Prepare release v2.6.2

Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>

.github/workflows/build.yaml

@@ -8,7 +8,7 @@ on:
 env:
   GO_VERSION: 1.17
   CGO_ENABLED: 0
-  PRE_TARGET: ""
+  IN_DOCKER: ""
 
 jobs:
 
@@ -23,7 +23,7 @@ jobs:
 
       - name: Build webui
         run: |
-          make generate-webui
+          make clean-webui generate-webui
           tar czvf webui.tar.gz ./webui/static/
 
       - name: Artifact webui

.github/workflows/documentation.yml

@@ -44,7 +44,7 @@ jobs:
           STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}
 
       - name: Apply seo
-        run: $HOME/bin/seo -path=./site
+        run: $HOME/bin/seo -path=./site -product=traefik
 
       - name: Publish documentation
         run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik

.github/workflows/test-unit.yaml

@@ -7,7 +7,7 @@ on:
 
 env:
   GO_VERSION: 1.17
-  PRE_TARGET: ""
+  IN_DOCKER: ""
 
 jobs:
 
@@ -40,7 +40,7 @@ jobs:
           restore-keys: ${{ runner.os }}-test-unit-go-
 
       - name: Avoid generating webui
-        run: mkdir -p webui/static && touch webui/static/index.html
+        run: touch webui/static/index.html
 
       - name: Tests
         run: make test-unit

.github/workflows/validate.yaml

@@ -7,9 +7,9 @@ on:
 
 env:
   GO_VERSION: 1.17
-  GOLANGCI_LINT_VERSION: v1.43.0
+  GOLANGCI_LINT_VERSION: v1.45.0
   MISSSPELL_VERSION: v0.3.4
-  PRE_TARGET: ""
+  IN_DOCKER: ""
 
 jobs:
 
@@ -48,7 +48,7 @@ jobs:
         run: curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
 
       - name: Avoid generating webui
-        run: mkdir -p webui/static && touch webui/static/index.html
+        run: touch webui/static/index.html
 
       - name: Validate
         run: make validate

.gitignore

@@ -5,7 +5,6 @@
 .DS_Store
 /dist
 /webui/.tmp/
-/webui/static/
 /site/
 /docs/site/
 /autogen/

.golangci.toml

@@ -50,6 +50,58 @@
     kubeerror = "k8s.io/apimachinery/pkg/api/errors"
     composeapi = "github.com/docker/compose/v2/pkg/api"
 
+  [linters-settings.revive]
+    [[linters-settings.revive.rules]]
+      name = "struct-tag"
+    [[linters-settings.rules]]
+      name = "blank-imports"
+    [[linters-settings.rules]]
+      name = "context-as-argument"
+    [[linters-settings.rules]]
+      name = "context-keys-type"
+    [[linters-settings.rules]]
+      name = "dot-imports"
+    [[linters-settings.rules]]
+      name = "error-return"
+    [[linters-settings.rules]]
+      name = "error-strings"
+    [[linters-settings.rules]]
+      name = "error-naming"
+    [[linters-settings.rules]]
+      name = "exported"
+    [[linters-settings.rules]]
+      name = "if-return"
+    [[linters-settings.rules]]
+      name = "increment-decrement"
+    [[linters-settings.rules]]
+      name = "var-naming"
+    [[linters-settings.rules]]
+      name = "var-declaration"
+    [[linters-settings.rules]]
+      name = "package-comments"
+    [[linters-settings.rules]]
+      name = "range"
+    [[linters-settings.rules]]
+      name = "receiver-naming"
+    [[linters-settings.rules]]
+      name = "time-naming"
+    [[linters-settings.rules]]
+      name = "unexported-return"
+    [[linters-settings.rules]]
+      name = "indent-error-flow"
+    [[linters-settings.rules]]
+      name = "errorf"
+    [[linters-settings.rules]]
+      name = "empty-block"
+    [[linters-settings.rules]]
+      name = "superfluous-else"
+    [[linters-settings.rules]]
+      name = "unused-parameter"
+    [[linters-settings.rules]]
+      name = "unreachable-code"
+    [[linters-settings.rules]]
+      name = "redefines-builtin-id"
+
   [linters-settings.gomoddirectives]
     replace-allow-list = [
       "github.com/abbot/go-http-auth",
@@ -102,6 +154,8 @@
     "nilnil", # not relevant
     "ireturn", # not relevant
     "contextcheck", # too many false-positive
+    "containedctx", # too many false-positive
+    "maintidx", # kind of duplicate of gocyclo
   ]
 
 [issues]
@@ -157,3 +211,6 @@
  [[issues.exclude-rules]]
     path = "pkg/log/deprecated.go"
     linters = ["godot"]
+ [[issues.exclude-rules]]
+    path = "(.+)\\.go"
+    text = "struct-tag: unknown option 'inline' in JSON tag"

.goreleaser.yml

@@ -25,6 +25,7 @@ builds:
       - arm
       - arm64
       - ppc64le
+      - s390x
     goarm:
       - 7
       - 6

.semaphore/semaphore.yml

@@ -25,7 +25,7 @@ global_job_config:
       - export "PATH=${GOPATH}/bin:${PATH}"
       - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
       - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.43.0
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.45.0
       - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
       - checkout
       - cache restore traefik-$(checksum go.sum)
@@ -40,8 +40,8 @@ blocks:
         - name: Test Integration
           commands:
             - make pull-images
-            - mkdir -p webui/static && touch webui/static/index.html # Avoid generating webui
-            - PRE_TARGET="" make binary
+            - touch webui/static/index.html # Avoid generating webui
+            - IN_DOCKER="" make binary
             - make test-integration
             - df -h
       epilogue:
@@ -65,7 +65,7 @@ blocks:
           value: 1.12.1
         - name: CODENAME
           value: "rocamadour"
-        - name: PRE_TARGET
+        - name: IN_DOCKER
           value: ""
       prologue:
         commands:

CHANGELOG.md

@@ -1,3 +1,42 @@
+## [v2.6.2](https://github.com/traefik/traefik/tree/v2.6.2) (2022-03-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.1...v2.6.2)
+
+**Bug fixes:**
+- **[file]** Bump paerser to v0.1.5 ([#8850](https://github.com/traefik/traefik/pull/8850) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Fix certificates resolver typo ([#8859](https://github.com/traefik/traefik/pull/8859) by [NReilingh](https://github.com/NReilingh))
+- **[docker]** doc: fix, docker uses Label(), not Tag() ([#8823](https://github.com/traefik/traefik/pull/8823) by [mpl](https://github.com/mpl))
+- **[http3]** Fix CLI syntax in HTTP/3 documentation ([#8864](https://github.com/traefik/traefik/pull/8864) by [nstankov-bg](https://github.com/nstankov-bg))
+- **[kv]** Fix small typo in Redis provider documentation ([#8858](https://github.com/traefik/traefik/pull/8858) by [lczw](https://github.com/lczw))
+- **[marathon]** Fix brand typo ([#8788](https://github.com/traefik/traefik/pull/8788) by [0xflotus](https://github.com/0xflotus))
+- **[middleware]** Fix fenced code block typo in Buffering middleware page ([#8855](https://github.com/traefik/traefik/pull/8855) by [Wingysam](https://github.com/Wingysam))
+- **[rules]** Adjust rule length in routers documentation ([#8819](https://github.com/traefik/traefik/pull/8819) by [rtribotte](https://github.com/rtribotte))
+- **[rules]** Fix HostRegexp examples ([#8817](https://github.com/traefik/traefik/pull/8817) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls,k8s/crd,k8s]** Add default certificate definition example for Kubernetes ([#8863](https://github.com/traefik/traefik/pull/8863) by [jwausle](https://github.com/jwausle))
+- **[tls,k8s]** Clarify TLS Option documentation ([#8756](https://github.com/traefik/traefik/pull/8756) by [mloiseleur](https://github.com/mloiseleur))
+- Clarify concepts documentation page ([#8836](https://github.com/traefik/traefik/pull/8836) by [NReilingh](https://github.com/NReilingh))
+- Spelling ([#8791](https://github.com/traefik/traefik/pull/8791) by [jsoref](https://github.com/jsoref))
+- Fix routing overview examples ([#8840](https://github.com/traefik/traefik/pull/8840) by [NReilingh](https://github.com/NReilingh))
+- Add a deprecation notices section ([#8829](https://github.com/traefik/traefik/pull/8829) by [ddtmachado](https://github.com/ddtmachado))
+
+## [v2.6.1](https://github.com/traefik/traefik/tree/v2.6.1) (2022-02-14)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.0...v2.6.1)
+
+**Bug fixes:**
+- **[acme]** Add domain to HTTP challenge errors ([#8740](https://github.com/traefik/traefik/pull/8740) by [ldez](https://github.com/ldez))
+- **[metrics]** Fix metrics bucket key high cardinality ([#8761](https://github.com/traefik/traefik/pull/8761) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware,tls]** Use CNAME for SNI check on host header ([#8773](https://github.com/traefik/traefik/pull/8773) by [ldez](https://github.com/ldez))
+- **[middleware,tracing]** Rename Datadog span tags ([#8323](https://github.com/traefik/traefik/pull/8323) by [luckielordie](https://github.com/luckielordie))
+- **[tls]** Apply the same approach as the rules system on the TLS configuration choice ([#8764](https://github.com/traefik/traefik/pull/8764) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Add Hurricane Electric to acme documentation ([#8746](https://github.com/traefik/traefik/pull/8746) by [vladshub](https://github.com/vladshub))
+- **[acme]** Clarify that ACME challenge is mandatory ([#8739](https://github.com/traefik/traefik/pull/8739) by [mpl](https://github.com/mpl))
+- **[http3]** Explain a bit more around enabling HTTP3 ([#8731](https://github.com/traefik/traefik/pull/8731) by [SantoDE](https://github.com/SantoDE))
+- **[metrics]** Fix mixups in metrics documentation ([#8752](https://github.com/traefik/traefik/pull/8752) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware,k8s/crd]** Fix Kubernetes TCP examples ([#8759](https://github.com/traefik/traefik/pull/8759) by [sylr](https://github.com/sylr))
+
 ## [v2.6.0](https://github.com/traefik/traefik/tree/v2.6.0) (2022-01-24)
 [All Commits](https://github.com/traefik/traefik/compare/v2.5.0-rc1...v2.6.0)
 
@@ -1766,7 +1805,7 @@ Same changelog as v2.0.3.
 - fix: remove extra backtick from routers docs ([#5572](https://github.com/traefik/traefik/pull/5572) by [serpi90](https://github.com/serpi90))
 - document providersThrottleDuration ([#5519](https://github.com/traefik/traefik/pull/5519) by [mpl](https://github.com/mpl))
 - Add a response forwarding section to the service documentation  ([#5517](https://github.com/traefik/traefik/pull/5517) by [jbdoumenjou](https://github.com/jbdoumenjou))
-- Change instances of "dymanic" to "dynamic" ([#5504](https://github.com/traefik/traefik/pull/5504) by [dat-gitto-kid](https://github.com/dat-gitto-kid))
+- Change instances of "dynamic" to "dynamic" ([#5504](https://github.com/traefik/traefik/pull/5504) by [dat-gitto-kid](https://github.com/dat-gitto-kid))
 - Add the pass host header section to the services documentation ([#5500](https://github.com/traefik/traefik/pull/5500) by [jbdoumenjou](https://github.com/jbdoumenjou))
 - fix misspelling on documentation landing page ([#5613](https://github.com/traefik/traefik/pull/5613) by [cthompson527](https://github.com/cthompson527))
 
@@ -2758,7 +2797,7 @@ Same changelog as v2.0.3.
 - **[healthcheck]** Query params in health check ([#4188](https://github.com/traefik/traefik/pull/4188) by [mmatur](https://github.com/mmatur))
 - **[metrics]** Upgraded DD APM library ([#4189](https://github.com/traefik/traefik/pull/4189) by [aantono](https://github.com/aantono))
 - **[middleware]** Fix ssl force host secure middleware ([#4138](https://github.com/traefik/traefik/pull/4138) by [mmatur](https://github.com/mmatur))
-- **[oxy]** Fix unannonced trailers problem when body is empty ([#4258](https://github.com/traefik/traefik/pull/4258) by [juliens](https://github.com/juliens))
+- **[oxy]** Fix unannounced trailers problem when body is empty ([#4258](https://github.com/traefik/traefik/pull/4258) by [juliens](https://github.com/juliens))
 - **[provider,server]** Log configuration errors from providers and keeps listening ([#4230](https://github.com/traefik/traefik/pull/4230) by [geraldcroes](https://github.com/geraldcroes))
 - **[tls]** Implement Case-insensitive SNI matching ([#4132](https://github.com/traefik/traefik/pull/4132) by [dtomcej](https://github.com/dtomcej))
 - Use ParseInt instead of Atoi for parsing durations ([#4263](https://github.com/traefik/traefik/pull/4263) by [mmatur](https://github.com/mmatur))
@@ -3902,7 +3941,7 @@ Same changelog as v2.0.3.
 - **[etcd]** Fix typo in examples ([#2446](https://github.com/traefik/traefik/pull/2446) by [dahefanteng](https://github.com/dahefanteng))
 - **[k8s]** Add note to Kubernetes RBAC docs about RoleBindings and namespaces ([#2498](https://github.com/traefik/traefik/pull/2498) by [jmara](https://github.com/jmara))
 - **[k8s]** k8s guide: Leave note about assumed DaemonSet usage. ([#2634](https://github.com/traefik/traefik/pull/2634) by [timoreimann](https://github.com/timoreimann))
-- **[k8s]** Apply various contentual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Apply various contextual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
 - **[k8s]** Document rewrite-target annotation. ([#2676](https://github.com/traefik/traefik/pull/2676) by [timoreimann](https://github.com/timoreimann))
 - **[k8s]** Remove obsolete links in k8s docs ([#2465](https://github.com/traefik/traefik/pull/2465) by [marco-jantke](https://github.com/marco-jantke))
 - **[k8s]** Document filename parameter for Kubernetes. ([#2464](https://github.com/traefik/traefik/pull/2464) by [timoreimann](https://github.com/timoreimann))
@@ -3969,7 +4008,7 @@ Same changelog as v2.0.3.
 
 **Documentation:**
 - **[cluster]** Add a clustering example with Docker Swarm ([#2589](https://github.com/traefik/traefik/pull/2589) by [jmaitrehenry](https://github.com/jmaitrehenry))
-- **[k8s]** Apply various contentual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Apply various contextual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
 - **[k8s]** Document rewrite-target annotation. ([#2676](https://github.com/traefik/traefik/pull/2676) by [timoreimann](https://github.com/timoreimann))
 - **[provider,webui]** Fix redirect problem on dashboard + docs/tests on [web] ([#2686](https://github.com/traefik/traefik/pull/2686) by [Juliens](https://github.com/Juliens))
 
@@ -4679,7 +4718,7 @@ Same changelog as v2.0.3.
 [All Commits](https://github.com/traefik/traefik/compare/v1.3.7...v1.3.8)
 
 **Bug fixes:**
-- **[middleware]** Compress and Webscocket ([#2079](https://github.com/traefik/traefik/pull/2079) by [ldez](https://github.com/ldez))
+- **[middleware]** Compress and Websocket ([#2079](https://github.com/traefik/traefik/pull/2079) by [ldez](https://github.com/ldez))
 
 ## [v1.3.7](https://github.com/traefik/traefik/tree/v1.3.7) (2017-08-25)
 [All Commits](https://github.com/traefik/traefik/compare/v1.3.6...v1.3.7)
@@ -4862,7 +4901,7 @@ Same changelog as v2.0.3.
 
 **Documentation:**
 - [#1578](https://github.com/traefik/traefik/issues/1578) Add Marathon guide. ([Stibbons](https://github.com/Stibbons))
-- [#1602](https://github.com/traefik/traefik/issues/1602) Re Orginise k8s docs to make 1.6 usage easier ([errm](https://github.com/errm))
+- [#1602](https://github.com/traefik/traefik/issues/1602) Re Organise k8s docs to make 1.6 usage easier ([errm](https://github.com/errm))
 - [#1642](https://github.com/traefik/traefik/issues/1642) Update changelog ([ldez](https://github.com/ldez))
 
 ## [v1.3.0-rc2](https://github.com/traefik/traefik/tree/v1.3.0-rc2) (2017-05-16)
@@ -5015,7 +5054,7 @@ Same changelog as v2.0.3.
 - Bump go-rancher version [\#1219](https://github.com/traefik/traefik/pull/1219) ([SantoDE](https://github.com/SantoDE))
 - Chunk taskArns into groups of 100 [\#1209](https://github.com/traefik/traefik/pull/1209) ([owen](https://github.com/owen))
 - Prepare release v1.2.0 rc2 [\#1204](https://github.com/traefik/traefik/pull/1204) ([emilevauge](https://github.com/emilevauge))
-- Revert "Ensure that we don't add balancees with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
+- Revert "Ensure that we don't add balances with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
 - Small fixes and improvements [\#1173](https://github.com/traefik/traefik/pull/1173) ([SantoDE](https://github.com/SantoDE))
 - Fix docker issues with global and dead tasks [\#1167](https://github.com/traefik/traefik/pull/1167) ([christopherobin](https://github.com/christopherobin))
 - Better ECS error checking [\#1143](https://github.com/traefik/traefik/pull/1143) ([lpetre](https://github.com/lpetre))
@@ -5041,7 +5080,7 @@ Same changelog as v2.0.3.
 - Add an ECS provider [\#1088](https://github.com/traefik/traefik/pull/1088) ([lpetre](https://github.com/lpetre))
 - Update comment to reflect the code [\#1087](https://github.com/traefik/traefik/pull/1087) ([np](https://github.com/np))
 - update NYTimes/gziphandler fixes \#1059 [\#1084](https://github.com/traefik/traefik/pull/1084) ([JamesKyburz](https://github.com/JamesKyburz))
-- Ensure that we don't add balancees with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
+- Ensure that we don't add balances with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
 - Add FreeBSD & OpenBSD to crossbinary [\#1078](https://github.com/traefik/traefik/pull/1078) ([geoffgarside](https://github.com/geoffgarside))
 - Fix metrics for multiple entry points [\#1071](https://github.com/traefik/traefik/pull/1071) ([matevzmihalic](https://github.com/matevzmihalic))
 - Allow setting load balancer method and sticky using service annotations [\#1068](https://github.com/traefik/traefik/pull/1068) ([bakins](https://github.com/bakins))
@@ -5097,7 +5136,7 @@ Same changelog as v2.0.3.
 - Bind to specific ip address [\#1193](https://github.com/traefik/traefik/issues/1193)
 - DNS01 challenge use the wrong zone through route53 [\#1192](https://github.com/traefik/traefik/issues/1192)
 - Reverse proxy https to http backends fails [\#1180](https://github.com/traefik/traefik/issues/1180)
-- Swarm Mode + Letsecrypt + KV Store [\#1176](https://github.com/traefik/traefik/issues/1176)
+- Swarm Mode + Letsencrypt + KV Store [\#1176](https://github.com/traefik/traefik/issues/1176)
 - docker deploy -c example.yml    e [\#1169](https://github.com/traefik/traefik/issues/1169)
 - Traefik not finding dynamically added services \(Docker Swarm Mode\) [\#1168](https://github.com/traefik/traefik/issues/1168)
 - Traefik with Kubernetes backend - keep getting 401 on all GET requests to kube-apiserver [\#1166](https://github.com/traefik/traefik/issues/1166)
@@ -5115,7 +5154,7 @@ Same changelog as v2.0.3.
 
