Prepare release v2.1.3

Co-authored-by: mpl <mathieu.lonjaret@gmail.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.
 
 Documentation fixes or enhancements:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.0
+- for Traefik v2: use branch v2.1
 
 Bug fixes:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.0
+- for Traefik v2: use branch v2.1
 
 Enhancements:
 - for Traefik v1: we only accept bug fixes

.golangci.toml

@@ -47,6 +47,7 @@
     "gocognit",
     "bodyclose", # Too many false-positive and panics.
     "wsl", # Too strict
+    "gomnd", # Too strict
     "stylecheck", # skip because report issues related to some generated files.
   ]
 
@@ -92,6 +93,15 @@
  [[issues.exclude-rules]]
     path = "cmd/configuration.go"
     text = "string `traefik` has (\\d) occurrences, make it a constant"
+ [[issues.exclude-rules]]
+    path = "pkg/server/middleware/middlewares.go"
+    text = "Function 'buildConstructor' is too long \\(\\d+ > 230\\)"
  [[issues.exclude-rules]] # FIXME must be fixed
     path = "cmd/context.go"
     text = "S1000: should use a simple channel send/receive instead of `select` with a single case"
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/haystack/logger.go"
+    linters = ["goprintffuncname"]
+ [[issues.exclude-rules]]
+    path = "pkg/tracing/tracing.go"
+    text = "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"

CHANGELOG.md

@@ -1,3 +1,120 @@
+## [v2.1.3](https://github.com/containous/traefik/tree/v2.1.3) (2020-01-21)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.2...v2.1.3)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v3.3.0 ([#6192](https://github.com/containous/traefik/pull/6192) by [shilch](https://github.com/shilch))
+- **[docker]** Use the calculated port when useBindPortIP is enabled ([#6199](https://github.com/containous/traefik/pull/6199) by [juliens](https://github.com/juliens))
+- **[docker]** fix: invalid service definition. ([#6198](https://github.com/containous/traefik/pull/6198) by [ldez](https://github.com/ldez))
+- **[server]** Remove Content-Type auto-detection ([#6097](https://github.com/containous/traefik/pull/6097) by [juliens](https://github.com/juliens))
+- **[service]** fix memleak in safe.Pool ([#6140](https://github.com/containous/traefik/pull/6140) by [mpl](https://github.com/mpl))
+
+**Documentation:**
+- **[docker]** Fix typo in docker routing documentation ([#6147](https://github.com/containous/traefik/pull/6147) by [tvrg](https://github.com/tvrg))
+- **[k8s]** Fixed typo in k8s doc ([#6163](https://github.com/containous/traefik/pull/6163) by [MyIgel](https://github.com/MyIgel))
+- **[marathon]** Fix typo in Marathon doc. ([#6150](https://github.com/containous/traefik/pull/6150) by [thatshubham](https://github.com/thatshubham))
+- **[middleware]** Adding an explanation how to use `htpasswd` for k8s secret ([#6194](https://github.com/containous/traefik/pull/6194) by [jamct](https://github.com/jamct))
+- doc: adds an explanation of the global redirection pattern. ([#6195](https://github.com/containous/traefik/pull/6195) by [ldez](https://github.com/ldez))
+- Fix small typo in user-guides documentation ([#6154](https://github.com/containous/traefik/pull/6154) by [evert-arias](https://github.com/evert-arias))
+
+## [v2.1.2](https://github.com/containous/traefik/tree/v2.1.2) (2020-01-07)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.1...v2.1.2)
+
+**Bug fixes:**
+- **[authentication,middleware,tracing]** fix(tracing): makes sure tracing headers are being propagated when using forwardAuth ([#6072](https://github.com/containous/traefik/pull/6072) by [jcchavezs](https://github.com/jcchavezs))
+- **[cli]** fix: invalid label/flag parsing. ([#6028](https://github.com/containous/traefik/pull/6028) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Query consul catalog for service health separately ([#6046](https://github.com/containous/traefik/pull/6046) by [SantoDE](https://github.com/SantoDE))
+- **[k8s,k8s/crd]** Restore ExternalName https support for Kubernetes CRD ([#6037](https://github.com/containous/traefik/pull/6037) by [kpeiruza](https://github.com/kpeiruza))
+- **[k8s,k8s/crd]** Log the ignored namespace only when needed ([#6087](https://github.com/containous/traefik/pull/6087) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/ingress]** k8s Ingress: fix crash on rules with nil http ([#6121](https://github.com/containous/traefik/pull/6121) by [grimmy](https://github.com/grimmy))
+- **[logs]** Improves error message when a configuration file is empty. ([#6135](https://github.com/containous/traefik/pull/6135) by [ldez](https://github.com/ldez))
+- **[server]** Handle respondingTimeout and better shutdown tests. ([#6115](https://github.com/containous/traefik/pull/6115) by [juliens](https://github.com/juliens))
+- **[server]** Don't set user-agent to Go-http-client/1.1 ([#6030](https://github.com/containous/traefik/pull/6030) by [sh7dm](https://github.com/sh7dm))
+- **[tracing]** fix: Malformed x-b3-traceid Header ([#6079](https://github.com/containous/traefik/pull/6079) by [ldez](https://github.com/ldez))
+- **[webui]** fix: dashboard redirect loop ([#6078](https://github.com/containous/traefik/pull/6078) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Use consistent name in ACME documentation ([#6019](https://github.com/containous/traefik/pull/6019) by [ldez](https://github.com/ldez))
+- **[api,k8s/crd]** Add a documentation example for dashboard and api for kubernetes CRD ([#6022](https://github.com/containous/traefik/pull/6022) by [dduportal](https://github.com/dduportal))
+- **[cli]** Fix examples for the use of websecure via CLI ([#6116](https://github.com/containous/traefik/pull/6116) by [tiagoboeing](https://github.com/tiagoboeing))
+- **[k8s,k8s/crd]** Improve documentation about Kubernetes IngressRoute ([#6058](https://github.com/containous/traefik/pull/6058) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[middleware]** Improve sourceRange explanation for ipWhiteList ([#6070](https://github.com/containous/traefik/pull/6070) by [der-domi](https://github.com/der-domi))
+
+## [v2.1.1](https://github.com/containous/traefik/tree/v2.1.1) (2019-12-12)
+[All Commits](https://github.com/containous/traefik/compare/v2.1.0...v2.1.1)
+
+**Bug fixes:**
+- **[logs,middleware,metrics]** CloseNotifier: return pointer instead of value ([#6010](https://github.com/containous/traefik/pull/6010) by [mpl](https://github.com/mpl))
+
+**Documentation:**
+- Add Migration Guide for Traefik v2.1 ([#6017](https://github.com/containous/traefik/pull/6017) by [SantoDE](https://github.com/SantoDE))
+
+## [v2.1.0](https://github.com/containous/traefik/tree/v2.1.0) (2019-12-10)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.0-rc1...v2.1.0)
+
+**Enhancements:**
+- **[consulcatalog]** Add consul catalog options: requireConsistent, stale, cache ([#5752](https://github.com/containous/traefik/pull/5752) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Add Consul Catalog provider ([#5395](https://github.com/containous/traefik/pull/5395) by [negasus](https://github.com/negasus))
+- **[k8s,k8s/crd,service]** Support for all services kinds (and sticky) in CRD ([#5711](https://github.com/containous/traefik/pull/5711) by [mpl](https://github.com/mpl))
+- **[metrics]** Added configurable prefix for statsd metrics collection ([#5336](https://github.com/containous/traefik/pull/5336) by [schulterklopfer](https://github.com/schulterklopfer))
+- **[middleware]** Conditional compression based on request Content-Type ([#5721](https://github.com/containous/traefik/pull/5721) by [ldez](https://github.com/ldez))
+- **[server]** Add internal provider ([#5815](https://github.com/containous/traefik/pull/5815) by [ldez](https://github.com/ldez))
+- **[tls]** Add support for MaxVersion in tls.Options ([#5650](https://github.com/containous/traefik/pull/5650) by [kmeekva](https://github.com/kmeekva))
+- **[tls]** Add tls option for Elliptic Curve Preferences ([#5466](https://github.com/containous/traefik/pull/5466) by [ksarink](https://github.com/ksarink))
+- **[tracing]** Update jaeger dependencies ([#5637](https://github.com/containous/traefik/pull/5637) by [mmatur](https://github.com/mmatur))
+
+**Bug fixes:**
+- **[api]** fix: debug endpoint when insecure API. ([#5937](https://github.com/containous/traefik/pull/5937) by [ldez](https://github.com/ldez))
+- **[cli]** fix: sub command help ([#5887](https://github.com/containous/traefik/pull/5887) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** fix: consul catalog constraints. ([#5913](https://github.com/containous/traefik/pull/5913) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Service registered with same id on Consul Catalog ([#5900](https://github.com/containous/traefik/pull/5900) by [mmatur](https://github.com/mmatur))
+- **[consulcatalog]** Fix empty address for registering service without IP ([#5826](https://github.com/containous/traefik/pull/5826) by [mmatur](https://github.com/mmatur))
+- **[logs,middleware,metrics]** detect CloseNotify capability in accesslog and metrics ([#5985](https://github.com/containous/traefik/pull/5985) by [mpl](https://github.com/mpl))
+- **[server]** fix: remove double call to server Close. ([#5960](https://github.com/containous/traefik/pull/5960) by [ldez](https://github.com/ldez))
+- **[webui]** Fix weighted service provider icon ([#5983](https://github.com/containous/traefik/pull/5983) by [sh7dm](https://github.com/sh7dm))
+- **[webui]** Fix http/tcp resources pagination ([#5986](https://github.com/containous/traefik/pull/5986) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Use valid condition in the service details panel UI ([#5984](https://github.com/containous/traefik/pull/5984) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[webui]** Web UI: Avoid polling on /api/entrypoints ([#5863](https://github.com/containous/traefik/pull/5863) by [matthieuh](https://github.com/matthieuh))
+- **[webui]** Web UI: Sync toolbar table state with url query params ([#5861](https://github.com/containous/traefik/pull/5861) by [matthieuh](https://github.com/matthieuh))
+
+**Documentation:**
+- **[consulcatalog]** fix: Consul Catalog documentation. ([#5725](https://github.com/containous/traefik/pull/5725) by [ldez](https://github.com/ldez))
+- **[consulcatalog]** Fix consul catalog documentation ([#5661](https://github.com/containous/traefik/pull/5661) by [mmatur](https://github.com/mmatur))
+- Prepare release v2.1.0-rc2 ([#5846](https://github.com/containous/traefik/pull/5846) by [ldez](https://github.com/ldez))
+- Prepare release v2.1.0-rc1 ([#5844](https://github.com/containous/traefik/pull/5844) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Several documentation fixes ([#5987](https://github.com/containous/traefik/pull/5987) by [ldez](https://github.com/ldez))
+- Prepare release v2.1.0-rc3 ([#5929](https://github.com/containous/traefik/pull/5929) by [ldez](https://github.com/ldez))
+
+**Misc:**
+- **[cli]** Add custom help function to command ([#5923](https://github.com/containous/traefik/pull/5923) by [Ullaakut](https://github.com/Ullaakut))
+- **[server]** fix: use MaxInt32. ([#5845](https://github.com/containous/traefik/pull/5845) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master ([#5841](https://github.com/containous/traefik/pull/5841) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5749](https://github.com/containous/traefik/pull/5749) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5619](https://github.com/containous/traefik/pull/5619) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into master  ([#5464](https://github.com/containous/traefik/pull/5464) by [ldez](https://github.com/ldez))
+- Merge v2.0.0 into master ([#5402](https://github.com/containous/traefik/pull/5402) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-rc3 into master ([#5354](https://github.com/containous/traefik/pull/5354) by [ldez](https://github.com/ldez))
+- Merge v2.0.0-rc1 into master  ([#5253](https://github.com/containous/traefik/pull/5253) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into v2.1 ([#5977](https://github.com/containous/traefik/pull/5977) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into v2.1 ([#5931](https://github.com/containous/traefik/pull/5931) by [ldez](https://github.com/ldez))
+- Merge current v2.0 branch into v2.1 ([#5928](https://github.com/containous/traefik/pull/5928) by [ldez](https://github.com/ldez))
+
+## [v2.0.7](https://github.com/containous/traefik/tree/v2.0.7) (2019-12-09)
+[All Commits](https://github.com/containous/traefik/compare/v2.0.6...v2.0.7)
+
+**Bug fixes:**
+- **[logs,middleware]** Remove mirroring impact in accesslog ([#5967](https://github.com/containous/traefik/pull/5967) by [juliens](https://github.com/juliens))
+- **[middleware]** fix: PassClientTLSCert middleware separators and formatting ([#5921](https://github.com/containous/traefik/pull/5921) by [ldez](https://github.com/ldez))
+- **[server]** Do not stop to listen on tcp listeners on temporary errors  ([#5935](https://github.com/containous/traefik/pull/5935) by [skwair](https://github.com/skwair))
+
+**Documentation:**
+- **[acme,k8s/crd,k8s/ingress]** Document LE caveats with Kubernetes on v2 ([#5902](https://github.com/containous/traefik/pull/5902) by [dtomcej](https://github.com/dtomcej))
+- **[acme]** The Cloudflare hint for the GLOBAL API KEY for CF MAIL/API_KEY ([#5964](https://github.com/containous/traefik/pull/5964) by [EugenMayer](https://github.com/EugenMayer))
+- **[acme]** Improve documentation for ACME/Let's Encrypt ([#5819](https://github.com/containous/traefik/pull/5819) by [dduportal](https://github.com/dduportal))
+- **[file]** Improve documentation on file provider limitations with file system notifications ([#5939](https://github.com/containous/traefik/pull/5939) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Make trailing slash more prominent for the "secure dashboard setup" too ([#5963](https://github.com/containous/traefik/pull/5963) by [EugenMayer](https://github.com/EugenMayer))
+- Fix Docker example in "Strip and Rewrite Path Prefixes" in migration guide ([#5949](https://github.com/containous/traefik/pull/5949) by [q210](https://github.com/q210))
+- readme: Fix link to file backend/provider documentation ([#5945](https://github.com/containous/traefik/pull/5945) by [hartwork](https://github.com/hartwork))
+
 ## [v2.1.0-rc3](https://github.com/containous/traefik/tree/v2.1.0-rc3) (2019-12-02)
 [All Commits](https://github.com/containous/traefik/compare/v2.1.0-rc2...v2.1.0-rc3)
 

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2018 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -73,7 +73,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - [Kubernetes](https://docs.traefik.io/providers/kubernetes-crd/)
 - [Marathon](https://docs.traefik.io/providers/marathon/)
 - [Rancher](https://docs.traefik.io/providers/rancher/) (Metadata)
-- [File](https://docs.traefik.io/configuration/backends/file)
+- [File](https://docs.traefik.io/providers/file/)
 
 ## Quickstart
 

build.Dockerfile

@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.20.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.23.0
 
 # Download golangci-lint and misspell binary to bin folder in $GOPATH
 RUN GO111MODULE=off go get github.com/client9/misspell/cmd/misspell

cmd/traefik/traefik.go

@@ -69,10 +69,10 @@ Complete documentation is available at https://traefik.io`,
 	err = cli.Execute(cmdTraefik)
 	if err != nil {
 		stdlog.Println(err)
-		os.Exit(1)
+		logrus.Exit(1)
 	}
 
-	os.Exit(0)
+	logrus.Exit(0)
 }
 
 func runCmd(staticConfiguration *static.Configuration) error {
@@ -156,7 +156,6 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	svr.Wait()
 	log.WithoutContext().Info("Shutting down")
-	logrus.Exit(0)
 	return nil
 }
 
@@ -173,7 +172,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
 
-	serverEntryPointsTCP, err := server.NewTCPEntryPoints(*staticConfiguration)
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
 	if err != nil {
 		return nil, err
 	}

docs/check.Dockerfile

@@ -15,8 +15,12 @@ RUN gem install html-proofer --version 3.13.0 --no-document -- --use-system-libr
 RUN apk --no-cache --no-progress add \
     git \
     nodejs \
-    npm \
-  && npm install --global \
+    npm
+
+# To handle 'not get uid/gid'
+RUN npm config set unsafe-perm true
+
+RUN npm install --global \
     markdownlint@0.17.2 \
     markdownlint-cli@0.19.0
 

docs/content/contributing/building-testing.md

@@ -62,7 +62,7 @@ Requirements:
 
 - `go` v1.13+
 - environment variable `GO111MODULE=on`
-- go-bindata `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
+- [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`
 
 !!! tip "Source Directory"
 
@@ -98,30 +98,32 @@ Requirements:
 #### Build Traefik
 
 Once you've set up your go environment and cloned the source repository, you can build Traefik.
-Beforehand, you need to get `go-bindata` (the first time) in order to be able to use the `go generate` command (which is part of the build process).
+
+Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).
 
 ```bash
 cd ~/go/src/github.com/containous/traefik
 
 # Get go-bindata. (Important: the ellipses are required.)
 GO111MODULE=off go get github.com/containous/go-bindata/...
+```
 
-# Let's build
+```bash
+# Generate UI static files
+rm -rf static/ autogen/; make generate-webui
 
-# generate
-# (required to merge non-code components into the final binary, such as the web dashboard and the provider's templates)
+# required to merge non-code components into the final binary,
+# such as the web dashboard/UI
 go generate
+```
 
+```bash
 # Standard go build
 go build ./cmd/traefik
 ```
 
 You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/containous/traefik` directory.
 
-### Updating the templates
-
-If you happen to update the provider's templates (located in `/templates`), you must run `go generate` to update the `autogen` package.
-
 ## Testing
 
 ### Method 1: `Docker` and `make`

docs/content/getting-started/install-traefik.md

@@ -72,7 +72,7 @@ helm install ./traefik-helm-chart
     {: #helm-custom-values }
     
     The values are not (yet) documented, but are self-explanatory:
-    you can look at the [default `values.yaml`](https://github.com/containous/traefik-helm-chart/blob/master/values.yaml) file to explore possibilities.
+    you can look at the [default `values.yaml`](https://github.com/containous/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
     
     Example of installation with logging set to `DEBUG`:
     

docs/content/https/.markdownlint.json

@@ -0,0 +1,4 @@
+{
+    "extends": "../../.markdownlint.json",
+    "MD041": false
+}

docs/content/https/acme.md

@@ -8,6 +8,45 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
 !!! warning "Let's Encrypt and Rate Limiting"
     Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
 
+    Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
+    when experimenting to avoid hitting this limit too fast.
+    
+## Certificate Resolvers
+
+Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration), 
+which are responsible for retrieving certificates from an ACME server.
+
+Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
+and is associated to a certificate resolver through the [`tls.certresolver` configuration option](../routing/routers/index.md#certresolver).
+
+Certificates are requested for domain names retrieved from the router's [dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration).
+
+You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).
+
+## Domain Definition
+
+Certificate resolvers request certificates for a set of the domain names 
+inferred from routers, with the following logic:
+
+- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
+  then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.
+
+- If no [`tls.domains`](../routing/routers/index.md#domains) option is set, 
+  then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule), 
+  by checking the `Host()` matchers. 
+  Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver)) for specifying multiple domain names for this router.
+
+Please note that:
+
+- When multiple domain names are inferred from a given router,
+  only **one** certificate is requested with the first domain name as the main domain,
+  and the other domains as ["SANs" (Subject Alternative Name)](https://en.wikipedia.org/wiki/Subject_Alternative_Name).
+
+- As [ACME V2 supports "wildcard domains"](#wildcard-domains),
+  any router can provide a [wildcard domain](https://en.wikipedia.org/wiki/Wildcard_certificate) name, as "main" domain or as "SAN" domain.
+
+Please check the [configuration examples below](#configuration-examples) for more details.
+
 ## Configuration Examples
 
 ??? example "Enabling ACME"
@@ -20,10 +59,10 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
       [entryPoints.web-secure]
         address = ":443"
     
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.le.acme]
       email = "your-email@your-domain.org"
       storage = "acme.json"
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.le.acme.httpChallenge]
         # used during the challenge
         entryPoint = "web"
     ```
@@ -50,10 +89,10 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
     --entryPoints.web.address=:80
     --entryPoints.websecure.address=:443
     # ...
-    --certificatesResolvers.sample.acme.email=your-email@your-domain.org
-    --certificatesResolvers.sample.acme.storage=acme.json
+    --certificatesResolvers.le.acme.email=your-email@your-domain.org
+    --certificatesResolvers.le.acme.storage=acme.json
     # used during the challenge
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --certificatesResolvers.le.acme.httpChallenge.entryPoint=web
     ```
 
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
@@ -75,6 +114,26 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
     --8<-- "content/https/ref-acme.txt"
     ```
 
+??? example "Single Domain from Router's Rule Example"
+    
+    * A certificate for the domain `company.com` is requested:
+
+    --8<-- "content/https/include-acme-single-domain-example.md"
+
+??? example "Multiple Domains from Router's Rule Example"
+ 
+    * A certificate for the domains `company.com` (main) and `blog.company.org`
+      is requested:
+    
+    --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
+    
+??? example "Multiple Domains from Router's `tls.domain` Example"
+
+    * A certificate for the domains `company.com` (main) and `*.company.org` (SAN)
+      is requested:
+      
+    --8<-- "content/https/include-acme-multiple-domains-example.md"
+
 ## Automatic Renewals
 
 Traefik automatically tracks the expiry date of ACME certificates it generates.
@@ -84,6 +143,13 @@ If there are less than 30 days remaining before the certificate expires, Traefik
 !!! info ""
     Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
 
+## Using LetsEncrypt with Kubernetes
+
+When using LetsEncrypt with kubernetes, there are some known caveats with both the [ingress](../providers/kubernetes-ingress.md) and [crd](../providers/kubernetes-crd.md) providers.
+
+!!! info ""
+    If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.
+
 ## The Different ACME Challenges
 
 !!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
@@ -98,9 +164,9 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 ??? example "Configuring the `tlsChallenge`"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.le.acme]
       # ...
-      [certificatesResolvers.sample.acme.tlsChallenge]
+      [certificatesResolvers.le.acme.tlsChallenge]
     ```
 
     ```yaml tab="File (YAML)"
@@ -113,7 +179,7 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.tlsChallenge=true
+    --certificatesResolvers.le.acme.tlsChallenge=true
     ```
 
 ### `httpChallenge`
@@ -121,7 +187,7 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
 
 As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
+when using the `HTTP-01` challenge, `certificatesResolvers.le.acme.httpChallenge.entryPoint` must be reachable by Let's Encrypt through port 80.
 
