 +02:00
Ludovic Fernandez	c7d336f958	Use the same case everywhere	2019-07-01 11:30:05 +02:00
Máté Szabó	f6436663eb	Make HTTP Keep-Alive timeout configurable for backend connections	2019-06-28 00:36:04 +02:00
Michael	84d7c65039	Improve tracing	2019-06-28 00:16:04 +02:00
Ludovic Fernandez	4245096be4	Define a TLS section to group TLS, TLSOptions, and TLSStores. Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com>	2019-06-27 23:58:03 +02:00
Ludovic Fernandez	c9b2a07bc7	Drop headers by default in access logs.	2019-06-27 16:04:03 +02:00
Ludovic Fernandez	e69d4cba88	Support YAML for the dynamic configuration.	2019-06-26 18:18:04 +02:00
mpl	96962dd21f	Handle cross-provider middleware in kubernetes CRD Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2019-06-26 14:14:05 +02:00
Ludovic Fernandez	36d48224b5	fix: error log message.	2019-06-26 09:10:03 +02:00
Daniel Alan Miller	53779d6ceb	Adding content-header to api endpoints	2019-06-25 17:44:03 +02:00
mpl	e7e268b3bd	doc/crd-acme: specify required kubectl version	2019-06-25 14:50:04 +02:00
Damien Duportal	ca2f76fe1f	Update Slack support channel references to Discourse community forum	2019-06-25 10:08:04 +02:00
Ludovic Fernandez	4d44ab9628	Change the loading resource order	2019-06-24 16:40:06 +02:00
Ludovic Fernandez	dd62051e6c	Improve middleware documentation.	2019-06-24 06:04:03 +02:00