 **Merged pull requests:**
 
-- Revert "Ensure that we don't add balancees with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
+- Revert "Ensure that we don't add balances with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
 - Small fixes and improvements [\#1173](https://github.com/traefik/traefik/pull/1173) ([SantoDE](https://github.com/SantoDE))
 - Fix docker issues with global and dead tasks [\#1167](https://github.com/traefik/traefik/pull/1167) ([christopherobin](https://github.com/christopherobin))
 - Better ECS error checking [\#1143](https://github.com/traefik/traefik/pull/1143) ([lpetre](https://github.com/lpetre))
@@ -5186,7 +5225,7 @@ Same changelog as v2.0.3.
 - Add an ECS provider [\#1088](https://github.com/traefik/traefik/pull/1088) ([lpetre](https://github.com/lpetre))
 - Update comment to reflect the code [\#1087](https://github.com/traefik/traefik/pull/1087) ([np](https://github.com/np))
 - update NYTimes/gziphandler fixes \#1059 [\#1084](https://github.com/traefik/traefik/pull/1084) ([JamesKyburz](https://github.com/JamesKyburz))
-- Ensure that we don't add balancees with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
+- Ensure that we don't add balances with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
 - Add FreeBSD & OpenBSD to crossbinary [\#1078](https://github.com/traefik/traefik/pull/1078) ([geoffgarside](https://github.com/geoffgarside))
 - Fix metrics for multiple entry points [\#1071](https://github.com/traefik/traefik/pull/1071) ([matevzmihalic](https://github.com/matevzmihalic))
 - Allow setting load balancer method and sticky using service annotations [\#1068](https://github.com/traefik/traefik/pull/1068) ([bakins](https://github.com/bakins))
@@ -5365,7 +5404,7 @@ Same changelog as v2.0.3.
 - Documented ProvidersThrottleDuration value is invalid [\#741](https://github.com/traefik/traefik/issues/741)
 - Sensible configuration for consulCatalog [\#737](https://github.com/traefik/traefik/issues/737)
 - Traefik ignoring container listening in more than one TCP port [\#734](https://github.com/traefik/traefik/issues/734)
-- Loadbalaning issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
+- Loadbalancing issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
 - issues with marathon app ids containing a dot [\#726](https://github.com/traefik/traefik/issues/726)
 - Error when using HA acme in kubernetes with etcd [\#725](https://github.com/traefik/traefik/issues/725)
 - \[Docker swarm mode\] No round robin when using service [\#718](https://github.com/traefik/traefik/issues/718)
@@ -5404,7 +5443,7 @@ Same changelog as v2.0.3.
 - Update docs with new Mesos provider [\#548](https://github.com/traefik/traefik/issues/548)
 - Can I use Traefik without a domain name? [\#539](https://github.com/traefik/traefik/issues/539)
 - docker run syntax in swarm example has changed [\#528](https://github.com/traefik/traefik/issues/528)
-- Priortities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
+- Priorities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
 - Route by path [\#500](https://github.com/traefik/traefik/issues/500)
 - Secure WebSockets [\#467](https://github.com/traefik/traefik/issues/467)
 - Container IP Lost [\#375](https://github.com/traefik/traefik/issues/375)
@@ -5462,7 +5501,7 @@ Same changelog as v2.0.3.
 - Update marathon [\#648](https://github.com/traefik/traefik/pull/648) ([emilevauge](https://github.com/emilevauge))
 - Add backend features to docker [\#646](https://github.com/traefik/traefik/pull/646) ([jangie](https://github.com/jangie))
 - enable consul catalog to use maxconn [\#645](https://github.com/traefik/traefik/pull/645) ([jangie](https://github.com/jangie))
-- Adopt the Code Of Coduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
+- Adopt the Code Of Conduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
 - Use secure mode 600 instead of 644 for acme.json [\#639](https://github.com/traefik/traefik/pull/639) ([discordianfish](https://github.com/discordianfish))
 - docker clarification, fix dead urls, misc typos [\#637](https://github.com/traefik/traefik/pull/637) ([djalal](https://github.com/djalal))
 - add PING handler to dashboard API [\#630](https://github.com/traefik/traefik/pull/630) ([jangie](https://github.com/jangie))
@@ -5551,7 +5590,7 @@ Same changelog as v2.0.3.
 - dependencies installation error [\#755](https://github.com/traefik/traefik/issues/755)
 - k8s provider w/ acme? [\#752](https://github.com/traefik/traefik/issues/752)
 - Documented ProvidersThrottleDuration value is invalid [\#741](https://github.com/traefik/traefik/issues/741)
-- Loadbalaning issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
+- Loadbalancing issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
 - issues with marathon app ids containing a dot [\#726](https://github.com/traefik/traefik/issues/726)
 - How Routing traffic depending on path not domain in docker [\#706](https://github.com/traefik/traefik/issues/706)
 - Traefik crashes when using Consul catalog [\#699](https://github.com/traefik/traefik/issues/699)
@@ -5660,7 +5699,7 @@ Same changelog as v2.0.3.
 - Traefik stuck when used as frontend for a streaming API [\#560](https://github.com/traefik/traefik/issues/560)
 - Exclude some frontends in consul catalog [\#555](https://github.com/traefik/traefik/issues/555)
 - Can I use Traefik without a domain name? [\#539](https://github.com/traefik/traefik/issues/539)
-- Priortities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
+- Priorities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
 - Route by path [\#500](https://github.com/traefik/traefik/issues/500)
 - Container IP Lost [\#375](https://github.com/traefik/traefik/issues/375)
 
@@ -5685,7 +5724,7 @@ Same changelog as v2.0.3.
 - Update marathon [\#648](https://github.com/traefik/traefik/pull/648) ([emilevauge](https://github.com/emilevauge))
 - Add backend features to docker [\#646](https://github.com/traefik/traefik/pull/646) ([jangie](https://github.com/jangie))
 - enable consul catalog to use maxconn [\#645](https://github.com/traefik/traefik/pull/645) ([jangie](https://github.com/jangie))
-- Adopt the Code Of Coduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
+- Adopt the Code Of Conduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
 - Use secure mode 600 instead of 644 for acme.json [\#639](https://github.com/traefik/traefik/pull/639) ([discordianfish](https://github.com/discordianfish))
 - docker clarification, fix dead urls, misc typos [\#637](https://github.com/traefik/traefik/pull/637) ([djalal](https://github.com/djalal))
 - add PING handler to dashboard API [\#630](https://github.com/traefik/traefik/pull/630) ([jangie](https://github.com/jangie))
@@ -5761,7 +5800,7 @@ Same changelog as v2.0.3.
 **Closed issues:**
 
 - Can I use Traefik without a domain name? [\#539](https://github.com/traefik/traefik/issues/539)
-- Priortities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
+- Priorities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
 - Route by path [\#500](https://github.com/traefik/traefik/issues/500)
 
 **Merged pull requests:**
@@ -5861,7 +5900,7 @@ Same changelog as v2.0.3.
 - Traefik doesn't listen on IPv4 ports [\#434](https://github.com/traefik/traefik/issues/434)
 - Not listening on port 80 [\#432](https://github.com/traefik/traefik/issues/432)
 - docs need updating for new frontend rules format [\#423](https://github.com/traefik/traefik/issues/423)
-- Does traefik supports for Mac? \(For devlelopment\)  [\#417](https://github.com/traefik/traefik/issues/417)
+- Does traefik supports for Mac? \(For development\)  [\#417](https://github.com/traefik/traefik/issues/417)
 
 **Merged pull requests:**
 

Makefile

@@ -7,8 +7,6 @@ SHA := $(shell git rev-parse HEAD)
 VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
 VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))
 
-BIND_DIR := dist
-
 GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
 
@@ -29,14 +27,14 @@ TRAEFIK_ENVS := \
 	-e CI \
 	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.
 
-TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/traefik/traefik/$(BIND_DIR)"
+TRAEFIK_MOUNT := -v "$(CURDIR)/dist:/go/src/github.com/traefik/traefik/dist"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
 DOCKER_NON_INTERACTIVE ?= false
 DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
 DOCKER_RUN_TRAEFIK_TEST := docker run --add-host=host.docker.internal:127.0.0.1 --rm --name=traefik --network traefik-test-network -v $(PWD):$(PWD) -w $(PWD) $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
 DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)
 
-PRE_TARGET ?= build-dev-image
+IN_DOCKER ?= true
 
 PLATFORM_URL := $(if $(PLATFORM_URL),$(PLATFORM_URL),"https://pilot.traefik.io")
 
@@ -44,7 +42,7 @@ default: binary
 
 ## Build Dev Docker image
 build-dev-image: dist
-	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
+	$(if $(IN_DOCKER),docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .,)
 
 ## Build Dev Docker image without cache
 build-dev-image-no-cache: dist
@@ -52,25 +50,33 @@ build-dev-image-no-cache: dist
 
 ## Create the "dist" directory
 dist:
-	mkdir dist
+	mkdir -p dist
 
 ## Build WebUI Docker image
 build-webui-image:
 	docker build -t traefik-webui --build-arg ARG_PLATFORM_URL=$(PLATFORM_URL) -f webui/Dockerfile webui
 
-## Generate WebUI
-generate-webui:
-	if [ ! -d "webui/static" ]; then \
-		$(MAKE) build-webui-image; \
-		mkdir -p webui/static; \
-		docker run --rm -v "$$PWD/webui/static":'/src/webui/static' traefik-webui npm run build:nc; \
-		docker run --rm -v "$$PWD/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static; \
-		echo 'For more information show `webui/readme.md`' > $$PWD/webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
-	fi
+## Clean WebUI static generated assets
+clean-webui:
+	rm -r webui/static
+	mkdir -p webui/static
+	echo 'For more information show `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md
 
-## Build the linux binary
-binary: generate-webui $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
+## Generate WebUI
+webui/static/index.html:
+	$(MAKE) build-webui-image
+	docker run --rm -v "$$PWD/webui/static":'/src/webui/static' traefik-webui npm run build:nc
+	docker run --rm -v "$$PWD/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static
+
+generate-webui: webui/static/index.html
+
+## Build the binary
+binary: generate-webui build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
+
+## Build the linux binary locally
+binary-debug: generate-webui
+	GOOS=linux ./script/make.sh binary
 
 ## Build the binary for the standard platforms (linux, darwin, windows)
 crossbinary-default: generate-webui build-dev-image
@@ -82,46 +88,49 @@ crossbinary-default-parallel:
 	$(MAKE) build-dev-image crossbinary-default
 
 ## Run the unit and integration tests
-test: $(PRE_TARGET)
+test: build-dev-image
 	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
 	trap 'docker network rm traefik-test-network' EXIT; \
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate test-unit binary test-integration
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate test-unit binary test-integration
 
 ## Run the unit tests
-test-unit: $(PRE_TARGET)
+test-unit: build-dev-image
 	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
 	trap 'docker network rm traefik-test-network' EXIT; \
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate test-unit
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate test-unit
 
 ## Run the integration tests
-test-integration: $(PRE_TARGET)
+test-integration: build-dev-image
 	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
 	trap 'docker network rm traefik-test-network' EXIT; \
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate binary test-integration
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate binary test-integration
 
 ## Pull all images for integration tests
 pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
 
 ## Validate code and docs
-validate-files: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
+validate-files: build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
 	bash $(CURDIR)/script/validate-shell-script.sh
 
 ## Validate code, docs, and vendor
-validate: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
+validate: build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
 	bash $(CURDIR)/script/validate-shell-script.sh
 
 ## Clean up static directory and build a Docker Traefik image
-build-image: binary
-	rm -rf webui/static
+build-image: clean-webui binary
 	docker build -t $(TRAEFIK_IMAGE) .
 
 ## Build a Docker Traefik image
 build-image-dirty: binary
 	docker build -t $(TRAEFIK_IMAGE) .
 
+## Locally build traefik for linux, then shove it an alpine image, with basic tools.
+build-image-debug: binary-debug
+	docker build -t $(TRAEFIK_IMAGE) -f debug.Dockerfile .
+
 ## Start a shell inside the build env
 shell: build-dev-image
 	$(DOCKER_RUN_TRAEFIK) /bin/bash
@@ -147,17 +156,17 @@ generate-genconf:
 	go run ./cmd/internal/gen/
 
 ## Create packages for the release
-release-packages: generate-webui $(PRE_TARGET)
+release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \
 		--exclude .travis \
 		--exclude .semaphoreci \
 		--exclude .github \
 		--exclude dist .
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/
 
 ## Format the Code
 fmt:

README.md

@@ -88,8 +88,6 @@ You can access the simple HTML frontend of Traefik.
 
 You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
 
-If you are using Traefik v1, you can find the complete documentation at [https://doc.traefik.io/traefik/v1.7/](https://doc.traefik.io/traefik/v1.7/).
-
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
 ## Support

build.Dockerfile

@@ -1,7 +1,6 @@
 FROM golang:1.17-alpine
 
-RUN apk --update upgrade \
-    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
+RUN apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
     && update-ca-certificates \
     && rm -rf /var/cache/apk/*
 
@@ -14,10 +13,10 @@ RUN mkdir -p /usr/local/bin \
     | tar -xzC /usr/local/bin --transform 's#^.+/##x'
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $GOPATH/bin v1.43.0
+RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $GOPATH/bin v1.45.0
 
 # Download misspell binary to bin folder in $GOPATH
-RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
+RUN curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
 
 # Download goreleaser binary to bin folder in $GOPATH
 RUN curl -sfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | sh

cmd/traefik/traefik.go

@@ -191,7 +191,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	// Entrypoints
 
-	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
 	if err != nil {
 		return nil, err
 	}

debug.Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine:3.14
+# Feel free to add below any helpful dependency for debugging.
+# iproute2 is for ss.
+RUN apk --no-cache --no-progress add bash curl ca-certificates tzdata lsof iproute2 \
+    && update-ca-certificates \
+    && rm -rf /var/cache/apk/*
+COPY dist/traefik /
+EXPOSE 80
+VOLUME ["/tmp"]
+ENTRYPOINT ["/traefik"]

docs/content/contributing/building-testing.md

@@ -45,7 +45,7 @@ $ ls dist/
 traefik*
 ```
 
-The following targets can be executed outside Docker by setting the variable `PRE_TARGET` to an empty string (we don't recommend that):
+The following targets can be executed outside Docker by setting the variable `IN_DOCKER` to an empty string (although be aware that some of the tests might fail in that context):
 
 - `test-unit`
 - `test-integration`
@@ -55,7 +55,7 @@ The following targets can be executed outside Docker by setting the variable `PR
 ex:
 
 ```bash
-PRE_TARGET= make test-unit
+IN_DOCKER= make test-unit
 ```
 
 ### Method 2: Using `go`
@@ -102,7 +102,7 @@ Once you've set up your go environment and cloned the source repository, you can
 
 ```bash
 # Generate UI static files
-rm -rf ./webui/static/; make generate-webui
+make clean-webui generate-webui
 
 # required to merge non-code components into the final binary,
 # such as the web dashboard/UI

docs/content/deprecation/releases.md

@@ -0,0 +1,37 @@
+# Releases
+
+## Versions
+
+Below is a non-exhaustive list of versions and their maintenance status:
+
+| Version | Release Date | Active Support     | Security Support | 
+|---------|--------------|--------------------|------------------|
+| 2.6     | Jan 24, 2022 |      Yes           |       Yes        |
+| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 |       No         |
+| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 |       No         |
+| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 |       No         |
+| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 |       No         |
+| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 |       No         |
+| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 |       No         |
+| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 |  Contact Support |
+
+??? example "Active Support / Security Support"
+
+    **Active support**: receives any bug fixes.
+    **Security support**: receives only critical bug and security fixes.
+
+This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.
+
+Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v1 to v2 migration guide](../migration/v1-to-v2.md).
+
+!!! important "All target dates for end of support or feature removal announcements may be subject to change."
+
+## Versioning Scheme
+
+The Traefik Proxy project follows the [semantic versioning](https://semver.org/) scheme and maintains a separate branch for each minor version. The main branch always represents the next upcoming minor or major version.
+
+And these are our guiding rules for version support:
+
+- **Only the latest `minor`** will be on active support at any given time
+- **The last `minor` after releasing a new `major`** will be supported for 1 year following the `major` release
+- **Previous rules are subject to change** and in such cases an announcement will be made publicly, [here](https://traefik.io/blog/traefik-2-1-in-the-wild/) is an example extending v1.x branch support.

docs/content/getting-started/concepts.md

@@ -19,7 +19,7 @@ Deploying your services, you attach information that tells Traefik the character
 ![Decentralized Configuration](../assets/img/traefik-concepts-2.png)
 
 It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
-The opposite is true: when you remove a service from your infrastructure, the route will disappear accordingly.
+Similarly, when a service is removed from the infrastructure, the corresponding route is deleted accordingly.
 
 You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.
 

docs/content/getting-started/configuration-overview.md

@@ -51,7 +51,7 @@ Once positioned, this option sets (and resets) all the default values of the sub
 
 ### Configuration File
 
-At startup, Traefik searches for a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:
+At startup, Traefik searches for static configuration in a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:
 
 - `/etc/traefik/`
 - `$XDG_CONFIG_HOME/`

docs/content/https/acme.md

@@ -23,7 +23,9 @@ Certificates are requested for domain names retrieved from the router's [dynamic
 
 You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).
 
-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! warning "Defining an [ACME challenge type](#the-different-acme-challenges) is a requirement for a certificate resolver to be functional."
+
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
 
 ??? note "Configuration Reference"
 
@@ -114,7 +116,7 @@ Please check the [configuration examples below](#configuration-examples) for mor
     --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
     ```
 
-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
 
 ??? example "Single Domain from Router's Rule Example"
 
@@ -143,7 +145,7 @@ Traefik automatically tracks the expiry date of ACME certificates it generates.
 By default, Traefik manages 90 days certificates,
 and starts to renew certificates 30 days before their expiry.
 
-When using a certificates resolver that issues certificates with custom durations,
+When using a certificate resolver that issues certificates with custom durations,
 one can configure the certificates' duration with the [`certificatesDuration`](#certificatesduration) option.
 
 !!! info ""
@@ -158,7 +160,9 @@ When using LetsEncrypt with kubernetes, there are some known caveats with both t
 
 ## The Different ACME Challenges
 
-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! warning "Defining one ACME challenge is a requirement for a certificate resolver to be functional."
+
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
 
 ### `tlsChallenge`
 
@@ -329,6 +333,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
 | [Hosttech](https://www.hosttech.eu)                         | `hosttech`     | `HOSTTECH_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)     |
 | [HyperOne](https://www.hyperone.com)                        | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
+| [Hurricane Electric](https://dns.he.net)                    | `hurricane`    | `HURRICANE_TOKENS` [^6]                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)    |
 | [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)         | `ibmcloud`     | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)     |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
 | [Infoblox](https://www.infoblox.com/)                       | `infoblox`     | `INFOBLOX_USER`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)     |
@@ -387,11 +392,12 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
 | manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 
-[^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
-[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production)
+[^1]: More information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/).
+[^2]: [Providing credentials to your application](https://cloud.google.com/docs/authentication/production).
 [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
 [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
 [^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
+[^6]: As explained in the [LEGO hurricane configuration](https://go-acme.github.io/lego/dns/hurricane/#credentials), each domain or wildcard (record name) needs a token. So each update of record name must be followed by an update of the `HURRICANE_TOKENS` variable, and a restart of Traefik.
 
 !!! info "`delayBeforeCheck`"
     By default, the `provider` verifies the TXT record _before_ letting ACME verify.

docs/content/https/tls.md

@@ -128,6 +128,30 @@ tls:
       keyFile  = "path/to/cert.key"
 ```
 
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  defaultCertificate:
+    secretName: default-certificate
+    
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: default-certificate
+  namespace: default
+  
+type: Opaque
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
 If no default certificate is provided, Traefik generates and uses a self-signed certificate.
 
 ## TLS Options
@@ -143,11 +167,11 @@ The TLS options allow one to configure some parameters of the TLS connection.
     you must specify the provider namespace, for example:  
     `traefik.http.routers.myrouter.tls.options=myoptions@file`
 
-!!! important "TLSOptions in Kubernetes"
+!!! important "TLSOption in Kubernetes"
 
-    When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
     if not explicitly overwritten, should apply to all ingresses.  
-    To achieve that, you'll have to create a TLSOptions CR with the name `default`.
+    To achieve that, you'll have to create a TLSOption resource with the name `default`.
     There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
     To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
     you'll have to add an annotation to the Ingress in the following form:

docs/content/middlewares/http/buffering.md

@@ -167,7 +167,7 @@ http:
 
 The `maxResponseBodyBytes` option configures the maximum allowed response size from the service (in bytes).
 
-If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
+If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413` (Request Entity Too Large) response instead.
 
 ```yaml tab="Docker"
 labels:

docs/content/middlewares/tcp/inflightconn.md

@@ -14,7 +14,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
+kind: MiddlewareTCP
 metadata:
   name: test-inflightconn
 spec:

docs/content/middlewares/tcp/overview.md

@@ -36,7 +36,7 @@ spec:
 
 ---
 apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
+kind: MiddlewareTCP
 metadata:
   name: foo-ip-whitelist
 spec:
@@ -47,7 +47,7 @@ spec:
 
 ---
 apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
+kind: IngressRouteTCP
 metadata:
   name: ingressroute
 spec:

docs/content/migration/v2.md

@@ -426,15 +426,29 @@ Check out the [Errors middleware](../middlewares/http/errorpages.md#service) doc
 
 ## v2.5 to v2.6
 
-### HTTP3
+### HTTP/3
 
 Traefik v2.6 introduces the `AdvertisedPort` option,
 which allows advertising, in the `Alt-Svc` header, a UDP port different from the one on which Traefik is actually listening (the EntryPoint's port).
 By doing so, it introduces a new configuration structure `http3`, which replaces the `enableHTTP3` option (which therefore doesn't exist anymore).
-To enable HTTP3 on an EntryPoint, please check out the [HTTP3 configuration](../routing/entrypoints.md#http3) documentation.
+To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](../routing/entrypoints.md#http3) documentation.
 