 ??? example "Using an EntryPoint Called http for the `httpChallenge`"
 
@@ -133,9 +199,9 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
       [entryPoints.web-secure]
         address = ":443"
     
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.le.acme]
       # ...
-      [certificatesResolvers.sample.acme.httpChallenge]
+      [certificatesResolvers.le.acme.httpChallenge]
         entryPoint = "web"
     ```
 
@@ -159,7 +225,7 @@ when using the `HTTP-01` challenge, `certificatesResolvers.sample.acme.httpChall
     --entryPoints.web.address=:80
     --entryPoints.websecure.address=:443
     # ...
-    --certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+    --certificatesResolvers.le.acme.httpChallenge.entryPoint=web
     ```
 
 !!! info ""
@@ -172,9 +238,9 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 ??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.le.acme]
       # ...
-      [certificatesResolvers.sample.acme.dnsChallenge]
+      [certificatesResolvers.le.acme.dnsChallenge]
         provider = "digitalocean"
         delayBeforeCheck = 0
     # ...
@@ -193,8 +259,8 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
-    --certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+    --certificatesResolvers.le.acme.dnsChallenge.provider=digitalocean
+    --certificatesResolvers.le.acme.dnsChallenge.delayBeforeCheck=0
     # ...
     ```
 
@@ -219,8 +285,9 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 | [Azure](https://azure.microsoft.com/services/dns/)          | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)  | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
 | [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
+| [Checkdomain](https://www.checkdomain.de/)                  | `checkdomain`  | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
 | [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
-| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]` [^5]                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
+| [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
 | [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
 | [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
 | [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
@@ -291,9 +358,9 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 Use custom DNS servers to resolve the FQDN authority.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.le.acme]
   # ...
-  [certificatesResolvers.sample.acme.dnsChallenge]
+  [certificatesResolvers.le.acme.dnsChallenge]
     # ...
     resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
 ```
@@ -312,7 +379,7 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.dnsChallenge.resolvers:=1.1.1.1:53,8.8.8.8:53
+--certificatesResolvers.le.acme.dnsChallenge.resolvers:=1.1.1.1:53,8.8.8.8:53
 ```
 
 #### Wildcard Domains
@@ -320,12 +387,14 @@ certificatesResolvers:
 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
 As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
 
-## `caServer`
+## More Configuration
+
+### `caServer`
 
 ??? example "Using the Let's Encrypt staging server"
 
     ```toml tab="File (TOML)"
-    [certificatesResolvers.sample.acme]
+    [certificatesResolvers.le.acme]
       # ...
       caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
       # ...
@@ -342,16 +411,16 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
 
     ```bash tab="CLI"
     # ...
-    --certificatesResolvers.sample.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+    --certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
     # ...
     ```
 
-## `storage`
+### `storage`
 
 The `storage` option sets the location where your ACME certificates are saved to.
 
 ```toml tab="File (TOML)"
-[certificatesResolvers.sample.acme]
+[certificatesResolvers.le.acme]
   # ...
   storage = "acme.json"
   # ...
@@ -368,7 +437,7 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesResolvers.sample.acme.storage=acme.json
+--certificatesResolvers.le.acme.storage=acme.json
 # ...
 ```
 
@@ -376,7 +445,7 @@ The value can refer to some kinds of storage:
 
 - a JSON file
 
-### In a File
+#### In a File
 
 ACME certificates can be stored in a JSON file that needs to have a `600` file mode .
 

docs/content/https/include-acme-multiple-domains-example.md

@@ -0,0 +1,88 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.domains[0].main=company.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=le
+    - traefik.http.routers.blog.tls.domains[0].main=company.org
+    - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+```
+
+```yaml tab="Kubernetes"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`company.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls:
+    certResolver: le
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "le",
+  "traefik.http.routers.blog.tls.domains[0].main": "company.com",
+  "traefik.http.routers.blog.tls.domains[0].sans": "*.company.com",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+  - traefik.http.routers.blog.tls.domains[0].main=company.org
+  - traefik.http.routers.blog.tls.domains[0].sans=*.company.org
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "Host(`company.com`) && Path(`/blog`)"
+    [http.routers.blog.tls]
+      certResolver = "le" # From static configuration
+      [[http.routers.blog.tls.domains]]
+        main = "company.org"
+        sans = ["*.company.org"]
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`company.com`) && Path(`/blog`)"
+      tls:
+        certResolver: le
+        domains:
+          - main: "company.org"
+            sans:
+              - "*.company.org"
+```

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=le
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: (Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls: {}
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "le",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.blog]
+    rule = "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
+    [http.routers.blog.tls]
+      certResolver = "le" # From static configuration
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
+      tls:
+        certResolver: le
+```

docs/content/https/include-acme-single-domain-example.md

@@ -0,0 +1,72 @@
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+```
+
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=le
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+```
+
+```yaml tab="Kubernetes"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blogtls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`company.com`) && Path(`/blog`)
+    kind: Rule
+    services:
+    - name: blog
+      port: 8080
+  tls: {}
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "le",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=le
+```
+
+```toml tab="Single Domain"
+## Dynamic configuration
+[http.routers]
+    [http.routers.blog]
+    rule = "Host(`company.com`) && Path(`/blog`)"
+    [http.routers.blog.tls]
+        certResolver = "le" # From static configuration
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    blog:
+      rule: "Host(`company.com`) && Path(`/blog`)"
+      tls:
+        certResolver: le
+```

docs/content/https/ref-acme.toml

@@ -35,13 +35,13 @@
   #
   # Optional (but recommended)
   #
-  [certificatesResolvers.sample.acme.tlsChallenge]
+  [certificatesResolvers.le.acme.tlsChallenge]
 
   # Use a HTTP-01 ACME challenge.
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.httpChallenge]
+  # [certificatesResolvers.le.acme.httpChallenge]
 
     # EntryPoint to use for the HTTP-01 challenges.
     #
@@ -54,7 +54,7 @@
   #
   # Optional
   #
-  # [certificatesResolvers.sample.acme.dnsChallenge]
+  # [certificatesResolvers.le.acme.dnsChallenge]
 
     # DNS provider used.
     #

docs/content/https/ref-acme.txt

@@ -4,13 +4,13 @@
 #
 # Required
 #
---certificatesResolvers.sample.acme.email=test@traefik.io
+--certificatesResolvers.le.acme.email=test@traefik.io
 
 # File or key used for certificates storage.
 #
 # Required
 #
---certificatesResolvers.sample.acme.storage=acme.json
+--certificatesResolvers.le.acme.storage=acme.json
 
 # CA server to use.
 # Uncomment the line to use Let's Encrypt's staging server,
@@ -19,7 +19,7 @@
 # Optional
 # Default: "https://acme-v02.api.letsencrypt.org/directory"
 #
---certificatesResolvers.sample.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
 
 # KeyType to use.
 #
@@ -28,38 +28,38 @@
 #
 # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
 #
---certificatesResolvers.sample.acme.keyType=RSA4096
+--certificatesResolvers.le.acme.keyType=RSA4096
 
 # Use a TLS-ALPN-01 ACME challenge.
 #
 # Optional (but recommended)
 #
---certificatesResolvers.sample.acme.tlsChallenge=true
+--certificatesResolvers.le.acme.tlsChallenge=true
 
 # Use a HTTP-01 ACME challenge.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.httpChallenge=true
+--certificatesResolvers.le.acme.httpChallenge=true
 
 # EntryPoint to use for the HTTP-01 challenges.
 #
 # Required
 #
---certificatesResolvers.sample.acme.httpChallenge.entryPoint=web
+--certificatesResolvers.le.acme.httpChallenge.entryPoint=web
 
 # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
 # Note: mandatory for wildcard certificate generation.
 #
 # Optional
 #
---certificatesResolvers.sample.acme.dnsChallenge=true
+--certificatesResolvers.le.acme.dnsChallenge=true
 
 # DNS provider used.
 #
 # Required
 #
---certificatesResolvers.sample.acme.dnsChallenge.provider=digitalocean
+--certificatesResolvers.le.acme.dnsChallenge.provider=digitalocean
 
 # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
 # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
@@ -68,14 +68,14 @@
 # Optional
 # Default: 0
 #
---certificatesResolvers.sample.acme.dnsChallenge.delayBeforeCheck=0
+--certificatesResolvers.le.acme.dnsChallenge.delayBeforeCheck=0
 
 # Use following DNS servers to resolve the FQDN authority.
 #
 # Optional
 # Default: empty
 #
---certificatesResolvers.sample.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
+--certificatesResolvers.le.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 
 # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
 #
@@ -85,4 +85,4 @@
 # Optional
 # Default: false
 #
---certificatesResolvers.sample.acme.dnsChallenge.disablePropagationCheck=true
+--certificatesResolvers.le.acme.dnsChallenge.disablePropagationCheck=true

docs/content/https/ref-acme.yaml

@@ -1,5 +1,5 @@
 certificatesResolvers:
-  sample:
+  le:
     # Enable ACME (Let's Encrypt): automatic SSL.
     acme:
 

docs/content/https/tls.md

@@ -40,7 +40,7 @@ tls:
 
     In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
     It is the only available method to configure the certificates (as well as the options and the stores).
-    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](../routing/providers/kubernetes-crd.md#tls). 
+    However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). 
 
 ## Certificates Stores
 

docs/content/index.md

@@ -20,4 +20,4 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
 
 !!! info
 
-    If you're a business running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. 
+    If you're a business running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://info.containo.us/commercial-services) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik. 

docs/content/middlewares/basicauth.md

@@ -90,7 +90,7 @@ The `users` option is an array of authorized users. Each user will be declared u
 # Declaring the user list
 #
 # Note: all dollar signs in the hash need to be doubled for escaping.
-# To create user:password pair, it's possible to use this command:
+# To create a user:password pair, the following command can be used:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -107,6 +107,10 @@ spec:
     secret: authsecret
 
 ---
+# Note: in a kubernetes secret the string (e.g. generated by htpasswd) must be base64-encoded first.
+# To create an encoded user:password pair, the following command can be used:
+# htpasswd -nb user password | openssl base64
+
 apiVersion: v1
 kind: Secret
 metadata:

docs/content/middlewares/contenttype.md

@@ -0,0 +1,83 @@
+
+# ContentType
+
+Handling ContentType auto-detection
+{: .subtitle }
+
+The Content-Type middleware - or rather its unique `autoDetect` option -
+specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.
+
+As a proxy, the default behavior should be to leave the header alone,
+regardless of what the backend did with it.
+However, the historic default was to always auto-detect and set the header if it was nil,
+and it is going to be kept that way in order to support users currently relying on it.
+This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+
+!!! info
+
+    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
+    is still to automatically set the `Content-Type` header.
+    Therefore, given the default value of the `autoDetect` option (false),
+    simply enabling this middleware for a router switches the router's behavior.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```yaml tab="Kubernetes"
+# Disable auto-detection
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: autodetect
+spec:
+  contentType:
+    autoDetect: false
+```
+
+```yaml tab="Consul Catalog"
+# Disable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
+}
+```
+
+```yaml tab="Rancher"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```toml tab="File (TOML)"
+# Disable auto-detection
+[http.middlewares]
+  [http.middlewares.autodetect.contentType]
+     autoDetect=false
+```
+
+```yaml tab="File (YAML)"
+# Disable auto-detection
+http:
+  middlewares:
+    autodetect:
+      contentType:
+        autoDetect: false
+```
+
+## Configuration Options
+
+### `autoDetect`
+
+`autoDetect` specifies whether to let the `Content-Type` header,
+if it has not been set by the backend,
+be automatically set to a value derived from the contents of the response.

docs/content/middlewares/ipwhitelist.md

@@ -66,7 +66,7 @@ http:
 
 ### `sourceRange`
 
-The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
+The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
 
 ### `ipStrategy`
 

docs/content/middlewares/passtlsclientcert.md

@@ -406,7 +406,7 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
 !!! info "Extracted data"
     
     The delimiters and `\n` will be removed.  
-    If there are more than one certificate, they are separated by a "`;`".
+    If there are more than one certificate, they are separated by a "`,`".
 
 !!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
 
@@ -421,12 +421,12 @@ The value of the header will be an escaped concatenation of all the selected cer
 The following example shows an unescaped result that uses all the available fields: 
 
 ```text
-Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
+Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
 ```
 
 !!! info "Multiple certificates"
 
-    If there are more than one certificate, they are separated by a `;`.
+    If there are more than one certificate, they are separated by a `,`.
 
 #### `info.notAfter`
 
@@ -442,7 +442,7 @@ The data are taken from the following certificate part:
 The escape `notAfter` info part will be like:
 
 ```text
-NA=1607166616
+NA="1607166616"
 ```
 
 #### `info.notBefore`
@@ -459,7 +459,7 @@ Validity
 The escape `notBefore` info part will be like:
 
 ```text
-NB=1544094616
+NB="1544094616"
 ```
 
 #### `info.sans`
@@ -476,7 +476,7 @@ The data are taken from the following certificate part:
 The escape SANs info part will be like:
 
 ```text
-SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
+SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
 ```
 
 !!! info "multiple values"

docs/content/migration/v1-to-v2.md

@@ -104,7 +104,7 @@ Then any router can refer to an instance of the wanted middleware.
 
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the Middleware and IngressRoute kinds.
-    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    # https://docs.traefik.io/v2.1/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
@@ -184,7 +184,7 @@ Then any router can refer to an instance of the wanted middleware.
               - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
     ```
 
-## TLS Configuration Is Now Dynamic, per Router.
+## TLS Configuration is Now Dynamic, per Router.
 
 TLS parameters used to be specified in the static configuration, as an entryPoint field.
 With Traefik v2, a new dynamic TLS section at the root contains all the desired TLS configurations.
@@ -209,7 +209,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-           ]
+          ]
           [[entryPoints.web-secure.tls.certificates]]
             certFile = "path/to/my.cert"
             keyFile = "path/to/my.key"
@@ -242,13 +242,13 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       [tls.options.myTLSOptions]
         minVersion = "VersionTLS13"
         cipherSuites = [
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
-            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            ]
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        ]
     ```
 
     ```yaml tab="File (YAML)"
@@ -278,7 +278,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
 
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
-    # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
+    # https://docs.traefik.io/v2.1/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: TLSOption
     metadata:
@@ -322,50 +322,216 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
       - "traefik.http.routers.router0.tls.options=myTLSOptions@file"
     ```
 
-## HTTP to HTTPS Redirection Is Now Configured on Routers
+## HTTP to HTTPS Redirection is Now Configured on Routers
 
 Previously on Traefik v1, the redirection was applied on an entry point or on a frontend.
 With Traefik v2 it is applied on a [Router](../routing/routers/index.md). 
 
 To apply a redirection, one of the redirect middlewares, [RedirectRegex](../middlewares/redirectregex.md) or [RedirectScheme](../middlewares/redirectscheme.md), has to be configured and added to the router middlewares list.
 
-!!! example "HTTP to HTTPS redirection"
+!!! example "Global HTTP to HTTPS redirection"
 
     !!! info "v1"
     
     ```toml tab="File (TOML)"
     # static configuration
-    defaultEntryPoints = ["http", "https"]
+    defaultEntryPoints = ["web", "websecure"]
     
     [entryPoints]
-      [entryPoints.http]
+      [entryPoints.web]
         address = ":80"
-        [entryPoints.http.redirect]
-          entryPoint = "https"
+        [entryPoints.web.redirect]
+          entryPoint = "websecure"
 
-      [entryPoints.https]
+      [entryPoints.websecure]
         address = ":443"
-        [entryPoints.https.tls]
-          [[entryPoints.https.tls.certificates]]
+        [entryPoints.websecure.tls]
+    ```
+
+    ```bash tab="CLI"
+    --entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure
+    --entryPoints='Name:websecure Address::443 TLS'
+    ```
+
+    !!! info "v2"
+    
+    ```yaml tab="Docker"
+    # ...
+      traefik:
+        image: traefik:v2.1
+        command:
+          - --entrypoints.web.address=:80
+          - --entrypoints.websecure.address=:443
+          - --providers.docker=true
+        ports:
+          - 80:80
+          - 443:443
+        labels:
+          traefik.http.routers.http_catchall.rule: HostRegexp(`{any:.+}`)
+          traefik.http.routers.http_catchall.entrypoints: web
+          traefik.http.routers.http_catchall.middlewares: https_redirect
+          traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
+          traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
+        volumes:
+          - /var/run/docker.sock:/var/run/docker.sock
+    ```
+    
+    ```yaml tab="K8s IngressRoute"
+    # The entry points web (port 80) and websecure (port 443) must be defined the static configuration.
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: http_catchall
+      namespace: traefik
+    spec:
+      entryPoints:
+        - web
+      routes:
+        - match: HostRegexp(`{any:.+}`)
+          kind: Rule
+          services:
+            # any service in the namespace
+            # the service will be never called
+            - name: noop
+              port: 80
+          middlewares:
+            - name: https_redirect
+              # if the Middleware has distinct namespace
+              namespace: traefik
+    
+    ---
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware 
+    metadata:
+      name: https_redirect
+      namespace: traefik
+    spec:
+      redirectScheme:
+        scheme: https
+        permanent: true
+    ```
+    
+    ```toml tab="File (TOML)"
+    # traefik.toml
+    ## static configuration
+    
+    [entryPoints]
+      [entryPoints.web]
+        address = 80
+      [entryPoints.websecure]
+        address = 443
+    
+    [providers.file]
+      directory = "/dynamic/"
+    
+    ##--------------------##
+    
+    # /dynamic/redirect.toml
+    ## dynamic configuration
+    
+    [http.routers]
+      [http.routers.http_catchall]
+        entryPoints = ["web"]
+        middlewares = ["https_redirect"]
+        rule = "HostRegexp(`{any:.+}`)"
+        service = "noop"
+    
+    [http.services]
+      # noop service, the URL will be never called
+      [http.services.noop.loadBalancer]
+        [[http.services.noop.loadBalancer.servers]]
+          url = "http://192.168.0.1:1337"
+    
+    [http.middlewares]
+      [http.middlewares.https_redirect.redirectScheme]
+        scheme = "https"
+        permanent = true
+    ```
+    
+    ```yaml tab="File (YAML)"
+    # traefik.yaml
+    ## static configuration
+    
+    entryPoints:
+      web:
+        address: 80
+      websecure:
+        address: 443
+    
+    providers:
+      file:
+        directory: /dynamic/
+    
+    ##--------------------##
+    
+    # /dynamic/redirect.yml
+    ## dynamic configuration
+    
+    http:
+      routers:
+        http_catchall:
+          entryPoints:
+            - web
+          middlewares:
+            - https_redirect
+          rule: "HostRegexp(`{any:.+}`)"
+          service: noop
+    
+      services:
+        # noop service, the URL will be never called
+        noop:
+          loadBalancer:
+            servers:
+              - url: http://192.168.0.1:1337
+    
+      middlewares:
+        https_redirect:
+          redirectScheme:
+            scheme: https
+            permanent: true
+    ```
+
+!!! example "HTTP to HTTPS redirection per domain"
+
+    !!! info "v1"
+    
+    ```toml tab="File (TOML)"
+    # static configuration
+    defaultEntryPoints = ["web", "websecure"]
+    
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+        [entryPoints.web.redirect]
+          entryPoint = "websecure"
+
+      [entryPoints.websecure]
+        address = ":443"
+        [entryPoints.websecure.tls]
+          [[entryPoints.websecure.tls.certificates]]
             certFile = "examples/traefik.crt"
             keyFile = "examples/traefik.key"
     ```
 
     ```bash tab="CLI"
-    --entrypoints=Name:web Address::80 Redirect.EntryPoint:web-secure
-    --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key'
+    --entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure
+    --entryPoints='Name:websecure Address::443 TLS:path/to/my.cert,path/to/my.key'
     ```
 
     !!! info "v2"
 
     ```yaml tab="Docker"
     labels:
-    - traefik.http.routers.web.rule=Host(`foo.com`)
-    - traefik.http.routers.web.entrypoints=web
-    - traefik.http.routers.web.middlewares=redirect@file
-    - traefik.http.routers.web-secured.rule=Host(`foo.com`)
-    - traefik.http.routers.web-secured.entrypoints=web-secure
-    - traefik.http.routers.web-secured.tls=true
+      traefik.http.routers.app.rule: Host(`foo.com`)
+      traefik.http.routers.app.entrypoints: web
+      traefik.http.routers.app.middlewares: https_redirect
+    
+      traefik.http.routers.appsecured.rule: Host(`foo.com`)
+      traefik.http.routers.appsecured.entrypoints: websecure
+      traefik.http.routers.appsecured.tls: true
+    
+      traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
+      traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
     ```
 
     ```yaml tab="K8s IngressRoute"
@@ -384,7 +550,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
             - name: whoami
               port: 80
           middlewares:
-            - name: redirect
+            - name: https_redirect
     
     ---
     apiVersion: traefik.containo.us/v1alpha1
@@ -394,7 +560,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     
     spec:
       entryPoints:
-        - web-secure
+        - websecure
       routes:
         - match: Host(`foo`)
           kind: Rule
@@ -407,11 +573,11 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
-      name: redirect
+      name: https_redirect
     spec:
       redirectScheme:
         scheme: https
-      
+        permanent: true
     ```
 
     ```toml tab="File (TOML)"
@@ -421,7 +587,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
     [entryPoints.web]
       address = ":80"
     
-    [entryPoints.web-secure]
+    [entryPoints.websecure]
       address = ":443"
     
     ##---------------------##
@@ -434,12 +600,12 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
         rule = "Host(`foo.com`)"
         service = "my-service"
         entrypoints = ["web"]
-        middlewares = ["redirect"]
+        middlewares = ["https_redirect"]
     
     [http.routers.router1]
         rule = "Host(`foo.com`)"
         service = "my-service"
-        entrypoints = ["web-secure"]
+        entrypoints = ["websecure"]
         [http.routers.router1.tls]
         
     [http.services]
@@ -449,8 +615,9 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
         url = "http://10.10.10.2:80"
     
     [http.middlewares]
-      [http.middlewares.redirect.redirectScheme]
+      [http.middlewares.https_redirect.redirectScheme]
         scheme = "https"
+        permanent = true
     
     [[tls.certificates]]
       certFile = "/path/to/domain.cert"
@@ -465,7 +632,7 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
       web:
         address: ":80"
     
-      web-secure:
+      websecure:
         address: ":443"
     
     ##---------------------##
@@ -480,13 +647,13 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
           entryPoints:
             - web
           middlewares:
-            - redirect
+            - https_redirect
           service: my-service
     
         router1:
           rule: "Host(`foo.com`)"
           entryPoints:
-            - web-secure
+            - websecure
           service: my-service
           tls: {}
     
@@ -498,9 +665,10 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
               - url: http://10.10.10.2:80
     
       middlewares:
-        redirect:
+        https_redirect:
           redirectScheme:
             scheme: https
+            permanent: true
     
     tls:
       certificates:
@@ -512,14 +680,14 @@ To apply a redirection, one of the redirect middlewares, [RedirectRegex](../midd
 
 With the new core notions of v2 (introduced earlier in the section
 ["Frontends and Backends Are Dead... Long Live Routers, Middlewares, and Services"](#frontends-and-backends-are-dead-long-live-routers-middlewares-and-services)),
-transforming the URL path prefix of incoming requests is configured with [middlewares](../../middlewares/overview/),
+transforming the URL path prefix of incoming requests is configured with [middlewares](../middlewares/overview.md),
 after the routing step with [router rule `PathPrefix`](https://docs.traefik.io/v2.0/routing/routers/#rule).
 
 Use Case: Incoming requests to `http://company.org/admin` are forwarded to the webapplication "admin",
 with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, you must:
 
 * First, configure a router named `admin` with a rule matching at least the path prefix with the `PathPrefix` keyword,
-* Then, define a middleware of type [`stripprefix`](../../middlewares/stripprefix/), which remove the prefix `/admin`, associated to the router `admin`.
+* Then, define a middleware of type [`stripprefix`](../middlewares/stripprefix.md), which removes the prefix `/admin`, associated to the router `admin`.
 