 ### Kubernetes Gateway API Provider
 
 In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/getting-started/) of the specification and 
 [route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
 Therefore, the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-gateway.md#definitions) definitions must be updated.
+
+## v2.6.0 to v2.6.1
+
+### Metrics
+
+In `v2.6.1`, the metrics system does not support any more custom HTTP method verbs to prevent potential metrics cardinality overhead.
+In consequence, for metrics having the method label,
+if the HTTP method verb of a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
+or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
+the value for the method label becomes `EXTENSION_METHOD`, instead of the request's one.
+
+### Tracing
+
+In `v2.6.1`, the Datadog tags added to a span changed from `service.name` to `traefik.service.name` and from `router.name` to `traefik.router.name`.

docs/content/observability/metrics/datadog.md

@@ -118,7 +118,7 @@ metrics:
 ```toml tab="File (TOML)"
 [metrics]
   [metrics.datadog]
-    pushInterval = 10s
+    pushInterval = "10s"
 ```
 
 ```bash tab="CLI"
@@ -144,5 +144,5 @@ metrics:
 ```
 
 ```bash tab="CLI"
---metrics.datadog.prefix="traefik"
+--metrics.datadog.prefix=traefik
 ```

docs/content/observability/metrics/influxdb.md

@@ -69,7 +69,7 @@ InfluxDB database used when protocol is http.
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
-    database: "db"
+    database: db
 ```
 
 ```toml tab="File (TOML)"
@@ -91,7 +91,7 @@ InfluxDB retention policy used when protocol is http.
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
-    retentionPolicy: "two_hours"
+    retentionPolicy: two_hours
 ```
 
 ```toml tab="File (TOML)"
@@ -113,7 +113,7 @@ InfluxDB username (only with http).
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
-    username: "john"
+    username: john
 ```
 
 ```toml tab="File (TOML)"
@@ -135,7 +135,7 @@ InfluxDB password (only with http).
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
-    password: "secret"
+    password: secret
 ```
 
 ```toml tab="File (TOML)"
@@ -176,18 +176,18 @@ _Optional, Default=false_
 
 Enable metrics on routers.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    addRoutersLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
     addRoutersLabels: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    addRoutersLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.addrouterslabels=true
 ```
@@ -229,7 +229,7 @@ metrics:
 ```toml tab="File (TOML)"
 [metrics]
   [metrics.influxDB]
-    pushInterval = 10s
+    pushInterval = "10s"
 ```
 
 ```bash tab="CLI"
@@ -242,14 +242,6 @@ _Optional, Default={}_
 
 Additional labels (influxdb tags) on all metrics.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    [metrics.influxDB.additionalLabels]
-      host = "example.com"
-      environment = "production"
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   influxDB:
@@ -258,6 +250,14 @@ metrics:
       environment: production
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    [metrics.influxDB.additionalLabels]
+      host = "example.com"
+      environment = "production"
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.additionallabels.host=example.com --metrics.influxdb.additionallabels.environment=production
 ```

docs/content/observability/metrics/overview.md

@@ -7,16 +7,16 @@ Traefik supports 4 metrics backends:
 - [Prometheus](./prometheus.md)
 - [StatsD](./statsd.md)
 
-## Server Metrics
+## Global Metrics
 
 | Metric                                                                  | DataDog | InfluxDB | Prometheus | StatsD |
 |-------------------------------------------------------------------------|---------|----------|------------|--------|
 | [Configuration reloads](#configuration-reloads)                         | ✓       | ✓        | ✓          | ✓      |
-| [Configuration reload failures](#configuration-reload-failures)         | ✓       | ✓        | ✓          | ✓      |
 | [Last Configuration Reload Success](#last-configuration-reload-success) | ✓       | ✓        | ✓          | ✓      |
-| [Last Configuration Reload Failure](#last-configuration-reload-failure) | ✓       | ✓        | ✓          | ✓      |
+| [TLS certificates expiration](#tls-certificates-expiration)             | ✓       | ✓        | ✓          | ✓      |
 
 ### Configuration Reloads
+
 The total count of configuration reloads.
 
 ```dd tab="Datadog"
@@ -36,27 +36,8 @@ traefik_config_reloads_total
 {prefix}.config.reload.total
 ```
 
-### Configuration Reload Failures
-The total count of configuration reload failures.
-
-```dd tab="Datadog"
-config.reload.total (with tag "failure" to true)
-```
-
-```influxdb tab="InfluxDB"
-traefik.config.reload.total.failure
-```
-
-```prom tab="Prometheus"
-traefik_config_reloads_failure_total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.config.reload.total.failure
-```
-
 ### Last Configuration Reload Success
+
 The timestamp of the last configuration reload success.
 
 ```dd tab="Datadog"
@@ -76,24 +57,27 @@ traefik_config_last_reload_success
 {prefix}.config.reload.lastSuccessTimestamp
 ```
 
-### Last Configuration Reload Failure
-The timestamp of the last configuration reload failure.
+### TLS certificates expiration
+
+The expiration date of certificates.
+
+[Labels](#labels): `cn`, `sans`, `serial`.
 
 ```dd tab="Datadog"
-config.reload.lastFailureTimestamp
+tls.certs.notAfterTimestamp
 ```
 
 ```influxdb tab="InfluxDB"
-traefik.config.reload.lastFailureTimestamp
+traefik.tls.certs.notAfterTimestamp
 ```
 
 ```prom tab="Prometheus"
-traefik_config_last_reload_failure
+traefik_tls_certs_not_after
 ```
 
 ```statsd tab="StatsD"
 # Default prefix: "traefik"
-{prefix}.config.reload.lastFailureTimestamp
+{prefix}.tls.certs.notAfterTimestamp
 ```
 
 ## EntryPoint Metrics
@@ -101,14 +85,15 @@ traefik_config_last_reload_failure
 | Metric                                                    | DataDog | InfluxDB | Prometheus | StatsD |
 |-----------------------------------------------------------|---------|----------|------------|--------|
 | [HTTP Requests Count](#http-requests-count)               | ✓       | ✓        | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count)             |         |          | ✓          |        |
+| [HTTPS Requests Count](#https-requests-count)             | ✓       | ✓        | ✓          | ✓      |
 | [Request Duration Histogram](#request-duration-histogram) | ✓       | ✓        | ✓          | ✓      |
 | [Open Connections Count](#open-connections-count)         | ✓       | ✓        | ✓          | ✓      |
 
 ### HTTP Requests Count
-The total count of HTTP requests processed on an entrypoint.
 
-Available labels: `code`, `method`, `protocol`, `entrypoint`.
+The total count of HTTP requests received by an entrypoint.
+
+[Labels](#labels): `code`, `method`, `protocol`, `entrypoint`.
 
 ```dd tab="Datadog"
 entrypoint.request.total
@@ -128,18 +113,33 @@ traefik_entrypoint_requests_total
 ```
 
 ### HTTPS Requests Count
-The total count of HTTPS requests processed on an entrypoint.
 
-Available labels: `tls_version`, `tls_cipher`, `entrypoint`.
+The total count of HTTPS requests received by an entrypoint.
+
+[Labels](#labels): `tls_version`, `tls_cipher`, `entrypoint`.
+
+```dd tab="Datadog"
+entrypoint.request.tls.total
+```
+
+```influxdb tab="InfluxDB"
+traefik.entrypoint.requests.tls.total
+```
 
 ```prom tab="Prometheus"
 traefik_entrypoint_requests_tls_total
 ```
 
-### Request Duration Histogram
-Request process time duration histogram on an entrypoint.
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.entrypoint.request.tls.total
+```
 
-Available labels: `code`, `method`, `protocol`, `entrypoint`.
+### Request Duration Histogram
+
+Request processing duration histogram on an entrypoint.
+
+[Labels](#labels): `code`, `method`, `protocol`, `entrypoint`.
 
 ```dd tab="Datadog"
 entrypoint.request.duration
@@ -159,9 +159,10 @@ traefik_entrypoint_request_duration_seconds
 ```
 
 ### Open Connections Count
+
 The current count of open connections on an entrypoint.
 
-Available labels: `method`, `protocol`, `entrypoint`.
+[Labels](#labels): `method`, `protocol`, `entrypoint`.
 
 ```dd tab="Datadog"
 entrypoint.connections.open
@@ -180,21 +181,123 @@ traefik_entrypoint_open_connections
 {prefix}.entrypoint.connections.open
 ```
 
-## Service Metrics
+## Router Metrics
 
 | Metric                                                      | DataDog | InfluxDB | Prometheus | StatsD |
 |-------------------------------------------------------------|---------|----------|------------|--------|
 | [HTTP Requests Count](#http-requests-count_1)               | ✓       | ✓        | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count_1)             |         |          | ✓          |        |
+| [HTTPS Requests Count](#https-requests-count_1)             | ✓       | ✓        | ✓          | ✓      |
 | [Request Duration Histogram](#request-duration-histogram_1) | ✓       | ✓        | ✓          | ✓      |
 | [Open Connections Count](#open-connections-count_1)         | ✓       | ✓        | ✓          | ✓      |
+
+### HTTP Requests Count
+
+The total count of HTTP requests handled by a router.
+
+[Labels](#labels): `code`, `method`, `protocol`, `router`, `service`.
+
+```dd tab="Datadog"
+router.request.total
+```
+
+```influxdb tab="InfluxDB"
+traefik.router.requests.total
+```
+
+```prom tab="Prometheus"
+traefik_router_requests_total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.request.total
+```
+
+### HTTPS Requests Count
+
+The total count of HTTPS requests handled by a router.
+
+[Labels](#labels): `tls_version`, `tls_cipher`, `router`, `service`.
+
+```dd tab="Datadog"
+router.request.tls.total
+```
+
+```influxdb tab="InfluxDB"
+traefik.router.requests.tls.total
+```
+
+```prom tab="Prometheus"
+traefik_router_requests_tls_total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.request.tls.total
+```
+
+### Request Duration Histogram
+
+Request processing duration histogram on a router.
+
+[Labels](#labels): `code`, `method`, `protocol`, `router`, `service`.
+
+```dd tab="Datadog"
+router.request.duration
+```
+
+```influxdb tab="InfluxDB"
+traefik.router.request.duration
+```
+
+```prom tab="Prometheus"
+traefik_router_request_duration_seconds
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.request.duration
+```
+
+### Open Connections Count
+
+The current count of open connections on a router.
+
+[Labels](#labels): `method`, `protocol`, `router`, `service`.
+
+```dd tab="Datadog"
+router.connections.open
+```
+
+```influxdb tab="InfluxDB"
+traefik.router.connections.open
+```
+
+```prom tab="Prometheus"
+traefik_router_open_connections
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.connections.open
+```
+
+## Service Metrics
+
+| Metric                                                      | DataDog | InfluxDB | Prometheus | StatsD |
+|-------------------------------------------------------------|---------|----------|------------|--------|
+| [HTTP Requests Count](#http-requests-count_2)               | ✓       | ✓        | ✓          | ✓      |
+| [HTTPS Requests Count](#https-requests-count_2)             | ✓       | ✓        | ✓          | ✓      |
+| [Request Duration Histogram](#request-duration-histogram_2) | ✓       | ✓        | ✓          | ✓      |
+| [Open Connections Count](#open-connections-count_2)         | ✓       | ✓        | ✓          | ✓      |
 | [Requests Retries Count](#requests-retries-count)           | ✓       | ✓        | ✓          | ✓      |
 | [Service Server UP](#service-server-up)                     | ✓       | ✓        | ✓          | ✓      |
 
 ### HTTP Requests Count
+
 The total count of HTTP requests processed on a service.
 
-Available labels: `code`, `method`, `protocol`, `service`.
+[Labels](#labels): `code`, `method`, `protocol`, `service`.
 
 ```dd tab="Datadog"
 service.request.total
@@ -214,18 +317,33 @@ traefik_service_requests_total
 ```
 
 ### HTTPS Requests Count
+
 The total count of HTTPS requests processed on a service.
 
-Available labels: `tls_version`, `tls_cipher`, `service`.
+[Labels](#labels): `tls_version`, `tls_cipher`, `service`.
+
+```dd tab="Datadog"
+router.service.tls.total
+```
+
+```influxdb tab="InfluxDB"
+traefik.service.requests.tls.total
+```
 
 ```prom tab="Prometheus"
 traefik_service_requests_tls_total
 ```
 
-### Request Duration Histogram
-Request process time duration histogram on a service.
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.service.request.tls.total
+```
 
-Available labels: `code`, `method`, `protocol`, `service`.
+### Request Duration Histogram
+
+Request processing duration histogram on a service.
+
+[Labels](#labels): `code`, `method`, `protocol`, `service`.
 
 ```dd tab="Datadog"
 service.request.duration
@@ -245,9 +363,10 @@ traefik_service_request_duration_seconds
 ```
 
 ### Open Connections Count
+
 The current count of open connections on a service.
 
-Available labels: `method`, `protocol`, `service`.
+[Labels](#labels): `method`, `protocol`, `service`.
 
 ```dd tab="Datadog"
 service.connections.open
@@ -267,9 +386,10 @@ traefik_service_open_connections
 ```
 
 ### Requests Retries Count
+
 The count of requests retries on a service.
 
-Available labels: `service`.
+[Labels](#labels): `service`.
 
 ```dd tab="Datadog"
 service.retries.total
@@ -289,9 +409,10 @@ traefik_service_retries_total
 ```
 
 ### Service Server UP
+
 Current service's server status, described by a gauge with a value of 0 for a down server or a value of 1 for an up server.
 
-Available labels: `service`, `url`.
+[Labels](#labels): `service`, `url`.
 
 ```dd tab="Datadog"
 service.server.up
@@ -309,3 +430,28 @@ traefik_service_server_up
 # Default prefix: "traefik"
 {prefix}.service.server.up
 ```
+
+## Labels
+
+Here is a comprehensive list of labels that are provided by the metrics:
+
+| Label         | Description                           | example                    |
+|---------------|---------------------------------------|----------------------------|
+| `cn`          | Certificate Common Name               | "example.com"              |
+| `code`        | Request code                          | "200"                      |
+| `entrypoint`  | Entrypoint that handled the request   | "example_entrypoint"       |
+| `method`      | Request Method                        | "GET"                      |
+| `protocol`    | Request protocol                      | "http"                     |
+| `router`      | Router that handled the request       | "example_router"           |
+| `sans`        | Certificate Subject Alternative NameS | "example.com"              |
+| `serial`      | Certificate Serial Number             | "123..."                   |
+| `service`     | Service that handled the request      | "example_service@provider" |
+| `tls_cipher`  | TLS cipher used for the request       | "TLS_FALLBACK_SCSV"        |
+| `tls_version` | TLS version used for the request      | "1.0"                      |
+| `url`         | Service server url                    | "http://example.com"       |
+
+!!! info "`method` label value"
+
+    If the HTTP method verb on a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
+    or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
+    then the value for the method label becomes `EXTENSION_METHOD`.

docs/content/observability/metrics/prometheus.md

@@ -39,7 +39,7 @@ metrics:
 ```
 
 ```bash tab="CLI"
---metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000
+--metrics.prometheus.buckets=0.1,0.3,1.2,5.0
 ```
 
 #### `addEntryPointsLabels`
@@ -70,18 +70,18 @@ _Optional, Default=false_
 
 Enable metrics on routers.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.prometheus]
-    addRoutersLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   prometheus:
     addRoutersLabels: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    addRoutersLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.prometheus.addrouterslabels=true
 ```
@@ -117,7 +117,7 @@ Entry point used to expose metrics.
 ```yaml tab="File (YAML)"
 entryPoints:
   metrics:
-    address: ":8082"
+    address: :8082
 
 metrics:
   prometheus:

docs/content/observability/metrics/statsd.md

@@ -66,18 +66,18 @@ _Optional, Default=false_
 
 Enable metrics on entry points.
 
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.statsD]
-    addRoutersLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
   statsD:
     addRoutersLabels: true
 ```
 
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+    addRoutersLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.statsd.addrouterslabels=true
 ```
@@ -119,7 +119,7 @@ metrics:
 ```toml tab="File (TOML)"
 [metrics]
   [metrics.statsD]
-    pushInterval = 10s
+    pushInterval = "10s"
 ```
 
 ```bash tab="CLI"
@@ -145,5 +145,5 @@ metrics:
 ```
 
 ```bash tab="CLI"
---metrics.statsd.prefix="traefik"
+--metrics.statsd.prefix=traefik
 ```

docs/content/providers/consul.md

@@ -15,7 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).
 
 _Required, Default="127.0.0.1:8500"_
 
-Defines how to access to Consul.
+Defines how to access Consul.
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/docker.md

@@ -550,11 +550,11 @@ providers:
 
 _Optional, Default=""_
 
-The `constraints` option can be set to an expression that Traefik matches against the container tags to determine whether
-to create any route for that container. If none of the container tags match the expression, no route for that container is
+The `constraints` option can be set to an expression that Traefik matches against the container labels to determine whether
+to create any route for that container. If none of the container labels match the expression, no route for that container is
 created. If the expression is empty, all detected containers are included.
 
-The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions,
 as well as the usual boolean logic, as shown in examples below.
 
 ??? example "Constraints Expression Examples"

docs/content/providers/redis.md

@@ -15,7 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).
 
 _Required, Default="127.0.0.1:6379"_
 
-Defines how to access to Redis.
+Defines how to access Redis.
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/zookeeper.md

@@ -15,7 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).
 
 _Required, Default="127.0.0.1:2181"_
 
-Defines how to access to ZooKeeper.
+Defines how to access ZooKeeper.
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/routing/entrypoints.md

@@ -223,22 +223,22 @@ If both TCP and UDP are wanted for the same port, two entryPoints definitions ar
 
     Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go.
 
-### HTTP3
+### HTTP/3
 
 #### `http3`
 
-`http3` enables HTTP3 protocol on the entryPoint.
-You can only enable HTTP3 on a TCP entrypoint.
-Enabling HTTP3 will automatically add the correct headers for the connection upgrade to HTTP3.
+`http3` enables HTTP/3 protocol on the entryPoint.
+HTTP/3 requires a TCP entryPoint, as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP.
+In most scenarios, this entryPoint is the same as the one used for TLS traffic.
 
-??? info "HTTP3 uses UDP+TLS"
+??? info "HTTP/3 uses UDP+TLS"
 
-    As HTTP3 uses UDP, you can't have a TCP entrypoint with HTTP3 on the same port as a UDP entrypoint.
-    Since HTTP3 requires the use of TLS, only routers with TLS enabled will be usable with HTTP3.
+    As HTTP/3 uses UDP, you can't have a TCP entryPoint with HTTP/3 on the same port as a UDP entryPoint.
+    Since HTTP/3 requires the use of TLS, only routers with TLS enabled will be usable with HTTP/3.
 
-!!! warning "Enabling Experimental HTTP3"
+!!! warning "Enabling Experimental HTTP/3"
 
-    As the HTTP3 spec is still in draft, HTTP3 support in Traefik is an experimental feature and needs to be activated 
+    As the HTTP/3 spec is still in draft, HTTP/3 support in Traefik is an experimental feature and needs to be activated 
     in the experimental section of the static configuration.
     
     ```yaml tab="File (YAML)"
@@ -258,13 +258,14 @@ Enabling HTTP3 will automatically add the correct headers for the connection upg
     ```
     
     ```bash tab="CLI"
-    --experimental.http3=true --entrypoints.name.http3
+    --experimental.http3=true 
+    --entrypoints.name.http3
     ```
 
 #### `advertisedPort`
 
-`http3.advertisedPort` defines which UDP port to advertise as the HTTP3 authority.
-It defaults to the entrypoint's address port.
+`http3.advertisedPort` defines which UDP port to advertise as the HTTP/3 authority.
+It defaults to the entryPoint's address port.
 It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening.
 
 !!! info "http3.advertisedPort"
@@ -288,7 +289,8 @@ It can be used to override the authority in the `alt-svc` header, for example if
     ```
     
     ```bash tab="CLI"
-    --experimental.http3=true --entrypoints.name.http3.advertisedport=443
+    --experimental.http3=true 
+    --entrypoints.name.http3.advertisedport=443
     ```
 
 ### Forwarded Headers

docs/content/routing/overview.md

@@ -21,7 +21,7 @@ If they do, the router might transform the request using pieces of [middleware](
 
 ## Example with a File Provider
 
-Below is an example of a full configuration file for the [file provider](../providers/file.md) that forwards `http://domain/whoami/` requests to a service reachable on `http://private/whoami-service/`.
+Below is an example of a full configuration file for the [file provider](../providers/file.md) that forwards `http://example.com/whoami/` requests to a service reachable on `http://private/whoami-service/`.
 In the process, Traefik will make sure that the user is authenticated (using the [BasicAuth middleware](../middlewares/http/basicauth.md)).
 
 Static configuration:
@@ -122,7 +122,7 @@ http:
     In this example, we've defined routing rules for http requests only.
     Traefik also supports TCP requests. To add [TCP routers](./routers/index.md) and [TCP services](./services/index.md), declare them in a TCP section like in the following.
 
-    ??? example "Adding a TCP route for TLS requests on whoami.example.com"
+    ??? example "Adding a TCP route for TLS requests on whoami-tcp.example.com"
 
         **Static Configuration**
 

docs/content/routing/providers/kubernetes-crd.md

@@ -1485,39 +1485,40 @@ or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`Ingre
     apiVersion: traefik.containo.us/v1alpha1
     kind: TLSOption
     metadata:
-      name: mytlsoption
+      name: mytlsoption                             # [1]
       namespace: default
     
     spec:
-      minVersion: VersionTLS12                      # [1]
-      maxVersion: VersionTLS13                      # [1]
-      curvePreferences:                             # [3]
+      minVersion: VersionTLS12                      # [2]
+      maxVersion: VersionTLS13                      # [3]
+      curvePreferences:                             # [4]
         - CurveP521
         - CurveP384
-      cipherSuites:                                 # [4]
+      cipherSuites:                                 # [5]
         - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
         - TLS_RSA_WITH_AES_256_GCM_SHA384
-      clientAuth:                                   # [5]
-        secretNames:                                # [6]
+      clientAuth:                                   # [6]
+        secretNames:                                # [7]
           - secret-ca1
           - secret-ca2
-        clientAuthType: VerifyClientCertIfGiven     # [7]
-      sniStrict: true                               # [8]
-      alpnProtocols:                                # [9]
+        clientAuthType: VerifyClientCertIfGiven     # [8]
+      sniStrict: true                               # [9]
+      alpnProtocols:                                # [10]
         - foobar
     ```
 
-| Ref | Attribute                   | Purpose                                                                                                                                                                                                                    |
-|-----|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [1] | `minVersion`                | Defines the [minimum TLS version](../../https/tls.md#minimum-tls-version) that is acceptable                                                                                                                               |
-| [2] | `maxVersion`                | Defines the [maximum TLS version](../../https/tls.md#maximum-tls-version) that is acceptable                                                                                                                               |
-| [3] | `cipherSuites`              | list of supported [cipher suites](../../https/tls.md#cipher-suites) for TLS versions up to TLS 1.2                                                                                                                         |
-| [4] | `curvePreferences`          | List of the [elliptic curves references](../../https/tls.md#curve-preferences) that will be used in an ECDHE handshake, in preference order                                                                                |
-| [5] | `clientAuth`                | determines the server's policy for TLS [Client Authentication](../../https/tls.md#client-authentication-mtls)                                                                                                              |
-| [6] | `clientAuth.secretNames`    | list of names of the referenced Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) (in TLSOption namespace). The secret must contain a certificate under either a `tls.ca` or a `ca.crt` key. |
-| [7] | `clientAuth.clientAuthType` | defines the client authentication type to apply. The available values are: `NoClientCert`, `RequestClientCert`, `VerifyClientCertIfGiven` and `RequireAndVerifyClientCert`                                                 |
-| [8] | `sniStrict`                 | if `true`, Traefik won't allow connections from clients connections that do not specify a server_name extension                                                                                                            |
-| [9] | `alpnProtocols`             | List of supported [application level protocols](../../https/tls.md#alpn-protocols) for the TLS handshake, in order of preference.                                                                                          |
+| Ref  | Attribute                   | Purpose                                                                                                                                                                                                                    |
+|------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [1]  | `name`                      | Defines the name of the TLSOption resource. One can use `default` as name to redefine the [default TLSOption](../../https/tls.md#tls-options).                                                                             |
+| [2]  | `minVersion`                | Defines the [minimum TLS version](../../https/tls.md#minimum-tls-version) that is acceptable.                                                                                                                              |
+| [3]  | `maxVersion`                | Defines the [maximum TLS version](../../https/tls.md#maximum-tls-version) that is acceptable.                                                                                                                              |
+| [4]  | `cipherSuites`              | list of supported [cipher suites](../../https/tls.md#cipher-suites) for TLS versions up to TLS 1.2.                                                                                                                        |
+| [5]  | `curvePreferences`          | List of the [elliptic curves references](../../https/tls.md#curve-preferences) that will be used in an ECDHE handshake, in preference order.                                                                               |
+| [6]  | `clientAuth`                | determines the server's policy for TLS [Client Authentication](../../https/tls.md#client-authentication-mtls).                                                                                                             |
+| [7]  | `clientAuth.secretNames`    | list of names of the referenced Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) (in TLSOption namespace). The secret must contain a certificate under either a `tls.ca` or a `ca.crt` key. |
+| [8]  | `clientAuth.clientAuthType` | defines the client authentication type to apply. The available values are: `NoClientCert`, `RequestClientCert`, `VerifyClientCertIfGiven` and `RequireAndVerifyClientCert`.                                                |
+| [9]  | `sniStrict`                 | if `true`, Traefik won't allow connections from clients connections that do not specify a server_name extension.                                                                                                           |
+| [10] | `alpnProtocols`             | List of supported [application level protocols](../../https/tls.md#alpn-protocols) for the TLS handshake, in order of preference.                                                                                          |
 
 !!! info "CA Secret"
 

docs/content/routing/routers/index.md

@@ -292,7 +292,7 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul
     http:
       routers:
         Router-1:
-          rule: "HostRegexp(`.*\.traefik\.com`)"
+          rule: "HostRegexp(`{subdomain:[a-z]+}.traefik.com`)"
           # ...
         Router-2:
           rule: "Host(`foobar.traefik.com`)"
@@ -303,7 +303,7 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul
     ## Dynamic configuration
     [http.routers]
       [http.routers.Router-1]
-        rule = "HostRegexp(`.*\.traefik\.com`)"
+        rule = "HostRegexp(`{subdomain:[a-z]+}.traefik.com`)"
         # ...
       [http.routers.Router-2]
         rule = "Host(`foobar.traefik.com`)"
@@ -312,10 +312,10 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul
 
     In this case, all requests with host `foobar.traefik.com` will be routed through `Router-1` instead of `Router-2`.
 
-    | Name     | Rule                                 | Priority |
-    |----------|--------------------------------------|----------|
-    | Router-1 | ```HostRegexp(`.*\.traefik\.com`)``` | 30       |
-    | Router-2 | ```Host(`foobar.traefik.com`)```     | 26       |
+    | Name     | Rule                                               | Priority |
+    |----------|----------------------------------------------------|----------|
+    | Router-1 | ```HostRegexp(`{subdomain:[a-z]+}.traefik.com`)``` | 44       |
+    | Router-2 | ```Host(`foobar.traefik.com`)```                   | 26       |
 
     The previous table shows that `Router-1` has a higher priority than `Router-2`.
 
@@ -328,7 +328,7 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul
     http:
       routers:
         Router-1:
-          rule: "HostRegexp(`.*\.traefik\.com`)"
+          rule: "HostRegexp(`{subdomain:[a-z]+}.traefik.com`)"
           entryPoints:
           - "web"
           service: service-1
@@ -345,7 +345,7 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul
     ## Dynamic configuration
     [http.routers]
       [http.routers.Router-1]
-        rule = "HostRegexp(`.*\.traefik\.com`)"
+        rule = "HostRegexp(`{subdomain:[a-z]+}.traefik.com`)"
         entryPoints = ["web"]
         service = "service-1"
         priority = 1

docs/content/user-guides/crd-acme/k3s.yml

@@ -27,4 +27,4 @@ node:
   volumes:
     # this is where you would place a alternative traefik image (saved as a .tar file with
     # 'docker save'), if you want to use it, instead of the traefik:v2.6 image.
-    - /sowewhere/on/your/host/custom-image:/var/lib/rancher/k3s/agent/images
+    - /somewhere/on/your/host/custom-image:/var/lib/rancher/k3s/agent/images

docs/content/user-guides/marathon.md

@@ -93,7 +93,7 @@ There are two mitigation efforts:
 The Marathon health check makes sure that applications once deemed dysfunctional are being rescheduled to different slaves.
 However, they might take a while to get triggered and the follow-up processes to complete.
 
-For that reason, the Treafik health check provides an additional check that responds more rapidly and does not require a configuration reload to happen.
+For that reason, the Traefik health check provides an additional check that responds more rapidly and does not require a configuration reload to happen.
 Additionally, it protects from cases that the Marathon health check may not be able to cover, such as a network split.
 
 ### (Non-)Alternatives

docs/mkdocs.yml

@@ -196,3 +196,5 @@ nav:
         - 'KV': 'reference/dynamic-configuration/kv.md'
         - 'Marathon': 'reference/dynamic-configuration/marathon.md'
         - 'Rancher': 'reference/dynamic-configuration/rancher.md'
+  - 'Deprecation Notices':
+      - 'Releases': 'deprecation/releases.md'

exp.Dockerfile

@@ -14,8 +14,7 @@ RUN npm run build
 # BUILD
 FROM golang:1.17-alpine as gobuild
 
-RUN apk --update upgrade \
-    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
+RUN apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
     && update-ca-certificates \
     && rm -rf /var/cache/apk/*
 

go.mod

@@ -4,7 +4,7 @@ go 1.16
 
 // github.com/docker/docker v17.12.0-ce-rc1.0.20200204220554-5f6d6f3f2203+incompatible => v19.03.6
 require (
-	github.com/BurntSushi/toml v0.3.1
+	github.com/BurntSushi/toml v1.0.0
 	github.com/ExpediaDotCom/haystack-client-go v0.0.0-20190315171017-e7edbdf53a61
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/Shopify/sarama v1.23.1 // indirect
@@ -12,7 +12,7 @@ require (
 	github.com/aws/aws-sdk-go v1.39.0
 	github.com/cenkalti/backoff/v4 v4.1.1
 	github.com/compose-spec/compose-go v1.0.3
-	github.com/containerd/containerd v1.5.8 // indirect
+	github.com/containerd/containerd v1.5.9 // indirect
 	github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/davecgh/go-spew v1.1.1
@@ -31,7 +31,7 @@ require (
 	github.com/google/go-github/v28 v28.1.1
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/websocket v1.4.2
-	github.com/hashicorp/consul v1.10.3
+	github.com/hashicorp/consul v1.10.4
 	github.com/hashicorp/consul/api v1.12.0
 	github.com/hashicorp/go-hclog v0.16.1
 	github.com/hashicorp/go-multierror v1.1.1
@@ -60,7 +60,7 @@ require (
 	github.com/stretchr/testify v1.7.0
 	github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154
 	github.com/tinylib/msgp v1.0.2 // indirect
-	github.com/traefik/paerser v0.1.4
+	github.com/traefik/paerser v0.1.5
 	github.com/traefik/yaegi v0.11.2
 	github.com/uber/jaeger-client-go v2.29.1+incompatible
 	github.com/uber/jaeger-lib v2.2.0+incompatible

go.sum

@@ -112,8 +112,9 @@ github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZ
 github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
-github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU=
+github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/datadog-go v3.2.0+incompatible h1:qSG2N4FghB1He/r2mFrWKCaL7dXCilEuNEeAn20fdD4=
@@ -207,8 +208,8 @@ github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg=
 github.com/armon/go-metrics v0.3.0/go.mod h1:zXjbSimjXTd7vOpY8B0/2LpvNvDoXBuplAD+gJD3GYs=
-github.com/armon/go-metrics v0.3.8 h1:oOxq3KPj0WhCuy50EhzwiyMyG2ovRQZpZLXQuOh2a/M=
-github.com/armon/go-metrics v0.3.8/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc=
+github.com/armon/go-metrics v0.3.10 h1:FR+drcQStOe+32sYyJYyZ7FIdgoGGBnwLl+flodp8Uo=
+github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
@@ -356,8 +357,8 @@ github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09Zvgq
 github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
 github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
 github.com/containerd/containerd v1.5.5/go.mod h1:oSTh0QpT1w6jYcGmbiSbxv9OSQYaa88mPyWIuU79zyo=
-github.com/containerd/containerd v1.5.8 h1:NmkCC1/QxyZFBny8JogwLpOy2f+VEbO/f6bV2Mqtwuw=
-github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s=
+github.com/containerd/containerd v1.5.9 h1:rs6Xg1gtIxaeyG+Smsb/0xaSDu1VgFhOCKBXxMxbsF4=
+github.com/containerd/containerd v1.5.9/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ=
 github.com/containerd/continuity v0.0.0-20181203112020-004b46473808/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -866,8 +867,8 @@ github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
 github.com/hanwen/go-fuse v1.0.0/go.mod h1:unqXarDXqzAk0rt98O2tVndEPIpUgLD9+rwFisZH3Ok=
 github.com/hanwen/go-fuse/v2 v2.0.4-0.20201208195215-4a458845028b/go.mod h1:0EQM6aH2ctVpvZ6a+onrQ/vaykxh2GH7hy3e13vzTUY=
-github.com/hashicorp/consul v1.10.3 h1:I6CWR8+GCmwGXR0m2eRZasVdVUBwDiDoIjEjSxBCnwk=
-github.com/hashicorp/consul v1.10.3/go.mod h1:EJMYpT39ZL2BnxjGRNTjfTH3s9893yd/DCX60PUnGUY=
+github.com/hashicorp/consul v1.10.4 h1:rqKmYP49KnCSSxbiaJ4J2CnLA3zUAmI6KwASKxmPqFc=
+github.com/hashicorp/consul v1.10.4/go.mod h1:3EJeqDz7W0LQJ2I4KzRtZZBgG5H80kZvgEtOLis/yCo=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
 github.com/hashicorp/consul/api v1.10.0/go.mod h1:sDjTOq0yUyv5G4h+BqSea7Fn6BU+XbolEz1952UB+mk=
@@ -955,8 +956,8 @@ github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOn
 github.com/hashicorp/net-rpc-msgpackrpc v0.0.0-20151116020338-a14192a58a69/go.mod h1:/z+jUGRBlwVpUZfjute9jWaF6/HuhjuFQuL1YXzVD1Q=
 github.com/hashicorp/raft v1.1.1/go.mod h1:vPAJM8Asw6u8LxC3eJCUZmRP/E4QmUGE1R7g7k8sG/8=
 github.com/hashicorp/raft v1.2.0/go.mod h1:vPAJM8Asw6u8LxC3eJCUZmRP/E4QmUGE1R7g7k8sG/8=
-github.com/hashicorp/raft v1.3.1 h1:zDT8ke8y2aP4wf9zPTB2uSIeavJ3Hx/ceY4jxI2JxuY=
-github.com/hashicorp/raft v1.3.1/go.mod h1:4Ak7FSPnuvmb0GV6vgIAJ4vYT4bek9bb6Q+7HVbyzqM=
+github.com/hashicorp/raft v1.3.2 h1:j2tqHqFnDdWCepLxzuo3b6WzS2krIweBrvEoqBbWMTo=
+github.com/hashicorp/raft v1.3.2/go.mod h1:4Ak7FSPnuvmb0GV6vgIAJ4vYT4bek9bb6Q+7HVbyzqM=
 github.com/hashicorp/raft-autopilot v0.1.5 h1:onEfMH5uHVdXQqtas36zXUHEZxLdsJVu/nXHLcLdL1I=
 github.com/hashicorp/raft-autopilot v0.1.5/go.mod h1:Af4jZBwaNOI+tXfIqIdbcAnh/UyyqIMj/pOISIfhArw=
 github.com/hashicorp/raft-boltdb v0.0.0-20171010151810-6e5ba93211ea/go.mod h1:pNv7Wc3ycL6F5oOWn+tPGo2gWD4a5X+yp/ntwdKLjRk=
@@ -1331,8 +1332,9 @@ github.com/opencontainers/go-digest v1.0.0-rc1.0.20180430190053-c9281466c8b2/go.
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
+github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc10/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
@@ -1648,8 +1650,8 @@ github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea h1:SXhTLE6pb6eld/
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea/go.mod h1:WPnis/6cRcDZSUvVmezrxJPkiO87ThFYsoUiMwWNDJk=
 github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305 h1:y/1cL5AL2oRcfzz8CAHHhR6kDDfIOT0WEyH5k40sccM=
 github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305/go.mod h1:gXOLibKqQTRAVuVZ9gX7G9Ykky8ll8yb4slxsEMoY0c=
-github.com/traefik/paerser v0.1.4 h1:/IXjV04Gf6di51H8Jl7jyS3OylsLjIasrwXIIwj1aT8=
-github.com/traefik/paerser v0.1.4/go.mod h1:FIdQ4Y92ulQUGSeZgxchtBKEcLw1o551PMNg9PoIq/4=
+github.com/traefik/paerser v0.1.5 h1:crit7KzQ9PUWGCYu+H2acwyr7ZKb3RQDSn6iJCtxBhE=
+github.com/traefik/paerser v0.1.5/go.mod h1:Fuwl9DWJfGpZPPwZY6djYIF0vhvzhLmCizn6P66UeLY=
 github.com/traefik/yaegi v0.11.2 h1:zosveTf5iIa60fAeQpaH4719b+bnlgsOvO7Nb/OTMTo=
 github.com/traefik/yaegi v0.11.2/go.mod h1:RuCwD8/wsX7b6KoQHOaIFUfuH3gQIK4KWnFFmJMw5VA=
 github.com/transip/gotransip/v6 v6.6.1 h1:nsCU1ErZS5G0FeOpgGXc4FsWvBff9GPswSMggsC4564=

integration/consul_catalog_test.go

@@ -277,7 +277,6 @@ func (s *ConsulCatalogSuite) TestDefaultConsulService(c *check.C) {
 		ConsulAddress string
 		DefaultRule   string
 	}{
-
 		ConsulAddress: s.consulURL,
 		DefaultRule:   "Host(`{{ normalize .Name }}.consul.localhost`)",
 	}

integration/fixtures/https/rootcas/https.toml

@@ -9,18 +9,24 @@
   # Use certificate in net/internal/testcert.go
   rootCAs =  [ """
 -----BEGIN CERTIFICATE-----
-MIICEzCCAXygAwIBAgIQMIMChMLGrR+QvmQvpwAU6zANBgkqhkiG9w0BAQsFADAS
+MIIDOTCCAiGgAwIBAgIQSRJrEpBGFc7tNb1fb5pKFzANBgkqhkiG9w0BAQsFADAS
 MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
-MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9SjY1bIw4
-iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZBl2+XsDul
-rKBxKKtD1rGxlG4LjncdabFn9gvLZad2bSysqz/qTAUStTvqJQIDAQABo2gwZjAO
-BgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUw
-AwEB/zAuBgNVHREEJzAlggtleGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAAAAAAAAAA
-AAAAATANBgkqhkiG9w0BAQsFAAOBgQCEcetwO59EWk7WiJsG4x8SY+UIAA+flUI9
-tyC4lNhbcF2Idq9greZwbYCqTTTr2XiRNSMLCOjKyI7ukPoPjo16ocHj+P3vZGfs
-h1fIw3cSS2OolhloGw/XM6RWPWtPAlGykKLciQrBru5NAPvCMsb/I1DAceTiotQM
-fblo6RBxUQ==
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA6Gba5tHV1dAKouAaXO3/ebDUU4rvwCUg/CNaJ2PT5xLD4N1Vcb8r
+bFSW2HXKq+MPfVdwIKR/1DczEoAGf/JWQTW7EgzlXrCd3rlajEX2D73faWJekD0U
+aUgz5vtrTXZ90BQL7WvRICd7FlEZ6FPOcPlumiyNmzUqtwGhO+9ad1W5BqJaRI6P
+YfouNkwR6Na4TzSj5BrqUfP0FwDizKSJ0XXmh8g8G9mtwxOSN3Ru1QFc61Xyeluk
+POGKBV/q6RBNklTNe0gI8usUMlYyoC7ytppNMW7X2vodAelSu25jgx2anj9fDVZu
+h7AXF5+4nJS4AAt0n1lNY7nGSsdZas8PbQIDAQABo4GIMIGFMA4GA1UdDwEB/wQE
+AwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+DgQWBBStsdjh3/JCXXYlQryOrL4Sh7BW5TAuBgNVHREEJzAlggtleGFtcGxlLmNv
+bYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAxWGI
+5NhpF3nwwy/4yB4i/CwwSpLrWUa70NyhvprUBC50PxiXav1TeDzwzLx/o5HyNwsv
+cxv3HdkLW59i/0SlJSrNnWdfZ19oTcS+6PtLoVyISgtyN6DpkKpdG1cOkW3Cy2P2
++tK/tKHRP1Y/Ra0RiDpOAmqn0gCOFGz8+lqDIor/T7MTpibL3IxqWfPrvfVRHL3B
+grw/ZQTTIVjjh4JBSW3WyWgNo/ikC1lrVxzl4iPUGptxT36Cr7Zk2Bsg0XqwbOvK
+5d+NTDREkSnUbie4GeutujmX3Dsx88UiV6UY/4lHJa6I5leHUNOHahRbpbWeOfs/
+WkBKOclmOV2xlTVuPw==
 -----END CERTIFICATE-----
 """]
 