 !!! example "Strip Path Prefix When Forwarding to Backend"
 
@@ -560,8 +728,8 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     ```yaml tab="Docker"
     labels:
       - "traefik.http.routers.admin.rule=Host(`company.org`) && PathPrefix(`/admin`)"
+      - "traefik.http.routers.admin.middlewares=admin-stripprefix"
       - "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
-      - "traefik.http.routers.web.middlewares=admin-stripprefix@docker"
     ```
 
     ```yaml tab="Kubernetes IngressRoute"
@@ -1029,12 +1197,12 @@ As the dashboard access is now secured by default you can either:
     [api]
     
     [providers.file]
-      filename = "/dynamic-conf.toml"
+      directory = "/path/to/dynamic/config"
     
     ##---------------------##
     
     ## dynamic configuration
-    # dynamic-conf.toml
+    # /path/to/dynamic/config/dynamic-conf.toml
     
     [http.routers.api]
       rule = "Host(`traefik.docker.localhost`)"
@@ -1061,12 +1229,12 @@ As the dashboard access is now secured by default you can either:
     
     providers:
       file:
-        filename: /dynamic-conf.yaml
+        directory: /path/to/dynamic/config
    
     ##---------------------##
     
     ## dynamic configuration
-    # dynamic-conf.yaml
+    # /path/to/dynamic/config/dynamic-conf.yaml
     
      http:
       routers:

docs/content/migration/v2.md

@@ -0,0 +1,99 @@
+# Migration: Steps needed between the versions
+
+## v2.0 to v2.1
+
+In v2.1, a new CRD called `TraefikService` was added. While updating an installation to v2.1,
+it is required to apply that CRD before as well as enhance the existing `ClusterRole` definition to allow Traefik to use that CRD.
+
+To add that CRD and enhance the permissions, following definitions need to be applied to the cluster.
+
+```yaml tab="TraefikService"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced
+```
+
+```yaml tab="ClusterRole"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - ingressroutes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - ingressroutetcps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - tlsoptions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - traefikservices
+    verbs:
+      - get
+      - list
+      - watch
+```
+
+After having both resources applied, Traefik will work properly.

docs/content/operations/dashboard.md

@@ -85,19 +85,17 @@ We recommend to use a "Host Based rule" as ```Host(`traefik.domain.com`)``` to m
 or to make sure that the defined rule captures both prefixes:
 
 ```bash tab="Host Rule"
-# Matches http://traefik.domain.com/api or http://traefik.domain.com/dashboard
+# The dashboard can be accessed on http://traefik.domain.com/dashboard/
 rule = "Host(`traefik.domain.com`)"
 ```
 
 ```bash tab="Path Prefix Rule"
-# Matches http://traefik.domain.com/api , http://domain.com/api or http://traefik.domain.com/dashboard
-# but does not match http://traefik.domain.com/hello
+# The dashboard can be accessed on http://domain.com/dashboard/ or http://traefik.domain.com/dashboard/
 rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
 ```
 
 ```bash tab="Combination of Rules"
-# Matches http://traefik.domain.com/api or http://traefik.domain.com/dashboard
-# but does not match http://traefik.domain.com/hello
+# The dashboard can be accessed on http://traefik.domain.com/dashboard/
 rule = "Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 ```
 

docs/content/operations/include-api-examples.md

@@ -19,6 +19,28 @@ deploy:
     - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
 ```
 
+```yaml tab="Kubernetes CRD"
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+spec:
+  routes:
+  - match: Host(`traefik.domain.com`)
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+spec:
+  basicAuth:
+    secret: secretName # Kubernetes secret named "secretName"
+```
+
 ```yaml tab="Consul Catalog"
 # Dynamic Configuration
 - "traefik.http.routers.api.rule=Host(`traefik.domain.com`)"

docs/content/operations/ping.md

@@ -59,7 +59,7 @@ ping:
 --ping.entryPoint=ping
 ```
 
-#### `manualRouting`
+### `manualRouting`
 
 _Optional, Default=false_
 

docs/content/providers/docker.md

@@ -86,7 +86,7 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
 ## Routing Configuration
 
 When using Docker as a [provider](https://docs.traefik.io/providers/overview/),
-Trafik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
+Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
 
 See the list of labels in the dedicated [routing](../routing/providers/docker.md) section.
 

docs/content/providers/file.md

@@ -23,17 +23,17 @@ You can write one of these mutually exclusive configuration elements:
     
     ```toml tab="File (TOML)"
     [providers.file]
-      filename = "/my/path/to/dynamic-conf.toml"
+      directory = "/path/to/dynamic/conf"
     ```
     
     ```yaml tab="File (YAML)"
     providers:
       file:
-        filename: "/my/path/to/dynamic-conf.yml"
+        directory: "/path/to/dynamic/conf"
     ```
     
     ```bash tab="CLI"
-    --providers.file.filename=/my/path/to/dynamic_conf.toml
+    --providers.file.directory=/path/to/dynamic/conf
     ```
     
     Declaring Routers, Middlewares & Services:
@@ -100,6 +100,22 @@ You can write one of these mutually exclusive configuration elements:
 
 If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../reference/dynamic-configuration/file.md) references and the [static configuration](../reference/static-configuration/overview.md).
 
+!!! warning "Limitations"
+
+    With the file provider, Traefik listens for file system notifications to update the dynamic configuration.
+    
+    If you use a mounted/bound file system in your orchestrator (like docker or kubernetes), the way the files are linked may be a source of errors.
+    If the link between the file systems is broken, when a source file/directory is changed/renamed, nothing will be reported to the linked file/directory, so the file system notifications will be neither triggered nor caught. 
+    
+    For example, in docker, if the host file is renamed, the link to the mounted file will be broken and the container's file will not be updated.
+    To avoid this kind of issue, a good practice is to:
+        
+    * set the Traefik [**directory**](#directory) configuration with the parent directory
+    * mount/bind the parent directory
+
+    As it is very difficult to listen to all file system notifications, Traefik use [fsnotify](https://github.com/fsnotify/fsnotify).
+    If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.
+    
 ### `filename`
 
 Defines the path of the configuration file.
@@ -148,19 +164,19 @@ It works with both the `filename` and the `directory` options.
 ```toml tab="File (TOML)"
 [providers]
   [providers.file]
-    filename = "dynamic_conf.toml"
+    directory = "/path/to/dynamic/conf"
     watch = true
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   file:
-    filename: dynamic_conf.yml
+    directory: /path/to/dynamic/conf
     watch: true
 ```
 
 ```bash tab="CLI"
---providers.file.filename=dynamic_conf.toml
+--providers.file.directory=/my/path/to/dynamic/conf
 --providers.file.watch=true
 ```
 

docs/content/providers/kubernetes-crd.md

@@ -8,9 +8,60 @@ Traefik used to support Kubernetes only through the [Kubernetes Ingress provider
 However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
 we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
 
+## Configuration Requirements
+
+!!! tip "All Steps for a Successful Deployment"
+
+    * Add/update **all** the Traefik resources [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions)
+    * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources
+    * Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment 
+        * Enable the kubernetesCRD provider
+        * Apply the needed kubernetesCRD provider [configuration](#provider-configuration)
+    * Add all needed traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
+ 
+??? example "Initializing Resource Definition and RBAC"
+
+    ```yaml tab="Traefik Resource Definition"
+    # All resources definition must be declared
+    --8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
+    ```
+
+    ```yaml tab="RBAC for Traefik CRD"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
+    ```
+
 ## Resource Configuration
 
-See the dedicated section in [routing](../routing/providers/kubernetes-crd.md).
+When using KubernetesCRD as a provider,
+Traefik uses [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to retrieve its routing configuration.
+Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are:
+
+* The usage of `name` **and** `namespace` to refer to another Kubernetes resource.
+* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensible data like:
+    * TLS certificate.
+    * Authentication data.
+* The structure of the configuration.
+* The obligation to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).
+
+The Traefik CRD are building blocks which you can assemble according to your needs.
+See the list of CRDs in the dedicated [routing section](../routing/providers/kubernetes-crd.md).
+
+## LetsEncrypt Support with the Custom Resource Definition Provider
+
+By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
+For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
+
+When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
+Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+
+If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+
+If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot interface directly with the CRDs _yet_, but this is being worked on by our team.
+A workaround it to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
+Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once created, Cert-Manager will keep the certificate renewed.
 