integration/fixtures/https/rootcas/local.crt

@@ -1,14 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIICEzCCAXygAwIBAgIQMIMChMLGrR+QvmQvpwAU6zANBgkqhkiG9w0BAQsFADAS
+MIIDOTCCAiGgAwIBAgIQSRJrEpBGFc7tNb1fb5pKFzANBgkqhkiG9w0BAQsFADAS
 MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
-MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9SjY1bIw4
-iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZBl2+XsDul
-rKBxKKtD1rGxlG4LjncdabFn9gvLZad2bSysqz/qTAUStTvqJQIDAQABo2gwZjAO
-BgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUw
-AwEB/zAuBgNVHREEJzAlggtleGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAAAAAAAAAA
-AAAAATANBgkqhkiG9w0BAQsFAAOBgQCEcetwO59EWk7WiJsG4x8SY+UIAA+flUI9
-tyC4lNhbcF2Idq9greZwbYCqTTTr2XiRNSMLCOjKyI7ukPoPjo16ocHj+P3vZGfs
-h1fIw3cSS2OolhloGw/XM6RWPWtPAlGykKLciQrBru5NAPvCMsb/I1DAceTiotQM
-fblo6RBxUQ==
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA6Gba5tHV1dAKouAaXO3/ebDUU4rvwCUg/CNaJ2PT5xLD4N1Vcb8r
+bFSW2HXKq+MPfVdwIKR/1DczEoAGf/JWQTW7EgzlXrCd3rlajEX2D73faWJekD0U
+aUgz5vtrTXZ90BQL7WvRICd7FlEZ6FPOcPlumiyNmzUqtwGhO+9ad1W5BqJaRI6P
+YfouNkwR6Na4TzSj5BrqUfP0FwDizKSJ0XXmh8g8G9mtwxOSN3Ru1QFc61Xyeluk
+POGKBV/q6RBNklTNe0gI8usUMlYyoC7ytppNMW7X2vodAelSu25jgx2anj9fDVZu
+h7AXF5+4nJS4AAt0n1lNY7nGSsdZas8PbQIDAQABo4GIMIGFMA4GA1UdDwEB/wQE
+AwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+DgQWBBStsdjh3/JCXXYlQryOrL4Sh7BW5TAuBgNVHREEJzAlggtleGFtcGxlLmNv
+bYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAxWGI
+5NhpF3nwwy/4yB4i/CwwSpLrWUa70NyhvprUBC50PxiXav1TeDzwzLx/o5HyNwsv
+cxv3HdkLW59i/0SlJSrNnWdfZ19oTcS+6PtLoVyISgtyN6DpkKpdG1cOkW3Cy2P2
++tK/tKHRP1Y/Ra0RiDpOAmqn0gCOFGz8+lqDIor/T7MTpibL3IxqWfPrvfVRHL3B
+grw/ZQTTIVjjh4JBSW3WyWgNo/ikC1lrVxzl4iPUGptxT36Cr7Zk2Bsg0XqwbOvK
+5d+NTDREkSnUbie4GeutujmX3Dsx88UiV6UY/4lHJa6I5leHUNOHahRbpbWeOfs/
+WkBKOclmOV2xlTVuPw==
 -----END CERTIFICATE-----

integration/simple_test.go

@@ -32,7 +32,7 @@ func (s *SimpleSuite) TestInvalidConfigShouldFail(c *check.C) {
 	defer s.killCmd(cmd)
 
 	err = try.Do(500*time.Millisecond, func() error {
-		expected := "Near line 0 (last key parsed ''): bare keys cannot contain '{'"
+		expected := "expected '.' or '=', but got '{' instead"
 		actual := output.String()
 
 		if !strings.Contains(actual, expected) {

integration/websocket_test.go

@@ -500,7 +500,7 @@ func (s *WebsocketSuite) TestSSLhttp2(c *check.C) {
 	c.Assert(string(msg), checker.Equals, "OK")
 }
 
-func (s *WebsocketSuite) TestHeaderAreForwared(c *check.C) {
+func (s *WebsocketSuite) TestHeaderAreForwarded(c *check.C) {
 	upgrader := gorillawebsocket.Upgrader{} // use default options
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

pkg/config/dynamic/http_config.go

@@ -25,7 +25,7 @@ type HTTPConfiguration struct {
 // Model is a set of default router's values.
 type Model struct {
 	Middlewares []string         `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
-	TLS         *RouterTLSConfig `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	TLS         *RouterTLSConfig `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 }
 
 // +k8s:deepcopy-gen=true
@@ -46,7 +46,7 @@ type Router struct {
 	Service     string           `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
 	Rule        string           `json:"rule,omitempty" toml:"rule,omitempty" yaml:"rule,omitempty"`
 	Priority    int              `json:"priority,omitempty" toml:"priority,omitempty,omitzero" yaml:"priority,omitempty" export:"true"`
-	TLS         *RouterTLSConfig `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	TLS         *RouterTLSConfig `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 }
 
 // +k8s:deepcopy-gen=true
@@ -65,7 +65,7 @@ type Mirroring struct {
 	Service     string          `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
 	MaxBodySize *int64          `json:"maxBodySize,omitempty" toml:"maxBodySize,omitempty" yaml:"maxBodySize,omitempty" export:"true"`
 	Mirrors     []MirrorService `json:"mirrors,omitempty" toml:"mirrors,omitempty" yaml:"mirrors,omitempty" export:"true"`
-	HealthCheck *HealthCheck    `json:"healthCheck,omitempty" toml:"healthCheck,omitempty" yaml:"healthCheck,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	HealthCheck *HealthCheck    `json:"healthCheck,omitempty" toml:"healthCheck,omitempty" yaml:"healthCheck,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 }
 
 // SetDefaults Default values for a WRRService.
@@ -93,7 +93,7 @@ type WeightedRoundRobin struct {
 	// and takes it into account (i.e. it ignores the down child) when running the
 	// load-balancing algorithm. In addition, if the parent of this service also has
 	// HealthCheck enabled, this service reports to its parent any status change.
-	HealthCheck *HealthCheck `json:"healthCheck,omitempty" toml:"healthCheck,omitempty" yaml:"healthCheck,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	HealthCheck *HealthCheck `json:"healthCheck,omitempty" toml:"healthCheck,omitempty" yaml:"healthCheck,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 }
 
 // +k8s:deepcopy-gen=true
@@ -114,7 +114,7 @@ func (w *WRRService) SetDefaults() {
 
 // Sticky holds the sticky configuration.
 type Sticky struct {
-	Cookie *Cookie `json:"cookie,omitempty" toml:"cookie,omitempty" yaml:"cookie,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	Cookie *Cookie `json:"cookie,omitempty" toml:"cookie,omitempty" yaml:"cookie,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 }
 
 // +k8s:deepcopy-gen=true
@@ -131,7 +131,7 @@ type Cookie struct {
 
 // ServersLoadBalancer holds the ServersLoadBalancer configuration.
 type ServersLoadBalancer struct {
-	Sticky  *Sticky  `json:"sticky,omitempty" toml:"sticky,omitempty" yaml:"sticky,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	Sticky  *Sticky  `json:"sticky,omitempty" toml:"sticky,omitempty" yaml:"sticky,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 	Servers []Server `json:"servers,omitempty" toml:"servers,omitempty" yaml:"servers,omitempty" label-slice-as-struct:"server" export:"true"`
 	// HealthCheck enables regular active checks of the responsiveness of the
 	// children servers of this load-balancer. To propagate status changes (e.g. all

pkg/config/dynamic/middlewares.go

@@ -30,7 +30,7 @@ type Middleware struct {
 	InFlightReq       *InFlightReq       `json:"inFlightReq,omitempty" toml:"inFlightReq,omitempty" yaml:"inFlightReq,omitempty" export:"true"`
 	Buffering         *Buffering         `json:"buffering,omitempty" toml:"buffering,omitempty" yaml:"buffering,omitempty" export:"true"`
 	CircuitBreaker    *CircuitBreaker    `json:"circuitBreaker,omitempty" toml:"circuitBreaker,omitempty" yaml:"circuitBreaker,omitempty" export:"true"`
-	Compress          *Compress          `json:"compress,omitempty" toml:"compress,omitempty" yaml:"compress,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	Compress          *Compress          `json:"compress,omitempty" toml:"compress,omitempty" yaml:"compress,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 	PassTLSClientCert *PassTLSClientCert `json:"passTLSClientCert,omitempty" toml:"passTLSClientCert,omitempty" yaml:"passTLSClientCert,omitempty" export:"true"`
 	Retry             *Retry             `json:"retry,omitempty" toml:"retry,omitempty" yaml:"retry,omitempty" export:"true"`
 	ContentType       *ContentType       `json:"contentType,omitempty" toml:"contentType,omitempty" yaml:"contentType,omitempty" export:"true"`
@@ -275,7 +275,7 @@ func (s *IPStrategy) Get() (ip.Strategy, error) {
 // IPWhiteList holds the ip white list configuration.
 type IPWhiteList struct {
 	SourceRange []string    `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
-	IPStrategy  *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty"  label:"allowEmpty" file:"allowEmpty" export:"true"`
+	IPStrategy  *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty"  label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 }
 
 // +k8s:deepcopy-gen=true

pkg/config/dynamic/tcp_config.go

@@ -52,7 +52,7 @@ type TCPRouter struct {
 	Middlewares []string            `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
 	Service     string              `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
 	Rule        string              `json:"rule,omitempty" toml:"rule,omitempty" yaml:"rule,omitempty"`
-	TLS         *RouterTCPTLSConfig `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	TLS         *RouterTCPTLSConfig `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 }
 
 // +k8s:deepcopy-gen=true
@@ -75,7 +75,7 @@ type TCPServersLoadBalancer struct {
 	// connection. It is a duration in milliseconds, defaulting to 100. A negative value
 	// means an infinite deadline (i.e. the reading capability is never closed).
 	TerminationDelay *int           `json:"terminationDelay,omitempty" toml:"terminationDelay,omitempty" yaml:"terminationDelay,omitempty" export:"true"`
-	ProxyProtocol    *ProxyProtocol `json:"proxyProtocol,omitempty" toml:"proxyProtocol,omitempty" yaml:"proxyProtocol,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	ProxyProtocol    *ProxyProtocol `json:"proxyProtocol,omitempty" toml:"proxyProtocol,omitempty" yaml:"proxyProtocol,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 	Servers          []TCPServer    `json:"servers,omitempty" toml:"servers,omitempty" yaml:"servers,omitempty" label-slice-as-struct:"server" export:"true"`
 }
 

pkg/config/kv/kv.go

@@ -25,7 +25,7 @@ func Decode(pairs []*store.KVPair, element interface{}, rootName string) error {
 		return err
 	}
 
-	metaOpts := parser.MetadataOpts{TagName: parser.TagLabel, AllowSliceAsStruct: false}
+	metaOpts := parser.MetadataOpts{TagName: "kv", AllowSliceAsStruct: false}
 	err = parser.AddMetadata(element, node, metaOpts)
 	if err != nil {
 		return err

pkg/config/kv/kv_test.go

@@ -108,7 +108,7 @@ type sample struct {
 	FieldD []string
 	FieldE *struct {
 		Name string
-	} `label:"allowEmpty"`
+	} `kv:"allowEmpty"`
 	FieldF map[string]string
 	FieldG []sub
 	FieldH string

pkg/config/runtime/runtime_http_test.go

@@ -186,7 +186,6 @@ func TestGetRoutersByEntryPoints(t *testing.T) {
 				"webs": {
 					"bar": {
 						Router: &dynamic.Router{
-
 							EntryPoints: []string{"webs"},
 							Service:     "bar-service@myprovider",
 							Rule:        "Host(`foo.bar`)",

pkg/config/runtime/runtime_tcp_test.go

@@ -186,7 +186,6 @@ func TestGetTCPRoutersByEntryPoints(t *testing.T) {
 				"webs": {
 					"bar": {
 						TCPRouter: &dynamic.TCPRouter{
-
 							EntryPoints: []string{"webs"},
 							Service:     "bar-service@myprovider",
 							Rule:        "HostSNI(`foo.bar`)",

pkg/config/runtime/runtime_test.go

@@ -144,7 +144,7 @@ func TestPopulateUsedBy(t *testing.T) {
 			},
 		},
 		{
-			desc: "2 different Services each used by a disctinct router.",
+			desc: "2 different Services each used by a distinct router.",
 			conf: &runtime.Configuration{
 				Services: map[string]*runtime.ServiceInfo{
 					"foo-service@myprovider": {
@@ -384,7 +384,7 @@ func TestPopulateUsedBy(t *testing.T) {
 			},
 		},
 		{
-			desc: "2 middlewares from 2 disctinct providers both used by 2 Routers",
+			desc: "2 middlewares from 2 distinct providers both used by 2 Routers",
 			conf: &runtime.Configuration{
 				Services: map[string]*runtime.ServiceInfo{
 					"foo-service@myprovider": {
@@ -593,7 +593,7 @@ func TestPopulateUsedBy(t *testing.T) {
 			},
 		},
 		{
-			desc: "TCP, 2 different Services each used by a disctinct router.",
+			desc: "TCP, 2 different Services each used by a distinct router.",
 			conf: &runtime.Configuration{
 				TCPServices: map[string]*runtime.TCPServiceInfo{
 					"foo-service@myprovider": {

pkg/config/runtime/runtime_udp_test.go

@@ -169,7 +169,6 @@ func TestGetUDPRoutersByEntryPoints(t *testing.T) {
 				"webs": {
 					"bar": {
 						UDPRouter: &dynamic.UDPRouter{
-
 							EntryPoints: []string{"webs"},
 							Service:     "bar-service@myprovider",
 						},

pkg/config/static/entrypoints.go

@@ -55,8 +55,8 @@ func (ep *EntryPoint) SetDefaults() {
 // HTTPConfig is the HTTP configuration of an entry point.
 type HTTPConfig struct {
 	Redirections *Redirections `description:"Set of redirection" json:"redirections,omitempty" toml:"redirections,omitempty" yaml:"redirections,omitempty" export:"true"`
-	Middlewares  []string      `description:"Default middlewares for the routers linked to the entry point." json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty"  export:"true"`
-	TLS          *TLSConfig    `description:"Default TLS configuration for the routers linked to the entry point." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty"  export:"true"`
+	Middlewares  []string      `description:"Default middlewares for the routers linked to the entry point." json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
+	TLS          *TLSConfig    `description:"Default TLS configuration for the routers linked to the entry point." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 }
 
 // Redirections is a set of redirection for an entry point.

pkg/healthcheck/healthcheck.go

@@ -44,7 +44,7 @@ type BalancerHandler interface {
 }
 
 // BalancerStatusHandler is an http Handler that does load-balancing,
-// andupdates its parents of its status.
+// and updates its parents of its status.
 type BalancerStatusHandler interface {
 	BalancerHandler
 	StatusUpdater

pkg/metrics/prometheus.go

@@ -131,7 +131,7 @@ func initStandardRegistry(config *types.Prometheus) Registry {
 		Name: configLastReloadFailureName,
 		Help: "Last config reload failure",
 	}, []string{})
-	tlsCertsNotAfterTimesptamp := newGaugeFrom(promState.collectors, stdprometheus.GaugeOpts{
+	tlsCertsNotAfterTimestamp := newGaugeFrom(promState.collectors, stdprometheus.GaugeOpts{
 		Name: tlsCertsNotAfterTimestamp,
 		Help: "Certificate expiration timestamp",
 	}, []string{"cn", "serial", "sans"})
@@ -141,7 +141,7 @@ func initStandardRegistry(config *types.Prometheus) Registry {
 		configReloadsFailures.cv.Describe,
 		lastConfigReloadSuccess.gv.Describe,
 		lastConfigReloadFailure.gv.Describe,
-		tlsCertsNotAfterTimesptamp.gv.Describe,
+		tlsCertsNotAfterTimestamp.gv.Describe,
 	}
 
 	reg := &standardRegistry{
@@ -152,7 +152,7 @@ func initStandardRegistry(config *types.Prometheus) Registry {
 		configReloadsFailureCounter:    configReloadsFailures,
 		lastConfigReloadSuccessGauge:   lastConfigReloadSuccess,
 		lastConfigReloadFailureGauge:   lastConfigReloadFailure,
-		tlsCertsNotAfterTimestampGauge: tlsCertsNotAfterTimesptamp,
+		tlsCertsNotAfterTimestampGauge: tlsCertsNotAfterTimestamp,
 	}
 
 	if config.AddEntryPointsLabels {

pkg/middlewares/metrics/metrics.go

@@ -159,12 +159,27 @@ func containsHeader(req *http.Request, name, value string) bool {
 	return false
 }
 
+// getMethod returns the request's method.
+// It checks whether the method is a valid UTF-8 string.
+// To restrict the (potentially infinite) number of accepted values for the method,
+// and avoid unbounded memory issues,
+// values that are not part of the set of HTTP verbs are replaced with EXTENSION_METHOD.
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
+// https://datatracker.ietf.org/doc/html/rfc2616/#section-5.1.1.
 func getMethod(r *http.Request) string {
 	if !utf8.ValidString(r.Method) {
-		log.Warnf("Invalid HTTP method encoding: %s", r.Method)
+		log.WithoutContext().Warnf("Invalid HTTP method encoding: %s", r.Method)
 		return "NON_UTF8_HTTP_METHOD"
 	}
-	return r.Method
+
+	switch r.Method {
+	case "HEAD", "GET", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", // https://datatracker.ietf.org/doc/html/rfc7231#section-4
+		"PATCH", // https://datatracker.ietf.org/doc/html/rfc5789#section-2
+		"PRI":   // https://datatracker.ietf.org/doc/html/rfc7540#section-11.6
+		return r.Method
+	default:
+		return "EXTENSION_METHOD"
+	}
 }
 
 type retryMetrics interface {

pkg/middlewares/metrics/metrics_test.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"reflect"
+	"strings"
 	"testing"
 
 	"github.com/go-kit/kit/metrics"
@@ -98,3 +99,33 @@ func TestCloseNotifier(t *testing.T) {
 		})
 	}
 }
+
+func Test_getMethod(t *testing.T) {
+	testCases := []struct {
+		method   string
+		expected string
+	}{
+		{
+			method:   http.MethodGet,
+			expected: http.MethodGet,
+		},
+		{
+			method:   strings.ToLower(http.MethodGet),
+			expected: "EXTENSION_METHOD",
+		},
+		{
+			method:   "THIS_IS_NOT_A_VALID_METHOD",
+			expected: "EXTENSION_METHOD",
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.method, func(t *testing.T) {
+			t.Parallel()
+
+			request := httptest.NewRequest(test.method, "http://example.com", nil)
+			assert.Equal(t, test.expected, getMethod(request))
+		})
+	}
+}

pkg/middlewares/recovery/recovery_test.go

@@ -12,7 +12,7 @@ import (
 
 func TestRecoverHandler(t *testing.T) {
 	fn := func(w http.ResponseWriter, r *http.Request) {
-		panic("I love panicing!")
+		panic("I love panicking!")
 	}
 	recovery, err := New(context.Background(), http.HandlerFunc(fn))
 	require.NoError(t, err)

pkg/middlewares/retry/retry_test.go

@@ -104,11 +104,11 @@ func TestRetry(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 
-			retryAttemps := 0
+			retryAttempts := 0
 			next := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-				retryAttemps++
+				retryAttempts++
 
-				if retryAttemps > test.amountFaultyEndpoints {
+				if retryAttempts > test.amountFaultyEndpoints {
 					// calls WroteHeaders on httptrace.
 					_ = r.Write(io.Discard)
 
@@ -275,11 +275,11 @@ func TestRetryWebsocket(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 
-			retryAttemps := 0
+			retryAttempts := 0
 			next := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-				retryAttemps++
+				retryAttempts++
 
-				if retryAttemps > test.amountFaultyEndpoints {
+				if retryAttempts > test.amountFaultyEndpoints {
 					upgrader := websocket.Upgrader{}
 					_, err := upgrader.Upgrade(rw, r, nil)
 					if err != nil {

pkg/middlewares/snicheck/snicheck.go

@@ -0,0 +1,107 @@
+package snicheck
+
+import (
+	"net"
+	"net/http"
+	"strings"
+
+	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/middlewares/requestdecorator"
+	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+)
+
+// SNICheck is an HTTP handler that checks whether the TLS configuration for the server name is the same as for the host header.
+type SNICheck struct {
+	next              http.Handler
+	tlsOptionsForHost map[string]string
+}
+
+// New creates a new SNICheck.
+func New(tlsOptionsForHost map[string]string, next http.Handler) *SNICheck {
+	return &SNICheck{next: next, tlsOptionsForHost: tlsOptionsForHost}
+}
+
+func (s SNICheck) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+	if req.TLS == nil {
+		s.next.ServeHTTP(rw, req)
+		return
+	}
+
+	host := getHost(req)
+	serverName := strings.TrimSpace(req.TLS.ServerName)
+
+	// Domain Fronting
+	if !strings.EqualFold(host, serverName) {
+		tlsOptionHeader := findTLSOptionName(s.tlsOptionsForHost, host, true)
+		tlsOptionSNI := findTLSOptionName(s.tlsOptionsForHost, serverName, false)
+
+		if tlsOptionHeader != tlsOptionSNI {
+			log.WithoutContext().
+				WithField("host", host).
+				WithField("req.Host", req.Host).
+				WithField("req.TLS.ServerName", req.TLS.ServerName).
+				Debugf("TLS options difference: SNI:%s, Header:%s", tlsOptionSNI, tlsOptionHeader)
+			http.Error(rw, http.StatusText(http.StatusMisdirectedRequest), http.StatusMisdirectedRequest)
+			return
+		}
+	}
+
+	s.next.ServeHTTP(rw, req)
+}
+
+func getHost(req *http.Request) string {
+	h := requestdecorator.GetCNAMEFlatten(req.Context())
+	if h != "" {
+		return h
+	}
+
+	h = requestdecorator.GetCanonizedHost(req.Context())
+	if h != "" {
+		return h
+	}
+
+	host, _, err := net.SplitHostPort(req.Host)
+	if err != nil {
+		host = req.Host
+	}
+
+	return strings.TrimSpace(host)
+}
+
+func findTLSOptionName(tlsOptionsForHost map[string]string, host string, fqdn bool) string {
+	name := findTLSOptName(tlsOptionsForHost, host, fqdn)
+	if name != "" {
+		return name
+	}
+
+	name = findTLSOptName(tlsOptionsForHost, strings.ToLower(host), fqdn)
+	if name != "" {
+		return name
+	}
+
+	return traefiktls.DefaultTLSConfigName
+}
+
+func findTLSOptName(tlsOptionsForHost map[string]string, host string, fqdn bool) string {
+	if tlsOptions, ok := tlsOptionsForHost[host]; ok {
+		return tlsOptions
+	}
+
+	if !fqdn {
+		return ""
+	}
+
+	if last := len(host) - 1; last >= 0 && host[last] == '.' {
+		if tlsOptions, ok := tlsOptionsForHost[host[:last]]; ok {
+			return tlsOptions
+		}
+
+		return ""
+	}
+
+	if tlsOptions, ok := tlsOptionsForHost[host+"."]; ok {
+		return tlsOptions
+	}
+
+	return ""
+}

pkg/middlewares/snicheck/snicheck_test.go

@@ -0,0 +1,60 @@
+package snicheck
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSNICheck_ServeHTTP(t *testing.T) {
+	testCases := []struct {
+		desc              string
+		tlsOptionsForHost map[string]string
+		host              string
+		expected          int
+	}{
+		{
+			desc:     "no TLS options",
+			expected: http.StatusOK,
+		},
+		{
+			desc: "with TLS options",
+			tlsOptionsForHost: map[string]string{
+				"example.com": "foo",
+			},
+			expected: http.StatusOK,
+		},
+		{
+			desc: "server name and host doesn't have the same TLS configuration",
+			tlsOptionsForHost: map[string]string{
+				"example.com": "foo",
+			},
+			host:     "example.com",
+			expected: http.StatusMisdirectedRequest,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			next := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {})
+
+			sniCheck := New(test.tlsOptionsForHost, next)
+
+			req := httptest.NewRequest(http.MethodGet, "https://localhost", nil)
+			if test.host != "" {
+				req.Host = test.host
+			}
+
+			recorder := httptest.NewRecorder()
+
+			sniCheck.ServeHTTP(recorder, req)
+
+			assert.Equal(t, test.expected, recorder.Code)
+		})
+	}
+}

pkg/middlewares/stripprefix/strip_prefix_test.go

@@ -126,7 +126,6 @@ func TestStripPrefix(t *testing.T) {
 		{
 			desc: "earlier prefix matching",
 			config: dynamic.StripPrefix{
-
 				Prefixes: []string{"/stat", "/stat/us"},
 			},
 			path:               "/stat/us",

pkg/middlewares/tracing/forwarder.go

@@ -43,8 +43,8 @@ func (f *forwarderMiddleware) ServeHTTP(rw http.ResponseWriter, req *http.Reques
 	span, req, finish := tr.StartSpanf(req, ext.SpanKindRPCClientEnum, "forward", opParts, "/")
 	defer finish()
 
-	span.SetTag("service.name", f.service)
-	span.SetTag("router.name", f.router)
+	span.SetTag("traefik.service.name", f.service)
+	span.SetTag("traefik.router.name", f.router)
 	ext.HTTPMethod.Set(span, req.Method)
 	ext.HTTPUrl.Set(span, req.URL.String())
 	span.SetTag("http.host", req.Host)

pkg/middlewares/tracing/forwarder_test.go

@@ -36,12 +36,12 @@ func TestNewForwarder(t *testing.T) {
 			router:  "some-service.domain.tld",
 			expected: expected{
 				Tags: map[string]interface{}{
-					"http.host":    "www.test.com",
-					"http.method":  "GET",
-					"http.url":     "http://www.test.com/toto",
-					"service.name": "some-service.domain.tld",
-					"router.name":  "some-service.domain.tld",
-					"span.kind":    ext.SpanKindRPCClientEnum,
+					"http.host":            "www.test.com",
+					"http.method":          "GET",
+					"http.url":             "http://www.test.com/toto",
+					"traefik.service.name": "some-service.domain.tld",
+					"traefik.router.name":  "some-service.domain.tld",
+					"span.kind":            ext.SpanKindRPCClientEnum,
 				},
 				OperationName: "forward some-service.domain.tld/some-service.domain.tld",
 			},
@@ -56,12 +56,12 @@ func TestNewForwarder(t *testing.T) {
 			router:  "some-service-100.slug.namespace.environment.domain.tld",
 			expected: expected{
 				Tags: map[string]interface{}{
-					"http.host":    "www.test.com",
-					"http.method":  "GET",
-					"http.url":     "http://www.test.com/toto",
-					"service.name": "some-service-100.slug.namespace.environment.domain.tld",
-					"router.name":  "some-service-100.slug.namespace.environment.domain.tld",
-					"span.kind":    ext.SpanKindRPCClientEnum,
+					"http.host":            "www.test.com",
+					"http.method":          "GET",
+					"http.url":             "http://www.test.com/toto",
+					"traefik.service.name": "some-service-100.slug.namespace.environment.domain.tld",
+					"traefik.router.name":  "some-service-100.slug.namespace.environment.domain.tld",
+					"span.kind":            ext.SpanKindRPCClientEnum,
 				},
 				OperationName: "forward some-service-100.slug.namespace.enviro.../some-service-100.slug.namespace.enviro.../bc4a0d48",
 			},
@@ -76,12 +76,12 @@ func TestNewForwarder(t *testing.T) {
 			router:  "some-service1.namespace.environment.domain.tld",
 			expected: expected{
 				Tags: map[string]interface{}{
-					"http.host":    "www.test.com",
-					"http.method":  "GET",
-					"http.url":     "http://www.test.com/toto",
-					"service.name": "some-service1.namespace.environment.domain.tld",
-					"router.name":  "some-service1.namespace.environment.domain.tld",
-					"span.kind":    ext.SpanKindRPCClientEnum,
+					"http.host":            "www.test.com",
+					"http.method":          "GET",
+					"http.url":             "http://www.test.com/toto",
+					"traefik.service.name": "some-service1.namespace.environment.domain.tld",
+					"traefik.router.name":  "some-service1.namespace.environment.domain.tld",
+					"span.kind":            ext.SpanKindRPCClientEnum,
 				},
 				OperationName: "forward some-service1.namespace.environment.domain.tld/some-service1.namespace.environment.domain.tld",
 			},
@@ -96,12 +96,12 @@ func TestNewForwarder(t *testing.T) {
 			router:  "some-service1.backend.namespace.environment.domain.tld",
 			expected: expected{
 				Tags: map[string]interface{}{
-					"http.host":    "www.test.com",
-					"http.method":  "GET",
-					"http.url":     "http://www.test.com/toto",
-					"service.name": "some-service1.frontend.namespace.environment.domain.tld",
-					"router.name":  "some-service1.backend.namespace.environment.domain.tld",
-					"span.kind":    ext.SpanKindRPCClientEnum,
+					"http.host":            "www.test.com",
+					"http.method":          "GET",
+					"http.url":             "http://www.test.com/toto",
+					"traefik.service.name": "some-service1.frontend.namespace.environment.domain.tld",
+					"traefik.router.name":  "some-service1.backend.namespace.environment.domain.tld",
+					"span.kind":            ext.SpanKindRPCClientEnum,
 				},
 				OperationName: "forward some-service1.frontend.namespace.envir.../some-service1.backend.namespace.enviro.../fa49dd23",
 			},

pkg/middlewares/tracing/wrapper.go

@@ -10,12 +10,12 @@ import (
 	"github.com/traefik/traefik/v2/pkg/tracing"
 )
 
-// Tracable embeds tracing information.
-type Tracable interface {
+// Traceable embeds tracing information.
+type Traceable interface {
 	GetTracingInformation() (name string, spanKind ext.SpanKindEnum)
 }
 
-// Wrap adds tracability to an alice.Constructor.
+// Wrap adds traceability to an alice.Constructor.
 func Wrap(ctx context.Context, constructor alice.Constructor) alice.Constructor {
 	return func(next http.Handler) (http.Handler, error) {
 		if constructor == nil {
@@ -26,8 +26,8 @@ func Wrap(ctx context.Context, constructor alice.Constructor) alice.Constructor
 			return nil, err
 		}
 
-		if tracableHandler, ok := handler.(Tracable); ok {
-			name, spanKind := tracableHandler.GetTracingInformation()
+		if traceableHandler, ok := handler.(Traceable); ok {
+			name, spanKind := traceableHandler.GetTracingInformation()
 			log.FromContext(ctx).WithField(log.MiddlewareName, name).Debug("Adding tracing to middleware")
 			return NewWrapper(handler, name, spanKind), nil
 		}

pkg/provider/acme/challenge_http.go

@@ -103,7 +103,7 @@ func (c *ChallengeHTTP) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 func (c *ChallengeHTTP) getTokenValue(ctx context.Context, token, domain string) []byte {
 	logger := log.FromContext(ctx)
-	logger.Debugf("Retrieving the ACME challenge for token %s...", token)
+	logger.Debugf("Retrieving the ACME challenge for %s (token %q)...", domain, token)
 
 	var result []byte
 
@@ -112,13 +112,13 @@ func (c *ChallengeHTTP) getTokenValue(ctx context.Context, token, domain string)
 		defer c.lock.RUnlock()
 
 		if _, ok := c.httpChallenges[token]; !ok {
-			return fmt.Errorf("cannot find challenge for token %s", token)
+			return fmt.Errorf("cannot find challenge for token %q (%s)", token, domain)
 		}
 
 		var ok bool
 		result, ok = c.httpChallenges[token][domain]
 		if !ok {
-			return fmt.Errorf("cannot find challenge for domain %s", domain)
+			return fmt.Errorf("cannot find challenge for %s (token %q)", domain, token)
 		}
 
 		return nil
@@ -132,7 +132,7 @@ func (c *ChallengeHTTP) getTokenValue(ctx context.Context, token, domain string)
 	ebo.MaxElapsedTime = 60 * time.Second
 	err := backoff.RetryNotify(safe.OperationWithRecover(operation), ebo, notify)
 	if err != nil {
-		logger.Errorf("Cannot retrieve the ACME challenge for token %v: %v", token, err)
+		logger.Errorf("Cannot retrieve the ACME challenge for %s (token %q): %v", domain, token, err)
 		return []byte{}
 	}
 

pkg/provider/docker/docker.go

@@ -528,7 +528,8 @@ func (p *Provider) parseService(ctx context.Context, service swarmtypes.Service,
 }
 
 func listTasks(ctx context.Context, dockerClient client.APIClient, serviceID string,
-	serviceDockerData dockerData, networkMap map[string]*dockertypes.NetworkResource, isGlobalSvc bool) ([]dockerData, error) {
+	serviceDockerData dockerData, networkMap map[string]*dockertypes.NetworkResource, isGlobalSvc bool,
+) ([]dockerData, error) {
 	serviceIDFilter := filters.NewArgs()
 	serviceIDFilter.Add("service", serviceID)
 	serviceIDFilter.Add("desired-state", "running")
@@ -552,7 +553,8 @@ func listTasks(ctx context.Context, dockerClient client.APIClient, serviceID str
 }
 
 func parseTasks(ctx context.Context, task swarmtypes.Task, serviceDockerData dockerData,
-	networkMap map[string]*dockertypes.NetworkResource, isGlobalSvc bool) dockerData {
+	networkMap map[string]*dockertypes.NetworkResource, isGlobalSvc bool,
+) dockerData {
 	dData := dockerData{
 		ID:              task.ID,
 		ServiceName:     serviceDockerData.Name,

pkg/provider/ecs/ecs.go

@@ -454,7 +454,7 @@ func (p *Provider) lookupTaskDefinitions(ctx context.Context, client *awsClient,
 // chunkIDs ECS expects no more than 100 parameters be passed to a API call;
 // thus, pack each string into an array capped at 100 elements.
 func (p *Provider) chunkIDs(ids []*string) [][]*string {
-	var chuncked [][]*string
+	var chunked [][]*string
 	for i := 0; i < len(ids); i += 100 {
 		var sliceEnd int
 		if i+100 < len(ids) {
@@ -462,7 +462,7 @@ func (p *Provider) chunkIDs(ids []*string) [][]*string {
 		} else {
 			sliceEnd = len(ids)
 		}
-		chuncked = append(chuncked, ids[i:sliceEnd])
+		chunked = append(chunked, ids[i:sliceEnd])
 	}
-	return chuncked
+	return chunked
 }

pkg/provider/kubernetes/crd/client.go

@@ -31,7 +31,6 @@ const resyncPeriod = 10 * time.Minute
 // The stores can then be accessed via the Get* functions.
 type Client interface {
 	WatchAll(namespaces []string, stopCh <-chan struct{}) (<-chan interface{}, error)
-
 	GetIngressRoutes() []*v1alpha1.IngressRoute
 	GetIngressRouteTCPs() []*v1alpha1.IngressRouteTCP
 	GetIngressRouteUDPs() []*v1alpha1.IngressRouteUDP
@@ -42,7 +41,6 @@ type Client interface {
 	GetTLSOptions() []*v1alpha1.TLSOption
 	GetServersTransports() []*v1alpha1.ServersTransport
 	GetTLSStores() []*v1alpha1.TLSStore
-
 	GetService(namespace, name string) (*corev1.Service, bool, error)
 	GetSecret(namespace, name string) (*corev1.Secret, bool, error)
 	GetEndpoints(namespace, name string) (*corev1.Endpoints, bool, error)

pkg/provider/kubernetes/crd/fixtures/tcp/with_different_services_ns.yml

@@ -27,5 +27,5 @@ spec:
       weight: 4
     # with unknown namespace
     - name: whoamitcp
-      namespace: unknwonns
+      namespace: unknowns
       port: 8080

pkg/provider/kubernetes/crd/fixtures/udp/with_different_services_ns.yml

@@ -26,5 +26,5 @@ spec:
       weight: 4
     # with unknown namespace
     - name: whoamiudp
-      namespace: unknwonns
+      namespace: unknowns
       port: 8080

pkg/provider/kubernetes/gateway/client.go

@@ -50,7 +50,6 @@ func (reh *resourceEventHandler) OnDelete(obj interface{}) {
 // The stores can then be accessed via the Get* functions.
 type Client interface {
 	WatchAll(namespaces []string, stopCh <-chan struct{}) (<-chan interface{}, error)
-
 	GetGatewayClasses() ([]*v1alpha2.GatewayClass, error)
 	UpdateGatewayStatus(gateway *v1alpha2.Gateway, gatewayStatus v1alpha2.GatewayStatus) error
 	UpdateGatewayClassStatus(gatewayClass *v1alpha2.GatewayClass, condition metav1.Condition) error
@@ -58,7 +57,6 @@ type Client interface {
 	GetHTTPRoutes(namespaces []string) ([]*v1alpha2.HTTPRoute, error)
 	GetTCPRoutes(namespaces []string) ([]*v1alpha2.TCPRoute, error)
 	GetTLSRoutes(namespaces []string) ([]*v1alpha2.TLSRoute, error)
-
 	GetService(namespace, name string) (*corev1.Service, bool, error)
 	GetSecret(namespace, name string) (*corev1.Secret, bool, error)
 	GetEndpoints(namespace, name string) (*corev1.Endpoints, bool, error)

pkg/provider/kubernetes/gateway/fixtures/httproute/gatewayclass_with_unknown_controller.yml

@@ -4,7 +4,7 @@ apiVersion: gateway.networking.k8s.io/v1alpha2
 metadata:
   name: my-gateway-class
 spec:
-  controllerName: unkown.io/gateway-controller
+  controllerName: unknown.io/gateway-controller
 
 ---
 kind: Gateway

pkg/provider/kubernetes/gateway/fixtures/tcproute/gatewayclass_with_unknown_controller.yml

@@ -4,7 +4,7 @@ apiVersion: gateway.networking.k8s.io/v1alpha2
 metadata:
   name: my-gateway-class
 spec:
-  controllerName: unkown.io/gateway-controller
+  controllerName: unknown.io/gateway-controller
 
 ---
 kind: Gateway

pkg/provider/kubernetes/gateway/fixtures/tlsroute/gatewayclass_with_unknown_controller.yml

@@ -15,7 +15,7 @@ apiVersion: gateway.networking.k8s.io/v1alpha2
 metadata:
   name: my-gateway-class
 spec:
-  controllerName: unkown.io/gateway-controller
+  controllerName: unknown.io/gateway-controller
 
 ---
 kind: Gateway

pkg/server/middleware/chainbuilder.go

@@ -9,7 +9,6 @@ import (
 	"github.com/traefik/traefik/v2/pkg/metrics"
 	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
 	metricsmiddleware "github.com/traefik/traefik/v2/pkg/middlewares/metrics"
-	"github.com/traefik/traefik/v2/pkg/middlewares/requestdecorator"
 	mTracing "github.com/traefik/traefik/v2/pkg/middlewares/tracing"
 	"github.com/traefik/traefik/v2/pkg/tracing"
 	"github.com/traefik/traefik/v2/pkg/tracing/jaeger"
@@ -20,7 +19,6 @@ type ChainBuilder struct {
 	metricsRegistry        metrics.Registry
 	accessLoggerMiddleware *accesslog.Handler
 	tracer                 *tracing.Tracing
-	requestDecorator       *requestdecorator.RequestDecorator
 }
 
 // NewChainBuilder Creates a new ChainBuilder.
@@ -29,7 +27,6 @@ func NewChainBuilder(staticConfiguration static.Configuration, metricsRegistry m
 		metricsRegistry:        metricsRegistry,
 		accessLoggerMiddleware: accessLoggerMiddleware,
 		tracer:                 setupTracing(staticConfiguration.Tracing),
-		requestDecorator:       requestdecorator.New(staticConfiguration.HostResolver),
 	}
 }
 
@@ -49,7 +46,7 @@ func (c *ChainBuilder) Build(ctx context.Context, entryPointName string) alice.C
 		chain = chain.Append(metricsmiddleware.WrapEntryPointHandler(ctx, c.metricsRegistry, entryPointName))
 	}
 
-	return chain.Append(requestdecorator.WrapHandler(c.requestDecorator))
+	return chain
 }
 
 // Close accessLogger and tracer.

pkg/server/router/tcp/router.go

@@ -5,12 +5,11 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	"net"
 	"net/http"
-	"strings"
 
 	"github.com/traefik/traefik/v2/pkg/config/runtime"
 	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/middlewares/snicheck"
 	"github.com/traefik/traefik/v2/pkg/rules"
 	"github.com/traefik/traefik/v2/pkg/server/provider"
 	tcpservice "github.com/traefik/traefik/v2/pkg/server/service/tcp"
@@ -161,38 +160,7 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
 		}
 	}
 
-	sniCheck := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-		if req.TLS == nil {
-			handlerHTTPS.ServeHTTP(rw, req)
-			return
-		}
-
-		host, _, err := net.SplitHostPort(req.Host)
-		if err != nil {
-			host = req.Host
-		}
-
-		host = strings.TrimSpace(host)
-		serverName := strings.TrimSpace(req.TLS.ServerName)
-
-		// Domain Fronting
-		if !strings.EqualFold(host, serverName) {
-			tlsOptionSNI := findTLSOptionName(tlsOptionsForHost, serverName)
-			tlsOptionHeader := findTLSOptionName(tlsOptionsForHost, host)
-
-			if tlsOptionHeader != tlsOptionSNI {
-				log.WithoutContext().
-					WithField("host", host).
-					WithField("req.Host", req.Host).
-					WithField("req.TLS.ServerName", req.TLS.ServerName).
-					Debugf("TLS options difference: SNI=%s, Header:%s", tlsOptionSNI, tlsOptionHeader)
-				http.Error(rw, http.StatusText(http.StatusMisdirectedRequest), http.StatusMisdirectedRequest)
-				return
-			}
-		}
-
-		handlerHTTPS.ServeHTTP(rw, req)
-	})
+	sniCheck := snicheck.New(tlsOptionsForHost, handlerHTTPS)
 
 	router.HTTPSHandler(sniCheck, defaultTLSConf)
 