 ## Provider Configuration
 

docs/content/providers/kubernetes-ingress.md

@@ -47,6 +47,20 @@ spec:
               servicePort: 80
 ```
 
+## LetsEncrypt Support with the Ingress Provider
+
+By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
+For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
+
+When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
+Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
+Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+
+If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+
+If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
+
 ## Provider Configuration
 
 ### `endpoint`

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -12,100 +12,102 @@
 - "traefik.http.middlewares.middleware03.chain.middlewares=foobar, foobar"
 - "traefik.http.middlewares.middleware04.circuitbreaker.expression=foobar"
 - "traefik.http.middlewares.middleware05.compress=true"
-- "traefik.http.middlewares.middleware06.digestauth.headerfield=foobar"
-- "traefik.http.middlewares.middleware06.digestauth.realm=foobar"
-- "traefik.http.middlewares.middleware06.digestauth.removeheader=true"
-- "traefik.http.middlewares.middleware06.digestauth.users=foobar, foobar"
-- "traefik.http.middlewares.middleware06.digestauth.usersfile=foobar"
-- "traefik.http.middlewares.middleware07.errors.query=foobar"
-- "traefik.http.middlewares.middleware07.errors.service=foobar"
-- "traefik.http.middlewares.middleware07.errors.status=foobar, foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.address=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.authresponseheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.ca=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.caoptional=true"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.cert=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.insecureskipverify=true"
-- "traefik.http.middlewares.middleware08.forwardauth.tls.key=foobar"
-- "traefik.http.middlewares.middleware08.forwardauth.trustforwardheader=true"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolallowcredentials=true"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolallowheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolallowmethods=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolalloworigin=foobar"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolexposeheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.accesscontrolmaxage=42"
-- "traefik.http.middlewares.middleware09.headers.addvaryheader=true"
-- "traefik.http.middlewares.middleware09.headers.allowedhosts=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.browserxssfilter=true"
-- "traefik.http.middlewares.middleware09.headers.contentsecuritypolicy=foobar"
-- "traefik.http.middlewares.middleware09.headers.contenttypenosniff=true"
-- "traefik.http.middlewares.middleware09.headers.custombrowserxssvalue=foobar"
-- "traefik.http.middlewares.middleware09.headers.customframeoptionsvalue=foobar"
-- "traefik.http.middlewares.middleware09.headers.customrequestheaders.name0=foobar"
-- "traefik.http.middlewares.middleware09.headers.customrequestheaders.name1=foobar"
-- "traefik.http.middlewares.middleware09.headers.customresponseheaders.name0=foobar"
-- "traefik.http.middlewares.middleware09.headers.customresponseheaders.name1=foobar"
-- "traefik.http.middlewares.middleware09.headers.featurepolicy=foobar"
-- "traefik.http.middlewares.middleware09.headers.forcestsheader=true"
-- "traefik.http.middlewares.middleware09.headers.framedeny=true"
-- "traefik.http.middlewares.middleware09.headers.hostsproxyheaders=foobar, foobar"
-- "traefik.http.middlewares.middleware09.headers.isdevelopment=true"
-- "traefik.http.middlewares.middleware09.headers.publickey=foobar"
-- "traefik.http.middlewares.middleware09.headers.referrerpolicy=foobar"
-- "traefik.http.middlewares.middleware09.headers.sslforcehost=true"
-- "traefik.http.middlewares.middleware09.headers.sslhost=foobar"
-- "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name0=foobar"
-- "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name1=foobar"
-- "traefik.http.middlewares.middleware09.headers.sslredirect=true"
-- "traefik.http.middlewares.middleware09.headers.ssltemporaryredirect=true"
-- "traefik.http.middlewares.middleware09.headers.stsincludesubdomains=true"
-- "traefik.http.middlewares.middleware09.headers.stspreload=true"
-- "traefik.http.middlewares.middleware09.headers.stsseconds=42"
-- "traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.depth=42"
-- "traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
-- "traefik.http.middlewares.middleware10.ipwhitelist.sourcerange=foobar, foobar"
-- "traefik.http.middlewares.middleware11.inflightreq.amount=42"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.depth=42"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requestheadername=foobar"
-- "traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requesthost=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.commonname=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.country=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.domaincomponent=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.locality=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.organization=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.province=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.serialnumber=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.notafter=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.notbefore=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.sans=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.commonname=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.country=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.domaincomponent=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.locality=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.organization=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.province=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.serialnumber=true"
-- "traefik.http.middlewares.middleware12.passtlsclientcert.pem=true"
-- "traefik.http.middlewares.middleware13.ratelimit.average=42"
-- "traefik.http.middlewares.middleware13.ratelimit.burst=42"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.depth=42"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requestheadername=foobar"
-- "traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requesthost=true"
-- "traefik.http.middlewares.middleware14.redirectregex.permanent=true"
-- "traefik.http.middlewares.middleware14.redirectregex.regex=foobar"
-- "traefik.http.middlewares.middleware14.redirectregex.replacement=foobar"
-- "traefik.http.middlewares.middleware15.redirectscheme.permanent=true"
-- "traefik.http.middlewares.middleware15.redirectscheme.port=foobar"
-- "traefik.http.middlewares.middleware15.redirectscheme.scheme=foobar"
-- "traefik.http.middlewares.middleware16.replacepath.path=foobar"
-- "traefik.http.middlewares.middleware17.replacepathregex.regex=foobar"
-- "traefik.http.middlewares.middleware17.replacepathregex.replacement=foobar"
-- "traefik.http.middlewares.middleware18.retry.attempts=42"
-- "traefik.http.middlewares.middleware19.stripprefix.forceslash=true"
-- "traefik.http.middlewares.middleware19.stripprefix.prefixes=foobar, foobar"
-- "traefik.http.middlewares.middleware20.stripprefixregex.regex=foobar, foobar"
+- "traefik.http.middlewares.middleware05.compress.excludedcontenttypes=foobar, foobar"
+- "traefik.http.middlewares.middleware06.contenttype.autodetect=true"
+- "traefik.http.middlewares.middleware07.digestauth.headerfield=foobar"
+- "traefik.http.middlewares.middleware07.digestauth.realm=foobar"
+- "traefik.http.middlewares.middleware07.digestauth.removeheader=true"
+- "traefik.http.middlewares.middleware07.digestauth.users=foobar, foobar"
+- "traefik.http.middlewares.middleware07.digestauth.usersfile=foobar"
+- "traefik.http.middlewares.middleware08.errors.query=foobar"
+- "traefik.http.middlewares.middleware08.errors.service=foobar"
+- "traefik.http.middlewares.middleware08.errors.status=foobar, foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.address=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.authresponseheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.ca=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional=true"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.cert=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify=true"
+- "traefik.http.middlewares.middleware09.forwardauth.tls.key=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.trustforwardheader=true"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolallowcredentials=true"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolallowheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin=foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolmaxage=42"
+- "traefik.http.middlewares.middleware10.headers.addvaryheader=true"
+- "traefik.http.middlewares.middleware10.headers.allowedhosts=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.browserxssfilter=true"
+- "traefik.http.middlewares.middleware10.headers.contentsecuritypolicy=foobar"
+- "traefik.http.middlewares.middleware10.headers.contenttypenosniff=true"
+- "traefik.http.middlewares.middleware10.headers.custombrowserxssvalue=foobar"
+- "traefik.http.middlewares.middleware10.headers.customframeoptionsvalue=foobar"
+- "traefik.http.middlewares.middleware10.headers.customrequestheaders.name0=foobar"
+- "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1=foobar"
+- "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0=foobar"
+- "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1=foobar"
+- "traefik.http.middlewares.middleware10.headers.featurepolicy=foobar"
+- "traefik.http.middlewares.middleware10.headers.forcestsheader=true"
+- "traefik.http.middlewares.middleware10.headers.framedeny=true"
+- "traefik.http.middlewares.middleware10.headers.hostsproxyheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.isdevelopment=true"
+- "traefik.http.middlewares.middleware10.headers.publickey=foobar"
+- "traefik.http.middlewares.middleware10.headers.referrerpolicy=foobar"
+- "traefik.http.middlewares.middleware10.headers.sslforcehost=true"
+- "traefik.http.middlewares.middleware10.headers.sslhost=foobar"
+- "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0=foobar"
+- "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1=foobar"
+- "traefik.http.middlewares.middleware10.headers.sslredirect=true"
+- "traefik.http.middlewares.middleware10.headers.ssltemporaryredirect=true"
+- "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
+- "traefik.http.middlewares.middleware10.headers.stspreload=true"
+- "traefik.http.middlewares.middleware10.headers.stsseconds=42"
+- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware11.ipwhitelist.sourcerange=foobar, foobar"
+- "traefik.http.middlewares.middleware12.inflightreq.amount=42"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requestheadername=foobar"
+- "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requesthost=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.commonname=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.country=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.domaincomponent=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.locality=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.organization=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.province=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.serialnumber=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.notafter=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.notbefore=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.sans=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.commonname=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.country=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.domaincomponent=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.locality=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organization=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.province=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.serialnumber=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.pem=true"
+- "traefik.http.middlewares.middleware14.ratelimit.average=42"
+- "traefik.http.middlewares.middleware14.ratelimit.burst=42"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requestheadername=foobar"
+- "traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requesthost=true"
+- "traefik.http.middlewares.middleware15.redirectregex.permanent=true"
+- "traefik.http.middlewares.middleware15.redirectregex.regex=foobar"
+- "traefik.http.middlewares.middleware15.redirectregex.replacement=foobar"
+- "traefik.http.middlewares.middleware16.redirectscheme.permanent=true"
+- "traefik.http.middlewares.middleware16.redirectscheme.port=foobar"
+- "traefik.http.middlewares.middleware16.redirectscheme.scheme=foobar"
+- "traefik.http.middlewares.middleware17.replacepath.path=foobar"
+- "traefik.http.middlewares.middleware18.replacepathregex.regex=foobar"
+- "traefik.http.middlewares.middleware18.replacepathregex.replacement=foobar"
+- "traefik.http.middlewares.middleware19.retry.attempts=42"
+- "traefik.http.middlewares.middleware20.stripprefix.forceslash=true"
+- "traefik.http.middlewares.middleware20.stripprefix.prefixes=foobar, foobar"
+- "traefik.http.middlewares.middleware21.stripprefixregex.regex=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
 - "traefik.http.routers.router0.middlewares=foobar, foobar"
 - "traefik.http.routers.router0.priority=42"

docs/content/reference/dynamic-configuration/file.toml

@@ -113,31 +113,35 @@
         expression = "foobar"
     [http.middlewares.Middleware05]
       [http.middlewares.Middleware05.compress]
+        excludedContentTypes = ["foobar", "foobar"]
     [http.middlewares.Middleware06]
-      [http.middlewares.Middleware06.digestAuth]
+      [http.middlewares.Middleware06.contentType]
+        autoDetect = true
+    [http.middlewares.Middleware07]
+      [http.middlewares.Middleware07.digestAuth]
         users = ["foobar", "foobar"]
         usersFile = "foobar"
         removeHeader = true
         realm = "foobar"
         headerField = "foobar"
-    [http.middlewares.Middleware07]
-      [http.middlewares.Middleware07.errors]
+    [http.middlewares.Middleware08]
+      [http.middlewares.Middleware08.errors]
         status = ["foobar", "foobar"]
         service = "foobar"
         query = "foobar"
-    [http.middlewares.Middleware08]
-      [http.middlewares.Middleware08.forwardAuth]
+    [http.middlewares.Middleware09]
+      [http.middlewares.Middleware09.forwardAuth]
         address = "foobar"
         trustForwardHeader = true
         authResponseHeaders = ["foobar", "foobar"]
-        [http.middlewares.Middleware08.forwardAuth.tls]
+        [http.middlewares.Middleware09.forwardAuth.tls]
           ca = "foobar"
           caOptional = true
           cert = "foobar"
           key = "foobar"
           insecureSkipVerify = true
-    [http.middlewares.Middleware09]
-      [http.middlewares.Middleware09.headers]
+    [http.middlewares.Middleware10]
+      [http.middlewares.Middleware10.headers]
         accessControlAllowCredentials = true
         accessControlAllowHeaders = ["foobar", "foobar"]
         accessControlAllowMethods = ["foobar", "foobar"]
@@ -165,38 +169,38 @@
         referrerPolicy = "foobar"
         featurePolicy = "foobar"
         isDevelopment = true
-        [http.middlewares.Middleware09.headers.customRequestHeaders]
+        [http.middlewares.Middleware10.headers.customRequestHeaders]
           name0 = "foobar"
           name1 = "foobar"
-        [http.middlewares.Middleware09.headers.customResponseHeaders]
+        [http.middlewares.Middleware10.headers.customResponseHeaders]
           name0 = "foobar"
           name1 = "foobar"
-        [http.middlewares.Middleware09.headers.sslProxyHeaders]
+        [http.middlewares.Middleware10.headers.sslProxyHeaders]
           name0 = "foobar"
           name1 = "foobar"
-    [http.middlewares.Middleware10]
-      [http.middlewares.Middleware10.ipWhiteList]
+    [http.middlewares.Middleware11]
+      [http.middlewares.Middleware11.ipWhiteList]
         sourceRange = ["foobar", "foobar"]
-        [http.middlewares.Middleware10.ipWhiteList.ipStrategy]
+        [http.middlewares.Middleware11.ipWhiteList.ipStrategy]
           depth = 42
           excludedIPs = ["foobar", "foobar"]
-    [http.middlewares.Middleware11]
-      [http.middlewares.Middleware11.inFlightReq]
+    [http.middlewares.Middleware12]
+      [http.middlewares.Middleware12.inFlightReq]
         amount = 42
-        [http.middlewares.Middleware11.inFlightReq.sourceCriterion]
+        [http.middlewares.Middleware12.inFlightReq.sourceCriterion]
           requestHeaderName = "foobar"
           requestHost = true
-          [http.middlewares.Middleware11.inFlightReq.sourceCriterion.ipStrategy]
+          [http.middlewares.Middleware12.inFlightReq.sourceCriterion.ipStrategy]
             depth = 42
             excludedIPs = ["foobar", "foobar"]
-    [http.middlewares.Middleware12]
-      [http.middlewares.Middleware12.passTLSClientCert]
+    [http.middlewares.Middleware13]
+      [http.middlewares.Middleware13.passTLSClientCert]
         pem = true
-        [http.middlewares.Middleware12.passTLSClientCert.info]
+        [http.middlewares.Middleware13.passTLSClientCert.info]
           notAfter = true
           notBefore = true
           sans = true
-          [http.middlewares.Middleware12.passTLSClientCert.info.subject]
+          [http.middlewares.Middleware13.passTLSClientCert.info.subject]
             country = true
             province = true
             locality = true
@@ -204,7 +208,7 @@
             commonName = true
             serialNumber = true
             domainComponent = true
-          [http.middlewares.Middleware12.passTLSClientCert.info.issuer]
+          [http.middlewares.Middleware13.passTLSClientCert.info.issuer]
             country = true
             province = true
             locality = true
@@ -212,42 +216,42 @@
             commonName = true
             serialNumber = true
             domainComponent = true
-    [http.middlewares.Middleware13]
-      [http.middlewares.Middleware13.rateLimit]
+    [http.middlewares.Middleware14]
+      [http.middlewares.Middleware14.rateLimit]
         average = 42
         burst = 42
-        [http.middlewares.Middleware13.rateLimit.sourceCriterion]
+        [http.middlewares.Middleware14.rateLimit.sourceCriterion]
           requestHeaderName = "foobar"
           requestHost = true
-          [http.middlewares.Middleware13.rateLimit.sourceCriterion.ipStrategy]
+          [http.middlewares.Middleware14.rateLimit.sourceCriterion.ipStrategy]
             depth = 42
             excludedIPs = ["foobar", "foobar"]
-    [http.middlewares.Middleware14]
-      [http.middlewares.Middleware14.redirectRegex]
+    [http.middlewares.Middleware15]
+      [http.middlewares.Middleware15.redirectRegex]
         regex = "foobar"
         replacement = "foobar"
         permanent = true
-    [http.middlewares.Middleware15]
-      [http.middlewares.Middleware15.redirectScheme]
+    [http.middlewares.Middleware16]
+      [http.middlewares.Middleware16.redirectScheme]
         scheme = "foobar"
         port = "foobar"
         permanent = true
-    [http.middlewares.Middleware16]
-      [http.middlewares.Middleware16.replacePath]
-        path = "foobar"
     [http.middlewares.Middleware17]
-      [http.middlewares.Middleware17.replacePathRegex]
+      [http.middlewares.Middleware17.replacePath]
+        path = "foobar"
+    [http.middlewares.Middleware18]
+      [http.middlewares.Middleware18.replacePathRegex]
         regex = "foobar"
         replacement = "foobar"
-    [http.middlewares.Middleware18]
-      [http.middlewares.Middleware18.retry]
-        attempts = 42
     [http.middlewares.Middleware19]
-      [http.middlewares.Middleware19.stripPrefix]
+      [http.middlewares.Middleware19.retry]
+        attempts = 42
+    [http.middlewares.Middleware20]
+      [http.middlewares.Middleware20.stripPrefix]
         prefixes = ["foobar", "foobar"]
         forceSlash = true
-    [http.middlewares.Middleware20]
-      [http.middlewares.Middleware20.stripPrefixRegex]
+    [http.middlewares.Middleware21]
+      [http.middlewares.Middleware21.stripPrefixRegex]
         regex = ["foobar", "foobar"]
 
 [tcp]
@@ -321,8 +325,8 @@
       minVersion = "foobar"
       maxVersion = "foobar"
       cipherSuites = ["foobar", "foobar"]
-      sniStrict = true
       curvePreferences = ["foobar", "foobar"]
+      sniStrict = true
       [tls.options.Options0.clientAuth]
         caFiles = ["foobar", "foobar"]
         clientAuthType = "foobar"
@@ -330,8 +334,8 @@
       minVersion = "foobar"
       maxVersion = "foobar"
       cipherSuites = ["foobar", "foobar"]
-      sniStrict = true
       curvePreferences = ["foobar", "foobar"]
+      sniStrict = true
       [tls.options.Options1.clientAuth]
         caFiles = ["foobar", "foobar"]
         clientAuthType = "foobar"

docs/content/reference/dynamic-configuration/file.yaml

@@ -117,8 +117,14 @@ http:
       circuitBreaker:
         expression: foobar
     Middleware05:
-      compress: {}
+      compress:
+        excludedContentTypes:
+        - foobar
+        - foobar
     Middleware06:
+      contentType:
+        autoDetect: true
+    Middleware07:
       digestAuth:
         users:
         - foobar
@@ -127,14 +133,14 @@ http:
         removeHeader: true
         realm: foobar
         headerField: foobar
-    Middleware07:
+    Middleware08:
       errors:
         status:
         - foobar
         - foobar
         service: foobar
         query: foobar
-    Middleware08:
+    Middleware09:
       forwardAuth:
         address: foobar
         tls:
@@ -147,7 +153,7 @@ http:
         authResponseHeaders:
         - foobar
         - foobar
-    Middleware09:
+    Middleware10:
       headers:
         customRequestHeaders:
           name0: foobar
@@ -195,7 +201,7 @@ http:
         referrerPolicy: foobar
         featurePolicy: foobar
         isDevelopment: true
-    Middleware10:
+    Middleware11:
       ipWhiteList:
         sourceRange:
         - foobar
@@ -205,7 +211,7 @@ http:
           excludedIPs:
           - foobar
           - foobar
-    Middleware11:
+    Middleware12:
       inFlightReq:
         amount: 42
         sourceCriterion:
@@ -216,7 +222,7 @@ http:
             - foobar
           requestHeaderName: foobar
           requestHost: true
-    Middleware12:
+    Middleware13:
       passTLSClientCert:
         pem: true
         info:
@@ -239,7 +245,7 @@ http:
             commonName: true
             serialNumber: true
             domainComponent: true
-    Middleware13:
+    Middleware14:
       rateLimit:
         average: 42
         burst: 42
@@ -251,33 +257,33 @@ http:
             - foobar
           requestHeaderName: foobar
           requestHost: true
-    Middleware14:
+    Middleware15:
       redirectRegex:
         regex: foobar
         replacement: foobar
         permanent: true
-    Middleware15:
+    Middleware16:
       redirectScheme:
         scheme: foobar
         port: foobar
         permanent: true
-    Middleware16:
+    Middleware17:
       replacePath:
         path: foobar
-    Middleware17:
+    Middleware18:
       replacePathRegex:
         regex: foobar
         replacement: foobar
-    Middleware18:
+    Middleware19:
       retry:
         attempts: 42
-    Middleware19:
+    Middleware20:
       stripPrefix:
         prefixes:
         - foobar
         - foobar
         forceSlash: true
-    Middleware20:
+    Middleware21:
       stripPrefixRegex:
         regex:
         - foobar
@@ -353,8 +359,8 @@ tls:
       minVersion: foobar
       maxVersion: foobar
       cipherSuites:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
       curvePreferences:
       - foobar
       - foobar
@@ -368,8 +374,8 @@ tls:
       minVersion: foobar
       maxVersion: foobar
       cipherSuites:
-        - foobar
-        - foobar
+      - foobar
+      - foobar
       curvePreferences:
       - foobar
       - foobar

docs/content/reference/dynamic-configuration/kubernetes-crd-definition.yml

@@ -0,0 +1,73 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutes.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRoute
+    plural: ingressroutes
+    singular: ingressroute
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: Middleware
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutetcps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteTCP
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: traefikservices.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TraefikService
+    plural: traefikservices
+    singular: traefikservice
+  scope: Namespaced

docs/content/reference/dynamic-configuration/kubernetes-crd-ingressroutetcp-definition.yml

@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressroutetcps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteTCP
+    plural: ingressroutetcps
+    singular: ingressroutetcp
+  scope: Namespaced

docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

@@ -0,0 +1,57 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - tlsoptions
+    verbs:
+      - get
+      - list
+      - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik-ingress-controller
+    namespace: default

docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml

@@ -0,0 +1,157 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: wrr2
+  namespace: default
+
+spec:
+  weighted:
+    services:
+      - name: s1
+        weight: 1
+        port: 80
+        # Optional, as it is the default value
+        kind: Service
+      - name: s3
+        weight: 1
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: wrr1
+  namespace: default
+
+spec:
+  weighted:
+    services:
+      - name: wrr2
+        kind: TraefikService
+        weight: 1
+      - name: s3
+        weight: 1
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: mirror1
+  namespace: default
+
+spec:
+  mirroring:
+    name: s1
+    port: 80
+    mirrors:
+      - name: s3
+        percent: 20
+        port: 80
+      - name: mirror2
+        kind: TraefikService
+        percent: 20
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TraefikService
+metadata:
+  name: mirror2
+  namespace: default
+
+spec:
+  mirroring:
+    name: wrr2
+    kind: TraefikService
+    mirrors:
+      - name: s2
+        # Optional, as it is the default value
+        kind: Service
+        percent: 20
+        port: 80
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroute
+spec:
+  entryPoints:
+    - web
+    - web-secure
+  routes:
+    - match: Host(`foo.com`) && PathPrefix(`/bar`)
+      kind: Rule
+      priority: 12
+      # defining several services is possible and allowed, but for now the servers of
+      # all the services (for a given route) get merged altogether under the same
+      # load-balancing strategy.
+      services:
+        - name: s1
+          port: 80
+          healthCheck:
+            path: /health
+            host: baz.com
+            intervalSeconds: 7
+            timeoutSeconds: 60
+          # strategy defines the load balancing strategy between the servers. It defaults
+          # to Round Robin, and for now only Round Robin is supported anyway.
+          strategy: RoundRobin
+        - name: s2
+          port: 433
+          healthCheck:
+            path: /health
+            host: baz.com
+            intervalSeconds: 7
+            timeoutSeconds: 60
+    - match: PathPrefix(`/misc`)
+      services:
+        - name: s3
+          port: 80
+      middlewares:
+        - name: stripprefix
+        - name: addprefix
+    - match: PathPrefix(`/misc`)
+      services:
+        - name: s3
+          # Optional, as it is the default value
+          kind: Service
+          port: 8443
+          # scheme allow to override the scheme for the service. (ex: https or h2c)
+          scheme: https
+    - match: PathPrefix(`/lb`)
+      services:
+        - name: wrr1
+          kind: TraefikService
+    - match: PathPrefix(`/mirrored`)
+      services:
+        - name: mirror1
+          kind: TraefikService
+  # use an empty tls object for TLS with Let's Encrypt
+  tls:
+    secretName: supersecret
+    options:
+      name: myTLSOption
+      namespace: default
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: ingressroutetcp.crd
+  namespace: default
+
+spec:
+  entryPoints:
+    - footcp
+  routes:
+    - match: HostSNI(`bar.com`)
+      services:
+        - name: whoamitcp
+          port: 8080
+  tls:
+    secretName: foosecret
+    passthrough: false
+    options:
+      name: myTLSOption
+      namespace: default

docs/content/reference/dynamic-configuration/kubernetes-crd.md

@@ -3,6 +3,20 @@
 Dynamic configuration with Kubernetes Custom Resource
 {: .subtitle }
 
+## Definitions
+
 ```yaml
---8<-- "content/reference/dynamic-configuration/kubernetes-crd.yml"
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
+```
+
+## Resources
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-resource.yml"
+```
+
+## RBAC
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
 ```

docs/content/reference/dynamic-configuration/marathon-labels.json

@@ -12,100 +12,102 @@
 "traefik.http.middlewares.middleware03.chain.middlewares": "foobar, foobar",
 "traefik.http.middlewares.middleware04.circuitbreaker.expression": "foobar",
 "traefik.http.middlewares.middleware05.compress": "true",
-"traefik.http.middlewares.middleware06.digestauth.headerfield": "foobar",
-"traefik.http.middlewares.middleware06.digestauth.realm": "foobar",
-"traefik.http.middlewares.middleware06.digestauth.removeheader": "true",
-"traefik.http.middlewares.middleware06.digestauth.users": "foobar, foobar",
-"traefik.http.middlewares.middleware06.digestauth.usersfile": "foobar",
-"traefik.http.middlewares.middleware07.errors.query": "foobar",
-"traefik.http.middlewares.middleware07.errors.service": "foobar",
-"traefik.http.middlewares.middleware07.errors.status": "foobar, foobar",
-"traefik.http.middlewares.middleware08.forwardauth.address": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.authresponseheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware08.forwardauth.tls.ca": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.tls.caoptional": "true",
-"traefik.http.middlewares.middleware08.forwardauth.tls.cert": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.tls.insecureskipverify": "true",
-"traefik.http.middlewares.middleware08.forwardauth.tls.key": "foobar",
-"traefik.http.middlewares.middleware08.forwardauth.trustforwardheader": "true",
-"traefik.http.middlewares.middleware09.headers.accesscontrolallowcredentials": "true",
-"traefik.http.middlewares.middleware09.headers.accesscontrolallowheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.accesscontrolallowmethods": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.accesscontrolalloworigin": "foobar",
-"traefik.http.middlewares.middleware09.headers.accesscontrolexposeheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.accesscontrolmaxage": "42",
-"traefik.http.middlewares.middleware09.headers.addvaryheader": "true",
-"traefik.http.middlewares.middleware09.headers.allowedhosts": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.browserxssfilter": "true",
-"traefik.http.middlewares.middleware09.headers.contentsecuritypolicy": "foobar",
-"traefik.http.middlewares.middleware09.headers.contenttypenosniff": "true",
-"traefik.http.middlewares.middleware09.headers.custombrowserxssvalue": "foobar",
-"traefik.http.middlewares.middleware09.headers.customframeoptionsvalue": "foobar",
-"traefik.http.middlewares.middleware09.headers.customrequestheaders.name0": "foobar",
-"traefik.http.middlewares.middleware09.headers.customrequestheaders.name1": "foobar",
-"traefik.http.middlewares.middleware09.headers.customresponseheaders.name0": "foobar",
-"traefik.http.middlewares.middleware09.headers.customresponseheaders.name1": "foobar",
-"traefik.http.middlewares.middleware09.headers.featurepolicy": "foobar",
-"traefik.http.middlewares.middleware09.headers.forcestsheader": "true",
-"traefik.http.middlewares.middleware09.headers.framedeny": "true",
-"traefik.http.middlewares.middleware09.headers.hostsproxyheaders": "foobar, foobar",
-"traefik.http.middlewares.middleware09.headers.isdevelopment": "true",
-"traefik.http.middlewares.middleware09.headers.publickey": "foobar",
-"traefik.http.middlewares.middleware09.headers.referrerpolicy": "foobar",
-"traefik.http.middlewares.middleware09.headers.sslforcehost": "true",
-"traefik.http.middlewares.middleware09.headers.sslhost": "foobar",
-"traefik.http.middlewares.middleware09.headers.sslproxyheaders.name0": "foobar",
-"traefik.http.middlewares.middleware09.headers.sslproxyheaders.name1": "foobar",
-"traefik.http.middlewares.middleware09.headers.sslredirect": "true",
-"traefik.http.middlewares.middleware09.headers.ssltemporaryredirect": "true",
-"traefik.http.middlewares.middleware09.headers.stsincludesubdomains": "true",
-"traefik.http.middlewares.middleware09.headers.stspreload": "true",
-"traefik.http.middlewares.middleware09.headers.stsseconds": "42",
-"traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.depth": "42",
-"traefik.http.middlewares.middleware10.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
-"traefik.http.middlewares.middleware10.ipwhitelist.sourcerange": "foobar, foobar",
-"traefik.http.middlewares.middleware11.inflightreq.amount": "42",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.depth": "42",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requestheadername": "foobar",
-"traefik.http.middlewares.middleware11.inflightreq.sourcecriterion.requesthost": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.commonname": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.country": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.domaincomponent": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.locality": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.organization": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.province": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.issuer.serialnumber": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.notafter": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.notbefore": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.sans": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.commonname": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.country": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.domaincomponent": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.locality": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.organization": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.province": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.info.subject.serialnumber": "true",
-"traefik.http.middlewares.middleware12.passtlsclientcert.pem": "true",
-"traefik.http.middlewares.middleware13.ratelimit.average": "42",
-"traefik.http.middlewares.middleware13.ratelimit.burst": "42",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.depth": "42",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requestheadername": "foobar",
-"traefik.http.middlewares.middleware13.ratelimit.sourcecriterion.requesthost": "true",
-"traefik.http.middlewares.middleware14.redirectregex.permanent": "true",
-"traefik.http.middlewares.middleware14.redirectregex.regex": "foobar",
-"traefik.http.middlewares.middleware14.redirectregex.replacement": "foobar",
-"traefik.http.middlewares.middleware15.redirectscheme.permanent": "true",
-"traefik.http.middlewares.middleware15.redirectscheme.port": "foobar",
-"traefik.http.middlewares.middleware15.redirectscheme.scheme": "foobar",
-"traefik.http.middlewares.middleware16.replacepath.path": "foobar",
-"traefik.http.middlewares.middleware17.replacepathregex.regex": "foobar",
-"traefik.http.middlewares.middleware17.replacepathregex.replacement": "foobar",
-"traefik.http.middlewares.middleware18.retry.attempts": "42",
-"traefik.http.middlewares.middleware19.stripprefix.forceslash": "true",
-"traefik.http.middlewares.middleware19.stripprefix.prefixes": "foobar, foobar",
-"traefik.http.middlewares.middleware20.stripprefixregex.regex": "foobar, foobar",
+"traefik.http.middlewares.middleware05.compress.excludedcontenttypes": "foobar, foobar",
+"traefik.http.middlewares.middleware06.contenttype.autodetect": "true",
+"traefik.http.middlewares.middleware07.digestauth.headerfield": "foobar",
+"traefik.http.middlewares.middleware07.digestauth.realm": "foobar",
+"traefik.http.middlewares.middleware07.digestauth.removeheader": "true",
+"traefik.http.middlewares.middleware07.digestauth.users": "foobar, foobar",
+"traefik.http.middlewares.middleware07.digestauth.usersfile": "foobar",
+"traefik.http.middlewares.middleware08.errors.query": "foobar",
+"traefik.http.middlewares.middleware08.errors.service": "foobar",
+"traefik.http.middlewares.middleware08.errors.status": "foobar, foobar",
+"traefik.http.middlewares.middleware09.forwardauth.address": "foobar",
+"traefik.http.middlewares.middleware09.forwardauth.authresponseheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware09.forwardauth.tls.ca": "foobar",
+"traefik.http.middlewares.middleware09.forwardauth.tls.caoptional": "true",
+"traefik.http.middlewares.middleware09.forwardauth.tls.cert": "foobar",
+"traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify": "true",
+"traefik.http.middlewares.middleware09.forwardauth.tls.key": "foobar",
+"traefik.http.middlewares.middleware09.forwardauth.trustforwardheader": "true",
+"traefik.http.middlewares.middleware10.headers.accesscontrolallowcredentials": "true",
+"traefik.http.middlewares.middleware10.headers.accesscontrolallowheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin": "foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolmaxage": "42",
+"traefik.http.middlewares.middleware10.headers.addvaryheader": "true",
+"traefik.http.middlewares.middleware10.headers.allowedhosts": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.browserxssfilter": "true",
+"traefik.http.middlewares.middleware10.headers.contentsecuritypolicy": "foobar",
+"traefik.http.middlewares.middleware10.headers.contenttypenosniff": "true",
+"traefik.http.middlewares.middleware10.headers.custombrowserxssvalue": "foobar",
+"traefik.http.middlewares.middleware10.headers.customframeoptionsvalue": "foobar",
+"traefik.http.middlewares.middleware10.headers.customrequestheaders.name0": "foobar",
+"traefik.http.middlewares.middleware10.headers.customrequestheaders.name1": "foobar",
+"traefik.http.middlewares.middleware10.headers.customresponseheaders.name0": "foobar",
+"traefik.http.middlewares.middleware10.headers.customresponseheaders.name1": "foobar",
+"traefik.http.middlewares.middleware10.headers.featurepolicy": "foobar",
+"traefik.http.middlewares.middleware10.headers.forcestsheader": "true",
+"traefik.http.middlewares.middleware10.headers.framedeny": "true",
+"traefik.http.middlewares.middleware10.headers.hostsproxyheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.isdevelopment": "true",
+"traefik.http.middlewares.middleware10.headers.publickey": "foobar",
+"traefik.http.middlewares.middleware10.headers.referrerpolicy": "foobar",
+"traefik.http.middlewares.middleware10.headers.sslforcehost": "true",
+"traefik.http.middlewares.middleware10.headers.sslhost": "foobar",
+"traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0": "foobar",
+"traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1": "foobar",
+"traefik.http.middlewares.middleware10.headers.sslredirect": "true",
+"traefik.http.middlewares.middleware10.headers.ssltemporaryredirect": "true",
+"traefik.http.middlewares.middleware10.headers.stsincludesubdomains": "true",
+"traefik.http.middlewares.middleware10.headers.stspreload": "true",
+"traefik.http.middlewares.middleware10.headers.stsseconds": "42",
+"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware11.ipwhitelist.sourcerange": "foobar, foobar",
+"traefik.http.middlewares.middleware12.inflightreq.amount": "42",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requestheadername": "foobar",
+"traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.requesthost": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.commonname": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.country": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.domaincomponent": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.locality": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.organization": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.province": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.issuer.serialnumber": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.notafter": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.notbefore": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.sans": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.commonname": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.country": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.domaincomponent": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.locality": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organization": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.province": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.serialnumber": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.pem": "true",
+"traefik.http.middlewares.middleware14.ratelimit.average": "42",
+"traefik.http.middlewares.middleware14.ratelimit.burst": "42",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requestheadername": "foobar",
+"traefik.http.middlewares.middleware14.ratelimit.sourcecriterion.requesthost": "true",
+"traefik.http.middlewares.middleware15.redirectregex.permanent": "true",
+"traefik.http.middlewares.middleware15.redirectregex.regex": "foobar",
+"traefik.http.middlewares.middleware15.redirectregex.replacement": "foobar",
+"traefik.http.middlewares.middleware16.redirectscheme.permanent": "true",
+"traefik.http.middlewares.middleware16.redirectscheme.port": "foobar",
+"traefik.http.middlewares.middleware16.redirectscheme.scheme": "foobar",
+"traefik.http.middlewares.middleware17.replacepath.path": "foobar",
+"traefik.http.middlewares.middleware18.replacepathregex.regex": "foobar",
+"traefik.http.middlewares.middleware18.replacepathregex.replacement": "foobar",
+"traefik.http.middlewares.middleware19.retry.attempts": "42",
+"traefik.http.middlewares.middleware20.stripprefix.forceslash": "true",
+"traefik.http.middlewares.middleware20.stripprefix.prefixes": "foobar, foobar",
+"traefik.http.middlewares.middleware21.stripprefixregex.regex": "foobar, foobar",
 "traefik.http.routers.router0.entrypoints": "foobar, foobar",
 "traefik.http.routers.router0.middlewares": "foobar, foobar",
 "traefik.http.routers.router0.priority": "42",

docs/content/reference/static-configuration/file.toml

@@ -96,7 +96,7 @@
     namespaces = ["foobar", "foobar"]
     labelSelector = "foobar"
     ingressClass = "foobar"
-    throttleDuration = "10s"
+    throttleDuration = 42
   [providers.rest]
     insecure = true
   [providers.rancher]
@@ -110,25 +110,28 @@
     prefix = "foobar"
   [providers.consulCatalog]
     constraints = "foobar"
-    prefix = "traefik"
-    defaultRule = "foobar"
-    exposedByDefault = true
-    refreshInterval = 15
+    prefix = "foobar"
+    refreshInterval = 42
     requireConsistent = true
     stale = true
     cache = true
+    exposedByDefault = true
+    defaultRule = "foobar"
     [providers.consulCatalog.endpoint]
-     address = "foobar"
-     scheme = "foobar"
-     datacenter = "foobar"
-     token = "foobar"
-     endpointWaitTime = "15s"
-     [providers.consulCatalog.endpoint.tls]
-      ca = "foobar"
-      caOptional = true
-      cert = "foobar"
-      key = "foobar"
-      insecureSkipVerify = true
+      address = "foobar"
+      scheme = "foobar"
+      datacenter = "foobar"
+      token = "foobar"
+      endpointWaitTime = 42
+      [providers.consulCatalog.endpoint.tls]
+        ca = "foobar"
+        caOptional = true
+        cert = "foobar"
+        key = "foobar"
+        insecureSkipVerify = true
+      [providers.consulCatalog.endpoint.httpAuth]
+        username = "foobar"
+        password = "foobar"
 
 [api]
   insecure = true
@@ -144,19 +147,19 @@
     manualRouting = true
   [metrics.datadog]
     address = "foobar"
-    pushInterval = "10s"
+    pushInterval = "42s"
     addEntryPointsLabels = true
     addServicesLabels = true
   [metrics.statsD]
     address = "foobar"
-    pushInterval = "10s"
+    pushInterval = "42s"
     addEntryPointsLabels = true
     addServicesLabels = true
-    prefix = "traefik"
+    prefix = "foobar"
   [metrics.influxDB]
     address = "foobar"
     protocol = "foobar"
-    pushInterval = "10s"
+    pushInterval = "42s"
     database = "foobar"
     retentionPolicy = "foobar"
     username = "foobar"

docs/content/reference/static-configuration/file.yaml

@@ -88,7 +88,7 @@ providers:
     - foobar
     labelSelector: foobar
     ingressClass: foobar
-    throttleDuration: 10s
+      throttleDuration: 42s
     ingressEndpoint:
       ip: foobar
       hostname: foobar
@@ -117,25 +117,28 @@ providers:
     prefix: foobar
   consulCatalog:
     constraints: foobar
-    prefix: traefik
-    defaultRule: foobar
-    exposedByDefault: true
-    refreshInterval: 15
+    prefix: foobar
+    refreshInterval: 42s
     requireConsistent: true
     stale: true
     cache: true
+    exposedByDefault: true
+    defaultRule: foobar
     endpoint:
       address: foobar
       scheme: foobar
       datacenter: foobar
       token: foobar
-      endpointWaitTime: 15s
+      endpointWaitTime: 42s
       tls:
         ca: foobar
         caOptional: true
         cert: foobar
         key: foobar
         insecureSkipVerify: true
+      httpAuth:
+        username: foobar
+        password: foobar
 api:
   insecure: true
   dashboard: true
@@ -159,7 +162,7 @@ metrics:
     pushInterval: 42
     addEntryPointsLabels: true
     addServicesLabels: true
-    prefix: traefik
+    prefix: foobar
   influxDB:
     address: foobar
     protocol: foobar

docs/content/routing/entrypoints.md

@@ -41,7 +41,7 @@ They define the port which will receive the requests (whether HTTP or TCP).
       [entryPoints.web]
         address = ":80"
     
-      [entryPoints.web-secure]
+      [entryPoints.websecure]
         address = ":443"
     ```
     
@@ -51,18 +51,18 @@ They define the port which will receive the requests (whether HTTP or TCP).
       web:
         address: ":80"
      
-      web-secure:
+      websecure:
         address: ":443"
     ```
     
     ```bash tab="CLI"
     ## Static configuration
     --entryPoints.web.address=:80
-    --entryPoints.web-secure.address=:443
+    --entryPoints.websecure.address=:443
     ```
 
-    - Two entrypoints are defined: one called `web`, and the other called `web-secure`.
-    - `web` listens on port `80`, and `web-secure` on port `443`. 
+    - Two entrypoints are defined: one called `web`, and the other called `websecure`.
+    - `web` listens on port `80`, and `websecure` on port `443`. 
 
 ## Configuration
 

docs/content/routing/overview.md

@@ -33,9 +33,9 @@ Static configuration:
     address = ":8081"
 
 [providers]
-  # Enable the file provider to define routers / middlewares / services in a file
+  # Enable the file provider to define routers / middlewares / services in file
   [providers.file]
-    filename = "dynamic_conf.toml"
+    directory = "/path/to/dynamic/conf"
 ```
 
 ```yaml tab="File (YAML)"
@@ -45,17 +45,17 @@ entryPoints:
     address: :8081
 
 providers:
-  # Enable the file provider to define routers / middlewares / services in a file
+  # Enable the file provider to define routers / middlewares / services in file
   file:
-    filename: dynamic_conf.yml
+    directory: /path/to/dynamic/conf
 ```
 
 ```bash tab="CLI"
 # Listen on port 8081 for incoming requests
 --entryPoints.web.address=:8081
 
-# Enable the file provider to define routers / middlewares / services in a file
---providers.file.filename=dynamic_conf.toml
+# Enable the file provider to define routers / middlewares / services in file
+--providers.file.directory=/path/to/dynamic/conf
 ```
 
 Dynamic configuration:
@@ -133,9 +133,9 @@ http:
             address = ":8081"
 
         [providers]
-          # Enable the file provider to define routers / middlewares / services in a file
+          # Enable the file provider to define routers / middlewares / services in file
           [providers.file]
-            filename = "dynamic_conf.toml"
+            directory = "/path/to/dynamic/conf"
         ```
         
         ```yaml tab="File (YAML)"
@@ -144,17 +144,17 @@ http:
             # Listen on port 8081 for incoming requests
             address: :8081
         providers:
-          # Enable the file provider to define routers / middlewares / services in a file
+          # Enable the file provider to define routers / middlewares / services in file
           file:
-            filename: dynamic_conf.yml
+            directory: /path/to/dynamic/conf
         ```
         
         ```bash tab="CLI"
         # Listen on port 8081 for incoming requests
         --entryPoints.web.address=:8081
         
-        # Enable the file provider to define routers / middlewares / services in a file
-        --providers.file.filename=dynamic_conf.toml
+        # Enable the file provider to define routers / middlewares / services in file
+        --providers.file.directory=/path/to/dynamic/conf
         ```
         
         **Dynamic Configuration**

docs/content/routing/providers/docker.md

@@ -178,7 +178,7 @@ For example, to change the rule, you could add the label ```traefik.http.routers
 
 ??? info "`traefik.http.routers.<router_name>.service`"
 
-    See [rule](../routers/index.md#service) for more information.
+    See [service](../routers/index.md#service) for more information.
 
     ```yaml
     - "traefik.http.routers.myrouter.service=myservice"

docs/content/routing/providers/marathon.md

@@ -91,7 +91,7 @@ For example, to change the routing rule, you could add the label ```"traefik.htt
     See [tls](../routers/index.md#tls) for more information.
     
     ```json
-    "traefik.http.routers.myrouter>.tls": "true"
+    "traefik.http.routers.myrouter.tls": "true"
     ```
 
 ??? info "`traefik.http.routers.<router_name>.tls.certresolver`"

docs/content/routing/services/index.md

@@ -387,7 +387,9 @@ The WRR is able to load balance the requests between multiple services based on
 
 This strategy is only available to load balance between [services](./index.md) and not between [servers](./index.md#servers).
 
-!!! info "This strategy can be defined only with [File](../../providers/file.md)."
+!!! info "Supported Providers"
+    
+    This strategy can be defined currently with the [File](../../providers/file.md) or [IngressRoute](../../providers/kubernetes-crd.md) providers.
 
 ```toml tab="TOML"
 ## Dynamic configuration
@@ -438,7 +440,9 @@ http:
 
 The mirroring is able to mirror requests sent to a service to other services.
 
-!!! info "This strategy can be defined only with [File](../../providers/file.md)."
+!!! info "Supported Providers"
+    
+    This strategy can be defined currently with the [File](../../providers/file.md) or [IngressRoute](../../providers/kubernetes-crd.md) providers.
 
 ```toml tab="TOML"
 ## Dynamic configuration
@@ -583,7 +587,9 @@ The Weighted Round Robin (alias `WRR`) load-balancer of services is in charge of
 
 This strategy is only available to load balance between [services](./index.md) and not between [servers](./index.md#servers).
 
-This strategy can only be defined with [File](../../providers/file.md).
+!!! info "Supported Providers"
+    
+    This strategy can be defined currently with the [File](../../providers/file.md) or [IngressRoute](../../providers/kubernetes-crd.md) providers.
 
 ```toml tab="TOML"
 ## Dynamic configuration

docs/content/user-guides/docker-compose/basic-example/index.md

@@ -1,7 +1,7 @@
 # Docker-compose basic example
 
 In this section we quickly go over a basic docker-compose file exposing a simple service using the docker provider.  
-This will also be used as a starting point for the the other docker-compose guides.  
+This will also be used as a starting point for the other docker-compose guides.  
 
 ## Setup
 

docs/content/user-guides/grpc.md

@@ -16,7 +16,7 @@ Static configuration:
 [api]
     
 [providers.file]
-  filename = "dynamic_conf.toml"
+  directory = "/path/to/dynamic/config"
 ```
 
 ```yaml tab="File (YAML)"
@@ -26,18 +26,18 @@ entryPoints:
 
 providers:
   file:
-    filename: dynamic_conf.yml
+    directory: /path/to/dynamic/config
 
 api: {}
 ```
 
 ```yaml tab="CLI"
 --entryPoints.web.address=:80
---providers.file.filename=dynamic_conf.toml
+--providers.file.directory=/path/to/dynamic/config
 --api.insecure=true
 ```
 
-`dynamic_conf.{toml,yml}`:
+`/path/to/dynamic/config/dynamic_conf.{toml,yml}`:
 
 ```toml tab="TOML"
 ## dynamic configuration ##
@@ -132,7 +132,7 @@ Static configuration:
 [api]
 
 [provider.file]
-  filename = "dynamic_conf.toml"
+  directory = "/path/to/dynamic/config"
 ```
 
 ```yaml tab="File (YAML)"
@@ -147,7 +147,7 @@ serversTransport:
 
 providers:
   file:
-    filename: dynamic_conf.yml
+    directory: /path/to/dynamic/config
 
 api: {}
 ```
@@ -156,11 +156,11 @@ api: {}
 --entryPoints.websecure.address=:4443
 # For secure connection on backend.local
 --serversTransport.rootCAs=./backend.cert
---providers.file.filename=dynamic_conf.toml
+--providers.file.directory=/path/to/dynamic/config
 --api.insecure=true
 ```
 
-`dynamic_conf.{toml,yml}`:
+`/path/to/dynamic/config/dynamic_conf.{toml,yml}`:
 
 ```toml tab="TOML"
 ## dynamic configuration ##

docs/content/user-guides/marathon.md

@@ -77,7 +77,7 @@ A failing application always happens unexpectedly, and hence, it is very difficu
 
 Failure reasons vary broadly and could stretch from unacceptable slowness, a task crash, or a network split.
 
-There are two mitigaton efforts:
+There are two mitigation efforts:
 
 1. Configure [Marathon health checks](https://mesosphere.github.io/marathon/docs/health-checks.html) on each application.
 2. Configure Traefik health checks (possibly via the `traefik.http.services.yourServiceName.loadbalancer.healthcheck.*` labels) and make sure they probe with proper frequency.

docs/mkdocs.yml

@@ -44,7 +44,7 @@ plugins:
   - search
   - exclude:
       glob:
-        - include-*.md
+        - "**/include-*.md"
 
 # https://squidfunk.github.io/mkdocs-material/extensions/admonition/
 # https://facelessuser.github.io/pymdown-extensions/
@@ -107,6 +107,7 @@ nav:
       - 'Chain': 'middlewares/chain.md'
       - 'CircuitBreaker': 'middlewares/circuitbreaker.md'
       - 'Compress': 'middlewares/compress.md'
+      - 'ContentType': 'middlewares/contenttype.md'
       - 'DigestAuth': 'middlewares/digestauth.md'
       - 'Errors': 'middlewares/errorpages.md'
       - 'ForwardAuth': 'middlewares/forwardauth.md'
@@ -154,6 +155,7 @@ nav:
           - 'HTTP Challenge': 'user-guides/docker-compose/acme-http/index.md'
           - 'DNS Challenge': 'user-guides/docker-compose/acme-dns/index.md'
   - 'Migration':
+      - 'Traefik v2 minor migrations': 'migration/v2.md'
       - 'Traefik v1 to v2': 'migration/v1-to-v2.md'
   - 'Contributing':
       - 'Thank You!': 'contributing/thank-you.md'

docs/runtime.txt

@@ -1 +1 @@
-3.6
+3.7

go.mod

@@ -39,7 +39,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.0 // indirect
 	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
 	github.com/gambol99/go-marathon v0.0.0-20180614232016-99a156b96fb2
-	github.com/go-acme/lego/v3 v3.2.0
+	github.com/go-acme/lego/v3 v3.3.0
 	github.com/go-check/check v0.0.0-00010101000000-000000000000
 	github.com/go-kit/kit v0.9.0
 	github.com/golang/protobuf v1.3.2
@@ -80,17 +80,16 @@ require (
 	github.com/stvp/go-udp-testing v0.0.0-20171104055251-c4434f09ec13
 	github.com/tinylib/msgp v1.0.2 // indirect
 	github.com/transip/gotransip v5.8.2+incompatible // indirect
-	github.com/uber/jaeger-client-go v2.19.0+incompatible
+	github.com/uber/jaeger-client-go v2.21.1+incompatible
 	github.com/uber/jaeger-lib v2.2.0+incompatible
 	github.com/unrolled/render v1.0.1
 	github.com/unrolled/secure v1.0.5
 	github.com/vdemeester/shakers v0.1.0
 	github.com/vulcand/oxy v1.0.0
 	github.com/vulcand/predicate v1.1.0
-	golang.org/x/net v0.0.0-20190930134127-c5a3c61f89f3
+	golang.org/x/net v0.0.0-20191027093000-83d349e8ac1a
 	golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a // indirect
 	golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0
-	golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 // indirect
 	google.golang.org/grpc v1.22.1
 	gopkg.in/DataDog/dd-trace-go.v1 v1.16.1
 	gopkg.in/fsnotify.v1 v1.4.7

go.sum

@@ -2,8 +2,19 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0 h1:ROfEUZz+Gh5pa62DJWXSaonyu3StP6EA6lPEXPI6mCo=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
+cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
+cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
+cloud.google.com/go v0.50.0 h1:0E3eE8MX426vUOs7aHfI7aN1BrIzzzf4ccKCSfSjGmc=
+cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
+cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 contrib.go.opencensus.io/exporter/ocagent v0.4.12 h1:jGFvw3l57ViIVEPKKEUXPcLYIXJmQxLUh6ey1eJhwyc=
 contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRqYosuDstRB9un7SOx2k/9ckA=
+dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/Azure/azure-sdk-for-go v32.4.0+incompatible h1:1JP8SKfroEakYiQU2ZyPDosh8w2Tg9UopKt88VyQPt4=
 github.com/Azure/azure-sdk-for-go v32.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
@@ -130,8 +141,6 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:ma
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/decker502/dnspod-go v0.2.0 h1:6dwhUFCYbC5bgpebLKn7PrI43e/5mn9tpUL9YcYCdTU=
-github.com/decker502/dnspod-go v0.2.0/go.mod h1:qsurYu1FgxcDwfSwXJdLt4kRsBLZeosEb9uq4Sy+08g=
 github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
@@ -193,11 +202,12 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/gambol99/go-marathon v0.0.0-20180614232016-99a156b96fb2 h1:df6OFl8WNXk82xxP3R9ZPZ5seOA8XZkwLdbEzZF1/xI=
 github.com/gambol99/go-marathon v0.0.0-20180614232016-99a156b96fb2/go.mod h1:GLyXJD41gBO/NPKVPGQbhyyC06eugGy15QEZyUkE2/s=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-acme/lego/v3 v3.2.0 h1:z0zvNlL1niv/1qA06V5X1BRC5PeLoGKAlVaWthXQz9c=
-github.com/go-acme/lego/v3 v3.2.0/go.mod h1:074uqt+JS6plx+c9Xaiz6+L+GBb+7itGtzfcDM2AhEE=
+github.com/go-acme/lego/v3 v3.3.0 h1:6BePZsOiYA4/w+M7QDytxQtMfCipMPGnWAHs9pWks98=
+github.com/go-acme/lego/v3 v3.3.0/go.mod h1:iGSY2vQrvQs3WezicSB/oVbO2eCrD88dpWPwb1qLqu0=
 github.com/go-cmd/cmd v1.0.5/go.mod h1:y8q8qlK5wQibcw63djSl/ntiHUHXHGdCkPk0j4QeW4s=
 github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.44.0 h1:8+SRbfpRFlIunpSum4BEf1ClTtVjOgKzgBv9pHFkI6w=
 github.com/go-ini/ini v1.44.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
@@ -225,6 +235,8 @@ github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4er
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s=
+github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -250,6 +262,8 @@ github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -429,6 +443,8 @@ github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32 h1:W6apQkHrMkS0Muv8G/TipAy
 github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uYLpLIr5fm8diHn0JbqRycJi6w0Ms=
 github.com/nrdcg/auroradns v1.0.0 h1:b+NpSqNG6HzMqX2ohGQe4Q/G0WQq8pduWCiZ19vdLY8=
 github.com/nrdcg/auroradns v1.0.0/go.mod h1:6JPXKzIRzZzMqtTDgueIhTi6rFf1QvYE/HzqidhOhjw=
+github.com/nrdcg/dnspod-go v0.3.0 h1:EbYggdEGFGq17Vp7sUwd9PyHZv5mMxJwX7nBPukKNoU=
+github.com/nrdcg/dnspod-go v0.3.0/go.mod h1:vZSoFSFeQVm2gWLMkyX61LZ8HI3BaqtHZWgPTGKr6KQ=
 github.com/nrdcg/goinwx v0.6.1 h1:AJnjoWPELyCtofhGcmzzcEMFd9YdF2JB/LgutWsWt/s=
 github.com/nrdcg/goinwx v0.6.1/go.mod h1:XPiut7enlbEdntAqalBIqcYcTEVhpv/dKWgDCX2SwKQ=
 github.com/nrdcg/namesilo v0.2.1 h1:kLjCjsufdW/IlC+iSfAqj0iQGgKjlbUUeDJio5Y6eMg=
@@ -511,6 +527,7 @@ github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a h1:9ZKAASQSHhD
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
+github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sacloud/libsacloud v1.26.1 h1:td3Kd7lvpSAxxHEVpnaZ9goHmmhi0D/RfP0Rqqf/kek=
@@ -554,8 +571,8 @@ github.com/transip/gotransip v5.8.2+incompatible/go.mod h1:uacMoJVmrfOcscM4Bi5NV
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/uber-go/atomic v1.3.2 h1:Azu9lPBWRNKzYXSIwRfgRuDuS0YKsK4NFhiQv98gkxo=
 github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
-github.com/uber/jaeger-client-go v2.19.0+incompatible h1:pbwbYfHUoaase0oPQOdZ1GcaUjImYGimUXSQ/+8+Z8Q=
-github.com/uber/jaeger-client-go v2.19.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
+github.com/uber/jaeger-client-go v2.21.1+incompatible h1:oozboeZmWz+tyh3VZttJWlF3K73mHgbokieceqKccLo=
+github.com/uber/jaeger-client-go v2.21.1+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
 github.com/uber/jaeger-lib v2.2.0+incompatible h1:MxZXOiR2JuoANZ3J6DE/U0kSFv/eJ/GfSYVCjK7dyaw=
 github.com/uber/jaeger-lib v2.2.0+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
 github.com/unrolled/render v1.0.1 h1:VDDnQQVfBMsOsp3VaCJszSO0nkBIVEYoPWeRThk9spY=
@@ -586,6 +603,8 @@ go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.21.0 h1:mU6zScU4U1YAFPHEHYk+3JC4SY7JxgkqS10ZOSyksNg=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opencensus.io v0.22.0 h1:C9hSCOW830chIVkdja34wa6Ky+IzWllkUinR+BtRZd4=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.uber.org/atomic v1.3.2 h1:2Oa65PReHzfn29GpvgsYwloV9AVFHPDk8tYxt2c2tr4=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU=
@@ -602,19 +621,35 @@ golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
+golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495 h1:I6A9Ag9FpEKOjcKrRNjQkPHawoXIhKyTGfvvjFAiiAk=
 golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191129062945-2f5052295587 h1:5Uz0rkjCFu9BC9gCRN7EkwVvhNyQgGWb8KNJrPwBoHY=
+golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
+golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/net v0.0.0-20180611182652-db08ff08e862/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -629,12 +664,17 @@ golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80 h1:Ao/3l156eZf2AW5wK8a7/smtodRU+gha3+BeqJ69lRk=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190930134127-c5a3c61f89f3 h1:6KET3Sqa7fkVfD63QnAM81ZeYg5n4HwApOJkufONnHA=
 golang.org/x/net v0.0.0-20190930134127-c5a3c61f89f3/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191027093000-83d349e8ac1a h1:Yu34BogBivvmu7SAzHHaB9nZWH5D1C+z3F1jyIaYZSQ=
+golang.org/x/net v0.0.0-20191027093000-83d349e8ac1a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -646,6 +686,8 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180622082034-63fc586f45fe/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -661,8 +703,12 @@ golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qdNLDHHtQ4mlgQIZPPNA=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a h1:aYOabOQFp6Vj6W1F80affTUvO9UxmJRx8K0gsfABByQ=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -686,12 +732,24 @@ golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c h1:97SnQk1GYRXJgvwZ8fadnxDOWfKvkNQHH3CtZntPSrM=
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135 h1:5Beo0mZN8dRzgrMMkDp0jc8YXQKx9DiJ2k1dkvGsn5A=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191216173652-a0e659d51361 h1:RIIXAeV6GvDBuADKumTODatUqANFZ+5BPMnzsy4hulY=
+golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 h1:/atklqdjdhuosWIl6AIbOeHJjicWYPqR9bpxqxYG2pA=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485 h1:OB/uP/Puiu5vS5QMRPrXCDWUPb+kt8f1KW8oQzFejQw=
 gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0=
 gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
@@ -699,23 +757,36 @@ gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e h1:jRyg0XfpwWlhEV8mDfdNGB
 gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ=
 google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0 h1:VGGbLNyPF7dvYHhcUGYBBGCRDDK0RRJAI6KCvo0CL+E=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.14.0 h1:uMf5uLi4eQMRrMKhCplNik4U4H8Z6C1br3zOtAa/aDE=
+google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.1 h1:QzqyMA1tlu6CgqCDUtU9V+ZKhLFT2dkJuANu5QaxI3I=
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873 h1:nfPFGzJkUDX6uBmpN/pSw7MbOAWegH5QDQuoXFHedLg=
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1 h1:aQktFqmDE2yjveXJlVIfslDFmFnUXSqG0i6KRcJAeMc=
+google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM=
 google.golang.org/grpc v1.20.1 h1:Hz2g2wirWK7H0qIIhGIqRGTuMwTE8HEKFnDZZ7lm9NU=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.22.1 h1:/7cs52RnTJmD43s3uxzlq2U7nqVTd/37viQwMrMNlOM=
 google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 gopkg.in/DataDog/dd-trace-go.v1 v1.16.1 h1:Dngw1zun6yTYFHNdzEWBlrJzFA2QJMjSA2sZ4nH2UWo=
@@ -724,6 +795,7 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/h2non/gock.v1 v1.0.15 h1:SzLqcIlb/fDfg7UvukMpNcWsu7sI5tWwL+KCATZqks0=
@@ -764,6 +836,7 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 k8s.io/api v0.0.0-20190718183219-b59d8169aab5 h1:X3LHYU4fwu75lvvWypbppCKuhqg1KrvcZ1lLaAgmE/g=
 k8s.io/api v0.0.0-20190718183219-b59d8169aab5/go.mod h1:TBhBqb1AWbBQbW3XRusr7n7E4v2+5ZY8r8sAMnyFC5A=
 k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719 h1:uV4S5IB5g4Nvi+TBVNf3e9L4wrirlwYJ6w88jUQxTUw=
@@ -787,5 +860,6 @@ modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs
 modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I=
 mvdan.cc/xurls/v2 v2.0.0 h1:r1zSOSNS/kqtpmATyMMMvaZ4/djsesbYz5kr0+qMRWc=
 mvdan.cc/xurls/v2 v2.0.0/go.mod h1:2/webFPYOXN9jp/lzuj0zuAVlF+9g4KPFJANH1oJhRU=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=

integration/consul_catalog_test.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"net/http"
 	"os"
-	"strconv"
 	"time"
 
 	"github.com/containous/traefik/v2/integration/try"
@@ -62,23 +61,13 @@ func (s *ConsulCatalogSuite) TearDownSuite(c *check.C) {
 	}
 }
 
-func (s *ConsulCatalogSuite) registerService(id, name, address, port string, tags []string, onAgent bool) error {
-	iPort, err := strconv.Atoi(port)
-	if err != nil {
-		return err
-	}
+func (s *ConsulCatalogSuite) registerService(reg *api.AgentServiceRegistration, onAgent bool) error {
 	client := s.consulClient
 	if onAgent {
 		client = s.consulAgentClient
 	}
 
-	return client.Agent().ServiceRegister(&api.AgentServiceRegistration{
-		ID:      id,
-		Name:    name,
-		Address: address,
-		Port:    iPort,
-		Tags:    tags,
-	})
+	return client.Agent().ServiceRegister(reg)
 }
 
 func (s *ConsulCatalogSuite) deregisterService(id string, onAgent bool) error {
@@ -90,11 +79,34 @@ func (s *ConsulCatalogSuite) deregisterService(id string, onAgent bool) error {
 }
 
 func (s *ConsulCatalogSuite) TestWithNotExposedByDefaultAndDefaultsSettings(c *check.C) {
-	err := s.registerService("whoami1", "whoami", s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress, "80", []string{"traefik.enable=true"}, false)
+	reg1 := &api.AgentServiceRegistration{
+		ID:      "whoami1",
+		Name:    "whoami",
+		Tags:    []string{"traefik.enable=true"},
+		Port:    80,
+		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+	}
+	err := s.registerService(reg1, false)
 	c.Assert(err, checker.IsNil)
-	err = s.registerService("whoami2", "whoami", s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress, "80", []string{"traefik.enable=true"}, false)
+
+	reg2 := &api.AgentServiceRegistration{
+		ID:      "whoami2",
+		Name:    "whoami",
+		Tags:    []string{"traefik.enable=true"},
+		Port:    80,
+		Address: s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress,
+	}
+	err = s.registerService(reg2, false)
 	c.Assert(err, checker.IsNil)
-	err = s.registerService("whoami3", "whoami", s.composeProject.Container(c, "whoami3").NetworkSettings.IPAddress, "80", []string{"traefik.enable=true"}, false)
+
+	reg3 := &api.AgentServiceRegistration{
+		ID:      "whoami3",
+		Name:    "whoami",
+		Tags:    []string{"traefik.enable=true"},
+		Port:    80,
+		Address: s.composeProject.Container(c, "whoami3").NetworkSettings.IPAddress,
+	}
+	err = s.registerService(reg3, false)
 	c.Assert(err, checker.IsNil)
 
 	tempObjects := struct {
@@ -128,14 +140,21 @@ func (s *ConsulCatalogSuite) TestWithNotExposedByDefaultAndDefaultsSettings(c *c
 }
 
 func (s *ConsulCatalogSuite) TestByLabels(c *check.C) {
-	labels := []string{
-		"traefik.enable=true",
-		"traefik.http.routers.router1.rule=Path(`/whoami`)",
-		"traefik.http.routers.router1.service=service1",
-		"traefik.http.services.service1.loadBalancer.server.url=http://" + s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
-	}
+	containerIP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
 
-	err := s.registerService("whoami1", "whoami", s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress, "80", labels, false)
+	reg := &api.AgentServiceRegistration{
+		ID:   "whoami1",
+		Name: "whoami",
+		Tags: []string{
+			"traefik.enable=true",
+			"traefik.http.routers.router1.rule=Path(`/whoami`)",
+			"traefik.http.routers.router1.service=service1",
+			"traefik.http.services.service1.loadBalancer.server.url=http://" + containerIP,
+		},
+		Port:    80,
+		Address: containerIP,
+	}
+	err := s.registerService(reg, false)
 	c.Assert(err, checker.IsNil)
 
 	tempObjects := struct {
@@ -172,7 +191,14 @@ func (s *ConsulCatalogSuite) TestSimpleConfiguration(c *check.C) {
 	file := s.adaptFile(c, "fixtures/consul_catalog/simple.toml", tempObjects)
 	defer os.Remove(file)
 
-	err := s.registerService("whoami1", "whoami", s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress, "80", []string{"traefik.enable=true"}, false)
+	reg := &api.AgentServiceRegistration{
+		ID:      "whoami1",
+		Name:    "whoami",
+		Tags:    []string{"traefik.enable=true"},
+		Port:    80,
+		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+	}
+	err := s.registerService(reg, false)
 	c.Assert(err, checker.IsNil)
 
 	cmd, display := s.traefikCmd(withConfigFile(file))
@@ -204,7 +230,14 @@ func (s *ConsulCatalogSuite) TestRegisterServiceWithoutIP(c *check.C) {
 	file := s.adaptFile(c, "fixtures/consul_catalog/simple.toml", tempObjects)
 	defer os.Remove(file)
 
-	err := s.registerService("whoami1", "whoami", "", "80", []string{"traefik.enable=true"}, false)
+	reg := &api.AgentServiceRegistration{
+		ID:      "whoami1",
+		Name:    "whoami",
+		Tags:    []string{"traefik.enable=true"},
+		Port:    80,
+		Address: "",
+	}
+	err := s.registerService(reg, false)
 	c.Assert(err, checker.IsNil)
 
 	cmd, display := s.traefikCmd(withConfigFile(file))
@@ -236,7 +269,13 @@ func (s *ConsulCatalogSuite) TestDefaultConsulService(c *check.C) {
 	file := s.adaptFile(c, "fixtures/consul_catalog/simple.toml", tempObjects)
 	defer os.Remove(file)
 