@@ -321,17 +289,3 @@ func (m *Manager) buildTCPHandler(ctx context.Context, router *runtime.TCPRouter
 
 	return tcp.NewChain().Extend(*mHandler).Then(sHandler)
 }
-
-func findTLSOptionName(tlsOptionsForHost map[string]string, host string) string {
-	tlsOptions, ok := tlsOptionsForHost[host]
-	if ok {
-		return tlsOptions
-	}
-
-	tlsOptions, ok = tlsOptionsForHost[strings.ToLower(host)]
-	if ok {
-		return tlsOptions
-	}
-
-	return traefiktls.DefaultTLSConfigName
-}

pkg/server/router/tcp/router_test.go

@@ -59,7 +59,6 @@ func TestRuntimeConfiguration(t *testing.T) {
 				},
 				"bar": {
 					TCPRouter: &dynamic.TCPRouter{
-
 						EntryPoints: []string{"web"},
 						Service:     "foo-service",
 						Rule:        "HostSNI(`foo.bar`)",
@@ -136,7 +135,6 @@ func TestRuntimeConfiguration(t *testing.T) {
 				},
 				"bar": {
 					Router: &dynamic.Router{
-
 						EntryPoints: []string{"web"},
 						Service:     "foo-service",
 						Rule:        "Host(`bar.foo`) && PathPrefix(`/path`)",
@@ -240,7 +238,6 @@ func TestRuntimeConfiguration(t *testing.T) {
 				},
 				"bar": {
 					TCPRouter: &dynamic.TCPRouter{
-
 						EntryPoints: []string{"web"},
 						Service:     "foo-service",
 						Rule:        "HostSNI(`foo.bar`)",
@@ -340,9 +337,26 @@ func TestRuntimeConfiguration(t *testing.T) {
 }
 
 func TestDomainFronting(t *testing.T) {
+	tlsOptionsBase := map[string]traefiktls.Options{
+		"default": {
+			MinVersion: "VersionTLS10",
+		},
+		"host1@file": {
+			MinVersion: "VersionTLS12",
+		},
+		"host1@crd": {
+			MinVersion: "VersionTLS12",
+		},
+	}
+
+	entryPoints := []string{"web"}
+
 	tests := []struct {
 		desc           string
 		routers        map[string]*runtime.RouterInfo
+		tlsOptions     map[string]traefiktls.Options
+		host           string
+		ServerName     string
 		expectedStatus int
 	}{
 		{
@@ -350,7 +364,7 @@ func TestDomainFronting(t *testing.T) {
 			routers: map[string]*runtime.RouterInfo{
 				"router-1@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host1.local`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1",
@@ -359,12 +373,15 @@ func TestDomainFronting(t *testing.T) {
 				},
 				"router-2@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host2.local`)",
 						TLS:         &dynamic.RouterTLSConfig{},
 					},
 				},
 			},
+			tlsOptions:     tlsOptionsBase,
+			host:           "host1.local",
+			ServerName:     "host2.local",
 			expectedStatus: http.StatusMisdirectedRequest,
 		},
 		{
@@ -372,7 +389,7 @@ func TestDomainFronting(t *testing.T) {
 			routers: map[string]*runtime.RouterInfo{
 				"router-1@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host1.local`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1",
@@ -381,7 +398,7 @@ func TestDomainFronting(t *testing.T) {
 				},
 				"router-2@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host2.local`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1",
@@ -389,6 +406,9 @@ func TestDomainFronting(t *testing.T) {
 					},
 				},
 			},
+			tlsOptions:     tlsOptionsBase,
+			host:           "host1.local",
+			ServerName:     "host2.local",
 			expectedStatus: http.StatusOK,
 		},
 		{
@@ -396,7 +416,7 @@ func TestDomainFronting(t *testing.T) {
 			routers: map[string]*runtime.RouterInfo{
 				"router-1@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host1.local`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1",
@@ -405,7 +425,7 @@ func TestDomainFronting(t *testing.T) {
 				},
 				"router-2@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host1.local`) && PathPrefix(`/foo`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "default",
@@ -414,7 +434,7 @@ func TestDomainFronting(t *testing.T) {
 				},
 				"router-3@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host2.local`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1",
@@ -422,6 +442,9 @@ func TestDomainFronting(t *testing.T) {
 					},
 				},
 			},
+			tlsOptions:     tlsOptionsBase,
+			host:           "host1.local",
+			ServerName:     "host2.local",
 			expectedStatus: http.StatusMisdirectedRequest,
 		},
 		{
@@ -429,7 +452,7 @@ func TestDomainFronting(t *testing.T) {
 			routers: map[string]*runtime.RouterInfo{
 				"router-1@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host1.local`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1",
@@ -438,7 +461,7 @@ func TestDomainFronting(t *testing.T) {
 				},
 				"router-2@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host1.local`) && PathPrefix(`/bar`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1",
@@ -447,7 +470,7 @@ func TestDomainFronting(t *testing.T) {
 				},
 				"router-3@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host2.local`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1",
@@ -455,6 +478,9 @@ func TestDomainFronting(t *testing.T) {
 					},
 				},
 			},
+			tlsOptions:     tlsOptionsBase,
+			host:           "host1.local",
+			ServerName:     "host2.local",
 			expectedStatus: http.StatusOK,
 		},
 		{
@@ -462,7 +488,7 @@ func TestDomainFronting(t *testing.T) {
 			routers: map[string]*runtime.RouterInfo{
 				"router-1@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host1.local`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1",
@@ -471,7 +497,7 @@ func TestDomainFronting(t *testing.T) {
 				},
 				"router-2@crd": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host2.local`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1",
@@ -479,6 +505,9 @@ func TestDomainFronting(t *testing.T) {
 					},
 				},
 			},
+			tlsOptions:     tlsOptionsBase,
+			host:           "host1.local",
+			ServerName:     "host2.local",
 			expectedStatus: http.StatusMisdirectedRequest,
 		},
 		{
@@ -486,7 +515,7 @@ func TestDomainFronting(t *testing.T) {
 			routers: map[string]*runtime.RouterInfo{
 				"router-1@file": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host1.local`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1@crd",
@@ -495,7 +524,7 @@ func TestDomainFronting(t *testing.T) {
 				},
 				"router-2@crd": {
 					Router: &dynamic.Router{
-						EntryPoints: []string{"web"},
+						EntryPoints: entryPoints,
 						Rule:        "Host(`host2.local`)",
 						TLS: &dynamic.RouterTLSConfig{
 							Options: "host1@crd",
@@ -503,25 +532,63 @@ func TestDomainFronting(t *testing.T) {
 					},
 				},
 			},
+			tlsOptions:     tlsOptionsBase,
+			host:           "host1.local",
+			ServerName:     "host2.local",
 			expectedStatus: http.StatusOK,
 		},
+		{
+			desc: "Request is misdirected when server name is empty and the host name is an FQDN, but router's rule is not",
+			routers: map[string]*runtime.RouterInfo{
+				"router-1@file": {
+					Router: &dynamic.Router{
+						EntryPoints: entryPoints,
+						Rule:        "Host(`host1.local`)",
+						TLS: &dynamic.RouterTLSConfig{
+							Options: "host1@file",
+						},
+					},
+				},
+			},
+			tlsOptions: map[string]traefiktls.Options{
+				"default": {
+					MinVersion: "VersionTLS13",
+				},
+				"host1@file": {
+					MinVersion: "VersionTLS12",
+				},
+			},
+			host:           "host1.local.",
+			expectedStatus: http.StatusMisdirectedRequest,
+		},
+		{
+			desc: "Request is misdirected when server name is empty and the host name is not FQDN, but router's rule is",
+			routers: map[string]*runtime.RouterInfo{
+				"router-1@file": {
+					Router: &dynamic.Router{
+						EntryPoints: entryPoints,
+						Rule:        "Host(`host1.local.`)",
+						TLS: &dynamic.RouterTLSConfig{
+							Options: "host1@file",
+						},
+					},
+				},
+			},
+			tlsOptions: map[string]traefiktls.Options{
+				"default": {
+					MinVersion: "VersionTLS13",
+				},
+				"host1@file": {
+					MinVersion: "VersionTLS12",
+				},
+			},
+			host:           "host1.local",
+			expectedStatus: http.StatusMisdirectedRequest,
+		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
-			entryPoints := []string{"web"}
-			tlsOptions := map[string]traefiktls.Options{
-				"default": {
-					MinVersion: "VersionTLS10",
-				},
-				"host1@file": {
-					MinVersion: "VersionTLS12",
-				},
-				"host1@crd": {
-					MinVersion: "VersionTLS12",
-				},
-			}
-
 			conf := &runtime.Configuration{
 				Routers: test.routers,
 			}
@@ -529,7 +596,7 @@ func TestDomainFronting(t *testing.T) {
 			serviceManager := tcp.NewManager(conf)
 
 			tlsManager := traefiktls.NewManager()
-			tlsManager.UpdateConfigs(context.Background(), map[string]traefiktls.Store{}, tlsOptions, []*traefiktls.CertAndStores{})
+			tlsManager.UpdateConfigs(context.Background(), map[string]traefiktls.Store{}, test.tlsOptions, []*traefiktls.CertAndStores{})
 
 			httpsHandler := map[string]http.Handler{
 				"web": http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {}),
@@ -545,9 +612,9 @@ func TestDomainFronting(t *testing.T) {
 			require.True(t, ok)
 
 			req := httptest.NewRequest(http.MethodGet, "/", nil)
-			req.Host = "host1.local"
+			req.Host = test.host
 			req.TLS = &tls.ConnectionState{
-				ServerName: "host2.local",
+				ServerName: test.ServerName,
 			}
 
 			rw := httptest.NewRecorder()

pkg/server/router/udp/router_test.go

@@ -46,7 +46,6 @@ func TestRuntimeConfiguration(t *testing.T) {
 				},
 				"bar": {
 					UDPRouter: &dynamic.UDPRouter{
-
 						EntryPoints: []string{"web"},
 						Service:     "foo-service",
 					},
@@ -78,7 +77,6 @@ func TestRuntimeConfiguration(t *testing.T) {
 				},
 				"bar": {
 					UDPRouter: &dynamic.UDPRouter{
-
 						EntryPoints: []string{"web"},
 						Service:     "foo-service",
 					},

pkg/server/routerfactory.go

@@ -36,7 +36,8 @@ type RouterFactory struct {
 
 // NewRouterFactory creates a new RouterFactory.
 func NewRouterFactory(staticConfiguration static.Configuration, managerFactory *service.ManagerFactory, tlsManager *tls.Manager,
-	chainBuilder *middleware.ChainBuilder, pluginBuilder middleware.PluginsBuilder, metricsRegistry metrics.Registry) *RouterFactory {
+	chainBuilder *middleware.ChainBuilder, pluginBuilder middleware.PluginsBuilder, metricsRegistry metrics.Registry,
+) *RouterFactory {
 	var entryPointsTCP, entryPointsUDP []string
 	for name, cfg := range staticConfiguration.EntryPoints {
 		protocol, err := cfg.GetProtocol()

pkg/server/server.go

@@ -31,7 +31,8 @@ type Server struct {
 
 // NewServer returns an initialized Server.
 func NewServer(routinesPool *safe.Pool, entryPoints TCPEntryPoints, entryPointsUDP UDPEntryPoints, watcher *ConfigurationWatcher,
-	chainBuilder *middleware.ChainBuilder, accessLoggerMiddleware *accesslog.Handler) *Server {
+	chainBuilder *middleware.ChainBuilder, accessLoggerMiddleware *accesslog.Handler,
+) *Server {
 	srv := &Server{
 		watcher:                watcher,
 		tcpEntryPoints:         entryPoints,

pkg/server/server_entrypoint_tcp.go

@@ -11,6 +11,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/containous/alice"
 	"github.com/pires/go-proxyproto"
 	"github.com/sirupsen/logrus"
 	"github.com/traefik/traefik/v2/pkg/config/static"
@@ -18,9 +19,11 @@ import (
 	"github.com/traefik/traefik/v2/pkg/log"
 	"github.com/traefik/traefik/v2/pkg/middlewares"
 	"github.com/traefik/traefik/v2/pkg/middlewares/forwardedheaders"
+	"github.com/traefik/traefik/v2/pkg/middlewares/requestdecorator"
 	"github.com/traefik/traefik/v2/pkg/safe"
 	"github.com/traefik/traefik/v2/pkg/server/router"
 	"github.com/traefik/traefik/v2/pkg/tcp"
+	"github.com/traefik/traefik/v2/pkg/types"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
 )
@@ -60,7 +63,7 @@ func (h *httpForwarder) Accept() (net.Conn, error) {
 type TCPEntryPoints map[string]*TCPEntryPoint
 
 // NewTCPEntryPoints creates a new TCPEntryPoints.
-func NewTCPEntryPoints(entryPointsConfig static.EntryPoints) (TCPEntryPoints, error) {
+func NewTCPEntryPoints(entryPointsConfig static.EntryPoints, hostResolverConfig *types.HostResolverConfig) (TCPEntryPoints, error) {
 	serverEntryPointsTCP := make(TCPEntryPoints)
 	for entryPointName, config := range entryPointsConfig {
 		protocol, err := config.GetProtocol()
@@ -74,7 +77,7 @@ func NewTCPEntryPoints(entryPointsConfig static.EntryPoints) (TCPEntryPoints, er
 
 		ctx := log.With(context.Background(), log.Str(log.EntryPointName, entryPointName))
 
-		serverEntryPointsTCP[entryPointName], err = NewTCPEntryPoint(ctx, config)
+		serverEntryPointsTCP[entryPointName], err = NewTCPEntryPoint(ctx, config, hostResolverConfig)
 		if err != nil {
 			return nil, fmt.Errorf("error while building entryPoint %s: %w", entryPointName, err)
 		}
@@ -130,7 +133,7 @@ type TCPEntryPoint struct {
 }
 
 // NewTCPEntryPoint creates a new TCPEntryPoint.
-func NewTCPEntryPoint(ctx context.Context, configuration *static.EntryPoint) (*TCPEntryPoint, error) {
+func NewTCPEntryPoint(ctx context.Context, configuration *static.EntryPoint, hostResolverConfig *types.HostResolverConfig) (*TCPEntryPoint, error) {
 	tracker := newConnectionTracker()
 
 	listener, err := buildListener(ctx, configuration)
@@ -140,14 +143,16 @@ func NewTCPEntryPoint(ctx context.Context, configuration *static.EntryPoint) (*T
 
 	rt := &tcp.Router{}
 
-	httpServer, err := createHTTPServer(ctx, listener, configuration, true)
+	reqDecorator := requestdecorator.New(hostResolverConfig)
+
+	httpServer, err := createHTTPServer(ctx, listener, configuration, true, reqDecorator)
 	if err != nil {
 		return nil, fmt.Errorf("error preparing httpServer: %w", err)
 	}
 
 	rt.HTTPForwarder(httpServer.Forwarder)
 
-	httpsServer, err := createHTTPServer(ctx, listener, configuration, false)
+	httpsServer, err := createHTTPServer(ctx, listener, configuration, false, reqDecorator)
 	if err != nil {
 		return nil, fmt.Errorf("error preparing httpsServer: %w", err)
 	}
@@ -500,16 +505,19 @@ type httpServer struct {
 	Switcher  *middlewares.HTTPHandlerSwitcher
 }
 
-func createHTTPServer(ctx context.Context, ln net.Listener, configuration *static.EntryPoint, withH2c bool) (*httpServer, error) {
+func createHTTPServer(ctx context.Context, ln net.Listener, configuration *static.EntryPoint, withH2c bool, reqDecorator *requestdecorator.RequestDecorator) (*httpServer, error) {
 	httpSwitcher := middlewares.NewHandlerSwitcher(router.BuildDefaultHTTPRouter())
 
+	next, err := alice.New(requestdecorator.WrapHandler(reqDecorator)).Then(httpSwitcher)
+	if err != nil {
+		return nil, err
+	}
+
 	var handler http.Handler
-	var err error
 	handler, err = forwardedheaders.NewXForwarded(
 		configuration.ForwardedHeaders.Insecure,
 		configuration.ForwardedHeaders.TrustedIPs,
-		httpSwitcher)
-
+		next)
 	if err != nil {
 		return nil, err
 	}

pkg/server/server_entrypoint_tcp_http3_test.go

@@ -17,38 +17,57 @@ import (
 // LocalhostCert is a PEM-encoded TLS cert with SAN IPs
 // "127.0.0.1" and "[::1]", expiring at Jan 29 16:00:00 2084 GMT.
 // generated from src/crypto/tls:
-// go run generate_cert.go  --rsa-bits 1024 --host 127.0.0.1,::1,example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
+// go run generate_cert.go  --rsa-bits 2048 --host 127.0.0.1,::1,example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
 var (
 	localhostCert = traefiktls.FileOrContent(`-----BEGIN CERTIFICATE-----
-MIICEzCCAXygAwIBAgIQMIMChMLGrR+QvmQvpwAU6zANBgkqhkiG9w0BAQsFADAS
+MIIDOTCCAiGgAwIBAgIQSRJrEpBGFc7tNb1fb5pKFzANBgkqhkiG9w0BAQsFADAS
 MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
-MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9SjY1bIw4
-iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZBl2+XsDul
-rKBxKKtD1rGxlG4LjncdabFn9gvLZad2bSysqz/qTAUStTvqJQIDAQABo2gwZjAO
-BgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUw
-AwEB/zAuBgNVHREEJzAlggtleGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAAAAAAAAAA
-AAAAATANBgkqhkiG9w0BAQsFAAOBgQCEcetwO59EWk7WiJsG4x8SY+UIAA+flUI9
-tyC4lNhbcF2Idq9greZwbYCqTTTr2XiRNSMLCOjKyI7ukPoPjo16ocHj+P3vZGfs
-h1fIw3cSS2OolhloGw/XM6RWPWtPAlGykKLciQrBru5NAPvCMsb/I1DAceTiotQM
-fblo6RBxUQ==
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA6Gba5tHV1dAKouAaXO3/ebDUU4rvwCUg/CNaJ2PT5xLD4N1Vcb8r
+bFSW2HXKq+MPfVdwIKR/1DczEoAGf/JWQTW7EgzlXrCd3rlajEX2D73faWJekD0U
+aUgz5vtrTXZ90BQL7WvRICd7FlEZ6FPOcPlumiyNmzUqtwGhO+9ad1W5BqJaRI6P
+YfouNkwR6Na4TzSj5BrqUfP0FwDizKSJ0XXmh8g8G9mtwxOSN3Ru1QFc61Xyeluk
+POGKBV/q6RBNklTNe0gI8usUMlYyoC7ytppNMW7X2vodAelSu25jgx2anj9fDVZu
+h7AXF5+4nJS4AAt0n1lNY7nGSsdZas8PbQIDAQABo4GIMIGFMA4GA1UdDwEB/wQE
+AwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+DgQWBBStsdjh3/JCXXYlQryOrL4Sh7BW5TAuBgNVHREEJzAlggtleGFtcGxlLmNv
+bYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAxWGI
+5NhpF3nwwy/4yB4i/CwwSpLrWUa70NyhvprUBC50PxiXav1TeDzwzLx/o5HyNwsv
+cxv3HdkLW59i/0SlJSrNnWdfZ19oTcS+6PtLoVyISgtyN6DpkKpdG1cOkW3Cy2P2
++tK/tKHRP1Y/Ra0RiDpOAmqn0gCOFGz8+lqDIor/T7MTpibL3IxqWfPrvfVRHL3B
+grw/ZQTTIVjjh4JBSW3WyWgNo/ikC1lrVxzl4iPUGptxT36Cr7Zk2Bsg0XqwbOvK
+5d+NTDREkSnUbie4GeutujmX3Dsx88UiV6UY/4lHJa6I5leHUNOHahRbpbWeOfs/
+WkBKOclmOV2xlTVuPw==
 -----END CERTIFICATE-----`)
 