-	err := s.registerService("whoami1", "whoami", s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress, "80", nil, false)
+	reg := &api.AgentServiceRegistration{
+		ID:      "whoami1",
+		Name:    "whoami",
+		Port:    80,
+		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+	}
+	err := s.registerService(reg, false)
 	c.Assert(err, checker.IsNil)
 
 	// Start traefik
@@ -269,14 +308,20 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithTCPLabels(c *check.C) {
 	file := s.adaptFile(c, "fixtures/consul_catalog/simple.toml", tempObjects)
 	defer os.Remove(file)
 
-	// Start a container with some labels
-	labels := []string{
-		"traefik.tcp.Routers.Super.Rule=HostSNI(`my.super.host`)",
-		"traefik.tcp.Routers.Super.tls=true",
-		"traefik.tcp.Services.Super.Loadbalancer.server.port=8080",
+	// Start a container with some tags
+	reg := &api.AgentServiceRegistration{
+		ID:   "whoamitcp",
+		Name: "whoamitcp",
+		Tags: []string{
+			"traefik.tcp.Routers.Super.Rule=HostSNI(`my.super.host`)",
+			"traefik.tcp.Routers.Super.tls=true",
+			"traefik.tcp.Services.Super.Loadbalancer.server.port=8080",
+		},
+		Port:    8080,
+		Address: s.composeProject.Container(c, "whoamitcp").NetworkSettings.IPAddress,
 	}
 
-	err := s.registerService("whoamitcp", "whoamitcp", s.composeProject.Container(c, "whoamitcp").NetworkSettings.IPAddress, "8080", labels, false)
+	err := s.registerService(reg, false)
 	c.Assert(err, checker.IsNil)
 
 	// Start traefik
@@ -310,18 +355,31 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithLabels(c *check.C) {
 	file := s.adaptFile(c, "fixtures/consul_catalog/simple.toml", tempObjects)
 	defer os.Remove(file)
 
-	// Start a container with some labels
-	labels := []string{
-		"traefik.http.Routers.Super.Rule=Host(`my.super.host`)",
+	// Start a container with some tags
+	reg1 := &api.AgentServiceRegistration{
+		ID:   "whoami1",
+		Name: "whoami",
+		Tags: []string{
+			"traefik.http.Routers.Super.Rule=Host(`my.super.host`)",
+		},
+		Port:    80,
+		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
 	}
-	err := s.registerService("whoami1", "whoami", s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress, "80", labels, false)
+
+	err := s.registerService(reg1, false)
 	c.Assert(err, checker.IsNil)
 
 	// Start another container by replacing a '.' by a '-'
-	labels = []string{
-		"traefik.http.Routers.SuperHost.Rule=Host(`my-super.host`)",
+	reg2 := &api.AgentServiceRegistration{
+		ID:   "whoami2",
+		Name: "whoami",
+		Tags: []string{
+			"traefik.http.Routers.SuperHost.Rule=Host(`my-super.host`)",
+		},
+		Port:    80,
+		Address: s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress,
 	}
-	err = s.registerService("whoami2", "whoami", s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress, "80", labels, false)
+	err = s.registerService(reg2, false)
 	c.Assert(err, checker.IsNil)
 
 	// Start traefik
@@ -364,16 +422,31 @@ func (s *ConsulCatalogSuite) TestSameServiceIDOnDifferentConsulAgent(c *check.C)
 	file := s.adaptFile(c, "fixtures/consul_catalog/default_not_exposed.toml", tempObjects)
 	defer os.Remove(file)
 
-	// Start a container with some labels
-	labels := []string{
+	// Start a container with some tags
+	tags := []string{
 		"traefik.enable=true",
 		"traefik.http.Routers.Super.service=whoami",
 		"traefik.http.Routers.Super.Rule=Host(`my.super.host`)",
 	}
-	err := s.registerService("whoami", "whoami", s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress, "80", labels, false)
+
+	reg1 := &api.AgentServiceRegistration{
+		ID:      "whoami",
+		Name:    "whoami",
+		Tags:    tags,
+		Port:    80,
+		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+	}
+	err := s.registerService(reg1, false)
 	c.Assert(err, checker.IsNil)
 
-	err = s.registerService("whoami", "whoami", s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress, "80", labels, true)
+	reg2 := &api.AgentServiceRegistration{
+		ID:      "whoami",
+		Name:    "whoami",
+		Tags:    tags,
+		Port:    80,
+		Address: s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress,
+	}
+	err = s.registerService(reg2, true)
 	c.Assert(err, checker.IsNil)
 
 	// Start traefik
@@ -417,11 +490,18 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithOneMissingLabels(c *check.C) {
 	file := s.adaptFile(c, "fixtures/consul_catalog/simple.toml", tempObjects)
 	defer os.Remove(file)
 
-	// Start a container with some labels
-	labels := []string{
-		"traefik.random.value=my.super.host",
+	// Start a container with some tags
+	reg := &api.AgentServiceRegistration{
+		ID:   "whoami1",
+		Name: "whoami",
+		Tags: []string{
+			"traefik.random.value=my.super.host",
+		},
+		Port:    80,
+		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
 	}
-	err := s.registerService("whoami1", "whoami", s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress, "80", labels, false)
+
+	err := s.registerService(reg, false)
 	c.Assert(err, checker.IsNil)
 
 	// Start traefik
@@ -441,3 +521,82 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithOneMissingLabels(c *check.C) {
 	err = try.Request(req, 1500*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
 }
+
+func (s *ConsulCatalogSuite) TestConsulServiceWithHealthCheck(c *check.C) {
+	tags := []string{
+		"traefik.enable=true",
+		"traefik.http.routers.router1.rule=Path(`/whoami`)",
+		"traefik.http.routers.router1.service=service1",
+		"traefik.http.services.service1.loadBalancer.server.url=http://" + s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+	}
+
+	reg1 := &api.AgentServiceRegistration{
+		ID:      "whoami1",
+		Name:    "whoami",
+		Tags:    tags,
+		Port:    80,
+		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+		Check: &api.AgentServiceCheck{
+			CheckID:  "some-failed-check",
+			TCP:      "127.0.0.1:1234",
+			Name:     "some-failed-check",
+			Interval: "1s",
+			Timeout:  "1s",
+		},
+	}
+
+	err := s.registerService(reg1, false)
+	c.Assert(err, checker.IsNil)
+
+	tempObjects := struct {
+		ConsulAddress string
+	}{
+		ConsulAddress: s.consulAddress,
+	}
+
+	file := s.adaptFile(c, "fixtures/consul_catalog/simple.toml", tempObjects)
+	defer os.Remove(file)
+
+	cmd, display := s.traefikCmd(withConfigFile(file))
+	defer display(c)
+	err = cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	err = try.GetRequest("http://127.0.0.1:8000/whoami", 2*time.Second, try.StatusCodeIs(http.StatusNotFound))
+	c.Assert(err, checker.IsNil)
+
+	err = s.deregisterService("whoami1", false)
+	c.Assert(err, checker.IsNil)
+
+	containerIP := s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress
+
+	reg2 := &api.AgentServiceRegistration{
+		ID:      "whoami2",
+		Name:    "whoami",
+		Tags:    tags,
+		Port:    80,
+		Address: containerIP,
+		Check: &api.AgentServiceCheck{
+			CheckID:  "some-ok-check",
+			TCP:      containerIP + ":80",
+			Name:     "some-ok-check",
+			Interval: "1s",
+			Timeout:  "1s",
+		},
+	}
+
+	err = s.registerService(reg2, false)
+	c.Assert(err, checker.IsNil)
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/whoami", nil)
+	c.Assert(err, checker.IsNil)
+	req.Host = "whoami"
+
+	// FIXME Need to wait for up to 10 seconds (for consul discovery or traefik to boot up ?)
+	err = try.Request(req, 10*time.Second, try.StatusCodeIs(200), try.BodyContainsOr("Hostname: whoami2"))
+	c.Assert(err, checker.IsNil)
+
+	err = s.deregisterService("whoami2", false)
+	c.Assert(err, checker.IsNil)
+}

integration/fixtures/simple_contenttype.toml

@@ -0,0 +1,61 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+[api]
+  insecure = true
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  [http.routers.router1]
+    service = "service1"
+    rule = "PathPrefix(`/css/ct/nomiddleware`) || PathPrefix(`/pdf/ct/nomiddleware`)"
+
+  [http.routers.router2]
+    service = "service1"
+    middlewares = ["autodetect"]
+    rule = "PathPrefix(`/css/ct/middlewareauto`) || PathPrefix(`/pdf/ct/middlewareauto`)"
+
+  [http.routers.router3]
+    service = "service1"
+    middlewares = ["noautodetect"]
+    rule = "PathPrefix(`/css/ct/middlewarenoauto`) || PathPrefix(`/pdf/ct/middlewarenoauto`)"
+
+  [http.routers.router4]
+    service = "service1"
+    rule = "PathPrefix(`/css/noct/nomiddleware`) || PathPrefix(`/pdf/noct/nomiddleware`)"
+
+  [http.routers.router5]
+    service = "service1"
+    middlewares = ["autodetect"]
+    rule = "PathPrefix(`/css/noct/middlewareauto`) || PathPrefix(`/pdf/noct/middlewareauto`)"
+
+  [http.routers.router6]
+    service = "service1"
+    middlewares = ["noautodetect"]
+    rule = "PathPrefix(`/css/noct/middlewarenoauto`) || PathPrefix(`/pdf/noct/middlewarenoauto`)"
+
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+      passHostHeader = true
+      [[http.services.service1.loadBalancer.servers]]
+        url = "{{ .Server }}"
+
+[http.middlewares.autodetect.contentType]
+autoDetect=true
+
+[http.middlewares.noautodetect.contentType]
+autoDetect=false

integration/simple_test.go

@@ -779,3 +779,98 @@ func (s *SimpleSuite) TestSecureAPI(c *check.C) {
 	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
 }
+
+func (s *SimpleSuite) TestContentTypeDisableAutoDetect(c *check.C) {
+	srv1 := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		rw.Header()["Content-Type"] = nil
+		switch req.URL.Path[:4] {
+		case "/css":
+			if !strings.Contains(req.URL.Path, "noct") {
+				rw.Header().Set("Content-Type", "text/css")
+			}
+
+			rw.WriteHeader(http.StatusOK)
+
+			_, err := rw.Write([]byte(".testcss { }"))
+			c.Assert(err, checker.IsNil)
+		case "/pdf":
+			if !strings.Contains(req.URL.Path, "noct") {
+				rw.Header().Set("Content-Type", "application/pdf")
+			}
+
+			rw.WriteHeader(http.StatusOK)
+
+			bytes, err := ioutil.ReadFile("fixtures/test.pdf")
+			c.Assert(err, checker.IsNil)
+
+			_, err = rw.Write(bytes)
+			c.Assert(err, checker.IsNil)
+		}
+	}))
+
+	defer srv1.Close()
+
+	file := s.adaptFile(c, "fixtures/simple_contenttype.toml", struct {
+		Server string
+	}{
+		Server: srv1.URL,
+	})
+	defer os.Remove(file)
+
+	cmd, display := s.traefikCmd(withConfigFile(file), "--log.level=DEBUG")
+	defer display(c)
+
+	err := cmd.Start()
+	c.Assert(err, check.IsNil)
+	defer cmd.Process.Kill()
+
+	// wait for traefik
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/css/ct/nomiddleware", time.Second, try.HasHeaderValue("Content-Type", "text/css", false))
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/pdf/ct/nomiddleware", time.Second, try.HasHeaderValue("Content-Type", "application/pdf", false))
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/css/ct/middlewareauto", time.Second, try.HasHeaderValue("Content-Type", "text/css", false))
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/pdf/ct/nomiddlewareauto", time.Second, try.HasHeaderValue("Content-Type", "application/pdf", false))
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/css/ct/middlewarenoauto", time.Second, try.HasHeaderValue("Content-Type", "text/css", false))
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/pdf/ct/nomiddlewarenoauto", time.Second, try.HasHeaderValue("Content-Type", "application/pdf", false))
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/css/noct/nomiddleware", time.Second, try.HasHeaderValue("Content-Type", "text/plain; charset=utf-8", false))
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/pdf/noct/nomiddleware", time.Second, try.HasHeaderValue("Content-Type", "application/pdf", false))
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/css/noct/middlewareauto", time.Second, try.HasHeaderValue("Content-Type", "text/plain; charset=utf-8", false))
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/pdf/noct/nomiddlewareauto", time.Second, try.HasHeaderValue("Content-Type", "application/pdf", false))
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/css/noct/middlewarenoauto", time.Second, func(res *http.Response) error {
+		if ct, ok := res.Header["Content-Type"]; ok {
+			return fmt.Errorf("should have no content type and %s is present", ct)
+		}
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
+
+	err = try.GetRequest("http://127.0.0.1:8000/pdf/noct/middlewarenoauto", time.Second, func(res *http.Response) error {
+		if ct, ok := res.Header["Content-Type"]; ok {
+			return fmt.Errorf("should have no content type and %s is present", ct)
+		}
+		return nil
+	})
+	c.Assert(err, checker.IsNil)
+}

integration/testdata/rawdata-ingress.json

@@ -60,7 +60,7 @@
 	"middlewares": {
 		"dashboard_redirect@internal": {
 			"redirectRegex": {
-				"regex": "^(http:\\/\\/[^:]+(:\\d+)?)/$",
+				"regex": "^(http:\\/\\/[^:\\/]+(:\\d+)?)\\/$",
 				"replacement": "${1}/dashboard/",
 				"permanent": true
 			},

pkg/config/dynamic/middlewares.go

@@ -35,6 +35,22 @@ type Middleware struct {
 	Compress          *Compress          `json:"compress,omitempty" toml:"compress,omitempty" yaml:"compress,omitempty" label:"allowEmpty"`
 	PassTLSClientCert *PassTLSClientCert `json:"passTLSClientCert,omitempty" toml:"passTLSClientCert,omitempty" yaml:"passTLSClientCert,omitempty"`
 	Retry             *Retry             `json:"retry,omitempty" toml:"retry,omitempty" yaml:"retry,omitempty"`
+	ContentType       *ContentType       `json:"contentType,omitempty" toml:"contentType,omitempty" yaml:"contentType,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// ContentType middleware - or rather its unique `autoDetect` option -
+// specifies whether to let the `Content-Type` header,
+// if it has not been set by the backend,
+// be automatically set to a value derived from the contents of the response.
+// As a proxy, the default behavior should be to leave the header alone,
+// regardless of what the backend did with it.
+// However, the historic default was to always auto-detect and set the header if it was nil,
+// and it is going to be kept that way in order to support users currently relying on it.
+// This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+type ContentType struct {
+	AutoDetect bool `json:"autoDetect,omitempty" toml:"autoDetect,omitempty" yaml:"autoDetect,omitempty"`
 }
 
 // +k8s:deepcopy-gen=true

pkg/config/dynamic/zz_generated.deepcopy.go

@@ -3,7 +3,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -252,6 +252,22 @@ func (in Configurations) DeepCopy() Configurations {
 	return *out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ContentType) DeepCopyInto(out *ContentType) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContentType.
+func (in *ContentType) DeepCopy() *ContentType {
+	if in == nil {
+		return nil
+	}
+	out := new(ContentType)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Cookie) DeepCopyInto(out *Cookie) {
 	*out = *in
@@ -679,6 +695,11 @@ func (in *Middleware) DeepCopyInto(out *Middleware) {
 		*out = new(Retry)
 		**out = **in
 	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(ContentType)
+		**out = **in
+	}
 	return
 }
 

pkg/config/file/file_node.go

@@ -13,8 +13,7 @@ import (
 )
 
 // decodeFileToNode decodes the configuration in filePath in a tree of untyped nodes.
-// If filters is not empty, it skips any configuration element whose name is
-// not among filters.
+// If filters is not empty, it skips any configuration element whose name is not among filters.
 func decodeFileToNode(filePath string, filters ...string) (*parser.Node, error) {
 	content, err := ioutil.ReadFile(filePath)
 	if err != nil {
@@ -40,7 +39,20 @@ func decodeFileToNode(filePath string, filters ...string) (*parser.Node, error)
 		return nil, fmt.Errorf("unsupported file extension: %s", filePath)
 	}
 
-	return decodeRawToNode(data, parser.DefaultRootName, filters...)
+	if len(data) == 0 {
+		return nil, fmt.Errorf("no configuration found in file: %s", filePath)
+	}
+
+	node, err := decodeRawToNode(data, parser.DefaultRootName, filters...)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(node.Children) == 0 {
+		return nil, fmt.Errorf("no valid configuration found in file: %s", filePath)
+	}
+
+	return node, nil
 }
 
 func getRootFieldNames(element interface{}) []string {

pkg/config/file/file_node_test.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/containous/traefik/v2/pkg/config/parser"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func Test_getRootFieldNames(t *testing.T) {
@@ -42,17 +43,43 @@ func Test_getRootFieldNames(t *testing.T) {
 	}
 }
 
+func Test_decodeFileToNode_errors(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		confFile string
+	}{
+		{
+			desc:     "non existing file",
+			confFile: "./fixtures/not_existing.toml",
+		},
+		{
+			desc:     "file without content",
+			confFile: "./fixtures/empty.toml",
+		},
+		{
+			desc:     "file without any valid configuration",
+			confFile: "./fixtures/no_conf.toml",
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			node, err := decodeFileToNode(test.confFile,
+				"Global", "ServersTransport", "EntryPoints", "Providers", "API", "Metrics", "Ping", "Log", "AccessLog", "Tracing", "HostResolver", "CertificatesResolvers")
+
+			require.Error(t, err)
+			assert.Nil(t, node)
+		})
+	}
+}
+
 func Test_decodeFileToNode_compare(t *testing.T) {
 	nodeToml, err := decodeFileToNode("./fixtures/sample.toml",
 		"Global", "ServersTransport", "EntryPoints", "Providers", "API", "Metrics", "Ping", "Log", "AccessLog", "Tracing", "HostResolver", "CertificatesResolvers")
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	nodeYaml, err := decodeFileToNode("./fixtures/sample.yml")
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	assert.Equal(t, nodeToml, nodeYaml)
 }
@@ -60,9 +87,7 @@ func Test_decodeFileToNode_compare(t *testing.T) {
 func Test_decodeFileToNode_Toml(t *testing.T) {
 	node, err := decodeFileToNode("./fixtures/sample.toml",
 		"Global", "ServersTransport", "EntryPoints", "Providers", "API", "Metrics", "Ping", "Log", "AccessLog", "Tracing", "HostResolver", "CertificatesResolvers")
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	expected := &parser.Node{
 		Name: "traefik",
@@ -294,9 +319,7 @@ func Test_decodeFileToNode_Toml(t *testing.T) {
 
 func Test_decodeFileToNode_Yaml(t *testing.T) {
 	node, err := decodeFileToNode("./fixtures/sample.yml")
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	expected := &parser.Node{
 		Name: "traefik",

pkg/config/file/fixtures/no_conf.toml

@@ -0,0 +1,2 @@
+[foo]
+  bar = "test"

pkg/config/parser/labels_decode.go

@@ -21,6 +21,10 @@ func DecodeToNode(labels map[string]string, rootName string, filters ...string)
 
 		var parts []string
 		for _, v := range split {
+			if v == "" {
+				return nil, fmt.Errorf("invalid element: %s", key)
+			}
+
 			if v[0] == '[' {
 				return nil, fmt.Errorf("invalid leading character '[' in field name (bracket is a slice delimiter): %s", v)
 			}

pkg/config/parser/labels_decode_test.go

@@ -26,6 +26,15 @@ func TestDecodeToNode(t *testing.T) {
 			in:       map[string]string{},
 			expected: expected{node: nil},
 		},
+		{
+			desc: "invalid label, ending by a dot",
+			in: map[string]string{
+				"traefik.http.": "bar",
+			},
+			expected: expected{
+				error: true,
+			},
+		},
 		{
 			desc: "level 1",
 			in: map[string]string{

pkg/middlewares/accesslog/capture_response_writer.go

@@ -10,9 +10,23 @@ import (
 )
 
 var (
-	_ middlewares.Stateful = &captureResponseWriter{}
+	_ middlewares.Stateful = &captureResponseWriterWithCloseNotify{}
 )
 
+type capturer interface {
+	http.ResponseWriter
+	Size() int64
+	Status() int
+}
+
+func newCaptureResponseWriter(rw http.ResponseWriter) capturer {
+	capt := &captureResponseWriter{rw: rw}
+	if _, ok := rw.(http.CloseNotifier); !ok {
+		return capt
+	}
+	return &captureResponseWriterWithCloseNotify{capt}
+}
+
 // captureResponseWriter is a wrapper of type http.ResponseWriter
 // that tracks request status and size
 type captureResponseWriter struct {
@@ -21,6 +35,16 @@ type captureResponseWriter struct {
 	size   int64
 }
 
+type captureResponseWriterWithCloseNotify struct {
+	*captureResponseWriter
+}
+
+// CloseNotify returns a channel that receives at most a
+// single value (true) when the client connection has gone away.
+func (r *captureResponseWriterWithCloseNotify) CloseNotify() <-chan bool {
+	return r.rw.(http.CloseNotifier).CloseNotify()
+}
+
 func (crw *captureResponseWriter) Header() http.Header {
 	return crw.rw.Header()
 }
@@ -52,13 +76,6 @@ func (crw *captureResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error)
 	return nil, nil, fmt.Errorf("not a hijacker: %T", crw.rw)
 }
 
-func (crw *captureResponseWriter) CloseNotify() <-chan bool {
-	if c, ok := crw.rw.(http.CloseNotifier); ok {
-		return c.CloseNotify()
-	}
-	return nil
-}
-
 func (crw *captureResponseWriter) Status() int {
 	return crw.status
 }

pkg/middlewares/accesslog/capture_response_writer_test.go

@@ -0,0 +1,50 @@
+package accesslog
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type rwWithCloseNotify struct {
+	*httptest.ResponseRecorder
+}
+
+func (r *rwWithCloseNotify) CloseNotify() <-chan bool {
+	panic("implement me")
+}
+
+func TestCloseNotifier(t *testing.T) {
+	testCases := []struct {
+		rw                      http.ResponseWriter
+		desc                    string
+		implementsCloseNotifier bool
+	}{
+		{
+			rw:                      httptest.NewRecorder(),
+			desc:                    "does not implement CloseNotifier",
+			implementsCloseNotifier: false,
+		},
+		{
+			rw:                      &rwWithCloseNotify{httptest.NewRecorder()},
+			desc:                    "implements CloseNotifier",
+			implementsCloseNotifier: true,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			_, ok := test.rw.(http.CloseNotifier)
+			assert.Equal(t, test.implementsCloseNotifier, ok)
+
+			rw := newCaptureResponseWriter(test.rw)
+			_, impl := rw.(http.CloseNotifier)
+			assert.Equal(t, test.implementsCloseNotifier, impl)
+		})
+	}
+}

pkg/middlewares/accesslog/field_middleware.go

@@ -49,7 +49,7 @@ func AddServiceFields(rw http.ResponseWriter, req *http.Request, next http.Handl
 
 // AddOriginFields add origin fields
 func AddOriginFields(rw http.ResponseWriter, req *http.Request, next http.Handler, data *LogData) {
-	crw := &captureResponseWriter{rw: rw}
+	crw := newCaptureResponseWriter(rw)
 	start := time.Now().UTC()
 
 	next.ServeHTTP(crw, req)

pkg/middlewares/accesslog/logger.go

@@ -200,7 +200,7 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http
 		core[ClientHost] = forwardedFor
 	}
 
-	crw := &captureResponseWriter{rw: rw}
+	crw := newCaptureResponseWriter(rw)
 
 	next.ServeHTTP(crw, reqWithDataTable)
 

pkg/middlewares/auth/forward.go

@@ -88,9 +88,11 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	writeHeader(req, forwardReq, fa.trustForwardHeader)
+	// Ensure tracing headers are in the request before we copy the headers to the
+	// forwardReq.
+	tracing.InjectRequestHeaders(req)
 