 	// LocalhostKey is the private key for localhostCert.
 	localhostKey = traefiktls.FileOrContent(`-----BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9
-SjY1bIw4iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZB
-l2+XsDulrKBxKKtD1rGxlG4LjncdabFn9gvLZad2bSysqz/qTAUStTvqJQIDAQAB
-AoGAGRzwwir7XvBOAy5tM/uV6e+Zf6anZzus1s1Y1ClbjbE6HXbnWWF/wbZGOpet
-3Zm4vD6MXc7jpTLryzTQIvVdfQbRc6+MUVeLKwZatTXtdZrhu+Jk7hx0nTPy8Jcb
-uJqFk541aEw+mMogY/xEcfbWd6IOkp+4xqjlFLBEDytgbIECQQDvH/E6nk+hgN4H
-qzzVtxxr397vWrjrIgPbJpQvBsafG7b0dA4AFjwVbFLmQcj2PprIMmPcQrooz8vp
-jy4SHEg1AkEA/v13/5M47K9vCxmb8QeD/asydfsgS5TeuNi8DoUBEmiSJwma7FXY
-fFUtxuvL7XvjwjN5B30pNEbc6Iuyt7y4MQJBAIt21su4b3sjXNueLKH85Q+phy2U
-fQtuUE9txblTu14q3N7gHRZB4ZMhFYyDy8CKrN2cPg/Fvyt0Xlp/DoCzjA0CQQDU
-y2ptGsuSmgUtWj3NM9xuwYPm+Z/F84K6+ARYiZ6PYj013sovGKUFfYAqVXVlxtIX
-qyUBnu3X9ps8ZfjLZO7BAkEAlT4R5Yl6cGhaJQYZHOde3JEMhNRcVFMO8dJDaFeo
-f9Oeos0UUothgiDktdQHxdNEwLjQf7lJJBzV+5OtwswCWA==
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDoZtrm0dXV0Aqi
+4Bpc7f95sNRTiu/AJSD8I1onY9PnEsPg3VVxvytsVJbYdcqr4w99V3AgpH/UNzMS
+gAZ/8lZBNbsSDOVesJ3euVqMRfYPvd9pYl6QPRRpSDPm+2tNdn3QFAvta9EgJ3sW
+URnoU85w+W6aLI2bNSq3AaE771p3VbkGolpEjo9h+i42TBHo1rhPNKPkGupR8/QX
+AOLMpInRdeaHyDwb2a3DE5I3dG7VAVzrVfJ6W6Q84YoFX+rpEE2SVM17SAjy6xQy
+VjKgLvK2mk0xbtfa+h0B6VK7bmODHZqeP18NVm6HsBcXn7iclLgAC3SfWU1jucZK
+x1lqzw9tAgMBAAECggEABWzxS1Y2wckblnXY57Z+sl6YdmLV+gxj2r8Qib7g4ZIk
+lIlWR1OJNfw7kU4eryib4fc6nOh6O4AWZyYqAK6tqNQSS/eVG0LQTLTTEldHyVJL
+dvBe+MsUQOj4nTndZW+QvFzbcm2D8lY5n2nBSxU5ypVoKZ1EqQzytFcLZpTN7d89
+EPj0qDyrV4NZlWAwL1AygCwnlwhMQjXEalVF1ylXwU3QzyZ/6MgvF6d3SSUlh+sq
+XefuyigXw484cQQgbzopv6niMOmGP3of+yV4JQqUSb3IDmmT68XjGd2Dkxl4iPki
+6ZwXf3CCi+c+i/zVEcufgZ3SLf8D99kUGE7v7fZ6AQKBgQD1ZX3RAla9hIhxCf+O
+3D+I1j2LMrdjAh0ZKKqwMR4JnHX3mjQI6LwqIctPWTU8wYFECSh9klEclSdCa64s
+uI/GNpcqPXejd0cAAdqHEEeG5sHMDt0oFSurL4lyud0GtZvwlzLuwEweuDtvT9cJ
+Wfvl86uyO36IW8JdvUprYDctrQKBgQDycZ697qutBieZlGkHpnYWUAeImVA878sJ
+w44NuXHvMxBPz+lbJGAg8Cn8fcxNAPqHIraK+kx3po8cZGQywKHUWsxi23ozHoxo
++bGqeQb9U661TnfdDspIXia+xilZt3mm5BPzOUuRqlh4Y9SOBpSWRmEhyw76w4ZP
+OPxjWYAgwQKBgA/FehSYxeJgRjSdo+MWnK66tjHgDJE8bYpUZsP0JC4R9DL5oiaA
+brd2fI6Y+SbyeNBallObt8LSgzdtnEAbjIH8uDJqyOmknNePRvAvR6mP4xyuR+Bv
+m+Lgp0DMWTw5J9CKpydZDItc49T/mJ5tPhdFVd+am0NAQnmr1MCZ6nHxAoGABS3Y
+LkaC9FdFUUqSU8+Chkd/YbOkuyiENdkvl6t2e52jo5DVc1T7mLiIrRQi4SI8N9bN
+/3oJWCT+uaSLX2ouCtNFunblzWHBrhxnZzTeqVq4SLc8aESAnbslKL4i8/+vYZlN
+s8xtiNcSvL+lMsOBORSXzpj/4Ot8WwTkn1qyGgECgYBKNTypzAHeLE6yVadFp3nQ
+Ckq9yzvP/ib05rvgbvrne00YeOxqJ9gtTrzgh7koqJyX1L4NwdkEza4ilDWpucn0
+xiUZS4SoaJq6ZvcBYS62Yr1t8n09iG47YL8ibgtmH3L+svaotvpVxVK+d7BLevA/
+ZboOWVe3icTy64BT3OQhmg==
 -----END RSA PRIVATE KEY-----`)
 )
 
@@ -72,7 +91,7 @@ func TestHTTP3AdvertisedPort(t *testing.T) {
 		HTTP3: &static.HTTP3Config{
 			AdvertisedPort: 8080,
 		},
-	})
+	}, nil)
 	require.NoError(t, err)
 
 	router := &tcp.Router{}

pkg/server/server_entrypoint_tcp_test.go

@@ -79,7 +79,7 @@ func testShutdown(t *testing.T, router *tcp.Router) {
 		Address:          "127.0.0.1:0",
 		Transport:        epConfig,
 		ForwardedHeaders: &static.ForwardedHeaders{},
-	})
+	}, nil)
 	require.NoError(t, err)
 
 	conn, err := startEntrypoint(entryPoint, router)
@@ -162,7 +162,7 @@ func TestReadTimeoutWithoutFirstByte(t *testing.T) {
 		Address:          ":0",
 		Transport:        epConfig,
 		ForwardedHeaders: &static.ForwardedHeaders{},
-	})
+	}, nil)
 	require.NoError(t, err)
 
 	router := &tcp.Router{}
@@ -198,7 +198,7 @@ func TestReadTimeoutWithFirstByte(t *testing.T) {
 		Address:          ":0",
 		Transport:        epConfig,
 		ForwardedHeaders: &static.ForwardedHeaders{},
-	})
+	}, nil)
 	require.NoError(t, err)
 
 	router := &tcp.Router{}

pkg/server/service/loadbalancer/wrr/wrr.go

@@ -86,7 +86,7 @@ func (b *Balancer) Push(x interface{}) {
 	b.handlers = append(b.handlers, h)
 }
 
-// Pop implements heap.Interface for poping an item from the heap.
+// Pop implements heap.Interface for popping an item from the heap.
 // It panics if b.Len() < 1.
 func (b *Balancer) Pop() interface{} {
 	h := b.handlers[len(b.handlers)-1]

pkg/tcp/chain_test.go

@@ -144,7 +144,7 @@ func TestAppendRespectsImmutability(t *testing.T) {
 	newChain := chain.Append(tagMiddleware(""))
 
 	if &chain.constructors[0] == &newChain.constructors[0] {
-		t.Error("Apppend does not respect immutability")
+		t.Error("Append does not respect immutability")
 	}
 }
 

pkg/tls/tlsmanager_test.go

@@ -17,35 +17,54 @@ import (
 // go run generate_cert.go  --rsa-bits 1024 --host 127.0.0.1,::1,example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
 var (
 	localhostCert = FileOrContent(`-----BEGIN CERTIFICATE-----
-MIICEzCCAXygAwIBAgIQMIMChMLGrR+QvmQvpwAU6zANBgkqhkiG9w0BAQsFADAS
+MIIDOTCCAiGgAwIBAgIQSRJrEpBGFc7tNb1fb5pKFzANBgkqhkiG9w0BAQsFADAS
 MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
-MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9SjY1bIw4
-iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZBl2+XsDul
-rKBxKKtD1rGxlG4LjncdabFn9gvLZad2bSysqz/qTAUStTvqJQIDAQABo2gwZjAO
-BgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUw
-AwEB/zAuBgNVHREEJzAlggtleGFtcGxlLmNvbYcEfwAAAYcQAAAAAAAAAAAAAAAA
-AAAAATANBgkqhkiG9w0BAQsFAAOBgQCEcetwO59EWk7WiJsG4x8SY+UIAA+flUI9
-tyC4lNhbcF2Idq9greZwbYCqTTTr2XiRNSMLCOjKyI7ukPoPjo16ocHj+P3vZGfs
-h1fIw3cSS2OolhloGw/XM6RWPWtPAlGykKLciQrBru5NAPvCMsb/I1DAceTiotQM
-fblo6RBxUQ==
+MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA6Gba5tHV1dAKouAaXO3/ebDUU4rvwCUg/CNaJ2PT5xLD4N1Vcb8r
+bFSW2HXKq+MPfVdwIKR/1DczEoAGf/JWQTW7EgzlXrCd3rlajEX2D73faWJekD0U
+aUgz5vtrTXZ90BQL7WvRICd7FlEZ6FPOcPlumiyNmzUqtwGhO+9ad1W5BqJaRI6P
+YfouNkwR6Na4TzSj5BrqUfP0FwDizKSJ0XXmh8g8G9mtwxOSN3Ru1QFc61Xyeluk
+POGKBV/q6RBNklTNe0gI8usUMlYyoC7ytppNMW7X2vodAelSu25jgx2anj9fDVZu
+h7AXF5+4nJS4AAt0n1lNY7nGSsdZas8PbQIDAQABo4GIMIGFMA4GA1UdDwEB/wQE
+AwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+DgQWBBStsdjh3/JCXXYlQryOrL4Sh7BW5TAuBgNVHREEJzAlggtleGFtcGxlLmNv
+bYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAxWGI
+5NhpF3nwwy/4yB4i/CwwSpLrWUa70NyhvprUBC50PxiXav1TeDzwzLx/o5HyNwsv
+cxv3HdkLW59i/0SlJSrNnWdfZ19oTcS+6PtLoVyISgtyN6DpkKpdG1cOkW3Cy2P2
++tK/tKHRP1Y/Ra0RiDpOAmqn0gCOFGz8+lqDIor/T7MTpibL3IxqWfPrvfVRHL3B
+grw/ZQTTIVjjh4JBSW3WyWgNo/ikC1lrVxzl4iPUGptxT36Cr7Zk2Bsg0XqwbOvK
+5d+NTDREkSnUbie4GeutujmX3Dsx88UiV6UY/4lHJa6I5leHUNOHahRbpbWeOfs/
+WkBKOclmOV2xlTVuPw==
 -----END CERTIFICATE-----`)
 
 	// LocalhostKey is the private key for localhostCert.
 	localhostKey = FileOrContent(`-----BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9
-SjY1bIw4iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZB
-l2+XsDulrKBxKKtD1rGxlG4LjncdabFn9gvLZad2bSysqz/qTAUStTvqJQIDAQAB
-AoGAGRzwwir7XvBOAy5tM/uV6e+Zf6anZzus1s1Y1ClbjbE6HXbnWWF/wbZGOpet
-3Zm4vD6MXc7jpTLryzTQIvVdfQbRc6+MUVeLKwZatTXtdZrhu+Jk7hx0nTPy8Jcb
-uJqFk541aEw+mMogY/xEcfbWd6IOkp+4xqjlFLBEDytgbIECQQDvH/E6nk+hgN4H
-qzzVtxxr397vWrjrIgPbJpQvBsafG7b0dA4AFjwVbFLmQcj2PprIMmPcQrooz8vp
-jy4SHEg1AkEA/v13/5M47K9vCxmb8QeD/asydfsgS5TeuNi8DoUBEmiSJwma7FXY
-fFUtxuvL7XvjwjN5B30pNEbc6Iuyt7y4MQJBAIt21su4b3sjXNueLKH85Q+phy2U
-fQtuUE9txblTu14q3N7gHRZB4ZMhFYyDy8CKrN2cPg/Fvyt0Xlp/DoCzjA0CQQDU
-y2ptGsuSmgUtWj3NM9xuwYPm+Z/F84K6+ARYiZ6PYj013sovGKUFfYAqVXVlxtIX
-qyUBnu3X9ps8ZfjLZO7BAkEAlT4R5Yl6cGhaJQYZHOde3JEMhNRcVFMO8dJDaFeo
-f9Oeos0UUothgiDktdQHxdNEwLjQf7lJJBzV+5OtwswCWA==
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDoZtrm0dXV0Aqi
+4Bpc7f95sNRTiu/AJSD8I1onY9PnEsPg3VVxvytsVJbYdcqr4w99V3AgpH/UNzMS
+gAZ/8lZBNbsSDOVesJ3euVqMRfYPvd9pYl6QPRRpSDPm+2tNdn3QFAvta9EgJ3sW
+URnoU85w+W6aLI2bNSq3AaE771p3VbkGolpEjo9h+i42TBHo1rhPNKPkGupR8/QX
+AOLMpInRdeaHyDwb2a3DE5I3dG7VAVzrVfJ6W6Q84YoFX+rpEE2SVM17SAjy6xQy
+VjKgLvK2mk0xbtfa+h0B6VK7bmODHZqeP18NVm6HsBcXn7iclLgAC3SfWU1jucZK
+x1lqzw9tAgMBAAECggEABWzxS1Y2wckblnXY57Z+sl6YdmLV+gxj2r8Qib7g4ZIk
+lIlWR1OJNfw7kU4eryib4fc6nOh6O4AWZyYqAK6tqNQSS/eVG0LQTLTTEldHyVJL
+dvBe+MsUQOj4nTndZW+QvFzbcm2D8lY5n2nBSxU5ypVoKZ1EqQzytFcLZpTN7d89
+EPj0qDyrV4NZlWAwL1AygCwnlwhMQjXEalVF1ylXwU3QzyZ/6MgvF6d3SSUlh+sq
+XefuyigXw484cQQgbzopv6niMOmGP3of+yV4JQqUSb3IDmmT68XjGd2Dkxl4iPki
+6ZwXf3CCi+c+i/zVEcufgZ3SLf8D99kUGE7v7fZ6AQKBgQD1ZX3RAla9hIhxCf+O
+3D+I1j2LMrdjAh0ZKKqwMR4JnHX3mjQI6LwqIctPWTU8wYFECSh9klEclSdCa64s
+uI/GNpcqPXejd0cAAdqHEEeG5sHMDt0oFSurL4lyud0GtZvwlzLuwEweuDtvT9cJ
+Wfvl86uyO36IW8JdvUprYDctrQKBgQDycZ697qutBieZlGkHpnYWUAeImVA878sJ
+w44NuXHvMxBPz+lbJGAg8Cn8fcxNAPqHIraK+kx3po8cZGQywKHUWsxi23ozHoxo
++bGqeQb9U661TnfdDspIXia+xilZt3mm5BPzOUuRqlh4Y9SOBpSWRmEhyw76w4ZP
+OPxjWYAgwQKBgA/FehSYxeJgRjSdo+MWnK66tjHgDJE8bYpUZsP0JC4R9DL5oiaA
+brd2fI6Y+SbyeNBallObt8LSgzdtnEAbjIH8uDJqyOmknNePRvAvR6mP4xyuR+Bv
+m+Lgp0DMWTw5J9CKpydZDItc49T/mJ5tPhdFVd+am0NAQnmr1MCZ6nHxAoGABS3Y
+LkaC9FdFUUqSU8+Chkd/YbOkuyiENdkvl6t2e52jo5DVc1T7mLiIrRQi4SI8N9bN
+/3oJWCT+uaSLX2ouCtNFunblzWHBrhxnZzTeqVq4SLc8aESAnbslKL4i8/+vYZlN
+s8xtiNcSvL+lMsOBORSXzpj/4Ot8WwTkn1qyGgECgYBKNTypzAHeLE6yVadFp3nQ
+Ckq9yzvP/ib05rvgbvrne00YeOxqJ9gtTrzgh7koqJyX1L4NwdkEza4ilDWpucn0
+xiUZS4SoaJq6ZvcBYS62Yr1t8n09iG47YL8ibgtmH3L+svaotvpVxVK+d7BLevA/
+ZboOWVe3icTy64BT3OQhmg==
 -----END RSA PRIVATE KEY-----`)
 )
 

pkg/types/metrics.go

@@ -93,7 +93,7 @@ type InfluxDB struct {
 	AddEntryPointsLabels bool              `description:"Enable metrics on entry points." json:"addEntryPointsLabels,omitempty" toml:"addEntryPointsLabels,omitempty" yaml:"addEntryPointsLabels,omitempty" export:"true"`
 	AddRoutersLabels     bool              `description:"Enable metrics on routers." json:"addRoutersLabels,omitempty" toml:"addRoutersLabels,omitempty" yaml:"addRoutersLabels,omitempty" export:"true"`
 	AddServicesLabels    bool              `description:"Enable metrics on services." json:"addServicesLabels,omitempty" toml:"addServicesLabels,omitempty" yaml:"addServicesLabels,omitempty" export:"true"`
-	AdditionalLabels     map[string]string `description:"Additional labels (influxdb tags) on all metrics" json:"additionalLabels,omitempty" toml:"additionalLabels,omitEmpty" yaml:"additionalLabels,omitEmpty" export:"true"`
+	AdditionalLabels     map[string]string `description:"Additional labels (influxdb tags) on all metrics" json:"additionalLabels,omitempty" toml:"additionalLabels,omitempty" yaml:"additionalLabels,omitempty" export:"true"`
 }
 
 // SetDefaults sets the default values.

script/gcg/traefik-bugfix.toml

@@ -4,11 +4,11 @@ RepositoryName = "traefik"
 OutputType = "file"
 FileName = "traefik_changelog.md"
 
-# example new bugfix v2.5.7
-CurrentRef = "v2.5"
-PreviousRef = "v2.5.6"
-BaseBranch = "v2.5"
-FutureCurrentRefName = "v2.5.7"
+# example new bugfix v2.6.2
+CurrentRef = "v2.6"
+PreviousRef = "v2.6.1"
+BaseBranch = "v2.6"
+FutureCurrentRefName = "v2.6.2"
 
 ThresholdPreviousRef = 10
 ThresholdCurrentRef = 10

webui/.gitignore

@@ -26,3 +26,7 @@ yarn-error.log*
 # local env files
 .env.local
 .env.*.local
+
+# static assets (ignore all except the DO NOT EDIT file)
+static/*
+!static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md

webui/dev/scripts/transfer.js

@@ -5,6 +5,7 @@ const folder = process.argv[2]
 async function execute () {
   try {
     await fs.emptyDir('./static')
+    await fs.outputFile('./static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md', 'For more information show `webui/readme.md`')
     console.log('Deleted static folder contents!')
     await fs.copy(`./dist/${folder}`, './static', { overwrite: true })
     console.log('Installed new files in static folder!')

webui/readme.md

@@ -14,15 +14,15 @@ Traefik Web UI provide 2 types of information:
 Use the make file :
 
 ```shell
-make build-image      # Generate Docker image
-make generate-webui   # Generate static contents in `traefik/webui/static/` folder.
+make build-image                # Generate Docker image.
+make clean-webui generate-webui # Generate static contents in `webui/static/` folder.
 ```
 
 ## How to build (only for frontend developer)
 
 - prerequisite: [Node 12.11+](https://nodejs.org) [Npm](https://www.npmjs.com/)
 
-- Go to the `webui` directory
+- Go to the `webui/` directory
 
 - To install dependencies, execute the following commands:
 
@@ -32,9 +32,9 @@ make generate-webui   # Generate static contents in `traefik/webui/static/` fold
 
   - `npm run build`
 
-- Static contents are built in the `webui/static` directory
+- Static contents are built in the `webui/static/` directory
 
-**Do not manually change the files in the `webui/static` directory**
+**Do not manually change the files in the `webui/static/` directory**
 
 - The build allows to:
   - optimize all JavaScript
@@ -46,10 +46,10 @@ make generate-webui   # Generate static contents in `traefik/webui/static/` fold
 
 ## How to edit (only for frontend developer)
 
-**Do not manually change the files in the `webui/static` directory**
+**Do not manually change the files in the `webui/static/` directory**
 
-- Go to the `webui` directory
-- Edit files in `webui/src`
+- Go to the `webui/` directory
+- Edit files in `webui/src/`
 - Run in development mode :
   - `npm run dev`
 

webui/src/components/_commons/ChartDoughnut.vue

@@ -16,7 +16,7 @@ export default {
   },
   watch: {
     chartdata: function (newData, oldData) {
-      // TODO - bug, 'update()' not update the chart, remplace for renderChart()
+      // TODO - bug, 'update()' not update the chart, replace for renderChart()
       // console.log('new data from watcher...', newData, oldData, isEqual(newData.datasets[0].data, oldData.datasets[0].data))
       if (!isEqual(newData.datasets[0].data, oldData.datasets[0].data)) {
         // this.$data._chart.update()

webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md

@@ -0,0 +1 @@
+For more information show `webui/readme.md`