-	tracing.InjectRequestHeaders(forwardReq)
+	writeHeader(req, forwardReq, fa.trustForwardHeader)
 
 	forwardResponse, forwardErr := httpClient.Do(forwardReq)
 	if forwardErr != nil {

pkg/middlewares/auth/forward_test.go

@@ -3,13 +3,18 @@ package auth
 import (
 	"context"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 
 	"github.com/containous/traefik/v2/pkg/config/dynamic"
+	tracingMiddleware "github.com/containous/traefik/v2/pkg/middlewares/tracing"
 	"github.com/containous/traefik/v2/pkg/testhelpers"
+	"github.com/containous/traefik/v2/pkg/tracing"
+	"github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go/mocktracer"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/vulcand/oxy/forward"
@@ -394,3 +399,44 @@ func Test_writeHeader(t *testing.T) {
 		})
 	}
 }
+
+func TestForwardAuthUsesTracing(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Header.Get("Mockpfx-Ids-Traceid") == "" {
+			t.Errorf("expected Mockpfx-Ids-Traceid header to be present in request")
+		}
+	}))
+	defer server.Close()
+
+	next := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+
+	auth := dynamic.ForwardAuth{
+		Address: server.URL,
+	}
+
+	tracer := mocktracer.New()
+	opentracing.SetGlobalTracer(tracer)
+
+	tr, _ := tracing.NewTracing("testApp", 100, &mockBackend{tracer})
+
+	next, err := NewForward(context.Background(), next, auth, "authTest")
+	require.NoError(t, err)
+
+	next = tracingMiddleware.NewEntryPoint(context.Background(), tr, "tracingTest", next)
+
+	ts := httptest.NewServer(next)
+	defer ts.Close()
+
+	req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
+	res, err := http.DefaultClient.Do(req)
+	require.NoError(t, err)
+	assert.Equal(t, http.StatusOK, res.StatusCode)
+}
+
+type mockBackend struct {
+	opentracing.Tracer
+}
+
+func (b *mockBackend) Setup(componentName string) (opentracing.Tracer, io.Closer, error) {
+	return b.Tracer, ioutil.NopCloser(nil), nil
+}

pkg/middlewares/metrics/metrics.go

@@ -89,10 +89,10 @@ func (m *metricsMiddleware) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 	}(labels)
 
 	start := time.Now()
-	recorder := &responseRecorder{rw, http.StatusOK}
+	recorder := newResponseRecorder(rw)
 	m.next.ServeHTTP(recorder, req)
 
-	labels = append(labels, "code", strconv.Itoa(recorder.statusCode))
+	labels = append(labels, "code", strconv.Itoa(recorder.getCode()))
 	m.reqsCounter.With(labels...).Add(1)
 	m.reqDurationHistogram.With(labels...).Observe(time.Since(start).Seconds())
 }

pkg/middlewares/metrics/metrics_test.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/go-kit/kit/metrics"
+	"github.com/stretchr/testify/assert"
 )
 
 // CollectingCounter is a metrics.Counter implementation that enables access to the CounterValue and LastLabelValues.
@@ -56,3 +57,44 @@ func newCollectingRetryMetrics() *collectingRetryMetrics {
 func (m *collectingRetryMetrics) ServiceRetriesCounter() metrics.Counter {
 	return m.retriesCounter
 }
+
+type rwWithCloseNotify struct {
+	*httptest.ResponseRecorder
+}
+
+func (r *rwWithCloseNotify) CloseNotify() <-chan bool {
+	panic("implement me")
+}
+
+func TestCloseNotifier(t *testing.T) {
+	testCases := []struct {
+		rw                      http.ResponseWriter
+		desc                    string
+		implementsCloseNotifier bool
+	}{
+		{
+			rw:                      httptest.NewRecorder(),
+			desc:                    "does not implement CloseNotifier",
+			implementsCloseNotifier: false,
+		},
+		{
+			rw:                      &rwWithCloseNotify{httptest.NewRecorder()},
+			desc:                    "implements CloseNotifier",
+			implementsCloseNotifier: true,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			_, ok := test.rw.(http.CloseNotifier)
+			assert.Equal(t, test.implementsCloseNotifier, ok)
+
+			rw := newResponseRecorder(test.rw)
+			_, impl := rw.(http.CloseNotifier)
+			assert.Equal(t, test.implementsCloseNotifier, impl)
+		})
+	}
+}

pkg/middlewares/metrics/recorder.go

@@ -6,6 +6,23 @@ import (
 	"net/http"
 )
 
+type recorder interface {
+	http.ResponseWriter
+	http.Flusher
+	getCode() int
+}
+
+func newResponseRecorder(rw http.ResponseWriter) recorder {
+	rec := &responseRecorder{
+		ResponseWriter: rw,
+		statusCode:     http.StatusOK,
+	}
+	if _, ok := rw.(http.CloseNotifier); !ok {
+		return rec
+	}
+	return &responseRecorderWithCloseNotify{rec}
+}
+
 // responseRecorder captures information from the response and preserves it for
 // later analysis.
 type responseRecorder struct {
@@ -13,6 +30,20 @@ type responseRecorder struct {
 	statusCode int
 }
 
+type responseRecorderWithCloseNotify struct {
+	*responseRecorder
+}
+
+// CloseNotify returns a channel that receives at most a
+// single value (true) when the client connection has gone away.
+func (r *responseRecorderWithCloseNotify) CloseNotify() <-chan bool {
+	return r.ResponseWriter.(http.CloseNotifier).CloseNotify()
+}
+
+func (r *responseRecorder) getCode() int {
+	return r.statusCode
+}
+
 // WriteHeader captures the status code for later retrieval.
 func (r *responseRecorder) WriteHeader(status int) {
 	r.ResponseWriter.WriteHeader(status)
@@ -24,13 +55,6 @@ func (r *responseRecorder) Hijack() (net.Conn, *bufio.ReadWriter, error) {
 	return r.ResponseWriter.(http.Hijacker).Hijack()
 }
 
-// CloseNotify returns a channel that receives at most a
-// single value (true) when the client connection has gone
-// away.
-func (r *responseRecorder) CloseNotify() <-chan bool {
-	return r.ResponseWriter.(http.CloseNotifier).CloseNotify()
-}
-
 // Flush sends any buffered data to the client.
 func (r *responseRecorder) Flush() {
 	if f, ok := r.ResponseWriter.(http.Flusher); ok {

pkg/middlewares/passtlsclientcert/pass_tls_client_cert.go

@@ -18,10 +18,17 @@ import (
 	"github.com/opentracing/opentracing-go/ext"
 )
 
+const typeName = "PassClientTLSCert"
+
 const (
 	xForwardedTLSClientCert     = "X-Forwarded-Tls-Client-Cert"
 	xForwardedTLSClientCertInfo = "X-Forwarded-Tls-Client-Cert-Info"
-	typeName                    = "PassClientTLSCert"
+)
+
+const (
+	certSeparator     = ","
+	fieldSeparator    = ";"
+	subFieldSeparator = ","
 )
 
 var attributeTypeNames = map[string]string{
@@ -55,6 +62,29 @@ func newDistinguishedNameOptions(info *dynamic.TLSCLientCertificateDNInfo) *Dist
 	}
 }
 
+// tlsClientCertificateInfo is a struct for specifying the configuration for the passTLSClientCert middleware.
+type tlsClientCertificateInfo struct {
+	notAfter  bool
+	notBefore bool
+	sans      bool
+	subject   *DistinguishedNameOptions
+	issuer    *DistinguishedNameOptions
+}
+
+func newTLSClientCertificateInfo(info *dynamic.TLSClientCertificateInfo) *tlsClientCertificateInfo {
+	if info == nil {
+		return nil
+	}
+
+	return &tlsClientCertificateInfo{
+		issuer:    newDistinguishedNameOptions(info.Issuer),
+		notAfter:  info.NotAfter,
+		notBefore: info.NotBefore,
+		subject:   newDistinguishedNameOptions(info.Subject),
+		sans:      info.Sans,
+	}
+}
+
 // passTLSClientCert is a middleware that helps setup a few tls info features.
 type passTLSClientCert struct {
 	next http.Handler
@@ -71,45 +101,84 @@ func New(ctx context.Context, next http.Handler, config dynamic.PassTLSClientCer
 		next: next,
 		name: name,
 		pem:  config.PEM,
-		info: newTLSClientInfo(config.Info),
+		info: newTLSClientCertificateInfo(config.Info),
 	}, nil
 }
 
-// tlsClientCertificateInfo is a struct for specifying the configuration for the passTLSClientCert middleware.
-type tlsClientCertificateInfo struct {
-	notAfter  bool
-	notBefore bool
-	sans      bool
-	subject   *DistinguishedNameOptions
-	issuer    *DistinguishedNameOptions
-}
-
-func newTLSClientInfo(info *dynamic.TLSClientCertificateInfo) *tlsClientCertificateInfo {
-	if info == nil {
-		return nil
-	}
-
-	return &tlsClientCertificateInfo{
-		issuer:    newDistinguishedNameOptions(info.Issuer),
-		notAfter:  info.NotAfter,
-		notBefore: info.NotBefore,
-		subject:   newDistinguishedNameOptions(info.Subject),
-		sans:      info.Sans,
-	}
-}
-
 func (p *passTLSClientCert) GetTracingInformation() (string, ext.SpanKindEnum) {
 	return p.name, tracing.SpanKindNoneEnum
 }
 
 func (p *passTLSClientCert) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	ctx := middlewares.GetLoggerCtx(req.Context(), p.name, typeName)
+	logger := log.FromContext(ctx)
+
+	if p.pem {
+		if req.TLS != nil && len(req.TLS.PeerCertificates) > 0 {
+			req.Header.Set(xForwardedTLSClientCert, getCertificates(ctx, req.TLS.PeerCertificates))
+		} else {
+			logger.Warn("Tried to extract a certificate on a request without mutual TLS")
+		}
+	}
+
+	if p.info != nil {
+		if req.TLS != nil && len(req.TLS.PeerCertificates) > 0 {
+			headerContent := p.getCertInfo(ctx, req.TLS.PeerCertificates)
+			req.Header.Set(xForwardedTLSClientCertInfo, url.QueryEscape(headerContent))
+		} else {
+			logger.Warn("Tried to extract a certificate on a request without mutual TLS")
+		}
+	}
 
-	p.modifyRequestHeaders(ctx, req)
 	p.next.ServeHTTP(rw, req)
 }
 
-func getDNInfo(ctx context.Context, prefix string, options *DistinguishedNameOptions, cs *pkix.Name) string {
+// getCertInfo Build a string with the wanted client certificates information
+// - the `,` is used to separate certificates
+// - the `;` is used to separate root fields
+// - the value of root fields is always wrapped by double quote
+// - if a field is empty, the field is ignored
+func (p *passTLSClientCert) getCertInfo(ctx context.Context, certs []*x509.Certificate) string {
+	var headerValues []string
+
+	for _, peerCert := range certs {
+		var values []string
+
+		if p.info != nil {
+			subject := getDNInfo(ctx, p.info.subject, &peerCert.Subject)
+			if subject != "" {
+				values = append(values, fmt.Sprintf(`Subject="%s"`, strings.TrimSuffix(subject, subFieldSeparator)))
+			}
+
+			issuer := getDNInfo(ctx, p.info.issuer, &peerCert.Issuer)
+			if issuer != "" {
+				values = append(values, fmt.Sprintf(`Issuer="%s"`, strings.TrimSuffix(issuer, subFieldSeparator)))
+			}
+
+			if p.info.notBefore {
+				values = append(values, fmt.Sprintf(`NB="%d"`, uint64(peerCert.NotBefore.Unix())))
+			}
+
+			if p.info.notAfter {
+				values = append(values, fmt.Sprintf(`NA="%d"`, uint64(peerCert.NotAfter.Unix())))
+			}
+
+			if p.info.sans {
+				sans := getSANs(peerCert)
+				if len(sans) > 0 {
+					values = append(values, fmt.Sprintf(`SAN="%s"`, strings.Join(sans, subFieldSeparator)))
+				}
+			}
+		}
+
+		value := strings.Join(values, fieldSeparator)
+		headerValues = append(headerValues, value)
+	}
+
+	return strings.Join(headerValues, certSeparator)
+}
+
+func getDNInfo(ctx context.Context, options *DistinguishedNameOptions, cs *pkix.Name) string {
 	if options == nil {
 		return ""
 	}
@@ -120,7 +189,7 @@ func getDNInfo(ctx context.Context, prefix string, options *DistinguishedNameOpt
 	for _, name := range cs.Names {
 		// Domain Component - RFC 2247
 		if options.DomainComponent && attributeTypeNames[name.Type.String()] == "DC" {
-			content.WriteString(fmt.Sprintf("DC=%s,", name.Value))
+			content.WriteString(fmt.Sprintf("DC=%s%s", name.Value, subFieldSeparator))
 		}
 	}
 
@@ -148,11 +217,7 @@ func getDNInfo(ctx context.Context, prefix string, options *DistinguishedNameOpt
 		writePart(ctx, content, cs.CommonName, "CN")
 	}
 
-	if content.Len() > 0 {
-		return prefix + `="` + strings.TrimSuffix(content.String(), ",") + `"`
-	}
-
-	return ""
+	return content.String()
 }
 
 func writeParts(ctx context.Context, content io.StringWriter, entries []string, prefix string) {
@@ -163,135 +228,63 @@ func writeParts(ctx context.Context, content io.StringWriter, entries []string,
 
 func writePart(ctx context.Context, content io.StringWriter, entry string, prefix string) {
 	if len(entry) > 0 {
-		_, err := content.WriteString(fmt.Sprintf("%s=%s,", prefix, entry))
+		_, err := content.WriteString(fmt.Sprintf("%s=%s%s", prefix, entry, subFieldSeparator))
 		if err != nil {
 			log.FromContext(ctx).Error(err)
 		}
 	}
 }
 
-// getXForwardedTLSClientCertInfo Build a string with the wanted client certificates information
-// like Subject="C=%s,ST=%s,L=%s,O=%s,CN=%s",NB=%d,NA=%d,SAN=%s;
-func (p *passTLSClientCert) getXForwardedTLSClientCertInfo(ctx context.Context, certs []*x509.Certificate) string {
-	var headerValues []string
-
-	for _, peerCert := range certs {
-		var values []string
-		var sans string
-		var nb string
-		var na string
-
-		if p.info != nil {
-			subject := getDNInfo(ctx, "Subject", p.info.subject, &peerCert.Subject)
-			if len(subject) > 0 {
-				values = append(values, subject)
-			}
-
-			issuer := getDNInfo(ctx, "Issuer", p.info.issuer, &peerCert.Issuer)
-			if len(issuer) > 0 {
-				values = append(values, issuer)
-			}
-		}
-
-		ci := p.info
-		if ci != nil {
-			if ci.notBefore {
-				nb = fmt.Sprintf("NB=%d", uint64(peerCert.NotBefore.Unix()))
-				values = append(values, nb)
-			}
-			if ci.notAfter {
-				na = fmt.Sprintf("NA=%d", uint64(peerCert.NotAfter.Unix()))
-				values = append(values, na)
-			}
-
-			if ci.sans {
-				sans = fmt.Sprintf("SAN=%s", strings.Join(getSANs(peerCert), ","))
-				values = append(values, sans)
-			}
-		}
-
-		value := strings.Join(values, ",")
-		headerValues = append(headerValues, value)
-	}
-
-	return strings.Join(headerValues, ";")
-}
-
-// modifyRequestHeaders set the wanted headers with the certificates information.
-func (p *passTLSClientCert) modifyRequestHeaders(ctx context.Context, r *http.Request) {
-	logger := log.FromContext(ctx)
-
-	if p.pem {
-		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
-			r.Header.Set(xForwardedTLSClientCert, getXForwardedTLSClientCert(ctx, r.TLS.PeerCertificates))
-		} else {
-			logger.Warn("Tried to extract a certificate on a request without mutual TLS")
-		}
-	}
-
-	if p.info != nil {
-		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
-			headerContent := p.getXForwardedTLSClientCertInfo(ctx, r.TLS.PeerCertificates)
-			r.Header.Set(xForwardedTLSClientCertInfo, url.QueryEscape(headerContent))
-		} else {
-			logger.Warn("Tried to extract a certificate on a request without mutual TLS")
-		}
-	}
-}
-
 // sanitize As we pass the raw certificates, remove the useless data and make it http request compliant.
 func sanitize(cert []byte) string {
-	s := string(cert)
-	r := strings.NewReplacer("-----BEGIN CERTIFICATE-----", "",
+	cleaned := strings.NewReplacer(
+		"-----BEGIN CERTIFICATE-----", "",
 		"-----END CERTIFICATE-----", "",
-		"\n", "")
-	cleaned := r.Replace(s)
+		"\n", "",
+	).Replace(string(cert))
 
 	return url.QueryEscape(cleaned)
 }
 
-// extractCertificate extract the certificate from the request.
-func extractCertificate(ctx context.Context, cert *x509.Certificate) string {
-	b := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
-	certPEM := pem.EncodeToMemory(&b)
-	if certPEM == nil {
-		log.FromContext(ctx).Error("Cannot extract the certificate content")
-		return ""
-	}
-	return sanitize(certPEM)
-}
-
-// getXForwardedTLSClientCert Build a string with the client certificates.
-func getXForwardedTLSClientCert(ctx context.Context, certs []*x509.Certificate) string {
+// getCertificates Build a string with the client certificates.
+func getCertificates(ctx context.Context, certs []*x509.Certificate) string {
 	var headerValues []string
 
 	for _, peerCert := range certs {
 		headerValues = append(headerValues, extractCertificate(ctx, peerCert))
 	}
 
-	return strings.Join(headerValues, ",")
+	return strings.Join(headerValues, certSeparator)
+}
+
+// extractCertificate extract the certificate from the request.
+func extractCertificate(ctx context.Context, cert *x509.Certificate) string {
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+	if certPEM == nil {
+		log.FromContext(ctx).Error("Cannot extract the certificate content")
+		return ""
+	}
+
+	return sanitize(certPEM)
 }
 
 // getSANs get the Subject Alternate Name values.
 func getSANs(cert *x509.Certificate) []string {
-	var sans []string
 	if cert == nil {
-		return sans
+		return nil
 	}
 
+	var sans []string
 	sans = append(sans, cert.DNSNames...)
 	sans = append(sans, cert.EmailAddresses...)
 
-	var ips []string
 	for _, ip := range cert.IPAddresses {
-		ips = append(ips, ip.String())
+		sans = append(sans, ip.String())
 	}
-	sans = append(sans, ips...)
 
-	var uris []string
 	for _, uri := range cert.URIs {
-		uris = append(uris, uri.String())
+		sans = append(sans, uri.String())
 	}
 
-	return append(sans, uris...)
+	return sans
 }

pkg/middlewares/passtlsclientcert/pass_tls_client_cert_test.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/containous/traefik/v2/pkg/config/dynamic"
 	"github.com/containous/traefik/v2/pkg/testhelpers"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -113,6 +114,7 @@ Cg+XKmHzexmTnKaKac2w9ZECpRsQ9IBdQq9OghIwPtOnERTOUJEEgNcqA+9xELjb
 pQ==
 -----END CERTIFICATE-----
 `
+
 	minimalCheeseCrt = `-----BEGIN CERTIFICATE-----
 MIIEQDCCAygCFFRY0OBk/L5Se0IZRj3CMljawL2UMA0GCSqGSIb3DQEBCwUAMIIB
 hDETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixkARkWBmNoZWVzZTEP
@@ -262,47 +264,6 @@ jECvgAY7Nfd9mZ1KtyNaW31is+kag7NsvjxU/kM=
 -----END CERTIFICATE-----`
 )
 
-func getCleanCertContents(certContents []string) string {
-	var re = regexp.MustCompile("-----BEGIN CERTIFICATE-----(?s)(.*)")
-
-	var cleanedCertContent []string
-	for _, certContent := range certContents {
-		cert := re.FindString(certContent)
-		cleanedCertContent = append(cleanedCertContent, sanitize([]byte(cert)))
-	}
-
-	return strings.Join(cleanedCertContent, ",")
-}
-
-func getCertificate(certContent string) *x509.Certificate {
-	roots := x509.NewCertPool()
-	ok := roots.AppendCertsFromPEM([]byte(signingCA))
-	if !ok {
-		panic("failed to parse root certificate")
-	}
-
-	block, _ := pem.Decode([]byte(certContent))
-	if block == nil {
-		panic("failed to parse certificate PEM")
-	}
-	cert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		panic("failed to parse certificate: " + err.Error())
-	}
-
-	return cert
-}
-
-func buildTLSWith(certContents []string) *tls.ConnectionState {
-	var peerCertificates []*x509.Certificate
-
-	for _, certContent := range certContents {
-		peerCertificates = append(peerCertificates, getCertificate(certContent))
-	}
-
-	return &tls.ConnectionState{PeerCertificates: peerCertificates}
-}
-
 var next = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 	_, err := w.Write([]byte("bar"))
 	if err != nil {
@@ -310,59 +271,7 @@ var next = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 	}
 })
 
-func getExpectedSanitized(s string) string {
-	return url.QueryEscape(strings.Replace(s, "\n", "", -1))
-}
-
-func TestSanitize(t *testing.T) {
-	testCases := []struct {
-		desc       string
-		toSanitize []byte
-		expected   string
-	}{
-		{
-			desc: "Empty",
-		},
-		{
-			desc:       "With a minimal cert",
-			toSanitize: []byte(minimalCheeseCrt),
-			expected: getExpectedSanitized(`MIIEQDCCAygCFFRY0OBk/L5Se0IZRj3CMljawL2UMA0GCSqGSIb3DQEBCwUAMIIB
-hDETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixkARkWBmNoZWVzZTEP
-MA0GA1UECgwGQ2hlZXNlMREwDwYDVQQKDAhDaGVlc2UgMjEfMB0GA1UECwwWU2lt
-cGxlIFNpZ25pbmcgU2VjdGlvbjEhMB8GA1UECwwYU2ltcGxlIFNpZ25pbmcgU2Vj
-dGlvbiAyMRowGAYDVQQDDBFTaW1wbGUgU2lnbmluZyBDQTEcMBoGA1UEAwwTU2lt
-cGxlIFNpZ25pbmcgQ0EgMjELMAkGA1UEBhMCRlIxCzAJBgNVBAYTAlVTMREwDwYD
-VQQHDAhUT1VMT1VTRTENMAsGA1UEBwwETFlPTjEWMBQGA1UECAwNU2lnbmluZyBT
-dGF0ZTEYMBYGA1UECAwPU2lnbmluZyBTdGF0ZSAyMSEwHwYJKoZIhvcNAQkBFhJz
-aW1wbGVAc2lnbmluZy5jb20xIjAgBgkqhkiG9w0BCQEWE3NpbXBsZTJAc2lnbmlu
-Zy5jb20wHhcNMTgxMjA2MTExMDM2WhcNMjEwOTI1MTExMDM2WjAzMQswCQYDVQQG
-EwJGUjETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UECgwGQ2hlZXNlMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAskX/bUtwFo1gF2BTPNaNcTUMaRFu
-FMZozK8IgLjccZ4kZ0R9oFO6Yp8Zl/IvPaf7tE26PI7XP7eHriUdhnQzX7iioDd0
-RZa68waIhAGc+xPzRFrP3b3yj3S2a9Rve3c0K+SCV+EtKAwsxMqQDhoo9PcBfo5B
-RHfht07uD5MncUcGirwN+/pxHV5xzAGPcc7On0/5L7bq/G+63nhu78zw9XyuLaHC
-PM5VbOUvpyIESJHbMMzTdFGL8ob9VKO+Kr1kVGdEA9i8FLGl3xz/GBKuW/JD0xyW
-DrU29mri5vYWHmkuv7ZWHGXnpXjTtPHwveE9/0/ArnmpMyR9JtqFr1oEvQIDAQAB
-MA0GCSqGSIb3DQEBCwUAA4IBAQBHta+NWXI08UHeOkGzOTGRiWXsOH2dqdX6gTe9
-xF1AIjyoQ0gvpoGVvlnChSzmlUj+vnx/nOYGIt1poE3hZA3ZHZD/awsvGyp3GwWD
-IfXrEViSCIyF+8tNNKYyUcEO3xdAsAUGgfUwwF/mZ6MBV5+A/ZEEILlTq8zFt9dV
-vdKzIt7fZYxYBBHFSarl1x8pDgWXlf3hAufevGJXip9xGYmznF0T5cq1RbWJ4be3
-/9K7yuWhuBYC3sbTbCneHBa91M82za+PIISc1ygCYtWSBoZKSAqLk0rkZpHaekDP
-WqeUSNGYV//RunTeuRDAf5OxehERb1srzBXhRZ3cZdzXbgR/`),
-		},
-	}
-
-	for _, test := range testCases {
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			require.Equal(t, test.expected, sanitize(test.toSanitize), "The sanitized certificates should be equal")
-		})
-	}
-}
-
-func TestTLSClientHeadersWithPEM(t *testing.T) {
+func TestPassTLSClientCert_PEM(t *testing.T) {
 	testCases := []struct {
 		desc           string
 		certContents   []string // set the request TLS attribute if defined
@@ -417,70 +326,36 @@ func TestTLSClientHeadersWithPEM(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 
-			require.Equal(t, http.StatusOK, res.Code, "Http Status should be OK")
-			require.Equal(t, "bar", res.Body.String(), "Should be the expected body")
+			assert.Equal(t, http.StatusOK, res.Code, "Http Status should be OK")
+			assert.Equal(t, "bar", res.Body.String(), "Should be the expected body")
 
 			if test.expectedHeader != "" {
-				require.Equal(t, getCleanCertContents(test.certContents), req.Header.Get(xForwardedTLSClientCert), "The request header should contain the cleaned certificate")
+				expected := getCleanCertContents(test.certContents)
+				assert.Equal(t, expected, req.Header.Get(xForwardedTLSClientCert), "The request header should contain the cleaned certificate")
 			} else {
-				require.Empty(t, req.Header.Get(xForwardedTLSClientCert))
+				assert.Empty(t, req.Header.Get(xForwardedTLSClientCert))
 			}
-			require.Empty(t, res.Header().Get(xForwardedTLSClientCert), "The response header should be always empty")
+
+			assert.Empty(t, res.Header().Get(xForwardedTLSClientCert), "The response header should be always empty")
 		})
 	}
 }
 
-func TestGetSans(t *testing.T) {
-	urlFoo, err := url.Parse("my.foo.com")
-	require.NoError(t, err)
-	urlBar, err := url.Parse("my.bar.com")
-	require.NoError(t, err)
+func TestPassTLSClientCert_certInfo(t *testing.T) {
+	minimalCheeseCertAllInfo := strings.Join([]string{
+		`Subject="C=FR,ST=Some-State,O=Cheese"`,
+		`Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2"`,
+		`NB="1544094636"`,
+		`NA="1632568236"`,
+	}, fieldSeparator)
 
-	testCases := []struct {
-		desc     string
-		cert     *x509.Certificate // set the request TLS attribute if defined
-		expected []string
-	}{
-		{
-			desc: "With nil",
-		},
-		{
-			desc: "Certificate without Sans",
-			cert: &x509.Certificate{},
-		},
-		{
-			desc: "Certificate with all Sans",
-			cert: &x509.Certificate{
-				DNSNames:       []string{"foo", "bar"},
-				EmailAddresses: []string{"test@test.com", "test2@test.com"},
-				IPAddresses:    []net.IP{net.IPv4(10, 0, 0, 1), net.IPv4(10, 0, 0, 2)},
-				URIs:           []*url.URL{urlFoo, urlBar},
-			},
-			expected: []string{"foo", "bar", "test@test.com", "test2@test.com", "10.0.0.1", "10.0.0.2", urlFoo.String(), urlBar.String()},
-		},
-	}
-
-	for _, test := range testCases {
-		sans := getSANs(test.cert)
-
-		test := test
-		t.Run(test.desc, func(t *testing.T) {
-			t.Parallel()
-
-			if len(test.expected) > 0 {
-				for i, expected := range test.expected {
-					require.Equal(t, expected, sans[i])
-				}
-			} else {
-				require.Empty(t, sans)
-			}
-		})
-	}
-}
-
-func TestTLSClientHeadersWithCertInfo(t *testing.T) {
-	minimalCheeseCertAllInfo := `Subject="C=FR,ST=Some-State,O=Cheese",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094636,NA=1632568236,SAN=`
-	completeCertAllInfo := `Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2`
+	completeCertAllInfo := strings.Join([]string{
+		`Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com"`,
+		`Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2"`,
+		`NB="1544094616"`,
+		`NA="1607166616"`,
+		`SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"`,
+	}, fieldSeparator)
 
 	testCases := []struct {
 		desc           string
@@ -547,7 +422,7 @@ func TestTLSClientHeadersWithCertInfo(t *testing.T) {
 					},
 				},
 			},
-			expectedHeader: url.QueryEscape(minimalCheeseCertAllInfo),
+			expectedHeader: minimalCheeseCertAllInfo,
 		},
 		{
 			desc:         "TLS with simple certificate, with some info",
@@ -564,7 +439,7 @@ func TestTLSClientHeadersWithCertInfo(t *testing.T) {
 					},
 				},
 			},
-			expectedHeader: url.QueryEscape(`Subject="O=Cheese",Issuer="C=FR,C=US",NA=1632568236,SAN=`),
+			expectedHeader: `Subject="O=Cheese";Issuer="C=FR,C=US";NA="1632568236"`,
 		},
 		{
 			desc:         "TLS with complete certificate, with all info",
@@ -594,7 +469,7 @@ func TestTLSClientHeadersWithCertInfo(t *testing.T) {
 					},
 				},
 			},
-			expectedHeader: url.QueryEscape(completeCertAllInfo),
+			expectedHeader: completeCertAllInfo,
 		},
 		{
 			desc:         "TLS with 2 certificates, with all info",
@@ -624,7 +499,7 @@ func TestTLSClientHeadersWithCertInfo(t *testing.T) {
 					},
 				},
 			},
-			expectedHeader: url.QueryEscape(strings.Join([]string{minimalCheeseCertAllInfo, completeCertAllInfo}, ";")),
+			expectedHeader: strings.Join([]string{minimalCheeseCertAllInfo, completeCertAllInfo}, certSeparator),
 		},
 	}
 
@@ -645,15 +520,157 @@ func TestTLSClientHeadersWithCertInfo(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 
-			require.Equal(t, http.StatusOK, res.Code, "Http Status should be OK")
-			require.Equal(t, "bar", res.Body.String(), "Should be the expected body")
+			assert.Equal(t, http.StatusOK, res.Code, "Http Status should be OK")
+			assert.Equal(t, "bar", res.Body.String(), "Should be the expected body")
 
 			if test.expectedHeader != "" {
-				require.Equal(t, test.expectedHeader, req.Header.Get(xForwardedTLSClientCertInfo), "The request header should contain the cleaned certificate")
+				unescape, err := url.QueryUnescape(req.Header.Get(xForwardedTLSClientCertInfo))
+				require.NoError(t, err)
+				assert.Equal(t, test.expectedHeader, unescape, "The request header should contain the cleaned certificate")
 			} else {
-				require.Empty(t, req.Header.Get(xForwardedTLSClientCertInfo))
+				assert.Empty(t, req.Header.Get(xForwardedTLSClientCertInfo))
 			}
-			require.Empty(t, res.Header().Get(xForwardedTLSClientCertInfo), "The response header should be always empty")
+
+			assert.Empty(t, res.Header().Get(xForwardedTLSClientCertInfo), "The response header should be always empty")
 		})
 	}
 }
+
+func Test_sanitize(t *testing.T) {
+	testCases := []struct {
+		desc       string
+		toSanitize []byte
+		expected   string
+	}{
+		{
+			desc: "Empty",
+		},
+		{
+			desc:       "With a minimal cert",
+			toSanitize: []byte(minimalCheeseCrt),
+			expected: `MIIEQDCCAygCFFRY0OBk/L5Se0IZRj3CMljawL2UMA0GCSqGSIb3DQEBCwUAMIIB
+hDETMBEGCgmSJomT8ixkARkWA29yZzEWMBQGCgmSJomT8ixkARkWBmNoZWVzZTEP
+MA0GA1UECgwGQ2hlZXNlMREwDwYDVQQKDAhDaGVlc2UgMjEfMB0GA1UECwwWU2lt
+cGxlIFNpZ25pbmcgU2VjdGlvbjEhMB8GA1UECwwYU2ltcGxlIFNpZ25pbmcgU2Vj
+dGlvbiAyMRowGAYDVQQDDBFTaW1wbGUgU2lnbmluZyBDQTEcMBoGA1UEAwwTU2lt
+cGxlIFNpZ25pbmcgQ0EgMjELMAkGA1UEBhMCRlIxCzAJBgNVBAYTAlVTMREwDwYD
+VQQHDAhUT1VMT1VTRTENMAsGA1UEBwwETFlPTjEWMBQGA1UECAwNU2lnbmluZyBT
+dGF0ZTEYMBYGA1UECAwPU2lnbmluZyBTdGF0ZSAyMSEwHwYJKoZIhvcNAQkBFhJz
+aW1wbGVAc2lnbmluZy5jb20xIjAgBgkqhkiG9w0BCQEWE3NpbXBsZTJAc2lnbmlu
+Zy5jb20wHhcNMTgxMjA2MTExMDM2WhcNMjEwOTI1MTExMDM2WjAzMQswCQYDVQQG
+EwJGUjETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UECgwGQ2hlZXNlMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAskX/bUtwFo1gF2BTPNaNcTUMaRFu
+FMZozK8IgLjccZ4kZ0R9oFO6Yp8Zl/IvPaf7tE26PI7XP7eHriUdhnQzX7iioDd0
+RZa68waIhAGc+xPzRFrP3b3yj3S2a9Rve3c0K+SCV+EtKAwsxMqQDhoo9PcBfo5B
+RHfht07uD5MncUcGirwN+/pxHV5xzAGPcc7On0/5L7bq/G+63nhu78zw9XyuLaHC
+PM5VbOUvpyIESJHbMMzTdFGL8ob9VKO+Kr1kVGdEA9i8FLGl3xz/GBKuW/JD0xyW
+DrU29mri5vYWHmkuv7ZWHGXnpXjTtPHwveE9/0/ArnmpMyR9JtqFr1oEvQIDAQAB
+MA0GCSqGSIb3DQEBCwUAA4IBAQBHta+NWXI08UHeOkGzOTGRiWXsOH2dqdX6gTe9
+xF1AIjyoQ0gvpoGVvlnChSzmlUj+vnx/nOYGIt1poE3hZA3ZHZD/awsvGyp3GwWD
+IfXrEViSCIyF+8tNNKYyUcEO3xdAsAUGgfUwwF/mZ6MBV5+A/ZEEILlTq8zFt9dV
+vdKzIt7fZYxYBBHFSarl1x8pDgWXlf3hAufevGJXip9xGYmznF0T5cq1RbWJ4be3
+/9K7yuWhuBYC3sbTbCneHBa91M82za+PIISc1ygCYtWSBoZKSAqLk0rkZpHaekDP
+WqeUSNGYV//RunTeuRDAf5OxehERb1srzBXhRZ3cZdzXbgR/`,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			content := sanitize(test.toSanitize)
+
+			expected := url.QueryEscape(strings.Replace(test.expected, "\n", "", -1))
+			assert.Equal(t, expected, content, "The sanitized certificates should be equal")
+		})
+	}
+}
+
+func Test_getSANs(t *testing.T) {
+	urlFoo := testhelpers.MustParseURL("my.foo.com")
+	urlBar := testhelpers.MustParseURL("my.bar.com")
+
+	testCases := []struct {
+		desc     string
+		cert     *x509.Certificate // set the request TLS attribute if defined
+		expected []string
+	}{
+		{
+			desc: "With nil",
+		},
+		{
+			desc: "Certificate without Sans",
+			cert: &x509.Certificate{},
+		},
+		{
+			desc: "Certificate with all Sans",
+			cert: &x509.Certificate{
+				DNSNames:       []string{"foo", "bar"},
+				EmailAddresses: []string{"test@test.com", "test2@test.com"},
+				IPAddresses:    []net.IP{net.IPv4(10, 0, 0, 1), net.IPv4(10, 0, 0, 2)},
+				URIs:           []*url.URL{urlFoo, urlBar},
+			},
+			expected: []string{"foo", "bar", "test@test.com", "test2@test.com", "10.0.0.1", "10.0.0.2", urlFoo.String(), urlBar.String()},
+		},
+	}
+
+	for _, test := range testCases {
+		sans := getSANs(test.cert)
+
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			if len(test.expected) > 0 {
+				for i, expected := range test.expected {
+					assert.Equal(t, expected, sans[i])
+				}
+			} else {
+				assert.Empty(t, sans)
+			}
+		})
+	}
+}
+
+func getCleanCertContents(certContents []string) string {
+	exp := regexp.MustCompile("-----BEGIN CERTIFICATE-----(?s)(.*)")
+
+	var cleanedCertContent []string
+	for _, certContent := range certContents {
+		cert := sanitize([]byte(exp.FindString(certContent)))
+		cleanedCertContent = append(cleanedCertContent, cert)
+	}
+
+	return strings.Join(cleanedCertContent, certSeparator)
+}
+
+func buildTLSWith(certContents []string) *tls.ConnectionState {
+	var peerCertificates []*x509.Certificate
+
+	for _, certContent := range certContents {
+		peerCertificates = append(peerCertificates, getCertificate(certContent))
+	}
+
+	return &tls.ConnectionState{PeerCertificates: peerCertificates}
+}
+
+func getCertificate(certContent string) *x509.Certificate {
+	roots := x509.NewCertPool()
+	ok := roots.AppendCertsFromPEM([]byte(signingCA))
+	if !ok {
+		panic("failed to parse root certificate")
+	}
+
+	block, _ := pem.Decode([]byte(certContent))
+	if block == nil {
+		panic("failed to parse certificate PEM")
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		panic("failed to parse certificate: " + err.Error())
+	}
+
+	return cert
+}

pkg/provider/consulcatalog/consul_catalog.go

@@ -54,7 +54,7 @@ type Provider struct {
 type EndpointConfig struct {
 	Address          string                  `description:"The address of the Consul server" json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty" export:"true"`
 	Scheme           string                  `description:"The URI scheme for the Consul server" json:"scheme,omitempty" toml:"scheme,omitempty" yaml:"scheme,omitempty" export:"true"`
-	DataCenter       string                  `description:"Data center to use. If not provided, the default agent data center is used" json:"data center,omitempty" toml:"data center,omitempty" yaml:"datacenter,omitempty" export:"true"`
+	DataCenter       string                  `description:"Data center to use. If not provided, the default agent data center is used" json:"datacenter,omitempty" toml:"datacenter,omitempty" yaml:"datacenter,omitempty" export:"true"`
 	Token            string                  `description:"Token is used to provide a per-request ACL token which overrides the agent's default token" json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty" export:"true"`
 	TLS              *types.ClientTLS        `description:"Enable TLS support." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
 	HTTPAuth         *EndpointHTTPAuthConfig `description:"Auth info to use for http access" json:"httpAuth,omitempty" toml:"httpAuth,omitempty" yaml:"httpAuth,omitempty" export:"true"`
@@ -152,12 +152,12 @@ func (p *Provider) getConsulServicesData(ctx context.Context) ([]itemData, error
 
 	var data []itemData
 	for name := range consulServiceNames {
-		consulServices, err := p.fetchService(ctx, name)
+		consulServices, healthServices, err := p.fetchService(ctx, name)
 		if err != nil {
 			return nil, err
 		}
 
-		for _, consulService := range consulServices {
+		for i, consulService := range consulServices {
 			address := consulService.ServiceAddress
 			if address == "" {
 				address = consulService.Address
@@ -171,7 +171,7 @@ func (p *Provider) getConsulServicesData(ctx context.Context) ([]itemData, error
 				Port:    strconv.Itoa(consulService.ServicePort),
 				Labels:  tagsToNeutralLabels(consulService.ServiceTags, p.Prefix),
 				Tags:    consulService.ServiceTags,
-				Status:  consulService.Checks.AggregatedStatus(),
+				Status:  healthServices[i].Checks.AggregatedStatus(),
 			}
 
 			extraConf, err := p.getConfiguration(item)
@@ -187,15 +187,21 @@ func (p *Provider) getConsulServicesData(ctx context.Context) ([]itemData, error
 	return data, nil
 }
 
-func (p *Provider) fetchService(ctx context.Context, name string) ([]*api.CatalogService, error) {
+func (p *Provider) fetchService(ctx context.Context, name string) ([]*api.CatalogService, []*api.ServiceEntry, error) {
 	var tagFilter string
 	if !p.ExposedByDefault {
 		tagFilter = p.Prefix + ".enable=true"
 	}
 
 	opts := &api.QueryOptions{AllowStale: p.Stale, RequireConsistent: p.RequireConsistent, UseCache: p.Cache}
+
 	consulServices, _, err := p.client.Catalog().Service(name, tagFilter, opts)
-	return consulServices, err
+	if err != nil {
+		return nil, nil, err
+	}
+
+	healthServices, _, err := p.client.Health().Service(name, tagFilter, false, opts)
+	return consulServices, healthServices, err
 }
 
 func (p *Provider) fetchServices(ctx context.Context) (map[string][]string, error) {

pkg/provider/docker/config.go

@@ -89,7 +89,7 @@ func (p *Provider) buildTCPServiceConfiguration(ctx context.Context, container d
 		ctxSvc := log.With(ctx, log.Str(log.ServiceName, name))
 		err := p.addServerTCP(ctxSvc, container, service.LoadBalancer)
 		if err != nil {
-			return err
+			return fmt.Errorf("service %q error: %w", name, err)
 		}
 	}
 
@@ -112,7 +112,7 @@ func (p *Provider) buildServiceConfiguration(ctx context.Context, container dock
 		ctxSvc := log.With(ctx, log.Str(log.ServiceName, name))
 		err := p.addServer(ctxSvc, container, service.LoadBalancer)
 		if err != nil {
-			return err
+			return fmt.Errorf("service %q error: %w", name, err)
 		}
 	}
 
@@ -146,10 +146,16 @@ func (p *Provider) keepContainer(ctx context.Context, container dockerData) bool
 }
 
 func (p *Provider) addServerTCP(ctx context.Context, container dockerData, loadBalancer *dynamic.TCPServersLoadBalancer) error {
-	serverPort := ""
-	if loadBalancer != nil && len(loadBalancer.Servers) > 0 {
-		serverPort = loadBalancer.Servers[0].Port
+	if loadBalancer == nil {
+		return errors.New("load-balancer is not defined")
 	}
+
+	var serverPort string
+	if len(loadBalancer.Servers) > 0 {
+		serverPort = loadBalancer.Servers[0].Port
+		loadBalancer.Servers[0].Port = ""
+	}
+
 	ip, port, err := p.getIPPort(ctx, container, serverPort)
 	if err != nil {
 		return err
@@ -161,11 +167,6 @@ func (p *Provider) addServerTCP(ctx context.Context, container dockerData, loadB
 		loadBalancer.Servers = []dynamic.TCPServer{server}
 	}
 
-	if serverPort != "" {
-		port = serverPort
-		loadBalancer.Servers[0].Port = ""
-	}
-
 	if port == "" {
 		return errors.New("port is missing")
 	}
@@ -175,7 +176,16 @@ func (p *Provider) addServerTCP(ctx context.Context, container dockerData, loadB
 }
 
 func (p *Provider) addServer(ctx context.Context, container dockerData, loadBalancer *dynamic.ServersLoadBalancer) error {
-	serverPort := getLBServerPort(loadBalancer)
+	if loadBalancer == nil {
+		return errors.New("load-balancer is not defined")
+	}
+
+	var serverPort string
+	if len(loadBalancer.Servers) > 0 {
+		serverPort = loadBalancer.Servers[0].Port
+		loadBalancer.Servers[0].Port = ""
+	}
+
 	ip, port, err := p.getIPPort(ctx, container, serverPort)
 	if err != nil {
 		return err
@@ -188,11 +198,6 @@ func (p *Provider) addServer(ctx context.Context, container dockerData, loadBala
 		loadBalancer.Servers = []dynamic.Server{server}
 	}
 
-	if serverPort != "" {
-		port = serverPort
-		loadBalancer.Servers[0].Port = ""
-	}
-
 	if port == "" {
 		return errors.New("port is missing")
 	}
@@ -294,13 +299,6 @@ func (p *Provider) getPortBinding(container dockerData, serverPort string) (*nat
 	return nil, fmt.Errorf("unable to find the external IP:Port for the container %q", container.Name)
 }
 
-func getLBServerPort(loadBalancer *dynamic.ServersLoadBalancer) string {
-	if loadBalancer != nil && len(loadBalancer.Servers) > 0 {
-		return loadBalancer.Servers[0].Port
-	}
-	return ""
-}
-
 func getPort(container dockerData, serverPort string) string {
 	if len(serverPort) > 0 {
 		return serverPort

pkg/provider/docker/config_test.go

@@ -339,11 +339,80 @@ func TestDefaultRule(t *testing.T) {
 
 func Test_buildConfiguration(t *testing.T) {
 	testCases := []struct {
-		desc        string
-		containers  []dockerData
-		constraints string
-		expected    *dynamic.Configuration
+		desc          string
+		containers    []dockerData
+		useBindPortIP bool
+		constraints   string
+		expected      *dynamic.Configuration
 	}{
+		{
+			desc: "invalid HTTP service definition",
+			containers: []dockerData{
+				{
+					ServiceName: "Test",
+					Name:        "Test",
+					Labels: map[string]string{
+						"traefik.http.services.test": "",
+					},
+					NetworkSettings: networkSettings{
+						Ports: nat.PortMap{
+							nat.Port("80/tcp"): []nat.PortBinding{},
+						},
+						Networks: map[string]*networkData{
+							"bridge": {
+								Name: "bridge",
+								Addr: "127.0.0.1",
+							},
+						},
+					},
+				},
+			},
+			expected: &dynamic.Configuration{
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers:     map[string]*dynamic.Router{},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services:    map[string]*dynamic.Service{},
+				},
+			},
+		},
+		{
+			desc: "invalid TCP service definition",
+			containers: []dockerData{
+				{
+					ServiceName: "Test",
+					Name:        "Test",
+					Labels: map[string]string{
+						"traefik.tcp.services.test": "",
+					},
+					NetworkSettings: networkSettings{
+						Ports: nat.PortMap{
+							nat.Port("80/tcp"): []nat.PortBinding{},
+						},
+						Networks: map[string]*networkData{
+							"bridge": {
+								Name: "bridge",
+								Addr: "127.0.0.1",
+							},
+						},
+					},
+				},
+			},
+			expected: &dynamic.Configuration{
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers:     map[string]*dynamic.Router{},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services:    map[string]*dynamic.Service{},
+				},
+			},
+		},
 		{
 			desc: "one container no label",
 			containers: []dockerData{
@@ -2447,6 +2516,64 @@ func Test_buildConfiguration(t *testing.T) {
 				},
 			},
 		},
+		{
+			desc: "useBindPortIP with LblPort |	ExtIp:ExtPort:LblPort => ExtIp:ExtPort",
+			containers: []dockerData{
+				{
+					ServiceName: "Test",
+					Name:        "Test",
+					Labels: map[string]string{
+						"traefik.http.services.Test.loadbalancer.server.port": "80",
+					},
+					NetworkSettings: networkSettings{
+						Ports: nat.PortMap{
+							nat.Port("79/tcp"): []nat.PortBinding{{
+								HostIP:   "192.168.0.1",
+								HostPort: "8080",
+							}},
+							nat.Port("80/tcp"): []nat.PortBinding{{
+								HostIP:   "192.168.0.1",
+								HostPort: "8081",
+							}},
+						},
+						Networks: map[string]*networkData{
+							"bridge": {
+								Name: "bridge",
+								Addr: "127.0.0.1",
+							},
+						},
+					},
+				},
+			},
+			useBindPortIP: true,
+			expected: &dynamic.Configuration{
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers: map[string]*dynamic.Router{
+						"Test": {
+							Service: "Test",
+							Rule:    "Host(`Test.traefik.wtf`)",
+						},
+					},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services: map[string]*dynamic.Service{
+						"Test": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://192.168.0.1:8081",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for _, test := range testCases {
@@ -2458,6 +2585,7 @@ func Test_buildConfiguration(t *testing.T) {
 			p := Provider{
 				ExposedByDefault: true,
 				DefaultRule:      "Host(`{{ normalize .Name }}.traefik.wtf`)",
+				UseBindPortIP:    test.useBindPortIP,
 			}
 			p.Constraints = test.constraints
 

pkg/provider/kubernetes/crd/generated/clientset/versioned/clientset.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/doc.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/fake/clientset_generated.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/fake/doc.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/fake/register.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme/doc.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme/register.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/doc.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/doc.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_ingressroute.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_ingressroutetcp.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_middleware.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_tlsoption.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_traefik_client.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_traefikservice.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/generated_expansion.go

@@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)
 
-Copyright (c) 2016-2019 Containous SAS
+Copyright (c) 2016-2020 Containous SAS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal