Merge branch v2.0 to master.

2019-04-17 13:49:49 +02:00 · 2019-04-17 13:49:49 +02:00 · 11f04a453e
commit 11f04a453e
parent 7baa752a9d 01b916eaa0
752 changed files with 13542 additions and 265800 deletions
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@ -76,7 +76,7 @@ Add more configuration information here.
 -->
-### If applicable, please paste the log output at DEBUG level (`--logLevel=DEBUG` switch)
+### If applicable, please paste the log output at DEBUG level (`--log.level=DEBUG` switch)
 ```
 (paste your output here)
--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@ -81,7 +81,7 @@ Add more configuration information here.
 -->
-### If applicable, please paste the log output in DEBUG level (`--logLevel=DEBUG` switch)
+### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
 ```
 (paste your output here)
--- a/.golangci.toml
+++ b/.golangci.toml
@ -1,8 +1,6 @@
 [run]
  deadline = "10m"
-  skip-files = [
+  skip-files = []
    "^old/.*",
  ]
 [linters-settings]
@ -52,12 +50,6 @@
 [[issues.exclude-rules]]
    path = ".+_test.go"
    linters = ["goconst"]
 [[issues.exclude-rules]]
    path = "provider/label/internal/.+_test.go"
    text = "U1000: field `(foo|fuu)` is unused"
 [[issues.exclude-rules]]
    path = "middlewares/recovery/recovery.go"
    text = "`logger` can be `github.com/containous/traefik/vendor/github.com/stretchr/testify/assert.TestingT`"
 [[issues.exclude-rules]]
    path = "integration/.+_test.go"
    text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
@ -68,23 +60,26 @@
    path = "integration/grpc_test.go"
    text = "Error return value of `closer` is not checked"
 [[issues.exclude-rules]]
-    path = "provider/kubernetes/builder_(endpoint|service)_test.go"
+    path = "pkg/h2c/h2c.go"
    text = "Error return value of `rw.Write` is not checked"
 [[issues.exclude-rules]]
    path = "pkg/middlewares/recovery/recovery.go"
    text = "`logger` can be `github.com/containous/traefik/vendor/github.com/stretchr/testify/assert.TestingT`"
 [[issues.exclude-rules]]
    path = "pkg/provider/docker/builder_test.go"
    text = "(U1000: func )?`(.+)` is unused"
 [[issues.exclude-rules]]
-    path = "provider/docker/builder_test.go"
+    path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
    text = "(U1000: func )?`(.+)` is unused"
 [[issues.exclude-rules]]
    path = "pkg/provider/label/internal/.+_test.go"
    text = "U1000: field `(foo|fuu)` is unused"
 [[issues.exclude-rules]]
    path = "pkg/server/service/bufferpool.go"
    text = "SA6002: argument should be pointer-like to avoid allocations"
 [[issues.exclude-rules]]
    path = "cmd/configuration.go"
    text = "string `traefik` has (\\d) occurrences, make it a constant"
 [[issues.exclude-rules]]
    path = "h2c/h2c.go"
    text = "Error return value of `rw.Write` is not checked"
 [[issues.exclude-rules]]
    path = "server/service/bufferpool.go"
    text = "SA6002: argument should be pointer-like to avoid allocations"
 [[issues.exclude-rules]] # FIXME must be fixed
    path = "acme/.+.go"
    text = "(assignment copies lock value to domainsCerts|literal copies lock value from)"
 [[issues.exclude-rules]] # FIXME must be fixed
    path = "cmd/context.go"
    text = "S1000: should use a simple channel send/receive instead of `select` with a single case"
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -51,5 +51,8 @@ archive:
    - LICENSE.md
    - CHANGELOG.md
 checksum:
  name_template: "{{ .ProjectName }}_v{{ .Version }}_checksums.txt"
 release:
  disable: true
--- a/.travis.yml
+++ b/.travis.yml
@ -28,7 +28,7 @@ before_deploy:
      if [ "$TRAVIS_TAG" ]; then
        make release-packages;
      fi;
-      curl -sfL https://raw.githubusercontent.com/containous/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" v1.7.0
+      curl -sfL https://raw.githubusercontent.com/containous/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
      structor -o containous -r traefik --dockerfile-url="https://raw.githubusercontent.com/containous/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/containous/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/containous/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug;
    fi
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,41 @@
 # Change Log
 ## [v2.0.0-alpha4](https://github.com/containous/traefik/tree/v2.0.0-alpha4) (2019-04-17)
 [All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha3...v2.0.0-alpha4)
 **Enhancements:**
 - **[logs]** log.loglevel becomes log.level in configuration ([#4775](https://github.com/containous/traefik/pull/4775) by [juliens](https://github.com/juliens))
 - **[marathon,tcp]** Handle TCP in the marathon provider ([#4728](https://github.com/containous/traefik/pull/4728) by [juliens](https://github.com/juliens))
 - **[middleware]** Enable CORS configuration ([#3809](https://github.com/containous/traefik/pull/3809) by [dtomcej](https://github.com/dtomcej))
 - **[rancher]** Add Rancher provider ([#4647](https://github.com/containous/traefik/pull/4647) by [SantoDE](https://github.com/SantoDE))
 - **[tracing]** Update tracing dependencies ([#4721](https://github.com/containous/traefik/pull/4721) by [ldez](https://github.com/ldez))
 **Bug fixes:**
 - **[docker]** Insensitive case for allow-empty value. ([#4745](https://github.com/containous/traefik/pull/4745) by [ldez](https://github.com/ldez))
 - **[middleware]** Fix response modifier initial building ([#4719](https://github.com/containous/traefik/pull/4719) by [mpl](https://github.com/mpl))
 - **[middleware]** Set X-Forwarded-* headers ([#4707](https://github.com/containous/traefik/pull/4707) by [mpl](https://github.com/mpl))
 - **[tcp]** Fix EOF error ([#4733](https://github.com/containous/traefik/pull/4733) by [juliens](https://github.com/juliens))
 **Documentation:**
 - **[acme]** Use the same case every where for entryPoints. ([#4764](https://github.com/containous/traefik/pull/4764) by [ldez](https://github.com/ldez))
 - **[docker]** Fix two minor nits in Traefik 2.0 docs ([#4692](https://github.com/containous/traefik/pull/4692) by [cfra](https://github.com/cfra))
 - **[k8s,k8s/crd]** k8s static configuration explanation ([#4767](https://github.com/containous/traefik/pull/4767) by [ldez](https://github.com/ldez))
 - **[marathon]** Enhance Marathon documentation ([#4776](https://github.com/containous/traefik/pull/4776) by [ldez](https://github.com/ldez))
 - **[middleware,k8s,k8s/crd]** Fix typo: middleware -&gt; middlewares. ([#4781](https://github.com/containous/traefik/pull/4781) by [ldez](https://github.com/ldez))
 - **[middleware]** Adds middlewares examples for k8s. ([#4713](https://github.com/containous/traefik/pull/4713) by [ldez](https://github.com/ldez))
 - **[middleware]** Remove invalid commas. ([#4706](https://github.com/containous/traefik/pull/4706) by [ldez](https://github.com/ldez))
 - **[middleware]** Fix doc about removing headers ([#4708](https://github.com/containous/traefik/pull/4708) by [mpl](https://github.com/mpl))
 - **[middleware]** Update the middleware documentation ([#4729](https://github.com/containous/traefik/pull/4729) by [jbdoumenjou](https://github.com/jbdoumenjou))
 - **[tracing]** Fix typo in tracing docs ([#4737](https://github.com/containous/traefik/pull/4737) by [timoschwarzer](https://github.com/timoschwarzer))
 - Improve the Documentation with a Reference Section ([#4714](https://github.com/containous/traefik/pull/4714) by [jbdoumenjou](https://github.com/jbdoumenjou))
 - Adds a note in traefik.sample.toml ([#4757](https://github.com/containous/traefik/pull/4757) by [ldez](https://github.com/ldez))
 - Update to v2.0 readme links ([#4700](https://github.com/containous/traefik/pull/4700) by [karnthis](https://github.com/karnthis))
 - Remove dumpcerts.sh ([#4783](https://github.com/containous/traefik/pull/4783) by [ldez](https://github.com/ldez))
 **Misc:**
 - Cherry pick v1.7 into v2.0 ([#4787](https://github.com/containous/traefik/pull/4787) by [ldez](https://github.com/ldez))
 - Cherry pick v1.7 into v2.0 ([#4695](https://github.com/containous/traefik/pull/4695) by [jbdoumenjou](https://github.com/jbdoumenjou))
 ## [v2.0.0-alpha3](https://github.com/containous/traefik/tree/v2.0.0-alpha3) (2019-03-29)
 [All Commits](https://github.com/containous/traefik/compare/v2.0.0-alpha2...v2.0.0-alpha3)
@ -129,6 +165,23 @@
 - Merge v1.7.0-rc4 into master ([#3867](https://github.com/containous/traefik/pull/3867) by [ldez](https://github.com/ldez))
 - Merge v1.7.0-rc2 into master ([#3634](https://github.com/containous/traefik/pull/3634) by [ldez](https://github.com/ldez))
 ## [v1.7.10](https://github.com/containous/traefik/tree/v1.7.10) (2019-03-28)
 [All Commits](https://github.com/containous/traefik/compare/v1.7.9...v1.7.10)
 **Bug fixes:**
 - **[acme]** fix: update lego. ([#4670](https://github.com/containous/traefik/pull/4670) by [ldez](https://github.com/ldez))
 - **[acme]** Migrate to go-acme/lego. ([#4577](https://github.com/containous/traefik/pull/4577) by [ldez](https://github.com/ldez))
 - **[authentication,middleware]** Reorder Auth and TLSClientHeaders middleware ([#4557](https://github.com/containous/traefik/pull/4557) by [tomberek](https://github.com/tomberek))
 - **[k8s/ingress]** Support external name service on global default backend ([#4564](https://github.com/containous/traefik/pull/4564) by [kippandrew](https://github.com/kippandrew))
 - **[k8s/ingress]** Loop through service ports for global backend ([#4486](https://github.com/containous/traefik/pull/4486) by [dtomcej](https://github.com/dtomcej))
 - **[k8s]** Add entrypoints prefix in kubernetes frontend/backend id  ([#4679](https://github.com/containous/traefik/pull/4679) by [juliens](https://github.com/juliens))
 - **[websocket]** Exclude websocket connections from Average Response Time ([#4313](https://github.com/containous/traefik/pull/4313) by [siyu6974](https://github.com/siyu6974))
 - **[middleware]** Added support for configuring trace headers for DataDog tracing ([#4516](https://github.com/containous/traefik/pull/4516) by [aantono](https://github.com/aantono))
 **Documentation:**
 - **[acme]** Add _FILE Environment Variable Documentation ([#4643](https://github.com/containous/traefik/pull/4643) by [dargmuesli](https://github.com/dargmuesli))
 - **[docker]** Add TraefikEE as security workaround ([#4606](https://github.com/containous/traefik/pull/4606) by [emilevauge](https://github.com/emilevauge))
 ## [v1.7.9](https://github.com/containous/traefik/tree/v1.7.9) (2019-02-11)
 [All Commits](https://github.com/containous/traefik/compare/v1.7.8...v1.7.9)
@ -154,7 +207,7 @@
 - **[acme]** Updates lego. ([#4376](https://github.com/containous/traefik/pull/4376) by [ldez](https://github.com/ldez))
 - **[docker]** Fixes docker swarm mode refresh second for KV. ([#4420](https://github.com/containous/traefik/pull/4420) by [ldez](https://github.com/ldez))
 - **[ecs]** Generic awsvpc support, not just Fargate ([#4360](https://github.com/containous/traefik/pull/4360) by [maartenvanderhoef](https://github.com/maartenvanderhoef))
- **[ecs]** Cache exising task definitions to avoid rate limiting ([#4177](https://github.com/containous/traefik/pull/4177) by [hwhelan-CB](https://github.com/hwhelan-CB))
+- **[ecs]** Cache existing task definitions to avoid rate limiting ([#4177](https://github.com/containous/traefik/pull/4177) by [hwhelan-CB](https://github.com/hwhelan-CB))
 - **[tls]** Check for dynamic tls updates on configuration preload ([#4022](https://github.com/containous/traefik/pull/4022) by [ffilippopoulos](https://github.com/ffilippopoulos))
 - **[tracing]** Support Datadog tracer priority sampling ([#4359](https://github.com/containous/traefik/pull/4359) by [jcassee](https://github.com/jcassee))
 - Update to Go 1.11.5 [CVE-2019-6486](https://nvd.nist.gov/vuln/detail/CVE-2019-6486)
@ -279,7 +332,7 @@
 **Bug fixes:**
 - **[acme]** DNS challenge Cloudflare auth zone ([#4042](https://github.com/containous/traefik/pull/4042) by [ldez](https://github.com/ldez))
 - **[acme]** ACME DNS challenges ([#3998](https://github.com/containous/traefik/pull/3998) by [ldez](https://github.com/ldez))
- **[acme]** Don&#39;t initalize ACME provider if storage is empty ([#3988](https://github.com/containous/traefik/pull/3988) by [nmengin](https://github.com/nmengin))
+- **[acme]** Don&#39;t initialize ACME provider if storage is empty ([#3988](https://github.com/containous/traefik/pull/3988) by [nmengin](https://github.com/nmengin))
 - **[acme]** Fix: acme DNS providers ([#4021](https://github.com/containous/traefik/pull/4021) by [ldez](https://github.com/ldez))
 - **[acme]** Prevent some malformed errors in LE. ([#4015](https://github.com/containous/traefik/pull/4015) by [ldez](https://github.com/ldez))
 - **[authentication,consulcatalog,docker,ecs,etcd,kv,marathon,mesos,rancher]** Add the AuthResponseHeaders to the labels ([#3973](https://github.com/containous/traefik/pull/3973) by [Crypto89](https://github.com/Crypto89))
@ -354,7 +407,7 @@
 - **[healthcheck]** Support all 2xx HTTP status code for health check. ([#3362](https://github.com/containous/traefik/pull/3362) by [ldez](https://github.com/ldez))
 - **[healthcheck]** Add HTTP headers to healthcheck. ([#3047](https://github.com/containous/traefik/pull/3047) by [zetaab](https://github.com/zetaab))
 - **[k8s]** Add more k8s tests ([#3491](https://github.com/containous/traefik/pull/3491) by [dtomcej](https://github.com/dtomcej))
- **[k8s]** Substitude hardcoded &#34;&lt;namespace&gt;/&lt;name&gt;&#34; with k8s ListerGetter ([#3470](https://github.com/containous/traefik/pull/3470) by [yue9944882](https://github.com/yue9944882))
+- **[k8s]** Substitute hardcoded &#34;&lt;namespace&gt;/&lt;name&gt;&#34; with k8s ListerGetter ([#3470](https://github.com/containous/traefik/pull/3470) by [yue9944882](https://github.com/yue9944882))
 - **[k8s]** Custom frontend name for test helper ([#3444](https://github.com/containous/traefik/pull/3444) by [ldez](https://github.com/ldez))
 - **[k8s]** Add annotation to allow modifiers to be used properly in kubernetes ([#3481](https://github.com/containous/traefik/pull/3481) by [dtomcej](https://github.com/dtomcej))
 - **[k8s]** Create Global Backend Ingress ([#3404](https://github.com/containous/traefik/pull/3404) by [dtomcej](https://github.com/dtomcej))
@ -651,7 +704,7 @@
 - **[healthcheck]** Support all 2xx HTTP status code for health check. ([#3362](https://github.com/containous/traefik/pull/3362) by [ldez](https://github.com/ldez))
 - **[healthcheck]** Add HTTP headers to healthcheck. ([#3047](https://github.com/containous/traefik/pull/3047) by [zetaab](https://github.com/zetaab))
 - **[k8s]** Add more k8s tests ([#3491](https://github.com/containous/traefik/pull/3491) by [dtomcej](https://github.com/dtomcej))
- **[k8s]** Substitude hardcoded &#34;&lt;namespace&gt;/&lt;name&gt;&#34; with k8s ListerGetter ([#3470](https://github.com/containous/traefik/pull/3470) by [yue9944882](https://github.com/yue9944882))
+- **[k8s]** Substitute hardcoded &#34;&lt;namespace&gt;/&lt;name&gt;&#34; with k8s ListerGetter ([#3470](https://github.com/containous/traefik/pull/3470) by [yue9944882](https://github.com/yue9944882))
 - **[k8s]** Custom frontend name for test helper ([#3444](https://github.com/containous/traefik/pull/3444) by [ldez](https://github.com/ldez))
 - **[k8s]** Add annotation to allow modifiers to be used properly in kubernetes ([#3481](https://github.com/containous/traefik/pull/3481) by [dtomcej](https://github.com/dtomcej))
 - **[k8s]** Create Global Backend Ingress ([#3404](https://github.com/containous/traefik/pull/3404) by [dtomcej](https://github.com/dtomcej))
--- a/Gopkg.lock
+++ b/Gopkg.lock
@ -9,22 +9,6 @@
  revision = "056a55f54a6cc77b440b31a56a5e7c3982d32811"
  version = "v0.22.0"
 [[projects]]
  branch = "master"
  digest = "1:24afd6a7be85997c981693ddcc5f7b37fd3ed5cb119901e14737b9635b944cfb"
  name = "github.com/ArthurHlt/go-eureka-client"
  packages = ["eureka"]
  pruneopts = "NUT"
  revision = "9d0a49cbd39aa3634ae1977e9f519a262b10adaf"
 [[projects]]
  branch = "master"
  digest = "1:922aa650254d0678003e182aeb75f6b094a0bfc40a87d198859d511cdafcfa8a"
  name = "github.com/ArthurHlt/gominlog"
  packages = ["."]
  pruneopts = "NUT"
  revision = "72eebf980f467d3ab3a8b4ddf660f664911ce519"
 [[projects]]
  digest = "1:59f6c2fd10ad014d2907eaa48a19070d5e7af35624328a4fbbf93b7b1c4a19e8"
  name = "github.com/Azure/azure-sdk-for-go"
@ -70,17 +54,6 @@
  pruneopts = "NUT"
  revision = "a368813c5e648fee92e5f6c30e3944ff9d5e8895"
 [[projects]]
  branch = "master"
  digest = "1:28e560d27a06cbebacd86531439aafa31c6da990607ca5a085d0005af325697f"
  name = "github.com/BurntSushi/ty"
  packages = [
    ".",
    "fun",
  ]
  pruneopts = "NUT"
  revision = "6add9cd6ad42d389d6ead1dde60b4ad71e46fd74"
 [[projects]]
  digest = "1:ab7fee312bbdc8070d0325d841de8704cc78bf032b076200f1458659b74b8ed6"
  name = "github.com/JamesClonk/vultr"
@ -88,6 +61,14 @@
  pruneopts = "NUT"
  revision = "2fd0705ce648e602e6c9c57329a174270a4f6688"
 [[projects]]
  digest = "1:25870183293a3fb61cc9afd060a61d63a486f091db72af01a8ea3449f5ca530d"
  name = "github.com/Masterminds/goutils"
  packages = ["."]
  pruneopts = "NUT"
  revision = "41ac8693c5c10a92ea1ff5ac3a7f95646f6123b0"
  version = "v1.1.0"
 [[projects]]
  digest = "1:0ce2a409217f52078c6b8642993deb1025940cded6d5054047c1d5c7379f753c"
  name = "github.com/Masterminds/semver"
@ -97,11 +78,12 @@
  version = "v1.2.2"
 [[projects]]
-  digest = "1:a49472e7d73071005f436b7da85567220f24bb26fbfccbec45d2cd1359d4c67d"
+  digest = "1:876a1121171c083c4e3a4789683d02a40c0f644c8190da521d15b59799f556d6"
  name = "github.com/Masterminds/sprig"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "e039e20e500c2c025d9145be375e27cf42a94174"
+  revision = "9f8fceff796fb9f4e992cd2bece016be0121ab74"
  version = "2.19.0"
 [[projects]]
  digest = "1:915c86626dfd65f8105c48b2972d29f34fd77ff16b31157147cb8ebbddeebbe3"
@ -161,15 +143,11 @@
 [[projects]]
  branch = "master"
-  digest = "1:d4ad87edcd6f6b6cfd1bfe8da6dd090e00901601c9270aa2928842402a361475"
+  digest = "1:28be1959f81e9a6dec3058768a4c4535cf73fcd6e171d21688ad0a7fdf49d43a"
  name = "github.com/abronan/valkeyrie"
  packages = [
    ".",
    "store",
    "store/boltdb",
    "store/consul",
    "store/etcd/v3",
    "store/zookeeper",
  ]
  pruneopts = "NUT"
  revision = "063d875e3c5fd734fa2aa12fac83829f62acfc70"
@ -207,20 +185,12 @@
  version = "1.27.7"
 [[projects]]
-  digest = "1:975108e8d4f5dab096fc991326e96a5716ee8d02e5e7386bb4796171afc4ab9a"
+  digest = "1:b39cf81d5f440b9c0757a25058432d33af867e5201109bf53621356d9dab4b73"
  name = "github.com/aokoli/goutils"
  packages = ["."]
  pruneopts = "NUT"
  revision = "3391d3790d23d03408670993e957e8f408993c34"
  version = "v1.0.1"
 [[projects]]
  digest = "1:9752dad5e89cd779096bf2477a4ded16bea7ac62de453c8d6b4bf841d51a8512"
  name = "github.com/apache/thrift"
  packages = ["lib/go/thrift"]
  pruneopts = "NUT"
-  revision = "b2a4d4ae21c789b689dd162deb819665567f481c"
+  revision = "384647d290e2e4a55a14b1b7ef1b7e66293a2c33"
-  version = "0.10.0"
+  version = "v0.12.0"
 [[projects]]
  branch = "master"
@ -231,7 +201,7 @@
  revision = "48572f11356f1843b694f21a290d4f1006bc5e47"
 [[projects]]
-  digest = "1:bfb036834a43e76abd318f0db39b0bbec6f7865680c1e443475c0297250a89ed"
+  digest = "1:9991a3fc14d9de52a55cdb5a5f1f237140684eab050251ecfaaafa239a8ab5c9"
  name = "github.com/aws/aws-sdk-go"
  packages = [
    "aws",
@ -254,7 +224,6 @@
    "internal/sdkrand",
    "internal/shareddefaults",
    "private/protocol",
    "private/protocol/ec2query",
    "private/protocol/json/jsonutil",
    "private/protocol/jsonrpc",
    "private/protocol/query",
@ -262,11 +231,6 @@
    "private/protocol/rest",
    "private/protocol/restxml",
    "private/protocol/xml/xmlutil",
    "service/dynamodb",
    "service/dynamodb/dynamodbattribute",
    "service/dynamodb/dynamodbiface",
    "service/ec2",
    "service/ecs",
    "service/lightsail",
    "service/route53",
    "service/sts",
@ -350,29 +314,6 @@
  revision = "7a9987c3a6d46be84e141a5c3191347ec10af17d"
  version = "v3.1.2"
 [[projects]]
  digest = "1:4e9c9d51ef5c98f2a71d6fa56a22f0bb8a4463656f9591ba24ebff2c21bcbd1f"
  name = "github.com/coreos/bbolt"
  packages = ["."]
  pruneopts = "NUT"
  revision = "32c383e75ce054674c53b5a07e55de85332aee14"
 [[projects]]
  digest = "1:f07fcc19d52f5d9f559573c6b625142bc4b018fd275029c020d06d2bad6f6c8c"
  name = "github.com/coreos/etcd"
  packages = [
    "auth/authpb",
    "clientv3",
    "clientv3/concurrency",
    "etcdserver/api/v3rpc/rpctypes",
    "etcdserver/etcdserverpb",
    "mvcc/mvccpb",
    "pkg/types",
  ]
  pruneopts = "NUT"
  revision = "70c8726202dd91e482fb4029fd14af1d4ed1d5af"
  version = "v3.3.5"
 [[projects]]
  digest = "1:fa91847d50d3f656fc2d2d608b9749b97d77528e8988ad8001f957640545e91e"
  name = "github.com/coreos/go-systemd"
@ -543,15 +484,6 @@
  pruneopts = "NUT"
  revision = "9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1"
 [[projects]]
  branch = "master"
  digest = "1:2de676f0b5c5d051ae4343503760069de753c995a3cb3b01544a4924c65a93aa"
  name = "github.com/docker/leadership"
  packages = ["."]
  pruneopts = "NUT"
  revision = "a2e096d9fe0af5b4c37dd37aea719bc9c2e5eec6"
  source = "github.com/containous/leadership"
 [[projects]]
  branch = "master"
  digest = "1:9b26bdc6b9952f728f61f510a48875c38974591c69b0afa77dcfe466c6162e9e"
@ -635,13 +567,6 @@
  revision = "0a91ac8209d6a805f259ff881d0c2654221d0346"
  version = "v0.14.3"
 [[projects]]
  digest = "1:b0d5e98ac0f0a509eb320f542e748582d637aae09e74538212e9712d1e71064b"
  name = "github.com/fatih/color"
  packages = ["."]
  pruneopts = "NUT"
  revision = "62e9147c64a1ed519147b62a56a14e83e2be02c1"
 [[projects]]
  digest = "1:aa3ed0a71c4e66e4ae6486bf97a3f4cab28edc78df2e50c5ad01dc7d91604b88"
  name = "github.com/fatih/structs"
@ -673,8 +598,7 @@
  revision = "73d445a93680fa1a78ae23a5839bad48f32ba1ee"
 [[projects]]
-  branch = "master"
+  digest = "1:a04af13190b67ff69cf8fcd79ee133a24c4a7a900cacbc296261dd43f3fbde5c"
  digest = "1:7dcfb91047873eb70b3a20ed5c400c4d05d9c1e73c9dac0e71ec0d44589d208a"
  name = "github.com/go-acme/lego"
  packages = [
    "acme",
@ -712,6 +636,7 @@
    "providers/dns/dnsmadeeasy",
    "providers/dns/dnsmadeeasy/internal",
    "providers/dns/dnspod",
    "providers/dns/dode",
    "providers/dns/dreamhost",
    "providers/dns/duckdns",
    "providers/dns/dyn",
@ -758,7 +683,8 @@
    "registration",
  ]
  pruneopts = "NUT"
-  revision = "0c87df143e630a1c50b4c36c8fbdda6cd993ebba"
+  revision = "aaecc1ca7254190b71c5f01f57ee3bb6701bc937"
  version = "v2.4.0"
 [[projects]]
  branch = "fork-containous"
@ -821,12 +747,10 @@
  version = "v1.5.4"
 [[projects]]
-  digest = "1:b518b9be1fc76244e246afe09113e3dd6246073b444787d30883877b82a0b90d"
+  digest = "1:6689652ec1f6e30455551da19c707f2bfac75e4df5c7bbe3f0ad7b49b9aa2cfc"
  name = "github.com/gogo/protobuf"
  packages = [
    "gogoproto",
    "proto",
    "protoc-gen-gogo/descriptor",
    "sortkeys",
  ]
  pruneopts = "NUT"
@ -971,29 +895,6 @@
  pruneopts = "NUT"
  revision = "2bcd89a1743fd4b373f7370ce8ddc14dfbd18229"
 [[projects]]
  digest = "1:c3f14b698c0f5c5729896489f4b526f519d1d2522e697d63f532901d0e183dff"
  name = "github.com/hashicorp/consul"
  packages = ["api"]
  pruneopts = "NUT"
  revision = "9a494b5fb9c86180a5702e29c485df1507a47198"
  version = "v1.0.6"
 [[projects]]
  digest = "1:7b699584752575e81e3f4e8b00cfb3e5d6fa5419d5d212ef925e02c798847464"
  name = "github.com/hashicorp/go-cleanhttp"
  packages = ["."]
  pruneopts = "NUT"
  revision = "3573b8b52aa7b37b9358d966a898feb387f62437"
 [[projects]]
  branch = "master"
  digest = "1:cdb5ce76cd7af19e3d2d5ba9b6458a2ee804f0d376711215dd3df5f51100d423"
  name = "github.com/hashicorp/go-rootcerts"
  packages = ["."]
  pruneopts = "NUT"
  revision = "6bb64b370b90e7ef1fa532be9e591a81c3493e00"
 [[projects]]
  digest = "1:f7b3db9cb74d13f6a7cf84b3801e68585745eacaf7d40cc10ecc4734c30503d3"
  name = "github.com/hashicorp/go-version"
@ -1013,18 +914,12 @@
  revision = "0fb14efe8c47ae851c0034ed7a448854d3d34cf3"
 [[projects]]
-  digest = "1:c6552ffc71f7586a9ea624c6b2bdab87a47d9bd52889e3baf5fbf200425a85e2"
+  digest = "1:dc54242755f5b6721dd880843de6e45fe234838ea9149ec8249951880fd5802f"
  name = "github.com/hashicorp/serf"
  packages = ["coordinate"]
  pruneopts = "NUT"
  revision = "19f2c401e122352c047a84d6584dd51e2fb8fcc4"
 [[projects]]
  digest = "1:45e66b20393507035c6a7d15bef5ffe8faf5b083621c1284d9824cc052776de5"
  name = "github.com/huandu/xstrings"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "3959339b333561bf62a38b424fd41517c2c90f40"
+  revision = "f02667b379e2fb5916c3cda2cf31e0eb885d79f8"
  version = "v1.2.0"
 [[projects]]
  branch = "master"
@ -1192,20 +1087,6 @@
  pruneopts = "NUT"
  revision = "c1c17f74874f2a5ea48bfb06b5459d4ef2689749"
 [[projects]]
  digest = "1:4953945f4fdc12cb7aa0263710534fb64b35a85e4047570fdf1cb03284055f0d"
  name = "github.com/mattn/go-colorable"
  packages = ["."]
  pruneopts = "NUT"
  revision = "5411d3eea5978e6cdc258b30de592b60df6aba96"
 [[projects]]
  digest = "1:89e4861dccb76fd84b7de2d88791cc8d23e125805397db27195b4dd83c459713"
  name = "github.com/mattn/go-isatty"
  packages = ["."]
  pruneopts = "NUT"
  revision = "57fdcb988a5c543893cc61bce354a6e24ab70022"
 [[projects]]
  branch = "master"
  digest = "1:5985ef4caf91ece5d54817c11ea25f182697534f8ae6521eadcd628c142ac4b6"
@ -1214,37 +1095,6 @@
  pruneopts = "NUT"
  revision = "c12348ce28de40eed0136aa2b644d0ee0650e56c"
 [[projects]]
  digest = "1:337c4007f8ecd8092927c3f9d3c7e391a9e7222aa579dd07a6008379d92d61f6"
  name = "github.com/mesos/mesos-go"
  packages = [
    "detector",
    "detector/zoo",
    "mesosproto",
    "mesosutil",
    "upid",
  ]
  pruneopts = "NUT"
  revision = "068d5470506e3780189fe607af40892814197c5e"
 [[projects]]
  branch = "master"
  digest = "1:940a93ac88a908ef0908939181ab048c4172ba7babd32d896ac8b1ef5c1f9036"
  name = "github.com/mesosphere/mesos-dns"
  packages = [
    "detect",
    "errorutil",
    "logging",
    "models",
    "records",
    "records/labels",
    "records/state",
    "util",
  ]
  pruneopts = "NUT"
  revision = "b47dc4c19f215e98da687b15b4c64e70f629bea5"
  source = "https://github.com/containous/mesos-dns.git"
 [[projects]]
  digest = "1:b83995756f9b1a24c518d40052d80f524f0a9024ee0479d8a8e91ec2548074d1"
  name = "github.com/miekg/dns"
@ -1395,7 +1245,7 @@
  version = "v1.0.0"
 [[projects]]
-  digest = "1:7da29c22bcc5c2ffb308324377dc00b5084650348c2799e573ed226d8cc9faf0"
+  digest = "1:6846140b3f116579680eefdc17145f2bcf064b68deb9febf86b4419a454049af"
  name = "github.com/opentracing/opentracing-go"
  packages = [
    ".",
@ -1403,12 +1253,12 @@
    "log",
  ]
  pruneopts = "NUT"
-  revision = "1949ddbfd147afd4d964a9f00b24eb291e0e7c38"
+  revision = "659c90643e714681897ec2521c60567dd21da733"
-  version = "v1.0.2"
+  version = "v1.1.0"
 [[projects]]
-  digest = "1:07c44a0ce6012eafd2f05b715d30852d576aeda7798b8760a2ff51b1e90eb753"
+  digest = "1:0f4793617dc898d3ee99fe1abab076d3976a9d17d14f8327af2dc3f1ec0fd92c"
-  name = "github.com/openzipkin/zipkin-go-opentracing"
+  name = "github.com/openzipkin-contrib/zipkin-go-opentracing"
  packages = [
    ".",
    "flag",
@ -1418,7 +1268,8 @@
    "wire",
  ]
  pruneopts = "NUT"
-  revision = "1f5c07e90700ae93ddcba0c7af7d9c7201646ccc"
+  revision = "f0f479ad013a498e4cbfb369414e5d3880903779"
  version = "v0.3.5"
 [[projects]]
  digest = "1:b52f6b7059f06a11ab6ab039714dda0d93878d9227f84c84ca9b6f046bfb5fef"
@ -1540,20 +1391,13 @@
  pruneopts = "NUT"
  revision = "a1dba9ce8baed984a2495b658c82687f8157b98f"
 [[projects]]
  digest = "1:f140e414b284a500b812b26bda8b9a5110aa110f0473ec97e79f3245000c730a"
  name = "github.com/rancher/go-rancher"
  packages = ["v2"]
  pruneopts = "NUT"
  revision = "52e2f489534007ae843065468c5a1920d542afa4"
 [[projects]]
  branch = "containous-fork"
-  digest = "1:4e63da6276e18c5e12eadef1ec3cabd437698bef5e60ffdce7a75b492cd1c14e"
+  digest = "1:f103263e55945772fcb058736a03dfc2796c6a14b99b1684b8e88327c0fa0f75"
  name = "github.com/rancher/go-rancher-metadata"
  packages = ["metadata"]
  pruneopts = "NUT"
-  revision = "e937e8308985dfd3bc157cc8a284454f0cbf4fef"
+  revision = "c6a65f8b7a28edc424e85732df4cd1c215843a99"
  source = "github.com/containous/go-rancher-metadata"
 [[projects]]
@ -1584,13 +1428,6 @@
  pruneopts = "NUT"
  revision = "306ea89b6ef19334614f7b0fc5aa19595022bb8c"
 [[projects]]
  digest = "1:142520cf3c9bb85449dd0000f820b8c604531587ee654793c54909be7dabadac"
  name = "github.com/samuel/go-zookeeper"
  packages = ["zk"]
  pruneopts = "NUT"
  revision = "1d7be4effb13d2d908342d349d71a284a7542693"
 [[projects]]
  digest = "1:6bc0652ea6e39e22ccd522458b8bdd8665bf23bdc5a20eec90056e4dc7e273ca"
  name = "github.com/satori/go.uuid"
@ -1600,12 +1437,12 @@
  version = "v1.2.0"
 [[projects]]
-  digest = "1:01252cd79aac70f16cac02a72a1067dd136e0ad6d5b597d0129cf74c739fd8d1"
+  digest = "1:bb9033d47c116ea3b981ff159bdef73df8351b0b9700da2066339b97211b1bf0"
  name = "github.com/sirupsen/logrus"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "a67f783a3814b8729bd2dac5780b5f78f8dbd64d"
+  revision = "dae0fa8d5b0c810a8ab733fbd5510c7cae84eca4"
-  version = "v1.1.0"
+  version = "v1.4.0"
 [[projects]]
  digest = "1:9d8420bbf131d1618bde6530af37c3799340d3762cc47210c1d9532a4c3a2779"
@ -1644,11 +1481,11 @@
  revision = "c4434f09ec131ecf30f986d5dcb1636508bfa49a"
 [[projects]]
-  digest = "1:c269070c7f286c941392076d6c42a4a7a062356f7083a48bd202397e877a965e"
+  digest = "1:84b9a5318d8ce3b8a9b1509bf15734f4f9dcd4decf9d9e9c7346a16c7b64d49e"
  name = "github.com/thoas/stats"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "152b5d051953fdb6e45f14b6826962aadc032324"
+  revision = "4975baf6a358ed3ddaa42133996e1959f96c9300"
 [[projects]]
  branch = "master"
@ -1682,14 +1519,7 @@
  revision = "1dc93a7db3567a5ccf865106afac88278ba940cf"
 [[projects]]
-  digest = "1:9b2996458a2f7d1f3e0ebf08152acfe8c1106f3fe855d08121c5ee7d801a063f"
+  digest = "1:dc5b63bdf6fd3b22c970e06ad4fb686f6d08104f50f414644d5ac5e267a7934a"
  name = "github.com/tv42/zbase32"
  packages = ["."]
  pruneopts = "NUT"
  revision = "03389da7e0bf9844767f82690f4d68fc097a1306"
 [[projects]]
  digest = "1:7d3a890e525da3b7014d26dd1d4a0e4d31a479995007cd11989ad31db132e66c"
  name = "github.com/uber/jaeger-client-go"
  packages = [
    ".",
@ -1712,16 +1542,18 @@
    "zipkin",
  ]
  pruneopts = "NUT"
-  revision = "1a782e2da844727691fef1757c72eb190c2909f0"
+  revision = "2f47546e3facd43297739439600bcf43f44cce5d"
-  version = "v2.15.0"
+  source = "github.com/jaegertracing/jaeger-client-go"
  version = "v2.16.0"
 [[projects]]
-  digest = "1:0f09db8429e19d57c8346ad76fbbc679341fa86073d3b8fb5ac919f0357d8f4c"
+  digest = "1:c9d69a04f7fa171f50360bbcc32196b4de8ab8837ef772f6302d0140a1e3e7f6"
  name = "github.com/uber/jaeger-lib"
  packages = ["metrics"]
  pruneopts = "NUT"
-  revision = "ed3a127ec5fef7ae9ea95b01b542c47fbd999ce5"
+  revision = "0e30338a695636fe5bcf7301e8030ce8dd2a8530"
-  version = "v1.5.0"
+  source = "github.com/jaegertracing/jaeger-lib"
  version = "v2.0.0"
 [[projects]]
  digest = "1:fb6d90081ae53fdb35d0fffa7d82a555df936bbc6db9a93126795655b2317604"
@ -1738,13 +1570,6 @@
  pruneopts = "NUT"
  revision = "a1cf62cc2159fff407728f118c41aece76c397fa"
 [[projects]]
  digest = "1:e84e99d5f369afaa9a5c41f55b57fa03047ecd3bac2a65861607882693ceea81"
  name = "github.com/urfave/negroni"
  packages = ["."]
  pruneopts = "NUT"
  revision = "490e6a555d47ca891a89a150d0c1ef3922dfffe9"
 [[projects]]
  digest = "1:a68c3f55d44d225da4f22ffbed2d8572d267cb19aaa1d60537769034ac66bc01"
  name = "github.com/vdemeester/shakers"
@ -1956,7 +1781,7 @@
  revision = "09f6ed296fc66555a25fe4ce95173148778dfa85"
 [[projects]]
-  digest = "1:a893d24a604ae6f45f2d6e00ae9e817476e110e2dd5455152b35bb720ca2f626"
+  digest = "1:a840929a3a2d91282dc853cbd5f586069c14ae373247fb7d4cb4fa02b285326e"
  name = "google.golang.org/grpc"
  packages = [
    ".",
@ -1971,7 +1796,6 @@
    "encoding/proto",
    "grpclb/grpc_lb_v1/messages",
    "grpclog",
    "health/grpc_health_v1",
    "internal",
    "keepalive",
    "metadata",
@ -2348,29 +2172,12 @@
  analyzer-name = "dep"
  analyzer-version = 1
  input-imports = [
    "github.com/ArthurHlt/go-eureka-client/eureka",
    "github.com/BurntSushi/toml",
    "github.com/BurntSushi/ty/fun",
    "github.com/Masterminds/sprig",
    "github.com/NYTimes/gziphandler",
    "github.com/abbot/go-http-auth",
    "github.com/abronan/valkeyrie",
    "github.com/abronan/valkeyrie/store",
    "github.com/abronan/valkeyrie/store/boltdb",
    "github.com/abronan/valkeyrie/store/consul",
    "github.com/abronan/valkeyrie/store/etcd/v3",
    "github.com/abronan/valkeyrie/store/zookeeper",
    "github.com/armon/go-proxyproto",
    "github.com/aws/aws-sdk-go/aws",
    "github.com/aws/aws-sdk-go/aws/credentials",
    "github.com/aws/aws-sdk-go/aws/defaults",
    "github.com/aws/aws-sdk-go/aws/ec2metadata",
    "github.com/aws/aws-sdk-go/aws/session",
    "github.com/aws/aws-sdk-go/service/dynamodb",
    "github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute",
    "github.com/aws/aws-sdk-go/service/dynamodb/dynamodbiface",
    "github.com/aws/aws-sdk-go/service/ec2",
    "github.com/aws/aws-sdk-go/service/ecs",
    "github.com/cenkalti/backoff",
    "github.com/containous/alice",
    "github.com/containous/flaeg",
@ -2390,7 +2197,6 @@
    "github.com/docker/docker/pkg/namesgenerator",
    "github.com/docker/go-connections/nat",
    "github.com/docker/go-connections/sockets",
    "github.com/docker/leadership",
    "github.com/eapache/channels",
    "github.com/elazarl/go-bindata-assetfs",
    "github.com/gambol99/go-marathon",
@ -2414,40 +2220,27 @@
    "github.com/golang/protobuf/proto",
    "github.com/google/go-github/github",
    "github.com/gorilla/websocket",
    "github.com/hashicorp/consul/api",
    "github.com/hashicorp/go-version",
    "github.com/influxdata/influxdb/client/v2",
    "github.com/instana/go-sensor",
    "github.com/libkermit/compose/check",
    "github.com/libkermit/docker",
    "github.com/libkermit/docker-check",
    "github.com/mesos/mesos-go/detector",
    "github.com/mesos/mesos-go/detector/zoo",
    "github.com/mesos/mesos-go/upid",
    "github.com/mesosphere/mesos-dns/detect",
    "github.com/mesosphere/mesos-dns/logging",
    "github.com/mesosphere/mesos-dns/records",
    "github.com/mesosphere/mesos-dns/records/state",
    "github.com/mesosphere/mesos-dns/util",
    "github.com/miekg/dns",
    "github.com/mitchellh/copystructure",
    "github.com/mitchellh/hashstructure",
    "github.com/mitchellh/mapstructure",
    "github.com/mvdan/xurls",
    "github.com/ogier/pflag",
    "github.com/opentracing/opentracing-go",
    "github.com/opentracing/opentracing-go/ext",
    "github.com/opentracing/opentracing-go/log",
-    "github.com/openzipkin/zipkin-go-opentracing",
+    "github.com/openzipkin-contrib/zipkin-go-opentracing",
    "github.com/patrickmn/go-cache",
    "github.com/pkg/errors",
    "github.com/prometheus/client_golang/prometheus",
    "github.com/prometheus/client_golang/prometheus/promhttp",
    "github.com/prometheus/client_model/go",
    "github.com/rancher/go-rancher-metadata/metadata",
    "github.com/rancher/go-rancher/v2",
    "github.com/ryanuber/go-glob",
    "github.com/satori/go.uuid",
    "github.com/sirupsen/logrus",
    "github.com/stretchr/testify/assert",
    "github.com/stretchr/testify/mock",
@ -2460,7 +2253,6 @@
    "github.com/uber/jaeger-lib/metrics",
    "github.com/unrolled/render",
    "github.com/unrolled/secure",
    "github.com/urfave/negroni",
    "github.com/vdemeester/shakers",
    "github.com/vulcand/oxy/buffer",
    "github.com/vulcand/oxy/cbreaker",
--- a/Gopkg.toml
+++ b/Gopkg.toml
@ -36,17 +36,17 @@ required = [
    non-go = false
    unused-packages = false
-[[constraint]]
+#[[constraint]]
-  branch = "master"
+#  branch = "master"
-  name = "github.com/ArthurHlt/go-eureka-client"
+#  name = "github.com/ArthurHlt/go-eureka-client"
 [[constraint]]
  branch = "master"
  name = "github.com/BurntSushi/toml"
-[[constraint]]
+#[[constraint]]
-  branch = "master"
+#  branch = "master"
-  name = "github.com/BurntSushi/ty"
+#  name = "github.com/BurntSushi/ty"
 [[constraint]]
  branch = "master"
@ -61,9 +61,9 @@ required = [
  branch = "master"
  name = "github.com/armon/go-proxyproto"
-[[constraint]]
+#[[constraint]]
-  name = "github.com/aws/aws-sdk-go"
+#  name = "github.com/aws/aws-sdk-go"
-  version = "1.13.11"
+#  version = "1.13.11"
 [[constraint]]
  name = "github.com/cenkalti/backoff"
@ -85,18 +85,19 @@ required = [
  name = "github.com/containous/staert"
  version = "3.1.2"
-#[[constraint]]
+[[constraint]]
-#  name = "github.com/containous/traefik-extra-service-fabric"
+  name = "github.com/thoas/stats"
-#  version = "1.3.0"
+  # related to https://github.com/thoas/stats/pull/32
  revision = "4975baf6a358ed3ddaa42133996e1959f96c9300"
 [[constraint]]
  name = "github.com/coreos/go-systemd"
  version = "14.0.0"
-[[constraint]]
+#[[constraint]]
-  branch = "master"
+#  branch = "master"
-  name = "github.com/docker/leadership"
+#  name = "github.com/docker/leadership"
-  source = "github.com/containous/leadership"
+#  source = "github.com/containous/leadership"
 [[constraint]]
  name = "github.com/eapache/channels"
@ -124,9 +125,9 @@ required = [
  branch = "master"
  name = "github.com/gorilla/websocket"
-[[constraint]]
+#[[constraint]]
-  name = "github.com/hashicorp/consul"
+#  name = "github.com/hashicorp/consul"
-  version = "1.0.6"
+#  version = "1.0.6"
 [[constraint]]
  name = "github.com/influxdata/influxdb"
@ -140,9 +141,9 @@ required = [
  branch = "master"
  name = "github.com/abronan/valkeyrie"
-[[constraint]]
+#[[constraint]]
-  name = "github.com/mesosphere/mesos-dns"
+#  name = "github.com/mesosphere/mesos-dns"
-  source = "https://github.com/containous/mesos-dns.git"
+#  source = "https://github.com/containous/mesos-dns.git"
 [[constraint]]
  name = "github.com/opentracing/opentracing-go"
@ -158,8 +159,8 @@ required = [
  name = "github.com/ryanuber/go-glob"
 [[constraint]]
-  name = "github.com/satori/go.uuid"
+  name = "github.com/Masterminds/sprig"
-  version = "1.1.0"
+  version = "2.19.0"
 [[constraint]]
  branch = "master"
@ -171,11 +172,13 @@ required = [
 [[constraint]]
  name = "github.com/uber/jaeger-client-go"
-  version = "2.15.0"
+  source = "github.com/jaegertracing/jaeger-client-go"
  version = "2.16.0"
 [[constraint]]
  name = "github.com/uber/jaeger-lib"
-  version = "1.3.0"
+  source = "github.com/jaegertracing/jaeger-lib"
  version = "2.0.0"
 [[constraint]]
  branch = "v1"
@ -190,9 +193,9 @@ required = [
  name = "github.com/vulcand/oxy"
 [[constraint]]
-  branch = "master"
+#  branch = "master"
  name = "github.com/go-acme/lego"
-#  version = "2.4.0"
+  version = "2.4.0"
 [[constraint]]
  name = "google.golang.org/grpc"
--- a/6
+++ b/6
@ -93,7 +93,11 @@ test-integration: $(PRE_TARGET)
 	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
 	TEST_HOST=1 ./script/make.sh test-integration
-## Validate code, vendor
+## Validate code and docs
 validate-files: $(PRE_TARGET)
 	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
 ## Validate code, docs, and vendor
 validate: $(PRE_TARGET)
 	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
--- a/README.md
+++ b/README.md
@ -98,6 +98,8 @@ You can access the simple HTML frontend of Traefik.
 You can find the complete documentation at [https://docs.traefik.io](https://docs.traefik.io).
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 :warning: If you're testing out v2, please ensure you are using the [v2 documentation](https://docs.traefik.io/v2.0/).
 ## Support
 To get community support, you can:
@ -128,6 +130,8 @@ git clone https://github.com/containous/traefik
 ## Introductory Videos
 :warning: Please be aware that these videos are for v1.X. The old configurations for Traefik v1.X are NOT compatible with Traefik v2. If you're testing out v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/v2.0/).
 Here is a talk given by [Emile Vauge](https://github.com/emilevauge) at GopherCon 2017.
 You will learn Traefik basics in less than 10 minutes.
--- a/build.Dockerfile
+++ b/build.Dockerfile
@ -1,8 +1,9 @@
 FROM golang:1.12-alpine
 RUN apk --update upgrade \
-&& apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar \
+    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
-&& rm -rf /var/cache/apk/*
+    && update-ca-certificates \
    && rm -rf /var/cache/apk/*
 # Download golangci-lint and misspell binary to bin folder in $GOPATH
 RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.15.0 \
--- a/cmd/configuration.go
+++ b/cmd/configuration.go
@ -11,6 +11,7 @@ import (
 	"github.com/containous/traefik/pkg/provider/file"
 	"github.com/containous/traefik/pkg/provider/kubernetes/ingress"
 	"github.com/containous/traefik/pkg/provider/marathon"
 	"github.com/containous/traefik/pkg/provider/rancher"
 	"github.com/containous/traefik/pkg/provider/rest"
 	"github.com/containous/traefik/pkg/tracing/datadog"
 	"github.com/containous/traefik/pkg/tracing/instana"
@ -172,12 +173,22 @@ func NewTraefikDefaultPointersConfiguration() *TraefikConfiguration {
 	// default Kubernetes
 	var defaultKubernetes ingress.Provider
 	// default Rancher
 	var defaultRancher rancher.Provider
 	defaultRancher.Watch = true
 	defaultRancher.ExposedByDefault = true
 	defaultRancher.EnableServiceHealthFilter = true
 	defaultRancher.RefreshSeconds = 15
 	defaultRancher.DefaultRule = rancher.DefaultTemplateRule
 	defaultRancher.Prefix = "latest"
 	defaultProviders := static.Providers{
 		File:       &defaultFile,
 		Docker:     &defaultDocker,
 		Rest:       &defaultRest,
 		Marathon:   &defaultMarathon,
 		Kubernetes: &defaultKubernetes,
 		Rancher:    &defaultRancher,
 	}
 	return &TraefikConfiguration{
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@ -94,7 +94,7 @@ func main() {
 	// traefik Command init
 	traefikCmd := &flaeg.Command{
 		Name: "traefik",
-		Description: `traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
+		Description: `Traefik is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
 Complete documentation is available at https://traefik.io`,
 		Config:                traefikConfiguration,
 		DefaultPointersConfig: traefikPointersConfiguration,
@ -317,7 +317,7 @@ func configureLogging(staticConfiguration *static.Configuration) {
 	// otherwise.
 	var levelStr string
 	if staticConfiguration.Log != nil {
-		levelStr = strings.ToLower(staticConfiguration.Log.LogLevel)
+		levelStr = strings.ToLower(staticConfiguration.Log.Level)
 	}
 	if levelStr == "" {
 		levelStr = "error"
--- a/contrib/scripts/dumpcerts.sh
+++ b/contrib/scripts/dumpcerts.sh
@ -1,171 +0,0 @@
 #!/usr/bin/env bash
 # Copyright (c) 2017 Brian 'redbeard' Harrington <redbeard@dead-city.org>
 #
 # dumpcerts.sh - A simple utility to explode a Traefik acme.json file into a
 #                directory of certificates and a private key
 #
 # Usage - dumpcerts.sh /etc/traefik/acme.json /etc/ssl/
 #
 # Dependencies -
 #   util-linux
 #   openssl
 #   jq
 # The MIT License (MIT)
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
 # in the Software without restriction, including without limitation the rights
 # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 # copies of the Software, and to permit persons to whom the Software is
 # furnished to do so, subject to the following conditions:
 #
 # The above copyright notice and this permission notice shall be included in
 # all copies or substantial portions of the Software.
 #
 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
 # Exit codes:
 # 1 - A component is missing or could not be read
 # 2 - There was a problem reading acme.json
 # 4 - The destination certificate directory does not exist
 # 8 - Missing private key
 set -o errexit
 set -o pipefail
 set -o nounset
 USAGE="$(basename "$0") <path to acme> <destination cert directory>"
 # Platform variations
 case "$(uname)" in
 	'Linux')
 		# On Linux, -d should always work. --decode does not work with Alpine's busybox-binary
 		CMD_DECODE_BASE64="base64 -d"
 		;;
 	*)
 		# Max OS-X supports --decode and -D, but --decode may be supported by other platforms as well.
 		CMD_DECODE_BASE64="base64 --decode"
 		;;
 esac
 # Allow us to exit on a missing jq binary
 exit_jq() {
 	echo "
 You must have the binary 'jq' to use this.
 jq is available at: https://stedolan.github.io/jq/download/
 ${USAGE}" >&2
 	exit 1
 }
 bad_acme() {
 	echo "
 There was a problem parsing your acme.json file.
 ${USAGE}" >&2
 	exit 2
 }
 if [ $# -ne 2 ]; then
 	echo "
 Insufficient number of parameters.
 ${USAGE}" >&2
 	exit 1
 fi
 readonly acmefile="${1}"
 readonly certdir="${2%/}"
 if [ ! -r "${acmefile}" ]; then
 	echo "
 There was a problem reading from '${acmefile}'
 We need to read this file to explode the JSON bundle... exiting.
 ${USAGE}" >&2
 	exit 2
 fi
 if [ ! -d "${certdir}" ]; then
 	echo "
 Path ${certdir} does not seem to be a directory
 We need a directory in which to explode the JSON bundle... exiting.
 ${USAGE}" >&2
 	exit 4
 fi
 jq=$(command -v jq) || exit_jq
 priv=$(${jq} -e -r '.Account.PrivateKey' "${acmefile}") || bad_acme
 if [ ! -n "${priv}" ]; then
 	echo "
 There didn't seem to be a private key in ${acmefile}.
 Please ensure that there is a key in this file and try again." >&2
 	exit 8
 fi
 # If they do not exist, create the needed subdirectories for our assets
 # and place each in a variable for later use, normalizing the path
 mkdir -p "${certdir}"/{certs,private}
 pdir="${certdir}/private/"
 cdir="${certdir}/certs/"
 # Save the existing umask, change the default mode to 600, then
 # after writing the private key switch it back to the default
 oldumask=$(umask)
 umask 177
 trap 'umask ${oldumask}' EXIT
 # traefik stores the private key in stripped base64 format but the certificates
 # bundled as a base64 object without stripping headers.  This normalizes the
 # headers and formatting.
 #
 # In testing this out it was a balance between the following mechanisms:
 # gawk:
 #  echo ${priv} | awk 'BEGIN {print "-----BEGIN RSA PRIVATE KEY-----"}
 #     {gsub(/.{64}/,"&\n")}1
 #     END {print "-----END RSA PRIVATE KEY-----"}' > "${pdir}/letsencrypt.key"
 #
 # openssl:
 # echo -e "-----BEGIN RSA PRIVATE KEY-----\n${priv}\n-----END RSA PRIVATE KEY-----" \
 #   | openssl rsa -inform pem -out "${pdir}/letsencrypt.key"
 #
 # and sed:
 # echo "-----BEGIN RSA PRIVATE KEY-----" > "${pdir}/letsencrypt.key"
 # echo ${priv} | sed -E 's/(.{64})/\1\n/g' >> "${pdir}/letsencrypt.key"
 # sed -i '$ d' "${pdir}/letsencrypt.key"
 # echo "-----END RSA PRIVATE KEY-----" >> "${pdir}/letsencrypt.key"
 # openssl rsa -noout -in "${pdir}/letsencrypt.key" -check  # To check if the key is valid
 # In the end, openssl was chosen because most users will need this script
 # *because* of openssl combined with the fact that it will refuse to write the
 # key if it does not parse out correctly. The other mechanisms were left as
 # comments so that the user can choose the mechanism most appropriate to them.
 echo -e "-----BEGIN RSA PRIVATE KEY-----\n${priv}\n-----END RSA PRIVATE KEY-----" \
   | openssl rsa -inform pem -out "${pdir}/letsencrypt.key"
 # Process the certificates for each of the domains in acme.json
 domains=$(jq -r '.Certificates[].Domain.Main' ${acmefile}) || bad_acme
 for domain in $domains; do
 	# Traefik stores a cert bundle for each domain.  Within this cert
 	# bundle there is both proper the certificate and the Let's Encrypt CA
 	echo "Extracting cert bundle for ${domain}"
 	cert=$(jq -e -r --arg domain "$domain" '.Certificates[] |
         	select (.Domain.Main == $domain )| .Certificate' ${acmefile}) || bad_acme
 	echo "${cert}" | ${CMD_DECODE_BASE64} > "${cdir}/${domain}.crt"
 	echo "Extracting private key for ${domain}"
 	key=$(jq -e -r --arg domain "$domain" '.Certificates[] |
 		select (.Domain.Main == $domain )| .Key' ${acmefile}) || bad_acme
 	echo "${key}" | ${CMD_DECODE_BASE64} > "${pdir}/${domain}.key"
 done
--- a/docs/.markdownlint.json
+++ b/docs/.markdownlint.json
@ -5,5 +5,6 @@
    "MD013": false,
    "MD026": false,
    "MD033": false,
-    "MD034": false
+    "MD034": false,
    "MD036": false
 }
--- a/docs/content/assets/img/providers/rancher.png
+++ b/docs/content/assets/img/providers/rancher.png
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@ -58,7 +58,7 @@ PRE_TARGET= make test-unit
 ### Method 2: Using `go`
-You need `go` v1.9+.
+You need `go` v1.12+.
 !!! tip "Source Directory"
--- a/docs/content/contributing/data-collection.md
+++ b/docs/content/contributing/data-collection.md
@ -50,8 +50,8 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
 ??? example "Original configuration"
    ```toml
-    [entrypoints]
+    [entryPoints]
-        [entrypoints.web]
+        [entryPoints.web]
           address = ":80"
    [api]
@ -80,8 +80,8 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
 ??? example "Resulting Obfuscated Configuration"
    ```toml
-    [entrypoints]
+    [entryPoints]
-        [entrypoints.web]
+        [entryPoints.web]
           address = ":80"
    [api]
--- a/docs/content/getting-started/concepts.md
+++ b/docs/content/getting-started/concepts.md
@ -5,7 +5,8 @@ Everything You Need to Know
 ## Edge Router
-Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request: it knows all the logic and every rule that determine which services handle which requests (based on the [path](../../routing/routers/#rule), the [host](../../routing/routers/#rule), [headers](../../routing/routers/#rule), [and so on](../../routing/routers/#rule) ...).
+Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request:
 it knows all the logic and every rule that determine which services handle which requests (based on the [path](../routing/routers/index.md#rule), the [host](../routing/routers/index.md#rule), [headers](../routing/routers/index.md#rule), [and so on](../routing/routers/index.md#rule) ...).
 ![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png)
@ -18,7 +19,7 @@ Deploying your services, you attach information that tell Traefik the characteri
 ![Decentralized Configuration](../assets/img/traefik-concepts-2.png)
 It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
-The opposite is true: when you remove a service from your infrastructure, the route will disapear accordingly.
+The opposite is true: when you remove a service from your infrastructure, the route will disappear accordingly.
 You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@ -21,7 +21,7 @@ This configuration can change and is seamlessly hot-reloaded, without any reques
 ## The Dynamic Configuration 
-Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): wether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).
+Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file. Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../providers/overview.md).
 !!! Note 
--- a/docs/content/glossary.md
+++ b/docs/content/glossary.md
@ -9,8 +9,8 @@ Where Every Technical Word finds its Definition`
 - [ ] Routers
 - [ ] Middleware
 - [ ] Service
- [ ] Static Configuration
+- [ ] [Static configuration](getting-started/configuration-overview.md#the-static-configuration)
- [ ] Dynamic Configuration
+- [ ] [Dynamic configuration](getting-started/configuration-overview.md#the-dynamic-configuration)
 - [ ] ACME
 - [ ] TraefikEE
 - [ ] Tracing
--- a/docs/content/https-tls/acme.md
+++ b/docs/content/https-tls/acme.md
@ -13,11 +13,11 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
 ??? example "Enabling ACME"
    ```toml
-    [entrypoints]
+    [entryPoints]
-      [entrypoints.web]
+      [entryPoints.web]
         address = ":80"
-      [entrypoints.http-tls]
+      [entryPoints.http-tls]
         address = ":443"
    [acme] # every router with TLS enabled will now be able to use ACME for its certificates
@ -31,11 +31,11 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
 ??? example "Configuring Wildcard Certificates"
    ```toml
-    [entrypoints]
+    [entryPoints]
-      [entrypoints.web]
+      [entryPoints.web]
        address = ":80"
-      [entrypoints.http-tls]
+      [entryPoints.http-tls]
        address = ":443"
    [acme]
@ -49,9 +49,13 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
        sans = ["mydomain.com"]
    ```
-!!! note "Configuration Reference"
+??? note "Configuration Reference"
-
+    
-    There are many available options for ACME. For a quick glance at what's possible, browse the [configuration reference](../reference/acme.md).
+    There are many available options for ACME. For a quick glance at what's possible, browse the configuration reference:
    ```toml
    --8<-- "content/https-tls/ref-acme.toml"
    ```
 ## The Different ACME Challenges
@ -110,7 +114,10 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 Here is a list of supported `providers`, that can automate the DNS verification,
 along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
-Do not hesitate to complete it. 
+Do not hesitate to complete it.
 Every lego environment variable can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
 For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
 | Provider Name                                               | Provider Code  | Environment Variables                                                                                                                       | Wildcard & Root Domain Support |
 |-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
@ -127,6 +134,7 @@ Do not hesitate to complete it.
 | [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | YES                            |
 | [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | Not tested yet                 |
 | [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | Not tested yet                 |
 | [Domain Offensive (do.de)](https://www.do.de/)              | `dode`         | `DODE_TOKEN`                                                                                                                                | YES                            |
 | [DreamHost](https://www.dreamhost.com/)                     | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | YES                            |
 | [Duck DNS](https://www.duckdns.org/)                        | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | YES                            |
 | [Dyn](https://dyn.com)                                      | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | Not tested yet                 |
@ -138,7 +146,7 @@ Do not hesitate to complete it.
 | [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | Not tested yet                 |
 | [GoDaddy](https://godaddy.com/domains)                      | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | Not tested yet                 |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | YES                            |
-| [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | Not tested yet                 |
+| [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | YES                            |
 | HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | YES                            |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | Not tested yet                 |
 | [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | YES                            |
@ -209,9 +217,6 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
 !!! note "Double Wildcard Certificates"
    It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
 Due to an ACME limitation it is not possible to define wildcards in SANs (alternative domains).
 Thus, the wildcard domain has to be defined as a main domain.
 Most likely the root domain should receive a certificate too, so it needs to be specified as SAN and 2 `DNS-01` challenges are executed.
 In this case the generated DNS TXT record for both domains is the same.
 Even though this behavior is [DNS RFC](https://community.letsencrypt.org/t/wildcard-issuance-two-txt-records-for-the-same-name/54528/2) compliant,
@ -322,7 +327,7 @@ storage = "traefik/acme/account"
    Because key-value stores have limited entry size, the certificates list is compressed _before_ it is saved.
    For example, it is possible to store up to _approximately_ 100 ACME certificates in Consul.
-## Fallbacks
+## Fallback
 If Let's Encrypt is not reachable, the following certificates will apply:
--- a/docs/content/https-tls/ref-acme.toml
+++ b/docs/content/https-tls/ref-acme.toml
@ -0,0 +1,150 @@
 # Enable ACME (Let's Encrypt): automatic SSL.
 [acme]
 # Email address used for registration.
 #
 # Required
 #
 email = "test@traefik.io"
 # File used for certificates storage.
 #
 # Optional (Deprecated)
 #
 #storageFile = "acme.json"
 # File or key used for certificates storage.
 #
 # Required
 #
 storage = "acme.json"
 # or `storage = "traefik/acme/account"` if using KV store.
 # Deprecated, replaced by [acme.dnsChallenge].
 #
 # Optional.
 #
 # dnsProvider = "digitalocean"
 # Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck].
 #
 # Optional
 # Default: 0
 #
 # delayDontCheckDNS = 0
 # If true, display debug log messages from the acme client library.
 #
 # Optional
 # Default: false
 #
 # acmeLogging = true
 # If true, override certificates in key-value store when using storeconfig.
 #
 # Optional
 # Default: false
 #
 # overrideCertificates = true
 # Deprecated. Enable on demand certificate generation.
 #
 # Optional
 # Default: false
 #
 # onDemand = true
 # Enable certificate generation on frontends host rules.
 #
 # Optional
 # Default: false
 #
 # onHostRule = true
 # CA server to use.
 # Uncomment the line to use Let's Encrypt's staging server,
 # leave commented to go to prod.
 #
 # Optional
 # Default: "https://acme-v02.api.letsencrypt.org/directory"
 #
 # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
 # KeyType to use.
 #
 # Optional
 # Default: "RSA4096"
 #
 # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
 #
 # KeyType = "RSA4096"
 # Use a TLS-ALPN-01 ACME challenge.
 #
 # Optional (but recommended)
 #
 [acme.tlsChallenge]
 # Use a HTTP-01 ACME challenge.
 #
 # Optional
 #
 # [acme.httpChallenge]
  # EntryPoint to use for the HTTP-01 challenges.
  #
  # Required
  #
  # entryPoint = "http"
 # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
 # Note: mandatory for wildcard certificate generation.
 #
 # Optional
 #
 # [acme.dnsChallenge]
  # DNS provider used.
  #
  # Required
  #
  # provider = "digitalocean"
  # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
  # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
  # Useful if internal networks block external DNS queries.
  #
  # Optional
  # Default: 0
  #
  # delayBeforeCheck = 0
  # Use following DNS servers to resolve the FQDN authority.
  #
  # Optional
  # Default: empty
  #
  # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
  # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
  #
  # NOT RECOMMENDED:
  # Increase the risk of reaching Let's Encrypt's rate limits.
  #
  # Optional
  # Default: false
  #
  # disablePropagationCheck = true
 # Domains list.
 # Only domains defined here can generate wildcard certificates.
 # The certificates for these domains are negotiated at traefik startup only.
 #
 # [[acme.domains]]
 #   main = "local1.com"
 #   sans = ["test1.local1.com", "test2.local1.com"]
 # [[acme.domains]]
 #   main = "local2.com"
 # [[acme.domains]]
 #   main = "*.local3.com"
 #   sans = ["local3.com", "test1.test1.local3.com"]
--- a/docs/content/middlewares/addprefix.md
+++ b/docs/content/middlewares/addprefix.md
@ -12,17 +12,30 @@ The AddPrefix middleware updates the URL Path of the request before forwarding i
 ```yaml tab="Docker"
 # Prefixing with /foo
 labels:
- "traefik.http.middlewares.add-bar.addprefix.prefix=/foo"
+- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```
 ```yaml tab="Kubernetes"
 # Prefixing with /foo
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: addprefix
+  name: add-foo
 spec:
-  addprefix:
+  addPrefix:
-    prefix: /bar
+    prefix: /foo
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.add-foo.addprefix.prefix": "/foo"
 }
 ```
 ```yaml tab="Rancher"
 # Prefixing with /foo
 labels:
 - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```
 ```toml tab="File"
@ -34,6 +47,6 @@ spec:
 ## Configuration Options
-### prefix
+### `prefix`
 `prefix` is the string to add before the current path in the requested URL. It should include the leading slash (`/`).
--- a/docs/content/middlewares/basicauth.md
+++ b/docs/content/middlewares/basicauth.md
@ -12,15 +12,42 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
 ```yaml tab="Docker"
 # Declaring the user list
 labels:
-  - "traefik.http.middlewares.declared-users-only.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 ```yaml tab="Kubernetes"
 # Declaring the user list
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
 spec:
  basicAuth:
    users:
    - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
    - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 }
 ```
 ```yaml tab="Rancher"
 # Declaring the user list
 labels:
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 ```toml tab="File"
 # Declaring the user list
 [http.middlewares]
  [http.middlewares.test-auth.basicauth]
-  users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
+  users = [
-  "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
  ]
 ```
 ## Configuration Options
@ -33,7 +60,7 @@ Passwords must be encoded using MD5, SHA1, or BCrypt.
    Use `htpasswd` to generate the passwords.
-### users
+### `users`
 The `users` option is an array of authorized users. Each user will be declared using the `name:encoded-password` format.
@ -41,7 +68,7 @@ The `users` option is an array of authorized users. Each user will be declared u
    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-### usersFile
+### `usersFile`
 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@ -58,22 +85,36 @@ The file content is a list of `name:encoded-password`.
    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-### realm
+### `realm`
 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 
-### headerField
+### `headerField`
 You can customize the header field for the authenticated user using the `headerField`option.
-??? example "File -- Passing Authenticated Users to Services Via Headers"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
 ```
-    ```toml
+```yaml tab="Kubernetes"
-      [http.middlewares.my-auth.basicauth]
+apiVersion: traefik.containo.us/v1alpha1
-        usersFile = "path-to-file.ext"
+kind: Middleware
-        headerField = "X-WebAuth-User" # header for the authenticated user
+metadata:
-    ```
+  name: my-auth
 spec:
  basicAuth:
    # ...
    headerField: X-WebAuth-User
 ```
-### removeHeader
+```toml tab="File"
 [http.middlewares.my-auth.basicauth]
  # ...
  headerField = "X-WebAuth-User"
 ```
 ### `removeHeader`
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
--- a/docs/content/middlewares/buffering.md
+++ b/docs/content/middlewares/buffering.md
@ -16,39 +16,62 @@ This can help services deal with large data (multipart/form-data for example), a
 ```yaml tab="Docker"
 # Sets the maximum request body to 2Mb
 labels:
- "traefik.http.middlewares.2Mb-memory.buffering.maxRequestBodyBytes=250000",
+- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
 ```
 ```yaml tab="Kubernetes"
 # Sets the maximum request body to 2Mb
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: limit
 spec:
  buffering:
    maxRequestBodyBytes: 250000
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "250000"
 }
 ```
 ```yaml tab="Rancher"
 # Sets the maximum request body to 2Mb
 labels:
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=250000"
 ```
 ```toml tab="File"
 # Sets the maximum request body to 2Mb
 [http.middlewares]
-  [http.middlewares.2Mb-limit.buffering]
+  [http.middlewares.limit.buffering]
      maxRequestBodyBytes = 250000
 ```
 ## Configuration Options
-### maxRequestBodyBytes
+### `maxRequestBodyBytes`
 With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
 If the request exceeds the allowed size, the request is not forwarded to the service and the client gets a `413 (Request Entity Too Large) response.
-### memRequestBodyBytes
+### `memRequestBodyBytes`
 You can configure a thresold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option. 
-### maxResponseBodyBytes
+### `maxResponseBodyBytes`
 With the `maxReesponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
 If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
-### memResponseBodyBytes
+### `memResponseBodyBytes`
 You can configure a thresold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option. 
-### retryExpression
+### `retryExpression`
 You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
--- a/docs/content/middlewares/chain.md
+++ b/docs/content/middlewares/chain.md
@ -1,6 +1,6 @@
 # Chain
-When One Isn't Enougth
+When One Isn't Enough
 {: .subtitle }
 ![Chain](../assets/img/middleware/chain.png)
@ -10,31 +10,129 @@ It makes reusing the same groups easier.
 ## Configuration Example
-??? example "A Chain for WhiteList, BasicAuth, and HTTPS"
+Example "A Chain for WhiteList, BasicAuth, and HTTPS"
-    
+
-    ```toml
+```yaml tab="Docker"
-    # ...    
+labels:
-    [http.routers]
+- "traefik.http.routers.router1.service=service1"
-        [http.routers.router1]
+- "traefik.http.routers.router1.middlewares=secured"
-            service = "service1"
+- "traefik.http.routers.router1.rule=Host(`mydomain`)"
-            middlewares = ["secured"]
+- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
-            rule = "Host: mydomain"
+- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-    
+- "traefik.http.middlewares.https-only.schemeredirect.scheme=https"
-    [http.middlewares]
+- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-        [http.middlewares.secured.Chain]
+- "http.services.service1.loadbalancer.server.port=80"
-            middlewares = ["https-only", "known-ips", "auth-users"]
+```
-            
+
-        [http.middlewares.auth-users.BasicAuth]
+```yaml tab="Kubernetes"
-            users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
+apiVersion: traefik.containo.us/v1alpha1
-        [http.middlewares.https-only.SchemeRedirect]
+kind: IngressRoute
-            scheme = "https"
+metadata:
-        [http.middlewares.known-ips.ipWhiteList]
+  name: test
-            sourceRange = ["192.168.1.7", "x.x.x.x", "x.x.x.x"]
+  namespace: default
-    
+
-    [http.services]
+spec:
-      [http.services.service1]
+  entryPoints:
-        [http.services.service1.LoadBalancer]
+    - web
-          [[http.services.service1.LoadBalancer.Servers]]
+
-            URL = "http://127.0.0.1:80"
+  routes:
-            Weight = 1
+    - match: Host(`mydomain`)
-    ```
+      kind: Rule
      services:
        - name: whoami
          port: 80
      middlewares:
        - name: secured
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: secured
 spec:
  chain:
    middlewares:
    - https-only
    - known-ips
    - auth-users
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: auth-users
 spec:
  basicAuth:
    users:
    - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: https-only
 spec:
  schemeRedirect:
    scheme: https
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: known-ips
 spec:
  ipWhiteList:
    sourceRange:
    - 192.168.1.7
    - 127.0.0.1/32
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.routers.router1.service": "service1",
  "traefik.http.routers.router1.middlewares": "secured",
  "traefik.http.routers.router1.rule": "Host(`mydomain`)",
  "traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
  "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
  "traefik.http.middlewares.https-only.schemeredirect.scheme": "https",
  "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
  "http.services.service1.loadbalancer.server.port": "80"
 }
 ```
 ```yaml tab="Rancher"
 labels:
 - "traefik.http.routers.router1.service=service1"
 - "traefik.http.routers.router1.middlewares=secured"
 - "traefik.http.routers.router1.rule=Host(`mydomain`)"
 - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
 - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 - "traefik.http.middlewares.https-only.schemeredirect.scheme=https"
 - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
 - "http.services.service1.loadbalancer.server.port=80"
 ```
 ```toml tab="File"
 # ...    
 [http.routers]
    [http.routers.router1]
        service = "service1"
        middlewares = ["secured"]
        rule = "Host(`mydomain`)"
 [http.middlewares]
    [http.middlewares.secured.Chain]
        middlewares = ["https-only", "known-ips", "auth-users"]
    [http.middlewares.auth-users.BasicAuth]
        users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
    [http.middlewares.https-only.SchemeRedirect]
        scheme = "https"
    [http.middlewares.known-ips.ipWhiteList]
        sourceRange = ["192.168.1.7", "127.0.0.1/32"]
 [http.services]
  [http.services.service1]
    [http.services.service1.LoadBalancer]
      [[http.services.service1.LoadBalancer.Servers]]
        URL = "http://127.0.0.1:80"
        Weight = 1
 ```
--- a/docs/content/middlewares/circuitbreaker.md
+++ b/docs/content/middlewares/circuitbreaker.md
@ -29,10 +29,33 @@ labels:
 - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```
 ```yaml tab="Kubernetes"
 # Latency Check
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: latency-check
 spec:
  circuitBreaker:
    expression: LatencyAtQuantileMS(50.0) > 100
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.latency-check.circuitbreaker.expression": "LatencyAtQuantileMS(50.0) > 100"
 }
 ```
 ```yaml tab="Rancher"
 # Latency Check
 labels:
 - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```
 ```toml tab="File"
 # Latency Check
 [http.middlewares]
-   [http.middlewares.latency-check.circuitbreaker]
+   [http.middlewares.latency-check.circuitBreaker]
      expression = "LatencyAtQuantileMS(50.0) > 100"
 ```
@ -52,11 +75,14 @@ At specified intervals (`checkPeriod`), it will evaluate `expression` to decide
 ### Open
-While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`. After this duration, it will enter the recovering state.
+While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
 After this duration, it will enter the recovering state.
 ### Recovering
-While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`). If your service fails during recovery, the circuit breaker becomes open again. If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
+While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`).
 If your service fails during recovery, the circuit breaker becomes open again.
 If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
 ## Configuration Options
@ -70,11 +96,11 @@ The `expression` can check three different metrics:
 - The status code ratio (`ResponseCodeRatio`)
 - The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
-#### NetworkErrorRatio
+#### `NetworkErrorRatio`
 If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
-#### ResponseCodeRatio
+#### `ResponseCodeRatio`
 You can trigger the circuit breaker based on the ratio of a given range of status codes.
@ -89,11 +115,11 @@ The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom
 For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX). 
-#### LatencyAtQuantileMS
+#### `LatencyAtQuantileMS`
 You can trigger the circuit breaker when a given proportion of your requests become too slow.
-For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median lantency (quantile 50) reaches 100MS.
+For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
 !!! Note
@ -106,7 +132,7 @@ You can combine multiple metrics using operators in your expression.
 Supported operators are:
 - AND (`&&`)
- OR (`||)
+- OR (`||`)
 For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%. 
@ -126,15 +152,15 @@ Here is the list of supported operators:
 The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service). This behavior cannot be configured. 
-### CheckPeriod
+### `CheckPeriod`
 The interval used to evaluate `expression` and decide if the state of the circuit breaker must change. By default, `CheckPeriod` is 100Ms. This value cannot be configured.
-### FallbackDuration
+### `FallbackDuration`
 By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
-### RecoveringDuration
+### `RecoveringDuration`
 The duration of the recovering mode (recovering state). 
--- a/docs/content/middlewares/compress.md
+++ b/docs/content/middlewares/compress.md
@ -12,7 +12,19 @@ The Compress middleware enables the gzip compression.
 ```yaml tab="Docker"
 # Enable gzip compression
 labels:
- "traefik.http.middlewares.test-compress.compress=true",
+- "traefik.http.middlewares.test-compress.compress=true"
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-compress.compress": "true"
 }
 ```
 ```yaml tab="Rancher"
 # Enable gzip compression
 labels:
 - "traefik.http.middlewares.test-compress.compress=true"
 ```
 ```toml tab="File"
--- a/docs/content/middlewares/digestauth.md
+++ b/docs/content/middlewares/digestauth.md
@ -11,14 +11,40 @@ The DigestAuth middleware is a quick way to restrict access to your services to
 ```yaml tab="Docker"
 labels:
- "traefik.http.middlewares.declared-users-only.digestauth.usersFile=path-to-file.ext",
+- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 ```yaml tab="Kubernetes"
 # Declaring the user list
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
 spec:
  digestAuth:
    users:
    - test:traefik:a2688e031edb4be6a3797f3882655c05
    - test2:traefik:518845800f9e2bfb1f1f740ec24f074e
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 }
 ```
 ```yaml tab="Rancher"
 labels:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 ```toml tab="File"
 [http.middlewares]
-  [http.middlewares.test-auth.digestauth]
+  [http.middlewares.test-auth.digestAuth]
-    users = ["test:traefik:a2688e031edb4be6a3797f3882655c05",
+    users = [
-    "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
+      "test:traefik:a2688e031edb4be6a3797f3882655c05",
      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
    ]
 ```
 !!! tip 
@ -27,7 +53,7 @@ labels:
 ## Configuration Options
-### Users
+### `Users`
 The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
@ -35,7 +61,7 @@ The `users` option is an array of authorized users. Each user will be declared u
    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-### UsersFile
+### `UsersFile`
 The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@ -52,22 +78,43 @@ The file content is a list of `name:realm:encoded-password`.
    If both `users` and `usersFile` are provided, the two are merged. The content of `usersFile` has precedence over `users`.
-### Realm
+### `Realm`
 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`. 
-### HeaderField
+### `HeaderField`
 You can customize the header field for the authenticated user using the `headerField`option.
-??? example "File -- Passing Authenticated Users to Services Via Headers"
+Example "File -- Passing Authenticated User to Services Via Headers"
-    ```toml
+```yaml tab="Docker"
-      [http.middlewares.my-auth.digestauth]
+labels:
-        usersFile = "path-to-file.ext"
+  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
-        headerField = "X-WebAuth-User" # header for the authenticated user
+```
    ```
-### RemoveHeader
+```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: my-auth
 spec:
  digestAuth:
    # ...
    headerField: X-WebAuth-User
 ```
 ```yaml tab="Rancher"
 labels:
  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```
 ```toml tab="File"
 [http.middlewares.my-auth.digestAuth]
  # ...
  headerField = "X-WebAuth-User"
 ```
 ### `RemoveHeader`
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
--- a/docs/content/middlewares/errorpages.md
+++ b/docs/content/middlewares/errorpages.md
@ -15,24 +15,48 @@ The ErrorPage middleware returns a custom page in lieu of the default, according
 ```yaml tab="Docker"
 # Dynamic Custom Error Page for 5XX Status Code
 labels:
- "traefik.http.middlewares.test-errorpage.errors.status=500-599",
+- "traefik.http.middlewares.test-errorpage.errors.status=500-599"
- "traefik.http.middlewares.test-errorpage.errors.service=serviceError",
+- "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html",
+- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-errorpage
 spec:
  errors:
    status:
    - 500-599
    service: serviceError
    query: /{status}.html
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-errorpage.errors.status": "500-599",
  "traefik.http.middlewares.test-errorpage.errors.service": "serviceError",
  "traefik.http.middlewares.test-errorpage.errors.query": "/{status}.html"
 }
 ```
 ```yaml tab="Rancher"
 # Dynamic Custom Error Page for 5XX Status Code
 labels:
 - "traefik.http.middlewares.test-errorpage.errors.status=500-599"
 - "traefik.http.middlewares.test-errorpage.errors.service=serviceError"
 - "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
 ```
 ```toml tab="File"
 # Custom Error Page for 5XX
 [http.routers]
  [http.routers.router1]
    Service = "my-service"
    Rule = Host(`my-domain`)
 [http.middlewares]
-  [http.middlewares.5XX-errors.Errors]
+  [http.middlewares.test-errorpage.Errors]
    status = ["500-599"]
-    service = "error-handler-service"
+    service = "serviceError"
-    query = "/error.html"
+    query = "/{status}.html"
-            
+
 [http.services]
  # ... definition of error-handler-service and my-service
 ```
@ -42,7 +66,7 @@ labels:
 ## Configuration Options
-### status
+### `status`
 The `status` that will trigger the error page.
@ -52,10 +76,10 @@ The status code ranges are inclusive (`500-599` will trigger with every code bet
    You can define either a status code like `500` or ranges with a syntax like `500-599`.
-### service
+### `service`
 The service that will serve the new requested error page.
-### query
+### `query`
 The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.
--- a/docs/content/middlewares/forwardauth.md
+++ b/docs/content/middlewares/forwardauth.md
@ -11,21 +11,6 @@ Otherwise, the response from the authentication server is returned.
 ## Configuration Examples
 ```toml tab="File"
 # Forward authentication to authserver.com
 [http.middlewares]
  [http.middlewares.test-auth.forwardauth]
    address = "https://authserver.com/auth"
    trustForwardHeader = true
    authResponseHeaders = ["X-Auth-User", "X-Secret"]
    [http.middlewares.test-auth.forwardauth.tls]
      ca = "path/to/local.crt"
      caOptional = true
      cert = "path/to/foo.cert"
      key = "path/to/foo.key"      
 ```
 ```yaml tab="Docker"
 # Forward authentication to authserver.com
 labels:
@ -39,20 +24,80 @@ labels:
 - "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
 spec:
  forwardAuth:
    address: https://authserver.com/auth
    trustForwardHeader: true
    authResponseHeaders:
    - X-Auth-User
    - X-Secret
    tls:
      ca: path/to/local.crt
      caOptional: true
      cert: path/to/foo.cert
      key: path/to/foo.key  
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-auth.ForwardAuth.Address": "https://authserver.com/auth",
  "traefik.http.middlewares.test-auth.ForwardAuth.AuthResponseHeaders": "X-Auth-User,X-Secret",
  "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CA": "path/to/local.crt",
  "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CAOptional": "true",
  "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Cert": "path/to/foo.cert",
  "traefik.http.middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify": "true",
  "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Key": "path/to/foo.key",
  "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader": "true"
 }
 ```
 ```yaml tab="Rancher"
 # Forward authentication to authserver.com
 labels:
 - "traefik.http.middlewares.test-auth.ForwardAuth.Address=https://authserver.com/auth"
 - "traefik.http.middlewares.test-auth.ForwardAuth.AuthResponseHeaders=X-Auth-User, X-Secret"
 - "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CA=path/to/local.crt"
 - "traefik.http.middlewares.test-auth.ForwardAuth.TLS.CAOptional=true"
 - "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Cert=path/to/foo.cert"
 - "traefik.http.middlewares.test-auth.ForwardAuth.TLS.InsecureSkipVerify=true"
 - "traefik.http.middlewares.test-auth.ForwardAuth.TLS.Key=path/to/foo.key"
 - "traefik.http.middlewares.test-auth.ForwardAuth.TrustForwardHeader=true"
 ```
 ```toml tab="File"
 # Forward authentication to authserver.com
 [http.middlewares]
  [http.middlewares.test-auth.forwardAuth]
    address = "https://authserver.com/auth"
    trustForwardHeader = true
    authResponseHeaders = ["X-Auth-User", "X-Secret"]
    [http.middlewares.test-auth.forwardauth.tls]
      ca = "path/to/local.crt"
      caOptional = true
      cert = "path/to/foo.cert"
      key = "path/to/foo.key"
 ```
 ## Configuration Options
-### address
+### `address`
 The `address` option defines the authentication server address.
-### trustForwardHeader
+### `trustForwardHeader`
 Set the `trustForwardHeader` option to true to trust all the existing X-Forwarded-* headers.
-### authResponseHeaders
+### `authResponseHeaders`
 The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
-### tls
+### `tls`
 The `tls` option is the tls configuration from Traefik to the authentication server.
--- a/docs/content/middlewares/headers.md
+++ b/docs/content/middlewares/headers.md
@ -14,11 +14,35 @@ The Headers middleware can manage the requests/responses headers.
 Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` to the response
 ```yaml tab="Docker"
 a-container:
 image: a-container-image 
 labels:
- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test",
+- "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
- "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True",
+- "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True"
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: testHeader
 spec:
  headers:
    CustomRequestHeaders:
      X-Script-Name: "test"
    CustomResponseHeaders:
      X-Custom-Response-Header: "True"
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name": "test",
  "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header": "True"
 }
 ```
 ```yaml tab="Rancher"
 labels:
 - "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
 - "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True"
 ```
 ```toml tab="File"
@ -32,53 +56,122 @@ labels:
 ### Adding and Removing Headers
-`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request, and the `X-Custom-Response-Header` header removed from the response.
+`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request,
 and the `X-Custom-Response-Header` header removed from the response.
-??? example "File"
+Please note that is not possible to remove headers through the use of Docker labels for now.
-    ```toml    
+```yaml tab="Kubernetes"
-    [http.middlewares]
+apiVersion: traefik.containo.us/v1alpha1
-      [http.middlewares.testHeader.headers]
+kind: Middleware
-        [http.middlewares.testHeader.headers.CustomRequestHeaders]
+metadata:
-            X-Script-Name = "test"
+  name: testHeader
-        [http.middlewares.testHeader.headers.CustomResponseHeaders]
+spec:
-            X-Custom-Response-Header = "True"
+  headers:
-    ```
+    CustomRequestHeaders:
      X-Script-Name: "test" # Adds
      X-Custom-Request-Header: "" # Removes
    CustomResponseHeaders:
      X-Custom-Response-Header: "" # Removes
 ```
-??? example "Docker"
+```yaml tab="Rancher"
 labels:
  - "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test"
  - "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True"
 ```
-    ```yml
+```toml tab="File"    
-    a-container:
+[http.middlewares]
-          image: a-container-image 
+  [http.middlewares.testHeader.headers]
-            labels:
+    [http.middlewares.testHeader.headers.CustomRequestHeaders]
-              - "traefik.http.middlewares.testHeader.Headers.CustomRequestHeaders.X-Script-Name=test",
+        X-Script-Name = "test" # Adds
-              - "traefik.http.middlewares.testHeader.Headers.CustomResponseHeaders.X-Custom-Response-Header=True",
+        X-Custom-Request-Header = "" # Removes
-    ```
+    [http.middlewares.testHeader.headers.CustomResponseHeaders]
        X-Custom-Response-Header = "" # Removes
 ```
 ### Using Security Headers
 Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured per frontend in a similar manner to the custom headers above.
 This functionality allows for some easy security features to quickly be set.
-??? example "File"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testHeader.Headers.FrameDeny=true"
  - "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true"
 ```
-    ```toml    
+```yaml tab="Kubernetes"
-    [http.middlewares]
+apiVersion: traefik.containo.us/v1alpha1
-      [http.middlewares.testHeader.headers]
+kind: Middleware
-        FrameDeny = true
+metadata:
-        SSLRedirect = true
+  name: testHeader
-    ```
+spec:
  headers:
    FrameDeny: "true"
    SSLRedirect: "true"
 ```
-??? example "Docker"
+```yaml tab="Rancher"
 labels:
  - "traefik.http.middlewares.testHeader.Headers.FrameDeny=true"
  - "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true"
 ```
 ```toml tab="File"    
 [http.middlewares]
  [http.middlewares.testHeader.headers]
    FrameDeny = true
    SSLRedirect = true
 ```
 ### CORS Headers
 CORS (Cross-Origin Resource Sharing) headers can be added and configured per frontend in a similar manner to the custom headers above.
 This functionality allows for more advanced security features to quickly be set.
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testHeader.Headers.AccessControlAllowMethods=GET,OPTIONS,PUT"
  - "traefik.http.middlewares.testHeader.Headers.AccessControlAllowOrigin=origin-list-or-null"
  - "traefik.http.middlewares.testHeader.Headers.AccessControlMaxAge=100"
  - "traefik.http.middlewares.testHeader.Headers.AddVaryHeader=true"
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: testHeader
 spec:
  headers:
    AccessControlAllowMethods:
      - "GET"
      - "OPTIONS"
      - "PUT"
    AccessControlAllowOrigin: "origin-list-or-null"
    AccessControlMaxAge: 100
    AddVaryHeader: "true"
 ```
 ```yaml tab="Rancher"
 labels:
  - "traefik.http.middlewares.testHeader.Headers.AccessControlAllowMethods=GET,OPTIONS,PUT"
  - "traefik.http.middlewares.testHeader.Headers.AccessControlAllowOrigin=origin-list-or-null"
  - "traefik.http.middlewares.testHeader.Headers.AccessControlMaxAge=100"
  - "traefik.http.middlewares.testHeader.Headers.AddVaryHeader=true"
 ```
 ```toml tab="File"    
 [http.middlewares]
  [http.middlewares.testHeader.headers]
    AccessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
    AccessControlAllowOrigin = "origin-list-or-null"
    AccessControlMaxAge = 100
    AddVaryHeader = true
 ```
    ```yml
    a-container:
          image: a-container-image 
            labels:
              - "traefik.http.middlewares.testHeader.Headers.FrameDeny=true",
              - "traefik.http.middlewares.testHeader.Headers.SSLRedirect=true",
    ```
 ## Configuration Options
 ### General
@ -89,87 +182,123 @@ This functionality allows for some easy security features to quickly be set.
 !!! note
    The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
-### customRequestHeaders
+### `customRequestHeaders`
 The `customRequestHeaders` option lists the Header names and values to apply to the request.
-### allowedHosts 
+### `customResponseHeaders`
 The `customResponseHeaders` option lists the Header names and values to apply to the response.
 ### `accessControlAllowCredentials`
 The `accessControlAllowCredentials` indicates whether the request can include user credentials.
 ### `accessControlAllowHeaders`
 The `accessControlAllowHeaders` indicates which header field names can be used as part of the request.
 ### `accessControlAllowMethods`
 The  `accessControlAllowMethods` indicates which methods can be used during requests.
 ### `accessControlAllowOrigin`
 The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values. The three options for this value are:
 - `origin-list-or-null`
 - `*`
 - `null`
 ### `accessControlExposeHeaders`
 The `accessControlExposeHeaders` indicates which headers are safe to expose to the api of a CORS API specification.
 ### `accessControlMaxAge`
 The `accessControlMaxAge` indicates how long a preflight request can be cached.
 ### `addVaryHeader`
 The `addVaryHeader` is used in conjunction with `accessControlAllowOrigin` to determine whether the vary header should be added or modified to demonstrate that server responses can differ beased on the value of the origin header.
 ### `allowedHosts` 
 The `allowedHosts` option lists fully qualified domain names that are allowed.
-### hostsProxyHeaders 
+### `hostsProxyHeaders` 
 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
-### sslRedirect 
+### `sslRedirect` 
 The `sslRedirect` is set to true, then only allow https requests.
-### sslTemporaryRedirect
+### `sslTemporaryRedirect`
 Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
-### sslHost 
+### `sslHost` 
 The `SSLHost` option is the host name that is used to redirect http requests to https.
-### sslProxyHeaders 
+### `sslProxyHeaders` 
 The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request. Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
-### sslForceHost 
+### `sslForceHost` 
 Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
-### stsSeconds 
+### `stsSeconds` 
 The `stsSeconds` is the max-age of the Strict-Transport-Security header. If set to 0, would NOT include the header.
-### stsIncludeSubdomains 
+### `stsIncludeSubdomains` 
 The `stsIncludeSubdomains` is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header.
-### stsPreload 
+### `stsPreload` 
 Set `STSPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
-### forceSTSHeader
+### `forceSTSHeader`
 Set `ForceSTSHeader` to true, to add the STS header even when the connection is HTTP.
-### frameDeny 
+### `frameDeny` 
 Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
-### customFrameOptionsValue 
+### `customFrameOptionsValue` 
 The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value. This overrides the FrameDeny option.
-### contentTypeNosniff
+### `contentTypeNosniff`
 Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`.
-### browserXssFilter
+### `browserXssFilter`
 Set `BrowserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
-### customBrowserXSSValue
+### `customBrowserXSSValue`
 The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the BrowserXssFilter option.
-### contentSecurityPolicy
+### `contentSecurityPolicy`
 The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
-### publicKey
+### `publicKey`
 The `publicKey` implements HPKP to prevent MITM attacks with forged certificates. 
-### referrerPolicy
+### `referrerPolicy`
 The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
-### isDevelopment
+### `isDevelopment`
 Set `isDevelopment` to true when developing. The AllowedHosts, SSL, and STS options can cause some unwanted effects. Usually testing happens on http, not https, and on localhost, not your production domain.  
 If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.
--- a/docs/content/middlewares/ipwhitelist.md
+++ b/docs/content/middlewares/ipwhitelist.md
@ -12,7 +12,31 @@ IPWhitelist accepts / refuses requests based on the client IP.
 ```yaml tab="Docker"
 # Accepts request from defined IP
 labels:
- "traefik.http.middlewares.Middleware9.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-ipwhitelist
 spec:
  ipWhiteList:
    sourceRange:
    - 127.0.0.1/32
    - 192.168.1.7
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange": "127.0.0.1/32,192.168.1.7"
 }
 ```
 ```yaml tab="Rancher"
 # Accepts request from defined IP
 labels:
 - "traefik.http.middlewares.test-ipwhitelist.IPWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
 ```
 ```toml tab="File"
@ -24,19 +48,19 @@ labels:
 ## Configuration Options
-### sourceRange
+### `sourceRange`
 The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs).
-### ipStrategy
+### `ipStrategy`
 The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
-#### ipStrategy.depth 
+#### `ipStrategy.depth`
 The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
-!!! note "Examples of Depth & X-Forwaded-For"
+!!! note "Examples of Depth & X-Forwarded-For"
    If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
@ -47,10 +71,38 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
        | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
-
+    
-??? example "File -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
+    ```yaml tab="Docker"
-
+    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-    ```toml
+    labels:
        - "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
    ```
    ```yaml tab="Kubernetes"
    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: testIPwhitelist
    spec:
      ipWhiteList:
        SourceRange:
        - 127.0.0.1/32
        - 192.168.1.7
        ipstrategy:
          depth: 2
    ```
    ```yaml tab="Rancher"
    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
    labels:
        - "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
        - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
    ```
    ```toml tab="File"
    # Whitelisting Based on `X-Forwarded-For` with `depth=2`
    [http.middlewares]
      [http.middlewares.test-ipwhitelist.ipWhiteList]
        sourceRange = ["127.0.0.1/32", "192.168.1.7"]
@ -58,26 +110,16 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
            depth = 2
    ```
 ??? example "Docker -- Whitelisting Based on `X-Forwarded-For` with `depth=2`"
    ```yml
     a-container:
        image: a-container-image 
            labels:
                - "traefik.http.middlewares.testIPwhitelist.ipWhiteList.SourceRange=127.0.0.1/32, 192.168.1.7"
                - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
    ```
 !!! note
    - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
    - `depth` is ignored if its value is is lesser than or equal to 0.
-#### ipStrategy.excludedIPs
+#### `ipStrategy.excludedIPs`
 `excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
-!!! note "Examples of ExcludedIPs & X-Forwaded-For"
+!!! note "Examples of ExcludedIPs & X-Forwarded-For"
    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
    |-----------------------------------------|-----------------------|--------------|
@ -90,20 +132,36 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 !!! important
    If `depth` is specified, `excludedIPs` is ignored.
-??? example "File -- Exclude from `X-Forwarded-For`"
+```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
 ```
-    ```toml
+```yaml tab="Kubernetes"
-    [http.middlewares]
+# Exclude from `X-Forwarded-For`
-      [http.middlewares.test-ipwhitelist.ipWhiteList]
+apiVersion: traefik.containo.us/v1alpha1
-        [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+kind: Middleware
-          excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+metadata:
-    ```
+  name: test-ipwhitelist
 spec:
  ipWhiteList:
    ipstrategy:
      excludedIPs:
      - 127.0.0.1/32
      - 192.168.1.7
 ```
-??? example "Docker -- Exclude from `X-Forwarded-For`"
+```yaml tab="Rancher"
 # Exclude from `X-Forwarded-For`
 labels:
    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
 ```
-    ```yml
+```toml tab="File"
-     a-container:
+# Exclude from `X-Forwarded-For`
-        image: a-container-image 
+[http.middlewares]
-            labels:
+  [http.middlewares.test-ipwhitelist.ipWhiteList]
-                - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.excludedIPs=127.0.0.1/32, 192.168.1.7"
+    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
-    ```
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
--- a/docs/content/middlewares/maxconnection.md
+++ b/docs/content/middlewares/maxconnection.md
@ -15,6 +15,28 @@ labels:
 - "traefik.http.middlewares.test-maxconn.maxconn.amount=10"
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: addprefix
 spec:
  addPrefix:
    prefix: /bar
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-maxconn.maxconn.amount": "10"
 }
 ```
 ```yaml tab="Rancher"
 # Limiting to 10 simultaneous connections
 labels:
 - "traefik.http.middlewares.test-maxconn.maxconn.amount=10"
 ```
 ```toml tab="File"
 # Limiting to 10 simultaneous connections
 [http.middlewares]
@ -24,7 +46,7 @@ labels:
 ## Configuration Options
-### amount
+### `amount`
 The `amount` option defines the maximum amount of allowed simultaneous connections.
 The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `extractorfunc` strategy).
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@ -18,7 +18,7 @@ Pieces of middleware can be combined in chains to fit every scenario.
 whoami:
  image: containous/whoami  # A container that exposes an API to show its IP address
  labels:
-    - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo",
+    - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
 ```
 ```yaml tab="Kubernetes"
@ -55,10 +55,22 @@ spec:
 # more fields...
  routes:
    # more fields...
-    middleware:
+    middlewares:
    - name: stripprefix
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo"
 }
 ```
 ```yaml tab="Rancher"
 # As a Rancher Label
 labels:
  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
 ```
 ```toml tab="File"
 # As Toml Configuration File
 [providers]
@ -111,7 +123,7 @@ If you use multiple `providers` and wish to reference a middleware declared in a
        labels:
          # Attach file.add-foo-prefix middleware (declared in file)
-          - "traefik.http.routers.middlewares=file.add-foo-prefix",
+          - "traefik.http.routers.middlewares=file.add-foo-prefix"
    ```
 ## Available Middlewares
--- a/docs/content/middlewares/passtlsclientcert.md
+++ b/docs/content/middlewares/passtlsclientcert.md
@ -1,4 +1,4 @@
-# TODO - PassTLSClientCert
+# PassTLSClientCert
 Adding Client Certificates in a Header
 {: .subtitle }
@ -14,7 +14,29 @@ Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 ```yaml tab="Docker"
 # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
- "traefik.http.middlewares.Middleware11.passtlsclientcert.pem=true"
+- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: addprefix
 spec:
  passtlsclientcert:
    pem: true
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
 }
 ```
 ```yaml tab="Rancher"
 # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
 - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```
 ```toml tab="File"
@ -48,6 +70,58 @@ labels:
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
    ```
    ```yaml tab="Kubernetes"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: test-passtlsclientcert
    spec:
      passtlsclientcert:
        info:
          notAfter: true
          notBefore: true
          sans: true
          subject:
            country: true
            province: true
            locality: true
            organization: true
            commonName: true
            serialNumber: true
            domainComponent: true
          issuer:
            country: true
            province: true
            locality: true
            organization: true
            commonName: true
            serialNumber: true
            domainComponent: true
    ```
    ```yaml tab="Rancher"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    labels:
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
    ```
    ```toml tab="File"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    [http.middlewares]
@ -80,8 +154,8 @@ labels:
 PassTLSClientCert can add two headers to the request: 
-* `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
+- `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
-* `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
+- `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
 !!! note
    The headers are filled with escaped string so it can be safely placed inside a URL query.
@ -192,9 +266,10 @@ In the following example, you can see a complete certificate. We will use each p
    -----END CERTIFICATE-----
    ```
-### pem
+### `pem`
 The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
 In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
 ??? example "The data used by the pem option"
@ -243,10 +318,16 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
    The delimiters and `\n` will be removed.  
    If there are more than one certificate, they are separated by a "`;`".
-### info
+!!! note "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
    The header size limit of web servers is commonly between 4kb and 8kb.  
    You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).
 ### `info`
 The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
 The value of the header will be an escaped concatenation of all the selected certificate details.
 The following example shows an unescaped result that uses all the available fields: 
 ```text
@ -257,9 +338,10 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO
    If there are more than one certificate, they are separated by a `;`.
-#### info.notafter 
+#### `info.notafter`
 Set the `info.notafter` option to `true` to add the `Not After` information from the `Validity` part.
 The data are taken from the following certificate part:      
 ```text
@ -273,7 +355,7 @@ The escape `notafter` info part will be like:
 NA=1607166616
 ```
-#### info.notbefore
+#### `info.notbefore`
 Set the `info.notafter` option to `true` to add the `Not Before` information from the `Validity` part.
@ -290,9 +372,10 @@ The escape `notafter` info part will be like:
 NB=1544094616
 ```
-#### info.sans
+#### `info.sans`
 Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
 The data are taken from the following certificate part:
 ```text
@ -310,7 +393,7 @@ SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.
    All the SANs data are separated by a `,`.
-#### info.subject
+#### `info.subject`
 The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
@ -320,7 +403,7 @@ The data are taken from the following certificate part :
 Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
 ```
-##### info.subject.country
+##### `info.subject.country`
 Set the `info.subject.country` option to true to add the `country` information into the subject.  
 The data are taken from the subject part with the `C` key. 
@ -330,7 +413,7 @@ The escape country info in the subject part will be like :
 C=FR,C=US
 ```
-##### info.subject.province
+##### `info.subject.province`
 Set the `info.subject.province` option to true to add the `province` information into the subject.
@ -342,7 +425,7 @@ The escape province info in the subject part will be like :
 ST=Cheese org state,ST=Cheese com state
 ```
-##### info.subject.locality
+##### `info.subject.locality`
 Set the `info.subject.locality` option to true to add the `locality` information into the subject.
@ -354,7 +437,7 @@ The escape locality info in the subject part will be like :
 L=TOULOUSE,L=LYON
 ```
-##### info.subject.organization
+##### `info.subject.organization`
 Set the `info.subject.organization` option to true to add the `organization` information into the subject.
@ -366,31 +449,31 @@ The escape organization info in the subject part will be like :
 O=Cheese,O=Cheese 2
 ```
-##### info.subject.commonname
+##### `info.subject.commonname`
 Set the `info.subject.commonname` option to true to add the `commonname` information into the subject.
 The data are taken from the subject part with the `CN` key.
-The escape commonname info in the subject part will be like :
+The escape common name info in the subject part will be like :
 ```text
 CN=*.cheese.com
 ```
-##### info.subject.serialnumber
+##### `info.subject.serialnumber`
 Set the `info.subject.serialnumber` option to true to add the `serialnumber` information into the subject.
 The data are taken from the subject part with the `SN` key.
-The escape serialnumber info in the subject part will be like :
+The escape serial number info in the subject part will be like :
 ```text
 SN=1234567890
 ```
-##### info.subject.domaincomponent
+##### `info.subject.domaincomponent`
 Set the `info.subject.domaincomponent` option to true to add the `domaincomponent` information into the subject.
@ -402,7 +485,7 @@ The escape domaincomponent info in the subject part will be like :
 DC=org,DC=cheese
 ```
-#### info.issuer
+#### `info.issuer`
 The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
@ -412,7 +495,7 @@ The data are taken from the following certificate part :
 Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
 ```
-##### info.issuer.country
+##### `info.issuer.country`
 Set the `info.issuer.country` option to true to add the `country` information into the issuer.  
 The data are taken from the issuer part with the `C` key. 
@ -422,7 +505,7 @@ The escape country info in the issuer part will be like :
 C=FR,C=US
 ```
-##### info.issuer.province
+##### `info.issuer.province`
 Set the `info.issuer.province` option to true to add the `province` information into the issuer.
@ -434,7 +517,7 @@ The escape province info in the issuer part will be like :
 ST=Signing State,ST=Signing State 2
 ```
-##### info.issuer.locality
+##### `info.issuer.locality`
 Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
@ -446,7 +529,7 @@ The escape locality info in the issuer part will be like :
 L=TOULOUSE,L=LYON
 ```
-##### info.issuer.organization
+##### `info.issuer.organization`
 Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
@ -458,37 +541,37 @@ The escape organization info in the issuer part will be like :
 O=Cheese,O=Cheese 2
 ```
-##### info.issuer.commonname
+##### `info.issuer.commonname`
 Set the `info.issuer.commonname` option to true to add the `commonname` information into the issuer.
 The data are taken from the issuer part with the `CN` key.
-The escape commonname info in the issuer part will be like :
+The escape common name info in the issuer part will be like :
 ```text
 CN=Simple Signing CA 2
 ```
-##### info.issuer.serialnumber
+##### `info.issuer.serialnumber`
 Set the `info.issuer.serialnumber` option to true to add the `serialnumber` information into the issuer.
 The data are taken from the issuer part with the `SN` key.
-The escape serialnumber info in the issuer part will be like :
+The escape serial number info in the issuer part will be like :
 ```text
 SN=1234567890
 ```
-##### info.issuer.domaincomponent
+##### `info.issuer.domaincomponent`
 Set the `info.issuer.domaincomponent` option to true to add the `domaincomponent` information into the issuer.
 The data are taken from the issuer part with the `DC` key.
-The escape domaincomponent info in the issuer part will be like :
+The escape domain component info in the issuer part will be like :
 ```text
 DC=org,DC=cheese
--- a/docs/content/middlewares/ratelimit.md
+++ b/docs/content/middlewares/ratelimit.md
@ -1,4 +1,4 @@
-# TODO -- RateLimit
+# RateLimit
 Protection from Too Many Calls
 {: .subtitle }
@ -9,42 +9,87 @@ The RateLimit middleware ensures that services will receive a _fair_ number of r
 ## Configuration Example
-??? example "Limit to 100 requests every 10 seconds (with a possible burst of 200)"
+```yaml tab="Docker"
-    
+# Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
-    ```toml
+# These can "burst" up to 10 and 200 in each period, respectively.
-    [http.middlewares]
+labels:
-      [http.middlewares.fair-ratelimit.ratelimit]
+- "traefik.http.middlewares.test-ratelimit.ratelimit.extractorfunc=client.ip"
-        extractorfunc = "client.ip"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.period=10s"
-        
+- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.average=100"
-        [http.middlewares.fair-ratelimit.ratelimit.rateset1]
+- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.burst=200"
-          period = "10s"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.period=3s"
-          average = 100
+- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.average=5"
-          burst = 200
+- "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.burst=10"
-    ```
+  		
 ```
-??? example "Combine multiple limits"
+```yaml tab="Kubernetes"
 # Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
 # These can "burst" up to 10 and 200 in each period, respectively.
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
 spec:
  rateLimit:
    extractorfunc = "client.ip"
    rate0:
        period = "10s"
        average = 100
        burst = 200
    rate1:
        period = "3s"
        average = 5
        burst = 10
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-ratelimit.ratelimit.extractorfunc": "client.ip",
  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.period": "10s",
  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.average": "100",
  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.burst": "200",
  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.period": "3s",
  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.average": "5",
  "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.burst": "10"
 }
 ```
 ```yaml tab="Rancher"
 # Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
 # These can "burst" up to 10 and 200 in each period, respectively.
 labels:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.extractorfunc=client.ip"
 - "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.period=10s"
 - "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.average=100"
 - "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate0.burst=200"
 - "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.period=3s"
 - "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.average=5"
 - "traefik.http.middlewares.test-ratelimit.ratelimit.rateset.rate1.burst=10"
 ```
 ```toml tab="File"
 # Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds.
 # These can "burst" up to 10 and 200 in each period, respectively.
 [http.middlewares]
  [http.middlewares.test-ratelimit.ratelimit]
    extractorfunc = "client.ip"
-    ```toml
+    [http.middlewares.test-ratelimit.ratelimit.rate0]
-    [http.middlewares]
+      period = "10s"
-      [http.middlewares.fair-ratelimit.ratelimit]
+      average = 100
-          extractorfunc = "client.ip"
+      burst = 200
-          [http.middlewares.fair-ratelimit.ratelimit.rateset1]
+    [http.middlewares.test-ratelimit.ratelimit.rate1]
-            period = "10s"
+      period = "3s"
-            average = 100
+      average = 5
-            burst = 200
+      burst = 10
-    
+```
          [http.middlewares.fair-ratelimit.ratelimit.rateset2]
            period = "3s"
            average = 5
            burst = 10
    ```
    Here, an average of 5 requests every 3 seconds is allowed and an average of 100 requests every 10 seconds. These can "burst" up to 10 and 200 in each period, respectively. 
 ## Configuration Options
-### extractorfunc
+### `extractorfunc`
 The `extractorfunc` option defines the strategy used to categorize requests.
@ -54,12 +99,12 @@ The possible values are:
 - `client.ip` categorizes requests based on the client ip.
 - `request.header.ANY_HEADER` categorizes requests based on the provided `ANY_HEADER` value.
-### ratelimit (multiple values)
+### `ratelimit`
-You can combine multiple ratelimit. 
+You can combine multiple rate limits. 
-The ratelimit will trigger with the first reached limit.
+The rate limit will trigger with the first reached limit.
-Each ratelimit has 3 options, `period`, `average`, and `burst`.
+Each rate limit has 3 options, `period`, `average`, and `burst`.
 The rate limit will allow an average of `average` requests every `period`, with a maximum of `burst` request on that period.
--- a/docs/content/middlewares/redirectregex.md
+++ b/docs/content/middlewares/redirectregex.md
@ -1,4 +1,4 @@
-# TODO - RedirectRegex
+# RedirectRegex
 Redirecting the Client to a Different Location
 {: .subtitle }
@ -9,34 +9,56 @@ RegexRedirect redirect a request from an url to another with regex matching and
 ## Configuration Examples
-??? example "File -- Redirect with domain replacement"
+```yaml tab="Docker"
 # Redirect with domain replacement
 labels:
 - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
 - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
 ```
-    ```toml
+```yaml tab="Kubernetes"
-    [http.middlewares]
+# Redirect with domain replacement
-      [http.middlewares.test-redirectregex.redirectregex]
+apiVersion: traefik.containo.us/v1alpha1
-        regex = "^http://localhost/(.*)"
+kind: Middleware
-        replacement = "http://mydomain/$1"
+metadata:
-    ```
+  name: test-redirectregex
 spec:
  redirectRegex:
    regex: ^http://localhost/(.*)
    replacement: http://mydomain/$1
 ```
-??? example "Docker -- Redirect with domain replacement"
+```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-redirectregex.redirectregex.regex": "^http://localhost/(.*)",
  "traefik.http.middlewares.test-redirectregex.redirectregex.replacement": "http://mydomain/$1"
 }
 ```
-    ```yml
+```yaml tab="Rancher"
-     a-container:
+# Redirect with domain replacement
-        image: a-container-image 
+labels:
-            labels:
+- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
-                - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
-                - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$1"
+```
-    ```
+
 ```toml tab="File"
 # Redirect with domain replacement
 [http.middlewares]
  [http.middlewares.test-redirectregex.redirectregex]
    regex = "^http://localhost/(.*)"
    replacement = "http://mydomain/$1"
 ```
 ## Configuration Options
-### permanent
+### `permanent`
 Set the `permanent` option to `true` to apply a permanent redirection.
-### regex
+### `regex`
-The `Regex` option is the regular expression to match and capture elements form the request URL.
+The `Regex` option is the regular expression to match and capture elements from the request URL.
 !!! warning
@ -46,7 +68,7 @@ The `Regex` option is the regular expression to match and capture elements form
    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-### replacement
+### `replacement`
 The `replacement` option defines how to modify the URl to have the new target URL.
--- a/docs/content/middlewares/redirectscheme.md
+++ b/docs/content/middlewares/redirectscheme.md
@ -1,4 +1,4 @@
-# TODO - RedirectScheme
+# RedirectScheme
 Redirecting the Client to a Different Scheme/Port
 {: .subtitle }
@ -9,33 +9,52 @@ RegexRedirect redirect request from a scheme to another.
 ## Configuration Examples
-??? example "File -- Redirect to https"
+```yaml tab="Docker"
 # Redirect to https
 labels:
 - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```
-    ```toml
+```yaml tab="Kubernetes"
-    [http.middlewares]
+# Redirect to https
-      [http.middlewares.test-redirectscheme.redirectscheme]
+apiVersion: traefik.containo.us/v1alpha1
-        scheme = "https"
+kind: Middleware
-    ```
+metadata:
  name: test-redirectscheme
 spec:
  redirectScheme:
    scheme: https
 ```
-??? example "Docker -- Redirect to https"
+```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
 }
 ```
-    ```yml
+```yaml tab="Rancher"
-     a-container:
+# Redirect to https
-        image: a-container-image 
+labels:
-            labels:
+- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
-                - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+```
-    ```
+
 ```toml tab="File"
 # Redirect to https
 [http.middlewares]
  [http.middlewares.test-redirectscheme.redirectscheme]
    scheme = "https"
 ```
 ## Configuration Options
-### permanent
+### `permanent`
 Set the `permanent` option to `true` to apply a permanent redirection.
-### scheme
+### `scheme`
 The `scheme` option defines the scheme of the new url.
-### port
+### `port`
 The `port` option defines the port of the new url.
--- a/docs/content/middlewares/replacepath.md
+++ b/docs/content/middlewares/replacepath.md
@ -1,4 +1,4 @@
-# TODO -- ReplacePath
+# ReplacePath
 Updating the Path Before Forwarding the Request
 {: .subtitle }
@ -9,32 +9,51 @@ Replace the path of the request url.
 ## Configuration Examples
-??? example "File -- Replace the path by /foo"
+```yaml tab="Docker"
 # Replace the path by /foo
 labels:
 - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```
-    ```toml
+```yaml tab="Kubernetes"
-    [http.middlewares]
+# Replace the path by /foo
-      [http.middlewares.test-replacepath.ReplacePath]
+apiVersion: traefik.containo.us/v1alpha1
-         path = "/foo"
+kind: Middleware
-    ```
+metadata:
  name: test-replacepath
 spec:
  replacePath:
    path: /foo
 ```
-??? example "Docker --Replace the path by /foo"
+```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-replacepath.replacepath.path": "/foo"
 }
 ```
 ```yaml tab="Rancher"
 # Replace the path by /foo
 labels:
 - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```
 ```toml tab="File"
 # Replace the path by /foo
 [http.middlewares]
  [http.middlewares.test-replacepath.ReplacePath]
     path = "/foo"
 ```
    ```yaml
    a-container:
      image: a-container-image 
        labels:
          - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
    ```
 ## Configuration Options
 ### General
 The ReplacePath middleware will:
-* replace the actual path by the specified one.
+- replace the actual path by the specified one.
-* store the original path in a `X-Replaced-Path` header.
+- store the original path in a `X-Replaced-Path` header.
-### path
+### `path`
 The `path` option defines the path to use as replacement in the request url.
--- a/docs/content/middlewares/replacepathregex.md
+++ b/docs/content/middlewares/replacepathregex.md
@ -1,4 +1,76 @@
-# TODO -- ReplacePathRegex
+# ReplacePathRegex
 Updating the Path Before Forwarding the Request (Using a Regex)
-{: .subtitle }
+{: .subtitle }
 `TODO: add schema`
 The ReplaceRegex replace a path from an url to another with regex matching and replacement.
 ## Configuration Examples
 ```yaml tab="Docker"
 # Replace path with regex
 labels:
 - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
 - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```
 ```yaml tab="Kubernetes"
 # Replace path with regex
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-replacepathregex
 spec:
  replacePathRegex:
    regex: ^/foo/(.*)
    replacement: /bar/$1
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex": "^/foo/(.*)",
  "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement": "/bar/$1"
 }
 ```
 ```yaml tab="Rancher"
 # Replace path with regex
 labels:
 - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
 - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```
 ```toml tab="File"
 # Redirect with domain replacement
 [http.middlewares]
  [http.middlewares.test-replacepathregex.replacePathRegex]
    regex = "^/foo/(.*)"
    replacement = "/bar/$1"
 ```
 ## Configuration Options
 ### General
 The ReplacePathRegex middleware will:
 - replace the matching path by the specified one.
 - store the original path in a `X-Replaced-Path` header.
 ### `regex`
 The `Regex` option is the regular expression to match and capture the path from the request URL.
 !!! warning
    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
 !!! tip
    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
 ### `replacement`
 The `replacement` option defines how to modify the path to have the new target path.
--- a/docs/content/middlewares/retry.md
+++ b/docs/content/middlewares/retry.md
@ -1,20 +1,54 @@
-# TODO -- Retry
+# Retry
 Retrying until it Succeeds
 {: .subtitle }
-## Old Content
+`TODO: add schema`
-## Retry Configuration
+Retry to send request on attempt failure.
-```toml
+## Configuration Examples
 # Enable retry sending request if network error
 [retry]
-# Number of attempts
+```yaml tab="Docker"
-#
+# Retry to send request 4 times
-# Optional
+labels:
-# Default: (number servers in backend) -1
+- "traefik.http.middlewares.test-retry.retry.attempts=4"
 #
 # attempts = 3
 ```
 ```yaml tab="Kubernetes"
 # Retry to send request 4 times
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-retry
 spec:
  retry:
    attempts: 4
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-retry.retry.attempts": "4"
 }
 ```
 ```yaml tab="Rancher"
 # Retry to send request 4 times
 labels:
 - "traefik.http.middlewares.test-retry.retry.attempts=4"
 ```
 ```toml tab="File"
 # Retry to send request 4 times
 [http.middlewares]
  [http.middlewares.test-retry.Retry]
     attempts = 4
 ```
 ## Configuration Options
 ### `attempts` 
 _mandatory_
 The `attempts` option defines how many times to try sending the request.
--- a/docs/content/middlewares/stripprefix.md
+++ b/docs/content/middlewares/stripprefix.md
@ -1,13 +1,72 @@
-# TODO -- StripPrefix
+# StripPrefix
 Removing Prefixes From the Path Before Forwarding the Request
 {: .subtitle }
-## OldContent
+`TODO: add schema`
- 
+
-Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
+Remove the specified prefixes from the URL path.
-For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.  
+
-Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.  
+## Configuration Examples
 ```yaml tab="Docker"
 # Replace the path by /foo
 labels:
 - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=foobar, fiibar"
 ```
 ```yaml tab="Kubernetes"
 # Replace the path by /foo
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-stripprefix
 spec:
  StripPrefix:
    prefixes: "foobar, fiibar"
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "foobar, fiibar"
 }
 ```
 ```yaml tab="Rancher"
 # Replace the path by /foo
 labels:
 - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=foobar, fiibar"
 ```
 ```toml tab="File"
 # Replace the path by /foo
 [http.middlewares]
  [http.middlewares.test-stripprefix.StripPrefix]
     prefixes: "foobar, fiibar"
 ```
 ## Configuration Options
 ### General
 The StripPrefix middleware will:
 - strip the matching path prefix.
 - store the matching path prefix in a `X-Forwarded-Prefix` header.
 !!! tip
    Use a `StripPrefix` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
 ### `prefixes`
 The `prefixes` option defines the prefixes to strip from the request URL.
 For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.
 Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
 If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.  
 Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
-The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.
+
 The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
--- a/docs/content/middlewares/stripprefixregex.md
+++ b/docs/content/middlewares/stripprefixregex.md
@ -1,13 +1,77 @@
-# TODO -- StripPrefix
+# StripPrefix
 Removing Prefixes From the Path Before Forwarding the Request (Using a Regex)
 {: .subtitle }
-## OldContent
+`TODO: add schema`
 Remove the matching prefixes from the URL path.
 ## Configuration Examples
 ```yaml tab="Docker"
 # Replace the path by /foo
 labels:
 - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=^/foo/(.*)",
 ```
 ```yaml tab="Kubernetes"
 # Replace the path by /foo
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: test-stripprefixregex
 spec:
  StripPrefixRegex:
    regex: "^/foo/(.*)"
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex": "^/foo/(.*)"
 }
 ```
 ```yaml tab="Rancher"
 # Replace the path by /foo
 labels:
 - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=^/foo/(.*)",
 ```
 ```toml tab="File"
 # Replace the path by /foo
 [http.middlewares]
  [http.middlewares.test-stripprefixregex.StripPrefixRegex]
     regex: "^/foo/(.*)"
 ```
 ## Configuration Options
 ### General
 The StripPrefixRegex middleware will:
 - strip the matching path prefix.
 - store the matching path prefix in a `X-Forwarded-Prefix` header.
 !!! tip
    Use a `StripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
 ### `regex`
 The `regex` option is the regular expression to match the path prefix from the request URL.
 !!! tip
    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
 For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.  
 Use a `*Strip` matcher if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
 For instance, `PathPrefixStrip: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.  
 Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.  
 If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.  
 Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).  
-The `X-Forwarded-Prefix` header (available since Traefik 1.3) can be queried to build such URLs dynamically.
+
 The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@ -37,9 +37,9 @@ You can configure a file path instead using the `filePath` option.
 By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option.   
-#### logLevel
+#### log level
-By default, the `logLevel` is set to `error`, but you can choose amongst `debug`, `panic`, `fatal`, `error`, `warn`, and `info`. 
+By default, the `level` is set to `error`, but you can choose amongst `debug`, `panic`, `fatal`, `error`, `warn`, and `info`. 
 ## Log Rotation
--- a/docs/content/observability/tracing.md
+++ b/docs/content/observability/tracing.md
@ -7,7 +7,7 @@ The tracing system allows developers to visualize call flows in their infrastruc
 Traefik uses OpenTracing, an open standard designed for distributed tracing.
-Traefik supports three tracing backends: Jaeger, Zipkin, DataDog, and Instana.
+Traefik supports four tracing backends: Jaeger, Zipkin, DataDog, and Instana.
 ## Configuration Reference
--- a/docs/content/operations/ping.md
+++ b/docs/content/operations/ping.md
@ -14,11 +14,11 @@ Checking the Health of Your Traefik Instances
 ??? example "Enabling /ping on a dedicated EntryPoint"
    ```toml
-    [entrypoints]
+    [entryPoints]
-      [entrypoints.web]
+      [entryPoints.web]
        address = ":80"
-      [entrypoints.ping]
+      [entryPoints.ping]
        address = ":8082"
    [ping]
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@ -63,9 +63,9 @@ Attach labels to your containers and let Traefik do the rest!
 ## Provider Configuration Options
 !!! tip "Browse the Reference"
-    If you're in a hurry, maybe you'd rather go through the [Docker Reference](../reference/providers/docker.md).
+    If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration.md) and the [dynamic](../reference/dynamic-configuration/docker.md) configuration references.
-### endpoint
+### `endpoint`
 Traefik requires access to the docker socket to get its dynamic configuration.
@ -140,7 +140,9 @@ Traefik requires access to the docker socket to get its dynamic configuration.
          endpoint = "unix:///var/run/docker.sock"
    ```
-### usebindportip (_Optional_, _Default=false_)
+### `usebindportip`
 _Optional, Default=false_
 Traefik routes requests to the IP/Port of the matching container.
 When setting `usebindportip=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
@ -163,29 +165,42 @@ If it can't find such a binding, Traefik falls back on the internal network IP o
    !!! note
        In the above table, ExtIp stands for "external IP found in the binding", IntIp stands for "internal network container's IP", ExtPort stands for "external Port found in the binding", and IntPort stands for "internal network container's port."
-### exposedByDefault (_Optional_, _Default=true_)
+### `exposedByDefault`
 _Optional, Default=true_
 Expose containers by default through Traefik.
 If set to false, containers that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
-### network (_Optional_)
+### `network`
 _Optional_
 Defines a default docker network to use for connections to all containers.
 This option can be overridden on a container basis with the `traefik.docker.network` label.
-### domain (_Optional_, _Default=docker.localhost_)
+### `defaultRule`
-This is the default base domain used for the router rules.
+_Optional, Default=Host(`{{ normalize .Name }}`)_
-This option can be overridden on a container basis with the
+For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
-`traefik.domain` label.
+It must be a valid [Go template](https://golang.org/pkg/text/template/),
 augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
 The container service name can be accessed as the Name identifier,
 and the template has access to all the labels defined on this container.
-### swarmMode (_Optional_, _Default=false_)
+``defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"``
 ### `swarmMode`
 _Optional, Default=false_
 Activates the Swarm Mode.
-### swarmModeRefreshSeconds (_Optional_, _Default=15_)
+### `swarmModeRefreshSeconds`
 _Optional, Default=15_
 Defines the polling interval (in seconds) in Swarm Mode.
@ -195,11 +210,12 @@ Defines the polling interval (in seconds) in Swarm Mode.
 Traefik creates, for each container, a corresponding [service](../routing/services/index.md) and [router](../routing/routers/index.md).
-The Service automatically gets a server per instance of the container, and the router gets a default rule attached to it, based on the container name.
+The Service automatically gets a server per instance of the container,
 and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels).
 ### Routers
-To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change. For example, to change the rule, you could add the label `traefik.http.routers.my-container.rule=Host(my-domain)`.
+To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.http.routers.{name-of-your-choice}.` and followed by the option you want to change. For example, to change the rule, you could add the label `traefik.http.routers.my-container.rule=Host(my-domain)`.
 Every [Router](../routing/routers/index.md) parameter can be updated this way.
@ -211,7 +227,7 @@ Every [Service](../routing/services/index.md) parameter can be updated this way.
 ### Middleware
-You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options. For example, to declare a middleware [`schemeredirect`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.schemeredirect.scheme: https`.
+You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options. For example, to declare a middleware [`redirectscheme`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.redirectscheme.scheme: https`.
 ??? example "Declaring and Referencing a Middleware"
@ -251,17 +267,17 @@ You can declare TCP Routers and/or Services using labels.
 ### Specific Options
-#### traefik.enable
+#### `traefik.enable`
 You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false.
 This option overrides the value of `exposedByDefault`.
-#### traefik.tags
+#### `traefik.tags`
 Sets the tags for [constraints filtering](./overview.md#constraints-configuration).
-#### traefik.docker.network
+#### `traefik.docker.network`
 Overrides the default docker network to use for connections to the container.
@ -269,3 +285,10 @@ If a container is linked to several networks, be sure to set the proper network
 !!! warning
    When deploying a stack from a compose file `stack`, the networks defined are prefixed with `stack`.
 #### `traefik.docker.lbswarm`
 Enables Swarm's inbuilt load balancer (only relevant in Swarm Mode).
 If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs.
 Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm.
--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@ -28,7 +28,7 @@ You can write these configuration elements:
      # Add the router
      [http.routers]
        [http.routers.router0]
-          entrypoints = ["web"]
+          entryPoints = ["web"]
          middlewares = ["my-basic-auth"]
          service = "service-foo"
          rule = "Path(`foo`)"
@ -56,9 +56,9 @@ You can write these configuration elements:
 ## Provider Configuration Options
 !!! tip "Browse the Reference"
-    If you're in a hurry, maybe you'd rather go through the [File Reference](../reference/providers/file.md).
+    If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration.md) and the [dynamic](../reference/dynamic-configuration/file.md) configuration references.
-
+    
-### filename (_Optional_)
+### `filename` (_Optional_)
 Defines the path of the configuration file.
@ -68,7 +68,7 @@ Defines the path of the configuration file.
    filename = "rules.toml"
 ```
-### directory (_Optional_)
+### `directory` (_Optional_)
 Defines the directory that contains the configuration files.
@ -78,7 +78,7 @@ Defines the directory that contains the configuration files.
    directory = "/path/to/config"
 ```
-### watch (_Optional_)
+### `watch` (_Optional_)
 Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.  
 It works with both the `filename` and the `directory` options.
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@ -13,7 +13,133 @@ it would manage access to a cluster services by supporting the [Ingress](https:/
 However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
 we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
-## Traefik IngressRoute definition
+## Provider Configuration
 ### `endpoint`
 _Optional, Default=empty_
 The Kubernetes server endpoint as URL.
 When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
 The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
 Both are provided mounted automatically when deployed inside Kubernetes.
 The endpoint may be specified to override the environment variable values inside a cluster.
 When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
 In this case, the endpoint is required.
 Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
 ```toml tab="File"
 [Providers.KubernetesCRD]
  endpoint = "http://localhost:8080"
  # ...
 ```
 ```txt tab="CLI"
 --providers.kubernetescrd
 --providers.kubernetescrd.endpoint="http://localhost:8080"
 ```
 ### `token`
 _Optional, Default=empty_
 Bearer token used for the Kubernetes client configuration.
 ```toml tab="File"
 [Providers.KubernetesCRD]
  token = "mytoken"
  # ...
 ```
 ```txt tab="CLI"
 --providers.kubernetescrd
 --providers.kubernetescrd.token="mytoken"
 ```
 ### `certAuthFilePath`
 _Optional, Default=empty_
 Path to the certificate authority file.
 Used for the Kubernetes client configuration.
 ```toml tab="File"
 [Providers.KubernetesCRD]
  certAuthFilePath = "/my/ca.crt"
  # ...
 ```
 ```txt tab="CLI"
 --providers.kubernetescrd
 --providers.kubernetescrd.certauthfilepath="/my/ca.crt"
 ```
 ### `namespaces`
 _Optional, Default: all namespaces (empty array)_
 Array of namespaces to watch.
 ```toml tab="File"
 [Providers.KubernetesCRD]
  namespaces = ["default", "production"]
  # ...
 ```
 ```txt tab="CLI"
 --providers.kubernetescrd
 --providers.kubernetescrd.namespaces="default,production"
 ```
 ### `labelselector`
 _Optional,Default: empty (process all Ingresses)_
 By default, Traefik processes all Ingress objects in the configured namespaces.
 A label selector can be defined to filter on specific Ingress objects only.
 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
 ```toml tab="File"
 [Providers.KubernetesCRD]
  labelselector = "A and not B"
  # ...
 ```
 ```txt tab="CLI"
 --providers.kubernetescrd
 --providers.kubernetescrd.labelselector="A and not B"
 ```
 ### `ingressClass`
 _Optional, Default: empty_
 Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
 If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed.
 Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
 ```toml tab="File"
 [Providers.KubernetesCRD]
  ingressClass = "traefik-internal"
  # ...
 ```
 ```txt tab="CLI"
 --providers.kubernetescrd
 --providers.kubernetescrd.ingressclass="traefik-internal"
 ```
 ## Resource Configuration
 If you're in a hurry, maybe you'd rather go through the [dynamic](../reference/dynamic-configuration/kubernetes-crd.md) configuration reference.
 ### Traefik IngressRoute definition
 ```yaml
 --8<-- "content/providers/crd_ingress_route.yml"
@ -28,7 +154,7 @@ metadata:
  name: ingressroutefoo.crd
 spec:
-  entrypoints:
+  entryPoints:
    - web
  routes:
  # Match is the rule corresponding to an underlying router.
@ -46,7 +172,7 @@ spec:
      port: 80
 ```
-## Middleware
+### Middleware
 Additionally, to allow for the use of middlewares in an `IngressRoute`, we defined the CRD below for the `Middleware` kind.
@ -63,7 +189,7 @@ metadata:
  name: stripprefix
 spec:
-  stripprefix:
+  stripPrefix:
    prefixes:
      - /stripit
@ -74,7 +200,7 @@ metadata:
  name: ingressroutebar.crd
 spec:
-  entrypoints:
+  entryPoints:
    - web
  routes:
  - match: Host(`bar.com`) && PathPrefix(`/stripit`)
@ -86,7 +212,7 @@ spec:
    - name: stripprefix
 ```
-## TLS
+### TLS
 To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute`:
@ -119,10 +245,6 @@ spec:
    secretName: supersecret
 ```
 ## Full reference example
 [Traefik IngressRoute Reference](../reference/providers/kubernetescrd.md).
 ## Further
 Also see the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
--- a/docs/content/providers/marathon.md
+++ b/docs/content/providers/marathon.md
@ -0,0 +1,325 @@
 # Traefik & Marathon
 Traefik can be configured to use Marathon as a provider.
 {: .subtitle }
 See also [Marathon user guide](../user-guides/marathon.md).
 ## Configuration Examples
 ??? example "Configuring Marathon & Deploying / Exposing Applications"
    Enabling the marathon provider
    ```toml tab="File"
    [providers.marathon]
    endpoint = "http://127.0.0.1:8080"
    ```
    ```txt tab="CLI"
    --providers.marathon
    --providers.marathon.endpoint="http://127.0.0.1:8080"
    ```
    Attaching labels to marathon applications
    ```json
 	{
 		"id": "/whoami",
 		"container": {
 			"type": "DOCKER",
 			"docker": {
 				"image": "containous/whoami",
 				"network": "BRIDGE",
 				"portMappings": [
 					{
 						"containerPort": 80,
 						"hostPort": 0,
 						"protocol": "tcp"
 					}
 				]
 			}
 		},
 		"labels": {
 			"traefik.http.Routers.app.Rule": "PathPrefix(`/app`)"
 		}
 	}
    ```
 ## Provider Configuration Options
 !!! tip "Browse the Reference"
    If you're in a hurry, maybe you'd rather go through the [static](../reference/static-configuration.md) and the [dynamic](../reference/dynamic-configuration/marathon.md) configuration references.
 ### `basic`
 _Optional_
 Enables Marathon basic authentication.
 ```toml tab="File"
 [marathon.basic]
 httpBasicAuthUser = "foo"
 httpBasicPassword = "bar"
 ```
 ```txt tab="CLI"
 --providers.marathon
 --providers.marathon.basic.httpbasicauthuser="foo"
 --providers.marathon.basic.httpbasicpassword="bar"
 ```
 ### `dcosToken`
 _Optional_
 DCOSToken for DCOS environment.
 If set, it overrides the Authorization header.
 ```toml tab="File"
 [marathon]
 dcosToken = "xxxxxx"
 # ...
 ```
 ```txt tab="CLI"
 --providers.marathon
 --providers.marathon.dcosToken="xxxxxx"
 ```
 ### `defaultRule`
 _Optional, Default=```Host(`{{ normalize .Name }}`)```_
 For a given application if no routing rule was defined by a label, it is defined by this defaultRule instead.
 It must be a valid [Go template](https://golang.org/pkg/text/template/),
 augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
 The app ID can be accessed as the Name identifier,
 and the template has access to all the labels defined on this Marathon application.
 ```toml tab="File"
 [marathon]
 defaultRule = ""
 # ...
 ```
 ```txt tab="CLI"
 --providers.marathon
 --providers.marathon.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
 ```
 ### `dialerTimeout`
 _Optional, Default=5s_
 Overrides DialerTimeout.
 Amount of time the Marathon provider should wait before timing out,
 when trying to open a TCP connection to a Marathon master.
 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
 or directly as a number of seconds.
 ### `endpoint`
 _Optional, Default=http://127.0.0.1:8080_
 Marathon server endpoint.
 You can optionally specify multiple endpoints:
 ```toml tab="File"
 [marathon]
 endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
 # ...
 ```
 ```txt tab="CLI"
 --providers.marathon
 --providers.marathon.endpoint="http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
 ```
 ### `exposedByDefault`
 _Optional, Default=true_
 Exposes Marathon applications by default through Traefik.
 If set to false, applications that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
 ### `filterMarathonConstraints`
 _Optional, Default=false_
 Enables filtering using Marathon constraints.
 If enabled, Traefik will take into account Marathon constraints, as defined in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
 Each individual constraint will be treated as a verbatim compounded tag,
 e.g. "rack_id:CLUSTER:rack-1", with all constraint groups concatenated together using ":".
 ### `forceTaskHostname`
 _Optional, Default=false_
 By default, a task's IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
 otherwise, the name of the host running the task is used.
 The latter behavior can be enforced by enabling this switch.
 ### `keepAlive`
 _Optional, Default=10s_
 Set the TCP Keep Alive interval for the Marathon HTTP Client.
 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
 or directly as a number of seconds.
 ### `respectReadinessChecks`
 _Optional, Default=false_
 Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
 Enabling respectReadinessChecks causes Traefik to filter out tasks whose readiness checks have not succeeded.
 Note that the checks are only valid at deployment times.
 See the Marathon guide for details.
 ### `responseHeaderTimeout`
 _Optional, Default=60s_
 Overrides ResponseHeaderTimeout.
 Amount of time the Marathon provider should wait before timing out,
 when waiting for the first response header from a Marathon master.
 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration), or directly as a number of seconds.
 ### `TLS`
 _Optional_
 TLS client configuration. [tls/#Config](https://golang.org/pkg/crypto/tls/#Config).
 ```toml tab="File"
 [marathon.TLS]
 CA = "/etc/ssl/ca.crt"
 Cert = "/etc/ssl/marathon.cert"
 Key = "/etc/ssl/marathon.key"
 insecureSkipVerify = true
 ```
 ```txt tab="CLI"
 --providers.marathon.tls
 --providers.marathon.tls.ca="/etc/ssl/ca.crt"
 --providers.marathon.tls.cert="/etc/ssl/marathon.cert"
 --providers.marathon.tls.key="/etc/ssl/marathon.key"
 --providers.marathon.tls.insecureskipverify=true
 ```
 ### `TLSHandshakeTimeout`
 _Optional, Default=5s_
 Overrides TLSHandshakeTimeout.
 Amount of time the Marathon provider should wait before timing out,
 when waiting for the TLS handshake to complete.
 Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
 or directly as a number of seconds.
 ### `trace`
 _Optional, Default=false_
 Displays additional provider logs (if available).
 ### `watch`
 _Optional, Default=true_
 Enables watching for Marathon changes.
 ## Routing Configuration Options
 ### General
 Traefik creates, for each Marathon application, a corresponding [service](../routing/services/index.md) and [router](../routing/routers/index.md).
 The Service automatically gets a server per instance of the application,
 and the router automatically gets a rule defined by defaultRule (if no rule for it was defined in labels).
 ### Routers
 To update the configuration of the Router automatically attached to the application,
 add labels starting with `traefik.HTTP.Routers.{router-name-of-your-choice}.` and followed by the option you want to change.
 For example, to change the routing rule, you could add the label ```traefik.HTTP.Routers.Routername.Rule=Host(`my-domain`)```.
 Every [Router](../routing/routers/index.md) parameter can be updated this way.
 ### Services
 To update the configuration of the Service automatically attached to the container,
 add labels starting with `traefik.HTTP.Services.{service-name-of-your-choice}.`, followed by the option you want to change.
 For example, to change the load balancer method, you'd add the label `traefik.HTTP.Services.Servicename.LoadBalancer.Method=drr`.
 Every [Service](../routing/services/index.md) parameter can be updated this way.
 ### Middleware
 You can declare pieces of middleware using labels starting with `traefik.HTTP.Middlewares.{middleware-name-of-your-choice}.`, followed by the middleware type/options.
 For example, to declare a middleware [`schemeredirect`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.HTTP.Middlewares.my-redirect.RedirectScheme.Scheme: https`.
 ??? example "Declaring and Referencing a Middleware"
    ```json
 	{
 		...
 		"labels": {
 			"traefik.http.middlewares.my-redirect.schemeredirect.scheme": "https",
 			"traefik.http.routers.middlewares": "my-redirect"
 		}
 	}
    ```
 !!! warning "Conflicts in Declaration"
    If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
 ### TCP
 You can declare TCP Routers and/or Services using labels.
 ??? example "Declaring TCP Routers and Services"
    ```json
 	{
 		...
 		"labels": {
 			"traefik.tcp.routers.my-router.rule": "HostSNI(`my-host.com`)",
 			"traefik.tcp.routers.my-router.tls": "true",
 			"traefik.tcp.services.my-service.loadbalancer.server.port": "4123"
 		}
 	}
    ```
 !!! warning "TCP and HTTP"
    If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (as it would by default if no TCP Router/Service is defined).
    Both a TCP Router/Service and an HTTP Router/Service can be created for the same application, but it has to be done explicitly in the config.
 ### Specific Options
 #### `traefik.enable`
 Setting this option controls whether Traefik exposes the application.
 It overrides the value of `exposedByDefault`.
 #### `traefik.tags`
 Sets the tags for [constraints filtering](./overview.md#constraints-configuration).
 #### `traefik.marathon.ipadressidx`
 If a task has several IP addresses, this option specifies which one, in the list of available addresses, to select.
--- a/docs/content/providers/overview.md
+++ b/docs/content/providers/overview.md
@ -31,11 +31,15 @@ Below is the list of the currently supported providers in Traefik.
 | [Docker](./docker.md)           | Orchestrator | Label              |
 | [File](./file.md)               | Orchestrator | Custom Annotation  |
 | [Kubernetes](kubernetes-crd.md) | Orchestrator | Custom Resource    |
-| Marathon (not yet documented)   | Orchestrator | Label              |
+| [Marathon](marathon.md)         | Orchestrator | Label              |
 !!! note "More Providers"
    The current version of Traefik is in development and doesn't support (yet) every provider. See the previous version (1.7) for more providers.
 <!--
 TODO (document TCP VS HTTP dynamic configuration)
 -->
 ## Constraints Configuration
--- a/docs/content/providers/rancher.md
+++ b/docs/content/providers/rancher.md
@ -0,0 +1,177 @@
 # Traefik & Rancher
 A Story of Labels, Services & Container
 {: .subtitle }
 ![Rancher](../assets/img/providers/rancher.png)
 Attach labels to your services and let Traefik do the rest!
 ## Configuration Examples
 ??? example "Configuring Docker & Deploying / Exposing Services"
    Enabling the rancher provider
    ```toml
    [provider.rancher]
    ```
    Attaching labels to services
    ```yaml
    labels:
      - traefik.http.services.my-service.rule=Host(my-domain)
    ```
 ## Provider Configuration Options
 !!! tip "Browse the Reference"
    If you're in a hurry, maybe you'd rather go through the configuration reference:
    ```toml
    ################################################################
    # Rancher Provider
    ################################################################
    # Enable Docker Provider.
    [rancher]
    # The default host rule for all services.
    #
    # Optionnal
    #
    DefaultRule = "unix:///var/run/docker.sock"
    # Expose Rancher services by default in Traefik.
    #
    # Optional
    #
    ExposedByDefault = "docker.localhost"
    # Enable watch docker changes.
    #
    # Optional
    #
    watch = true
    # Filter services with unhealthy states and inactive states.
    #
    # Optional
    #
    EnableServiceHealthFilter = true
    # Defines the polling interval (in seconds).
    #
    # Optional
    #
    RefreshSeconds = true
    # Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
    #
    # Optional
    #
    IntervalPoll = false
    # Prefix used for accessing the Rancher metadata service
    #
    # Optional
    #
    Prefix = 15
    ```
 ### `ExposedByDefault`
 _Optional, Default=true_
 Expose Rancher services by default in Traefik.
 If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
 ### `DefaultRule`
 _Optional_
 The default host rule for all services.
 This option can be overridden on a container basis with the `traefik.http.routers.Router1.rule` label.
 ### `EnableServiceHealthFilter`
 _Optional, Default=true_
 Filter services with unhealthy states and inactive states.
 ### `RefreshSeconds`
 _Optional, Default=15_
 Defines the polling interval (in seconds).
 ### `IntervalPoll`
 _Optional, Default=false_
 Poll the Rancher metadata service for changes every `rancher.refreshSeconds`,
 which is less accurate than the default long polling technique which will provide near instantaneous updates to Traefik.
 ### `Prefix`
 _Optional, Default=/latest_
 Prefix used for accessing the Rancher metadata service
 ### General
 Traefik creates, for each rancher service, a corresponding [service](../routing/services/index.md) and [router](../routing/routers/index.md).
 The Service automatically gets a server per container in this rancher service, and the router gets a default rule attached to it, based on the service name.
 ### Routers
 To update the configuration of the Router automatically attached to the container, add labels starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change.
 For example, to change the rule, you could add the label `traefik.http.routers.my-container.rule=Host(my-domain)`.
 Every [Router](../routing/routers/index.md) parameter can be updated this way.
 ### Services
 To update the configuration of the Service automatically attached to the container, add labels starting with `traefik.http.services.{name-of-your-choice}.`,
 followed by the option you want to change. For example, to change the load balancer method,
 you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.method=drr`.
 Every [Service](../routing/services/index.md) parameter can be updated this way.
 ### Middleware
 You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.
 For example, to declare a middleware [`schemeredirect`](../middlewares/redirectscheme.md) named `my-redirect`, you'd write `traefik.http.middlewares.my-redirect.schemeredirect.scheme: https`.
 ??? example "Declaring and Referencing a Middleware"
    ```yaml
    # ...
    labels:
     - traefik.http.middlewares.my-redirect.schemeredirect.scheme=https
     - traefik.http.routers.middlewares=my-redirect
    ```
 !!! warning "Conflicts in Declaration"
    If you declare multiple middleware with the same name but with different parameters, the middleware fails to be declared.
 ### Specific Options
 #### `traefik.enable`
 You can tell Traefik to consider (or not) the container by setting `traefik.enable` to true or false.
 This option overrides the value of `exposedByDefault`.
 #### `traefik.tags`
 Sets the tags for [constraints filtering](./overview.md#constraints-configuration).
 #### Port Lookup
 Traefik is now capable of detecting the port to use, by following the default rancher flow.
 That means, if you just expose lets say port :1337 on the rancher ui, traefik will pick up this port and use it.
--- a/docs/content/reference/acme.md
+++ b/docs/content/reference/acme.md
@ -1,166 +0,0 @@
 # ACME - Reference
 Every Options for ACME
 {: .subtitle} 
 ## TOML
 ```toml
    # Sample entrypoint configuration when using ACME.
    [entrypoints]
      [entrypoints.web]
      address = ":80"
      [entrypoints.web-secure]
      address = ":443"
    # Enable ACME (Let's Encrypt): automatic SSL.
    [acme]
    # Email address used for registration.
    #
    # Required
    #
    email = "test@traefik.io"
    # File used for certificates storage.
    #
    # Optional (Deprecated)
    #
    #storageFile = "acme.json"
    # File or key used for certificates storage.
    #
    # Required
    #
    storage = "acme.json"
    # or `storage = "traefik/acme/account"` if using KV store.
    # Deprecated, replaced by [acme.dnsChallenge].
    #
    # Optional.
    #
    # dnsProvider = "digitalocean"
    # Deprecated, replaced by [acme.dnsChallenge.delayBeforeCheck].
    #
    # Optional
    # Default: 0
    #
    # delayDontCheckDNS = 0
    # If true, display debug log messages from the acme client library.
    #
    # Optional
    # Default: false
    #
    # acmeLogging = true
    # If true, override certificates in key-value store when using storeconfig.
    #
    # Optional
    # Default: false
    #
    # overrideCertificates = true
    # Deprecated. Enable on demand certificate generation.
    #
    # Optional
    # Default: false
    #
    # onDemand = true
    # Enable certificate generation on frontends host rules.
    #
    # Optional
    # Default: false
    #
    # onHostRule = true
    # CA server to use.
    # Uncomment the line to use Let's Encrypt's staging server,
    # leave commented to go to prod.
    #
    # Optional
    # Default: "https://acme-v02.api.letsencrypt.org/directory"
    #
    # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
    # KeyType to use.
    #
    # Optional
    # Default: "RSA4096"
    #
    # Available values : "EC256", "EC384", "RSA2048", "RSA4096", "RSA8192"
    #
    # KeyType = "RSA4096"
    # Use a TLS-ALPN-01 ACME challenge.
    #
    # Optional (but recommended)
    #
    [acme.tlsChallenge]
    # Use a HTTP-01 ACME challenge.
    #
    # Optional
    #
    # [acme.httpChallenge]
      # EntryPoint to use for the HTTP-01 challenges.
      #
      # Required
      #
      # entryPoint = "http"
    # Use a DNS-01 ACME challenge rather than HTTP-01 challenge.
    # Note: mandatory for wildcard certificate generation.
    #
    # Optional
    #
    # [acme.dnsChallenge]
      # DNS provider used.
      #
      # Required
      #
      # provider = "digitalocean"
      # By default, the provider will verify the TXT DNS challenge record before letting ACME verify.
      # If delayBeforeCheck is greater than zero, this check is delayed for the configured duration in seconds.
      # Useful if internal networks block external DNS queries.
      #
      # Optional
      # Default: 0
      #
      # delayBeforeCheck = 0
      # Use following DNS servers to resolve the FQDN authority.
      #
      # Optional
      # Default: empty
      #
      # resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
      # Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.
      #
      # NOT RECOMMENDED:
      # Increase the risk of reaching Let's Encrypt's rate limits.
      #
      # Optional
      # Default: false
      #
      # disablePropagationCheck = true
    # Domains list.
    # Only domains defined here can generate wildcard certificates.
    # The certificates for these domains are negotiated at traefik startup only.
    #
    # [[acme.domains]]
    #   main = "local1.com"
    #   sans = ["test1.local1.com", "test2.local1.com"]
    # [[acme.domains]]
    #   main = "local2.com"
    # [[acme.domains]]
    #   main = "*.local3.com"
    #   sans = ["local3.com", "test1.test1.local3.com"]
 ```
--- a/docs/content/reference/dynamic-configuration/docker.md
+++ b/docs/content/reference/dynamic-configuration/docker.md
@ -0,0 +1,8 @@
 # Docker Configuration Reference
 Dynamic configuration with Docker Labels
 {: .subtitle }
 ```yaml
 --8<-- "content/reference/dynamic-configuration/labels.yml"
 ```
--- a/docs/content/reference/dynamic-configuration/file.md
+++ b/docs/content/reference/dynamic-configuration/file.md
@ -0,0 +1,8 @@
 # File Configuration Reference
 Dynamic configuration with toml files
 {: .subtitle }
 ```toml
 --8<-- "content/reference/dynamic-configuration/file.toml"
 ```
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@ -0,0 +1,265 @@
 [HTTP]
  [HTTP.Routers]
    [HTTP.Routers.Router0]
      EntryPoints = ["foobar", "foobar"]
      Middlewares = ["foobar", "foobar"]
      Service = "foobar"
      Rule = "foobar"
      priority = 42
      [HTTP.Routers.Router0.tls]
  [HTTP.Middlewares]
      [HTTP.Middlewares.Middleware0.AddPrefix]
        Prefix = "foobar"
      [HTTP.Middlewares.Middleware1.StripPrefix]
        Prefixes = ["foobar", "foobar"]
      [HTTP.Middlewares.Middleware2.StripPrefixRegex]
        Regex = ["foobar", "foobar"]
      [HTTP.Middlewares.Middleware3.ReplacePath]
        Path = "foobar"
      [HTTP.Middlewares.Middleware4.ReplacePathRegex]
        Regex = "foobar"
        Replacement = "foobar"
      [HTTP.Middlewares.Middleware5.Chain]
        Middlewares = ["foobar", "foobar"]
      [HTTP.Middlewares.Middleware6.IPWhiteList]
        SourceRange = ["foobar", "foobar"]
        [HTTP.Middlewares.Middleware7.IPWhiteList.IPStrategy]
          Depth = 42
          ExcludedIPs = ["foobar", "foobar"]
      [HTTP.Middlewares.Middleware8.Headers]
        AccessControlAllowCredentials = true
        AccessControlAllowHeaders = ["foobar", "foobar"]
        AccessControlAllowMethods = ["foobar", "foobar"]
        AccessControlAllowOrigin = "foobar"
        AccessControlExposeHeaders = ["foobar", "foobar"]
        AccessControlMaxAge = 42
        AddVaryHeader = true
        AllowedHosts = ["foobar", "foobar"]
        HostsProxyHeaders = ["foobar", "foobar"]
        SSLRedirect = true
        SSLTemporaryRedirect = true
        SSLHost = "foobar"
        SSLForceHost = true
        STSSeconds = 42
        STSIncludeSubdomains = true
        STSPreload = true
        ForceSTSHeader = true
        FrameDeny = true
        CustomFrameOptionsValue = "foobar"
        ContentTypeNosniff = true
        BrowserXSSFilter = true
        CustomBrowserXSSValue = "foobar"
        ContentSecurityPolicy = "foobar"
        PublicKey = "foobar"
        ReferrerPolicy = "foobar"
        IsDevelopment = true
        [HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders]
          name0 = "foobar"
          name1 = "foobar"
        [HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders]
          name0 = "foobar"
          name1 = "foobar"
        [HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders]
          name0 = "foobar"
          name1 = "foobar"
      [HTTP.Middlewares.Middleware9.Errors]
        Status = ["foobar", "foobar"]
        Service = "foobar"
        Query = "foobar"
      [HTTP.Middlewares.Middleware10.RateLimit]
        ExtractorFunc = "foobar"
        [HTTP.Middlewares.Middleware10.RateLimit.RateSet]
          [HTTP.Middlewares.Middleware10.RateLimit.RateSet.Rate0]
            Period = 42
            Average = 42
            Burst = 42
          [HTTP.Middlewares.Middleware10.RateLimit.RateSet.Rate1]
            Period = 42
            Average = 42
            Burst = 42
      [HTTP.Middlewares.Middleware11.RedirectRegex]
        Regex = "foobar"
        Replacement = "foobar"
        Permanent = true
      [HTTP.Middlewares.Middleware12.RedirectScheme]
        Scheme = "foobar"
        Port = "foobar"
        Permanent = true
      [HTTP.Middlewares.Middleware13.BasicAuth]
        Users = ["foobar", "foobar"]
        UsersFile = "foobar"
        Realm = "foobar"
        RemoveHeader = true
        HeaderField = "foobar"
      [HTTP.Middlewares.Middleware14.DigestAuth]
        Users = ["foobar", "foobar"]
        UsersFile = "foobar"
        RemoveHeader = true
        Realm = "foobar"
        HeaderField = "foobar"
      [HTTP.Middlewares.Middleware15.ForwardAuth]
        Address = "foobar"
        TrustForwardHeader = true
        AuthResponseHeaders = ["foobar", "foobar"]
        [HTTP.Middlewares.Middleware15.ForwardAuth.TLS]
          CA = "foobar"
          CAOptional = true
          Cert = "foobar"
          Key = "foobar"
          InsecureSkipVerify = true
      [HTTP.Middlewares.Middleware16.MaxConn]
        Amount = 42
        ExtractorFunc = "foobar"
      [HTTP.Middlewares.Middleware17.Buffering]
        MaxRequestBodyBytes = 42
        MemRequestBodyBytes = 42
        MaxResponseBodyBytes = 42
        MemResponseBodyBytes = 42
        RetryExpression = "foobar"
      [HTTP.Middlewares.Middleware18.CircuitBreaker]
        Expression = "foobar"
      [HTTP.Middlewares.Middleware19.Compress]
      [HTTP.Middlewares.Middleware20.PassTLSClientCert]
        PEM = true
        [HTTP.Middlewares.Middleware20.PassTLSClientCert.Info]
          NotAfter = true
          NotBefore = true
          Sans = true
          [HTTP.Middlewares.Middleware20.PassTLSClientCert.Info.Subject]
            Country = true
            Province = true
            Locality = true
            Organization = true
            CommonName = true
            SerialNumber = true
            DomainComponent = true
          [HTTP.Middlewares.Middleware20.PassTLSClientCert.Info.Issuer]
            Country = true
            Province = true
            Locality = true
            Organization = true
            CommonName = true
            SerialNumber = true
            DomainComponent = true
      [HTTP.Middlewares.Middleware21.Retry]
        Attempts = 42
  [HTTP.Services]
    [HTTP.Services.Service0]
      [HTTP.Services.Service0.LoadBalancer]
        Method = "foobar"
        PassHostHeader = true
        [[HTTP.Services.Service0.LoadBalancer.Servers]]
          URL = "foobar"
          Weight = 42
        [HTTP.Services.Service0.LoadBalancer.Stickiness]
          CookieName = "foobar"
        [[HTTP.Services.Service0.LoadBalancer.Servers]]
          URL = "foobar"
          Weight = 42
        [HTTP.Services.Service0.LoadBalancer.HealthCheck]
          Scheme = "foobar"
          Path = "foobar"
          Port = 42
          Interval = "foobar"
          Timeout = "foobar"
          Hostname = "foobar"
          [HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers]
            name0 = "foobar"
            name1 = "foobar"
        [HTTP.Services.Service0.LoadBalancer.ResponseForwarding]
          FlushInterval = "foobar"
 [TCP]
  [TCP.Routers]
    [TCP.Routers.TCPRouter0]
      EntryPoints = ["foobar", "foobar"]
      Service = "foobar"
      Rule = "foobar"
      [TCP.Routers.TCPRouter0.tls]
        passthrough = true
  [TCP.Services]
    [TCP.Services.TCPService0]
      [TCP.Services.TCPService0.LoadBalancer]
        Method = "foobar"
        [[TCP.Services.TCPService0.LoadBalancer.Servers]]
          Address = "foobar"
          Weight = 42
        [[TCP.Services.TCPService0.LoadBalancer.Servers]]
          Address = "foobar"
          Weight = 42
 [[TLS]]
  Stores = ["foobar", "foobar"]
  [TLS.Certificate]
    CertFile = "foobar"
    KeyFile = "foobar"
 [[TLS]]
  Stores = ["foobar", "foobar"]
  [TLS.Certificate]
    CertFile = "foobar"
    KeyFile = "foobar"
 [TLSOptions]
  [TLSOptions.TLS0]
    MinVersion = "foobar"
    CipherSuites = ["foobar", "foobar"]
    SniStrict = true
    [TLSOptions.TLS0.ClientCA]
      Files = ["foobar", "foobar"]
      Optional = true
  [TLSOptions.TLS1]
    MinVersion = "foobar"
    CipherSuites = ["foobar", "foobar"]
    SniStrict = true
    [TLSOptions.TLS1.ClientCA]
      Files = ["foobar", "foobar"]
      Optional = true
 [TLSStores]
  [TLSStores.Store0]
    [TLSStores.Store0.DefaultCertificate]
      CertFile = "foobar"
      KeyFile = "foobar"
  [TLSStores.Store1]
    [TLSStores.Store1.DefaultCertificate]
      CertFile = "foobar"
      KeyFile = "foobar"
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd.md
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd.md
@ -0,0 +1,8 @@
 # Kubernetes Configuration Reference
 Dynamic configuration with Kubernetes Custom Resource
 {: .subtitle }
 ```yaml
 --8<-- "content/reference/dynamic-configuration/kubernetes-crd.yml"
 ```
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd.yml
@ -0,0 +1,71 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: ingressroutes.traefik.containo.us
 spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: middlewares.traefik.containo.us
 spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
  name: ingressroute.crd
 spec:
  entryPoints:
    - web
    - web-secure
  routes:
    - match: Host(`foo.com`) && PathPrefix(`/bar`)
      kind: Rule
      priority: 12
      # defining several services is possible and allowed, but for now the servers of
      # all the services (for a given route) get merged altogether under the same
      # load-balancing strategy.
      services:
        - name: s1
          port: 80
          healthCheck:
            path: /health
            host: baz.com
            intervalSeconds: 7
            timeoutSeconds: 60
          # strategy defines the load balancing strategy between the servers. It defaults
          # to Round Robin, and for now only Round Robin is supported anyway.
          strategy: RoundRobin
        - name: s2
          port: 433
          healthCheck:
            path: /health
            host: baz.com
            intervalSeconds: 7
            timeoutSeconds: 60
    - match: PathPrefix(`/misc`)
      services:
        - name: s3
          port: 80
      middlewares:
        - name: stripprefix
        - name: addprefix
  tls:
    secretName: supersecret
--- a/docs/content/reference/dynamic-configuration/labels.yml
+++ b/docs/content/reference/dynamic-configuration/labels.yml
@ -0,0 +1,159 @@
 labels:
 - "traefik.HTTP.Middlewares.Middleware0.AddPrefix.Prefix=foobar"
 - "traefik.HTTP.Middlewares.Middleware1.BasicAuth.HeaderField=foobar"
 - "traefik.HTTP.Middlewares.Middleware1.BasicAuth.Realm=foobar"
 - "traefik.HTTP.Middlewares.Middleware1.BasicAuth.RemoveHeader=true"
 - "traefik.HTTP.Middlewares.Middleware1.BasicAuth.Users=foobar, fiibar"
 - "traefik.HTTP.Middlewares.Middleware1.BasicAuth.UsersFile=foobar"
 - "traefik.HTTP.Middlewares.Middleware2.Buffering.MaxRequestBodyBytes=42"
 - "traefik.HTTP.Middlewares.Middleware2.Buffering.MaxResponseBodyBytes=42"
 - "traefik.HTTP.Middlewares.Middleware2.Buffering.MemRequestBodyBytes=42"
 - "traefik.HTTP.Middlewares.Middleware2.Buffering.MemResponseBodyBytes=42"
 - "traefik.HTTP.Middlewares.Middleware2.Buffering.RetryExpression=foobar"
 - "traefik.HTTP.Middlewares.Middleware3.Chain.Middlewares=foobar, fiibar"
 - "traefik.HTTP.Middlewares.Middleware4.CircuitBreaker.Expression=foobar"
 - "traefik.HTTP.Middlewares.Middleware5.DigestAuth.HeaderField=foobar"
 - "traefik.HTTP.Middlewares.Middleware5.DigestAuth.Realm=foobar"
 - "traefik.HTTP.Middlewares.Middleware5.DigestAuth.RemoveHeader=true"
 - "traefik.HTTP.Middlewares.Middleware5.DigestAuth.Users=foobar, fiibar"
 - "traefik.HTTP.Middlewares.Middleware5.DigestAuth.UsersFile=foobar"
 - "traefik.HTTP.Middlewares.Middleware6.Errors.Query=foobar"
 - "traefik.HTTP.Middlewares.Middleware6.Errors.Service=foobar"
 - "traefik.HTTP.Middlewares.Middleware6.Errors.Status=foobar, fiibar"
 - "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.Address=foobar"
 - "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthResponseHeaders=foobar, fiibar"
 - "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CA=foobar"
 - "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CAOptional=true"
 - "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Cert=foobar"
 - "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.InsecureSkipVerify=true"
 - "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Key=foobar"
 - "traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TrustForwardHeader=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowCredentials=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowHeaders=X-foobar, X-fiibar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowMethods=GET, PUT"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowOrigin=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlExposeHeaders=X-foobar, X-fiibar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlMaxAge=200"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.AddVaryHeader=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.AllowedHosts=foobar, fiibar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.BrowserXSSFilter=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.ContentSecurityPolicy=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.ContentTypeNosniff=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.CustomBrowserXSSValue=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.CustomFrameOptionsValue=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders.name0=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.CustomRequestHeaders.name1=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders.name0=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.CustomResponseHeaders.name1=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.ForceSTSHeader=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.FrameDeny=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.HostsProxyHeaders=foobar, fiibar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.IsDevelopment=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.PublicKey=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.ReferrerPolicy=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.SSLForceHost=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.SSLHost=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name0=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name1=foobar"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.SSLRedirect=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.SSLTemporaryRedirect=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.STSIncludeSubdomains=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.STSPreload=true"
 - "traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds=42"
 - "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.Depth=42"
 - "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.IPStrategy.ExcludedIPs=foobar, fiibar"
 - "traefik.HTTP.Middlewares.Middleware9.IPWhiteList.SourceRange=foobar, fiibar"
 - "traefik.HTTP.Middlewares.Middleware10.MaxConn.Amount=42"
 - "traefik.HTTP.Middlewares.Middleware10.MaxConn.ExtractorFunc=foobar"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotAfter=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotBefore=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Sans=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Country=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Province=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Locality=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Organization=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.CommonName=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.SerialNumber=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.DomainComponent=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Country=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Province=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Locality=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.Organization=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.CommonName=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.SerialNumber=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Issuer.DomainComponent=true"
 - "traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.PEM=true"
 - "traefik.HTTP.Middlewares.Middleware12.RateLimit.ExtractorFunc=foobar"
 - "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Average=42"
 - "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Burst=42"
 - "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate0.Period=42"
 - "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Average=42"
 - "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Burst=42"
 - "traefik.HTTP.Middlewares.Middleware12.RateLimit.RateSet.Rate1.Period=42"
 - "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Regex=foobar"
 - "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Replacement=foobar"
 - "traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Permanent=true"
 - "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Scheme=https"
 - "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Port=80"
 - "traefik.HTTP.Middlewares.Middleware13b.RedirectScheme.Permanent=true"
 - "traefik.HTTP.Middlewares.Middleware14.ReplacePath.Path=foobar"
 - "traefik.HTTP.Middlewares.Middleware15.ReplacePathRegex.Regex=foobar"
 - "traefik.HTTP.Middlewares.Middleware15.ReplacePathRegex.Replacement=foobar"
 - "traefik.HTTP.Middlewares.Middleware16.Retry.Attempts=42"
 - "traefik.HTTP.Middlewares.Middleware17.StripPrefix.Prefixes=foobar, fiibar"
 - "traefik.HTTP.Middlewares.Middleware18.StripPrefixRegex.Regex=foobar, fiibar"
 - "traefik.HTTP.Middlewares.Middleware19.Compress=true"
 - "traefik.HTTP.Routers.Router0.EntryPoints=foobar, fiibar"
 - "traefik.HTTP.Routers.Router0.Middlewares=foobar, fiibar"
 - "traefik.HTTP.Routers.Router0.Priority=42"
 - "traefik.HTTP.Routers.Router0.Rule=foobar"
 - "traefik.HTTP.Routers.Router0.Service=foobar"
 - "traefik.HTTP.Routers.Router0.TLS=true"
 - "traefik.HTTP.Routers.Router1.EntryPoints=foobar, fiibar"
 - "traefik.HTTP.Routers.Router1.Middlewares=foobar, fiibar"
 - "traefik.HTTP.Routers.Router1.Priority=42"
 - "traefik.HTTP.Routers.Router1.Rule=foobar"
 - "traefik.HTTP.Routers.Router1.Service=foobar"
 - "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name1=foobar"
 - "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Hostname=foobar"
 - "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Interval=foobar"
 - "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Path=foobar"
 - "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Port=42"
 - "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Scheme=foobar"
 - "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Timeout=foobar"
 - "traefik.HTTP.Services.Service0.LoadBalancer.Method=foobar"
 - "traefik.HTTP.Services.Service0.LoadBalancer.PassHostHeader=true"
 - "traefik.HTTP.Services.Service0.LoadBalancer.ResponseForwarding.FlushInterval=foobar"
 - "traefik.HTTP.Services.Service0.LoadBalancer.server.Port=8080"
 - "traefik.HTTP.Services.Service0.LoadBalancer.server.Scheme=foobar"
 - "traefik.HTTP.Services.Service0.LoadBalancer.server.Weight=42"
 - "traefik.HTTP.Services.Service0.LoadBalancer.Stickiness.CookieName=foobar"
 - "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name0=foobar"
 - "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name1=foobar"
 - "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Hostname=foobar"
 - "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Interval=foobar"
 - "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Path=foobar"
 - "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Port=42"
 - "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Scheme=foobar"
 - "traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Timeout=foobar"
 - "traefik.HTTP.Services.Service1.LoadBalancer.Method=foobar"
 - "traefik.HTTP.Services.Service1.LoadBalancer.PassHostHeader=true"
 - "traefik.HTTP.Services.Service1.LoadBalancer.ResponseForwarding.FlushInterval=foobar"
 - "traefik.HTTP.Services.Service1.LoadBalancer.server.Port=8080"
 - "traefik.HTTP.Services.Service1.LoadBalancer.server.Scheme=foobar"
 - "traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name0=foobar"
 - "traefik.HTTP.Services.Service1.LoadBalancer.server.Weight=42"
 - "traefik.TCP.Routers.Router0.Rule=foobar"
 - "traefik.TCP.Routers.Router0.EntryPoints=foobar, fiibar"
 - "traefik.TCP.Routers.Router0.Service=foobar"
 - "traefik.TCP.Routers.Router0.TLS.Passthrough=false"
 - "traefik.TCP.Routers.Router1.Rule=foobar"
 - "traefik.TCP.Routers.Router1.EntryPoints=foobar, fiibar"
 - "traefik.TCP.Routers.Router1.Service=foobar"
 - "traefik.TCP.Routers.Router1.TLS.Passthrough=false"
 - "traefik.TCP.Services.Service0.LoadBalancer.Method=foobar"
 - "traefik.TCP.Services.Service0.LoadBalancer.server.Port=42"
 - "traefik.TCP.Services.Service0.LoadBalancer.server.Weight=42"
 - "traefik.TCP.Services.Service1.LoadBalancer.Method=foobar"
 - "traefik.TCP.Services.Service1.LoadBalancer.server.Port=42"
 - "traefik.TCP.Services.Service1.LoadBalancer.server.Weight=42"
--- a/docs/content/reference/dynamic-configuration/marathon.md
+++ b/docs/content/reference/dynamic-configuration/marathon.md
@ -0,0 +1,8 @@
 # Marathon Configuration Reference
 Dynamic configuration with Marathon Labels
 {: .subtitle }
 ```yaml
 --8<-- "content/reference/dynamic-configuration/labels.yml"
 ```
--- a/docs/content/reference/entrypoints.md
+++ b/docs/content/reference/entrypoints.md
@ -1,35 +0,0 @@
 # EntryPoints - Reference
 Every Options for EntryPoints
 {: .subtitle} 
 ## TOML
 ```toml
 # ...
 [entrypoints]
  [entrypoints.web]
    address = ":80"
    [entrypoints.web.proxyProtocol]
      insecure = true
      trustedIPs = ["10.10.10.1", "10.10.10.2"]
    [entrypoints.web.forwardedHeaders]
      trustedIPs = ["10.10.10.1", "10.10.10.2"]
      insecure = false
  [entrypoints.web-secure]
    # ...
 ```
 ## CLI
 ```ini
 Name:foo
 Address::80
 ProxyProtocol.TrustedIPs:192.168.0.1
 ProxyProtocol.Insecure:true
 ForwardedHeaders.TrustedIPs:10.0.0.3/24,20.0.0.3/24
 ```
--- a/docs/content/reference/logs.md
+++ b/docs/content/reference/logs.md
@ -1,53 +0,0 @@
 # Logs - Reference
 ## TOML
 ```toml
 logLevel = "INFO"
 [traefikLog]
  filePath = "/path/to/traefik.log"
  format   = "json"
 [accessLog]
  filePath = "/path/to/access.log"
  format = "json"
  [accessLog.filters]
    statusCodes = ["200", "300-302"]
    retryAttempts = true
    minDuration = "10ms"
  [accessLog.fields]
    defaultMode = "keep"
    [accessLog.fields.names]
      "ClientUsername" = "drop"
      # ...
    [accessLog.fields.headers]
      defaultMode = "keep"
      [accessLog.fields.headers.names]
        "User-Agent" = "redact"
        "Authorization" = "drop"
        "Content-Type" = "keep"
        # ...
 ```
 ## CLI
 For more information about the CLI, see the documentation about [Traefik command](../../operations/cli).
 ```shell
 --logLevel="DEBUG"
 --traefikLog.filePath="/path/to/traefik.log"
 --traefikLog.format="json"
 --accessLog.filePath="/path/to/access.log"
 --accessLog.format="json"
 --accessLog.filters.statusCodes="200,300-302"
 --accessLog.filters.retryAttempts="true"
 --accessLog.filters.minDuration="10ms"
 --accessLog.fields.defaultMode="keep"
 --accessLog.fields.names="Username=drop Hostname=drop"
 --accessLog.fields.headers.defaultMode="keep"
 --accessLog.fields.headers.names="User-Agent=redact Authorization=drop Content-Type=keep"
 ```
--- a/docs/content/reference/providers/docker.md
+++ b/docs/content/reference/providers/docker.md
@ -1,180 +0,0 @@
 # Docker -- Reference
 ## Docker
 ```toml
 ################################################################
 # Docker Provider
 ################################################################
 # Enable Docker Provider.
 [docker]
 # Docker server endpoint. Can be a tcp or a unix socket endpoint.
 #
 # Required
 #
 endpoint = "unix:///var/run/docker.sock"
 # Default base domain used for the frontend rules.
 # Can be overridden by setting the "traefik.domain" label on a container.
 #
 # Optional
 #
 domain = "docker.localhost"
 # Enable watch docker changes.
 #
 # Optional
 #
 watch = true
 # Override default configuration template.
 # For advanced users :)
 #
 # Optional
 #
 # filename = "docker.tmpl"
 # Override template version
 # For advanced users :)
 #
 # Optional
 # - "1": previous template version (must be used only with older custom templates, see "filename")
 # - "2": current template version (must be used to force template version when "filename" is used)
 #
 # templateVersion = 2
 # Expose containers by default in Traefik.
 # If set to false, containers that don't have `traefik.enable=true` will be ignored.
 #
 # Optional
 # Default: true
 #
 exposedByDefault = true
 # Use the IP address from the binded port instead of the inner network one.
 #
 # In case no IP address is attached to the binded port (or in case 
 # there is no bind), the inner network one will be used as a fallback.     
 #
 # Optional
 # Default: false
 #
 usebindportip = true
 # Use Swarm Mode services as data provider.
 #
 # Optional
 # Default: false
 #
 swarmMode = false
 # Polling interval (in seconds) for Swarm Mode.
 #
 # Optional
 # Default: 15
 #
 swarmModeRefreshSeconds = 15
 # Define a default docker network to use for connections to all containers.
 # Can be overridden by the traefik.docker.network label.
 #
 # Optional
 #
 network = "web"
 # Enable docker TLS connection.
 #
 # Optional
 #
 #  [docker.tls]
 #  ca = "/etc/ssl/ca.crt"
 #  cert = "/etc/ssl/docker.crt"
 #  key = "/etc/ssl/docker.key"
 #  insecureSkipVerify = true
 ```
 ## Docker Swarm Mode
 ```toml
 ################################################################
 # Docker Swarm Mode Provider
 ################################################################
 # Enable Docker Provider.
 [docker]
 # Docker server endpoint.
 # Can be a tcp or a unix socket endpoint.
 #
 # Required
 # Default: "unix:///var/run/docker.sock"
 #
 # swarm classic (1.12-)
 # endpoint = "tcp://127.0.0.1:2375"
 # docker swarm mode (1.12+)
 endpoint = "tcp://127.0.0.1:2377"
 # Default base domain used for the frontend rules.
 # Can be overridden by setting the "traefik.domain" label on a services.
 #
 # Optional
 # Default: ""
 #
 domain = "docker.localhost"
 # Enable watch docker changes.
 #
 # Optional
 # Default: true
 #
 watch = true
 # Use Docker Swarm Mode as data provider.
 #
 # Optional
 # Default: false
 #
 swarmMode = true
 # Define a default docker network to use for connections to all containers.
 # Can be overridden by the traefik.docker.network label.
 #
 # Optional
 #
 network = "web"
 # Override default configuration template.
 # For advanced users :)
 #
 # Optional
 #
 # filename = "docker.tmpl"
 # Override template version
 # For advanced users :)
 #
 # Optional
 # - "1": previous template version (must be used only with older custom templates, see "filename")
 # - "2": current template version (must be used to force template version when "filename" is used)
 #
 # templateVersion = 2
 # Expose services by default in Traefik.
 #
 # Optional
 # Default: true
 #
 exposedByDefault = false
 # Enable docker TLS connection.
 #
 # Optional
 #
 #  [docker.tls]
 #  ca = "/etc/ssl/ca.crt"
 #  cert = "/etc/ssl/docker.crt"
 #  key = "/etc/ssl/docker.key"
 #  insecureSkipVerify = true
 ```
--- a/docs/content/reference/providers/file.md
+++ b/docs/content/reference/providers/file.md
@ -1,261 +0,0 @@
 # File -- Reference
 ## File
 ```toml
 ################################################################
 # File Provider
 ################################################################
 [providers]
  # Enable File Provider.
  [providers.file]
    # Define one separated configuration file.
    #
    # Optional
    #     
    filename = "my-conf.toml"
    # Define directory that contains a set of configuration files.
    #
    # Optional
    #     
    directory = "/path/to/config"
    # Enable watch file changes.
    #
    # Optional
    #
    watch = true
    [http]
      [http.routers]
        [http.routers.router0]
          entrypoints = ["foo", "bar"]
          middlewares = ["foo", "bar"]
          service = "service-foo"
          rule = "Path(`foo`)"
          priority = 42
          [http.routers.router0.tls]
      [http.middlewares]
          [http.middlewares.my-add-prefix.AddPrefix]
            prefix = "/foo"
          [http.middlewares.my-strip-prefix.StripPrefix]
            prefixes = ["/foo", "/bar"]
          [http.middlewares.my-strip-prefix-regex.StripPrefixRegex]
            regex = ["/foo/api/", "/bar/{category}/{id:[0-9]+}/"]
          [http.middlewares.my-replace-path.ReplacePath]
            path = "/foo"
          [http.middlewares.my-replace-path-regex.ReplacePathRegex]
            regex = "foo/(.*)"
            replacement = "/foobar/$1"
          [http.middlewares.my-chain.Chain]
            middlewares = ["my-add-prefix", "my-basic-auth"]
          [http.middlewares.Middleware0.IPWhiteList]
            sourceRange = ["127.0.0.1/32", "192.168.1.7"]
            [http.middlewares.Middleware0.IPWhiteList.IPStrategy]
              depth = 2
              excludedIPs = ["127.0.0.1/16", "192.168.1.7"]
          [http.middlewares.my-headers.Headers]
            allowedHosts = ["foobar", "foobar"]
            hostsProxyHeaders = ["foobar", "foobar"]
            sslRedirect = true
            sslTemporaryRedirect = true
            sslHost = "foobar"
            sslForceHost = true
            stsSeconds = 42
            stsIncludeSubdomains = true
            stsPreload = true
            forceSTSHeader = true
            frameDeny = true
            customFrameOptionsValue = "foobar"
            contentTypeNosniff = true
            browserXSSFilter = true
            customBrowserXSSValue = "foobar"
            contentSecurityPolicy = "foobar"
            publicKey = "foobar"
            referrerPolicy = "foobar"
            isDevelopment = true
            [http.middlewares.my-headers.Headers.CustomRequestHeaders]
              X-Script-Name = "foo"
            [http.middlewares.my-headers.Headers.CustomResponseHeaders]
              X-Custom-Response-Header = "True"
            [http.middlewares.my-headers.Headers.SSLProxyHeaders]
              X-Forwarded-Proto = "https"
          [http.middlewares.my-errors.Errors]
            status = ["400-404", "500-599"]
            service = "foo-errors-service"
            query = "/error.html"
          [http.middlewares.my-rate-limit.RateLimit]
            extractorFunc = "client.ip"
            [http.middlewares.Middleware0.RateLimit.RateSet]
              [http.middlewares.Middleware0.RateLimit.RateSet.Rate0]
                period = 10
                average = 100
                burst = 200
          [http.middlewares.my-redirect-regex.RedirectRegex]
            regex = "^http://localhost/(.*)"
            replacement = "http://mydomain/$1"
            permanent = true
          [http.middlewares.my-redirect-scheme.RedirectScheme]
            scheme = "https"
            port = "8443"
            permanent = true
          [http.middlewares.my-basic-auth.BasicAuth]
            users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
                      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
            usersFile = "etc/traefik/.htpasswd"
            realm = "myRealm"
            removeHeader = true
            headerField = "X-WebAuth-User"
          [http.middlewares.my-digest-auth.DigestAuth]
            users = ["test:traefik:a2688e031edb4be6a3797f3882655c05", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
            usersFile = "etc/traefik/.htdigest"
            removeHeader = true
            realm = "traefik"
            headerField = "X-WebAuth-User"
          [http.middlewares.my-forward-auth.ForwardAuth]
            address = "https://myauth.server:443"
            trustForwardHeader = true
            authResponseHeaders = ["X-Forwarded-Foo", "X-Forwarded-Bar"]
            [http.middlewares.my-forward-auth.ForwardAuth.TLS]
              ca = "/etc/traefik/crt/ca.pem"
              caOptional = true
              cert = "/etc/traefik/crt/cert.pem"
              key = "/etc/traefik/crt/cert.key"
              insecureSkipVerify = true
          [http.middlewares.my-maxconn.MaxConn]
            amount = 10
            extractorFunc = "request.host"
          [http.middlewares.my-buffering.Buffering]
            maxRequestBodyBytes = 25000
            memRequestBodyBytes = 25000
            maxResponseBodyBytes = 25000
            memResponseBodyBytes = 25000
            retryExpression = "foobar"
          [http.middlewares.my-circuit-breaker.CircuitBreaker]
            Expression = "LatencyAtQuantileMS(50.0) > 100"
          [http.middlewares.my-compress.Compress]
          [http.middlewares.my-pass-tls-client-cert.PassTLSClientCert]
            pem = true
            [http.middlewares.Middleware0.PassTLSClientCert.Info]
              notAfter = true
              notBefore = true
              sans = true
              [http.middlewares.Middleware0.PassTLSClientCert.Info.Subject]
                country = true
                province = true
                locality = true
                organization = true
                commonName = true
                serialNumber = true
                domainComponent = true
              [http.middlewares.Middleware0.PassTLSClientCert.Info.Issuer]
                country = true
                province = true
                locality = true
                organization = true
                commonName = true
                serialNumber = true
                domainComponent = true
          [http.middlewares.my-retry.Retry]
            attempts = 4
      [http.services]
        [http.services.service0]
          [http.services.service0.LoadBalancer]
            method = "wrr"
            passHostHeader = true
            [http.services.service0.LoadBalancer.Stickiness]
              cookieName = "my-stickiness-cookie-name"
            [[http.services.service0.LoadBalancer.Servers]]
              url = "http://foo/"
              weight = 30
            [[http.services.service0.LoadBalancer.Servers]]
              url = "http://bar/"
              weight = 70
            [http.services.service0.LoadBalancer.HealthCheck]
              scheme = "https"
              path = "/health"
              port = 9443
              interval = "10s"
              timeout = "30s"
              hostname = "foobar"
              [http.services.service0.LoadBalancer.HealthCheck.Headers]
                My-Custom-Header = "foobar"
            [http.services.service0.LoadBalancer.ResponseForwarding]
              flushInterval = "4s"
    [tcp]
      [tcp.routers]
        [tcp.routers.tcpRouter0]
          entryPoints = ["foobar", "foobar"]
          service = "foobar"
          rule = "foobar"
          [tcp.routers.tcpRouter0.tlst]
            passthrough = true
      [tcp.services]
        [tcp.services.tcpService0]
          [tcp.services.tcpService0.tcpLoadBalancer]
            method = "foobar"
            [[tcp.services.tcpService0.tcpLoadBalancer.Servers]]
              address = "foobar"
              weight = 42
            [[tcp.services.tcpService0.tcpLoadBalancer.Servers]]
              address = "foobar"
              weight = 42
    [[tls]]
      Store = ["my-store-foo", "my-store-bar"]
      [tls.Certificate]
        certFile = "/etc/traefik/cert.pem"
        keyFile = "/etc/traefik/cert.key"
    [tlsconfig]
      [tlsconfig.TLS0]
        minVersion = "VersionTLS12"
        cipherSuites = [ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"]
        [tlsconfig.TLS0.ClientCA]
          files = ["/etc/traefik/ca-foo.pem", "/etc/traefik/ca-bar.pem"]
          optional = true
    [tlsstore]
      [tlsstore.my-store-foo]
        sniStrict = true
        [tlsstore.my-store-foo.DefaultCertificate]
          certFile = "/etc/traefik/cert.pem"
          keyFile = "/etc/traefik/cert.key"
 ```
--- a/docs/content/reference/providers/kubernetescrd.md
+++ b/docs/content/reference/providers/kubernetescrd.md
@ -1,81 +0,0 @@
 # Kubernetes -- Reference
 ## Kubernetes
 ```yaml
 ################################################################
 # Kubernetes Provider
 ################################################################
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: ingressroutes.traefik.containo.us
 spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: middlewares.traefik.containo.us
 spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
  name: ingressroute.crd
 spec:
  entrypoints:
    - web
    - web-secure
  routes:
  - match: Host(`foo.com`) && PathPrefix(`/bar`)
    kind: Rule
    priority: 12
    # defining several services is possible and allowed, but for now the servers of
    # all the services (for a given route) get merged altogether under the same
    # load-balancing strategy.
    services:
    - name: s1
      port: 80
      healthcheck:
        path: /health
        host: baz.com
        intervalseconds: 7
        timeoutseconds: 60
      # strategy defines the load balancing strategy between the servers. It defaults
      # to Round Robin, and for now only Round Robin is supported anyway.
      strategy: RoundRobin
    - name: s2
      port: 433
      healthcheck:
        path: /health
        host: baz.com
        intervalseconds: 7
        timeoutseconds: 60
  - match: PathPrefix(`/misc`)
    services:
    - name: s3
      port: 80
    middleware:
    - name: stripprefix
    - name: addprefix
  tls:
    secretName: supersecret
 ```
--- a/docs/content/reference/static-configuration.md
+++ b/docs/content/reference/static-configuration.md
@ -0,0 +1,13 @@
 # Static Configuration
 ## File
 ```toml
 --8<-- "content/reference/static-configuration.toml"
 ```
 ## CLI
 ```txt
 --8<-- "content/reference/static-configuration.txt"
 ```
--- a/docs/content/reference/static-configuration.toml
+++ b/docs/content/reference/static-configuration.toml
@ -0,0 +1,238 @@
 [Global]
  Debug = true
  CheckNewVersion = true
  SendAnonymousUsage = true
 [ServersTransport]
  InsecureSkipVerify = true
  RootCAs = ["foobar", "foobar"]
  MaxIdleConnsPerHost = 42
  [ServersTransport.ForwardingTimeouts]
    DialTimeout = 42
    ResponseHeaderTimeout = 42
 [EntryPoints]
  [EntryPoints.EntryPoint0]
    Address = "foobar"
    [EntryPoints.EntryPoint0.Transport]
      [EntryPoints.EntryPoint0.Transport.LifeCycle]
        RequestAcceptGraceTimeout = 42
        GraceTimeOut = 42
      [EntryPoints.EntryPoint0.Transport.RespondingTimeouts]
        ReadTimeout = 42
        WriteTimeout = 42
        IdleTimeout = 42
    [EntryPoints.EntryPoint0.ProxyProtocol]
      Insecure = true
      TrustedIPs = ["foobar", "foobar"]
    [EntryPoints.EntryPoint0.ForwardedHeaders]
      Insecure = true
      TrustedIPs = ["foobar", "foobar"]
 [Providers]
  ProvidersThrottleDuration = 42
  [Providers.Docker]
    Watch = true
    Endpoint = "foobar"
    DefaultRule = "foobar"
    ExposedByDefault = true
    UseBindPortIP = true
    SwarmMode = true
    Network = "foobar"
    SwarmModeRefreshSeconds = 42
    [[Providers.Docker.Constraints]]
      Key = "foobar"
      MustMatch = true
      Regex = "foobar"
    [[Providers.Docker.Constraints]]
      Key = "foobar"
      MustMatch = true
      Regex = "foobar"
    [Providers.Docker.TLS]
      CA = "foobar"
      CAOptional = true
      Cert = "foobar"
      Key = "foobar"
      InsecureSkipVerify = true
  [Providers.File]
    Directory = "foobar"
    Watch = true
    Filename = "foobar"
    DebugLogGeneratedTemplate = true
    TraefikFile = "foobar"
  [Providers.Marathon]
    Trace = true
    Watch = true
    Endpoint = "foobar"
    DefaultRule = "foobar"
    ExposedByDefault = true
    DCOSToken = "foobar"
    FilterMarathonConstraints = true
    DialerTimeout = 42
    ResponseHeaderTimeout = 42
    TLSHandshakeTimeout = 42
    KeepAlive = 42
    ForceTaskHostname = true
    RespectReadinessChecks = true
    [[Providers.Marathon.Constraints]]
      Key = "foobar"
      MustMatch = true
      Regex = "foobar"
    [[Providers.Marathon.Constraints]]
      Key = "foobar"
      MustMatch = true
      Regex = "foobar"
    [Providers.Marathon.TLS]
      CA = "foobar"
      CAOptional = true
      Cert = "foobar"
      Key = "foobar"
      InsecureSkipVerify = true
    [Providers.Marathon.Basic]
      HTTPBasicAuthUser = "foobar"
      HTTPBasicPassword = "foobar"
  [Providers.Kubernetes]
    Endpoint = "foobar"
    Token = "foobar"
    CertAuthFilePath = "foobar"
    DisablePassHostHeaders = true
    Namespaces = ["foobar", "foobar"]
    LabelSelector = "foobar"
    IngressClass = "foobar"
    [Providers.Kubernetes.IngressEndpoint]
      IP = "foobar"
      Hostname = "foobar"
      PublishedService = "foobar"
  [Providers.KubernetesCRD]
    Endpoint = "foobar"
    Token = "foobar"
    CertAuthFilePath = "foobar"
    DisablePassHostHeaders = true
    Namespaces = ["foobar", "foobar"]
    LabelSelector = "foobar"
    IngressClass = "foobar"
  [Providers.Rest]
    EntryPoint = "foobar"
 [API]
  EntryPoint = "foobar"
  Dashboard = true
  Middlewares = ["foobar", "foobar"]
  [API.Statistics]
    RecentErrors = 42
 [Metrics]
  [Metrics.Prometheus]
    Buckets = [42.0, 42.0]
    EntryPoint = "foobar"
    Middlewares = ["foobar", "foobar"]
  [Metrics.Datadog]
    Address = "foobar"
    PushInterval = "foobar"
  [Metrics.StatsD]
    Address = "foobar"
    PushInterval = "foobar"
  [Metrics.InfluxDB]
    Address = "foobar"
    Protocol = "foobar"
    PushInterval = "foobar"
    Database = "foobar"
    RetentionPolicy = "foobar"
    Username = "foobar"
    Password = "foobar"
 [Ping]
  EntryPoint = "foobar"
  Middlewares = ["foobar", "foobar"]
 [Log]
  Level = "foobar"
  FilePath = "foobar"
  Format = "foobar"
 [AccessLog]
  FilePath = "foobar"
  Format = "foobar"
  BufferingSize = 42
  [AccessLog.Filters]
    StatusCodes = ["foobar", "foobar"]
    RetryAttempts = true
    MinDuration = 42
  [AccessLog.Fields]
    DefaultMode = "foobar"
    [AccessLog.Fields.Names]
      name0 = "foobar"
      name1 = "foobar"
    [AccessLog.Fields.Headers]
      DefaultMode = "foobar"
      [AccessLog.Fields.Headers.Names]
        name0 = "foobar"
        name1 = "foobar"
 [Tracing]
  Backend = "foobar"
  ServiceName = "foobar"
  SpanNameLimit = 42
  [Tracing.Jaeger]
    SamplingServerURL = "foobar"
    SamplingType = "foobar"
    SamplingParam = 42.0
    LocalAgentHostPort = "foobar"
    Gen128Bit = true
    Propagation = "foobar"
    TraceContextHeaderName = "foobar"
  [Tracing.Zipkin]
    HTTPEndpoint = "foobar"
    SameSpan = true
    ID128Bit = true
    Debug = true
    SampleRate = 42.0
  [Tracing.DataDog]
    LocalAgentHostPort = "foobar"
    GlobalTag = "foobar"
    Debug = true
    PrioritySampling = true
    TraceIDHeaderName = "foobar"
    ParentIDHeaderName = "foobar"
    SamplingPriorityHeaderName = "foobar"
    BagagePrefixHeaderName = "foobar"
  [Tracing.Instana]
    LocalAgentHost = "foobar"
    LocalAgentPort = 42
    Level = "foobar"
 [HostResolver]
  CnameFlattening = true
  ResolvConfig = "foobar"
  ResolvDepth = 42
 [ACME]
  Email = "foobar"
  ACMELogging = true
  CAServer = "foobar"
  Storage = "foobar"
  EntryPoint = "foobar"
  KeyType = "foobar"
  OnHostRule = true
  [ACME.DNSChallenge]
    Provider = "foobar"
    DelayBeforeCheck = 42
    Resolvers = ["foobar", "foobar"]
    DisablePropagationCheck = true
  [ACME.HTTPChallenge]
    EntryPoint = "foobar"
  [ACME.TLSChallenge]
  [[ACME.Domains]]
    Main = "foobar"
    SANs = ["foobar", "foobar"]
  [[ACME.Domains]]
    Main = "foobar"
    SANs = ["foobar", "foobar"]
--- a/docs/content/reference/static-configuration.txt
+++ b/docs/content/reference/static-configuration.txt
@ -0,0 +1,203 @@
 --accesslog                                                 Access log settings                                                             (default "false")
 --accesslog.bufferingsize                                   Number of access log lines to process in a buffered way. Default 0.             (default "0")
 --accesslog.fields                                          AccessLogFields                                                                 (default "false")
 --accesslog.fields.defaultmode                              Default mode for fields: keep | drop                                            (default "keep")
 --accesslog.fields.headers                                  Headers to keep, drop or redact                                                 (default "false")
 --accesslog.fields.headers.defaultmode                      Default mode for fields: keep | drop | redact                                   (default "keep")
 --accesslog.fields.headers.names                            Override mode for headers                                                       (default "map[]")
 --accesslog.fields.names                                    Override mode for fields                                                        (default "map[]")
 --accesslog.filepath                                        Access log file path. Stdout is used when omitted or empty
 --accesslog.filters                                         Access log filters, used to keep only specific access logs                      (default "false")
 --accesslog.filters.minduration                             Keep access logs when request took longer than the specified duration           (default "0s")
 --accesslog.filters.retryattempts                           Keep access logs when at least one retry happened                               (default "false")
 --accesslog.filters.statuscodes                             Keep access logs with status codes in the specified range                       (default "[]")
 --accesslog.format                                          Access log format: json | common                                                (default "common")
 --acme                                                      Enable ACME (Let's Encrypt): automatic SSL                                      (default "false")
 --acme.acmelogging                                          Enable debug logging of ACME actions.                                           (default "false")
 --acme.caserver                                             CA server to use.
 --acme.dnschallenge                                         Activate DNS-01 Challenge                                                       (default "false")
 --acme.dnschallenge.delaybeforecheck                        Assume DNS propagates after a delay in seconds rather than finding and querying (default "0s")
                                                            nameservers.
 --acme.dnschallenge.disablepropagationcheck                 Disable the DNS propagation checks before notifying ACME that the DNS challenge (default "false")
                                                            is ready. [not recommended]
 --acme.dnschallenge.provider                                Use a DNS-01 based challenge provider rather than HTTPS.
 --acme.dnschallenge.resolvers                               Use following DNS servers to resolve the FQDN authority.
 --acme.domains                                              CN and SANs (alternative domains) to each main domain using format:             (default "[]")
                                                            --acme.domains='main.com,san1.com,san2.com' --acme.domains='*.main.net'. No
                                                            SANs for wildcards domain. Wildcard domains only accepted with DNSChallenge
 --acme.email                                                Email address used for registration
 --acme.entrypoint                                           EntryPoint to use.
 --acme.httpchallenge                                        Activate HTTP-01 Challenge                                                      (default "false")
 --acme.httpchallenge.entrypoint                             HTTP challenge EntryPoint
 --acme.keytype                                              KeyType used for generating certificate private key. Allow value 'EC256',
                                                            'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'
 --acme.onhostrule                                           Enable certificate generation on frontends Host rules.                          (default "false")
 --acme.storage                                              Storage to use.
 --acme.tlschallenge                                         Activate TLS-ALPN-01 Challenge                                                  (default "false")
 --api                                                       Enable api/dashboard                                                            (default "false")
 --api.dashboard                                             Activate dashboard                                                              (default "true")
 --api.entrypoint                                            EntryPoint                                                                      (default "traefik")
 --api.middlewares                                           Middleware list
 --api.statistics                                            Enable more detailed statistics                                                 (default "true")
 --api.statistics.recenterrors                               Number of recent errors logged                                                  (default "10")
 -c, --configfile                                            Configuration file to use (TOML).
 --entrypoints                                               Entrypoints definition using format: --entryPoints='Name:http Address::8000     (default "map[]")
                                                            Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442
                                                            TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'
 --global                                                    Global configuration options                                                    (default "true")
 --global.checknewversion                                    Periodically check if a new version has been released                           (default "true")
 -d, --global.debug                                          Enable debug mode                                                               (default "false")
 --global.sendanonymoususage                                 send periodically anonymous usage statistics                                    (default "false")
 --hostresolver                                              Enable CNAME Flattening                                                         (default "false")
 --hostresolver.cnameflattening                              A flag to enable/disable CNAME flattening                                       (default "false")
 --hostresolver.resolvconfig                                 resolv.conf used for DNS resolving                                              (default "/etc/resolv.conf")
 --hostresolver.resolvdepth                                  The maximal depth of DNS recursive resolving                                    (default "5")
 --log                                                       Traefik log settings                                                            (default "false")
 --log.filepath                                              Traefik log file path. Stdout is used when omitted or empty
 --log.format                                                Traefik log format: json | common                                               (default "common")
 --log.level                                                 Log level set to traefik logs.
 --metrics                                                   Enable a metrics exporter                                                       (default "false")
 --metrics.datadog                                           DataDog metrics exporter type                                                   (default "false")
 --metrics.datadog.address                                   DataDog's address                                                               (default "localhost:8125")
 --metrics.datadog.pushinterval                              DataDog push interval                                                           (default "10s")
 --metrics.influxdb                                          InfluxDB metrics exporter type                                                  (default "false")
 --metrics.influxdb.address                                  InfluxDB address                                                                (default "localhost:8089")
 --metrics.influxdb.database                                 InfluxDB database used when protocol is http
 --metrics.influxdb.password                                 InfluxDB password (only with http)
 --metrics.influxdb.protocol                                 InfluxDB address protocol (udp or http)                                         (default "udp")
 --metrics.influxdb.pushinterval                             InfluxDB push interval                                                          (default "10s")
 --metrics.influxdb.retentionpolicy                          InfluxDB retention policy used when protocol is http
 --metrics.influxdb.username                                 InfluxDB username (only with http)
 --metrics.prometheus                                        Prometheus metrics exporter type                                                (default "false")
 --metrics.prometheus.buckets                                Buckets for latency metrics                                                     (default "[0.1 0.3 1.2 5]")
 --metrics.prometheus.entrypoint                             EntryPoint                                                                      (default "traefik")
 --metrics.prometheus.middlewares                            Middlewares
 --metrics.statsd                                            StatsD metrics exporter type                                                    (default "false")
 --metrics.statsd.address                                    StatsD address                                                                  (default "localhost:8125")
 --metrics.statsd.pushinterval                               StatsD push interval                                                            (default "10s")
 --ping                                                      Enable ping                                                                     (default "false")
 --ping.entrypoint                                           Ping entryPoint                                                                 (default "traefik")
 --ping.middlewares                                          Middleware list
 --providers                                                 Providers configuration                                                         (default "false")
 --providers.docker                                          Enable Docker backend with default settings                                     (default "false")
 --providers.docker.constraints                              Filter services by constraint, matching with Traefik tags.                      (default "[]")
 --providers.docker.defaultrule                              Default rule                                                                    (default "Host(`{{ normalize .Name }}`)")
 --providers.docker.endpoint                                 Docker server endpoint. Can be a tcp or a unix socket endpoint                  (default "unix:///var/run/docker.sock")
 --providers.docker.exposedbydefault                         Expose containers by default                                                    (default "true")
 --providers.docker.network                                  Default Docker network used
 --providers.docker.swarmmode                                Use Docker on Swarm Mode                                                        (default "false")
 --providers.docker.swarmmoderefreshseconds                  Polling interval for swarm mode (in seconds)                                    (default "15")
 --providers.docker.tls                                      Enable Docker TLS support                                                       (default "false")
 --providers.docker.tls.ca                                   TLS CA
 --providers.docker.tls.caoptional                           TLS CA.Optional                                                                 (default "false")
 --providers.docker.tls.cert                                 TLS cert
 --providers.docker.tls.insecureskipverify                   TLS insecure skip verify                                                        (default "false")
 --providers.docker.tls.key                                  TLS key
 --providers.docker.usebindportip                            Use the ip address from the bound port, rather than from the inner network      (default "false")
 --providers.docker.watch                                    Watch provider                                                                  (default "true")
 --providers.file                                            Enable File backend with default settings                                       (default "true")
 --providers.file.debugloggeneratedtemplate                  Enable debug logging of generated configuration template.                       (default "false")
 --providers.file.directory                                  Load configuration from one or more .toml files in a directory
 --providers.file.filename                                   Override default configuration template. For advanced users :)
 --providers.file.watch                                      Watch provider                                                                  (default "true")
 --providers.kubernetes                                      Enable Kubernetes backend with default settings                                 (default "true")
 --providers.kubernetes.certauthfilepath                     Kubernetes certificate authority file path (not needed for in-cluster client)
 --providers.kubernetes.disablepasshostheaders               Kubernetes disable PassHost Headers                                             (default "false")
 --providers.kubernetes.endpoint                             Kubernetes server endpoint (required for external cluster client)
 --providers.kubernetes.ingressclass                         Value of kubernetes.io/ingress.class annotation to watch for
 --providers.kubernetes.ingressendpoint                      Kubernetes Ingress Endpoint                                                     (default "false")
 --providers.kubernetes.ingressendpoint.hostname             Hostname used for Kubernetes Ingress endpoints
 --providers.kubernetes.ingressendpoint.ip                   IP used for Kubernetes Ingress endpoints
 --providers.kubernetes.ingressendpoint.publishedservice     Published Kubernetes Service to copy status from
 --providers.kubernetes.labelselector                        Kubernetes Ingress label selector to use
 --providers.kubernetes.namespaces                           Kubernetes namespaces                                                           (default "[]")
 --providers.kubernetes.token                                Kubernetes bearer token (not needed for in-cluster client)
 --providers.kubernetescrd                                   Enable Kubernetes backend with default settings                                 (default "false")
 --providers.kubernetescrd.certauthfilepath                  Kubernetes certificate authority file path (not needed for in-cluster client)
 --providers.kubernetescrd.disablepasshostheaders            Kubernetes disable PassHost Headers                                             (default "false")
 --providers.kubernetescrd.endpoint                          Kubernetes server endpoint (required for external cluster client)
 --providers.kubernetescrd.ingressclass                      Value of kubernetes.io/ingress.class annotation to watch for
 --providers.kubernetescrd.labelselector                     Kubernetes label selector to use
 --providers.kubernetescrd.namespaces                        Kubernetes namespaces                                                           (default "[]")
 --providers.kubernetescrd.token                             Kubernetes bearer token (not needed for in-cluster client)
 --providers.marathon                                        Enable Marathon backend with default settings                                   (default "false")
 --providers.marathon.basic                                  Enable basic authentication                                                     (default "false")
 --providers.marathon.basic.httpbasicauthuser                Basic authentication User
 --providers.marathon.basic.httpbasicpassword                Basic authentication Password
 --providers.marathon.constraints                            Filter services by constraint, matching with Traefik tags.                      (default "[]")
 --providers.marathon.dcostoken                              DCOSToken for DCOS environment, This will override the Authorization header
 --providers.marathon.defaultrule                            Default rule                                                                    (default "Host(`{{ normalize .Name }}`)")
 --providers.marathon.dialertimeout                          Set a dialer timeout for Marathon                                               (default "5s")
 --providers.marathon.endpoint                               Marathon server endpoint. You can also specify multiple endpoint for Marathon   (default "http://127.0.0.1:8080")
 --providers.marathon.exposedbydefault                       Expose Marathon apps by default                                                 (default "true")
 --providers.marathon.filtermarathonconstraints              Enable use of Marathon constraints in constraint filtering                      (default "false")
 --providers.marathon.forcetaskhostname                      Force to use the task's hostname.                                               (default "false")
 --providers.marathon.keepalive                              Set a TCP Keep Alive time in seconds                                            (default "10s")
 --providers.marathon.respectreadinesschecks                 Filter out tasks with non-successful readiness checks during deployments        (default "false")
 --providers.marathon.responseheadertimeout                  Set a response header timeout for Marathon                                      (default "1m0s")
 --providers.marathon.tls                                    Enable TLS support                                                              (default "false")
 --providers.marathon.tls.ca                                 TLS CA
 --providers.marathon.tls.caoptional                         TLS CA.Optional                                                                 (default "false")
 --providers.marathon.tls.cert                               TLS cert
 --providers.marathon.tls.insecureskipverify                 TLS insecure skip verify                                                        (default "false")
 --providers.marathon.tls.key                                TLS key
 --providers.marathon.tlshandshaketimeout                    Set a TLS handhsake timeout for Marathon                                        (default "5s")
 --providers.marathon.trace                                  Display additional provider logs.                                               (default "false")
 --providers.marathon.watch                                  Watch provider                                                                  (default "true")
 --providers.providersthrottleduration                       Backends throttle duration: minimum duration between 2 events from providers    (default "2s")
                                                            before applying a new configuration. It avoids unnecessary reloads if multiples
                                                            events are sent in a short amount of time.
 --providers.rancher                                         Enable Rancher backend with default settings                                     (default "true")
 --providers.rancher.constraints                             Filter services by constraint, matching with Traefik tags.                       (default "[]")
 --providers.rancher.defaultrule                             Default rule                                                                     (default "Host(`{{ normalize .Name }}`)")
 --providers.rancher.exposedbydefault                        Expose containers by default                                                     (default "true")
 --providers.rancher.intervalpoll                            Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate) (default "false")
 --providers.rancher.prefix                                  Prefix used for accessing the Rancher metadata service                           (default "latest")
 --providers.rancher.watch                                   Watch provider                                                                   (default "true")
 --providers.rest                                            Enable Rest backend with default settings                                       (default "true")
 --providers.rest.entrypoint                                 EntryPoint                                                                      (default "traefik")
 --serverstransport                                          Servers default transport                                                       (default "true")
 --serverstransport.forwardingtimeouts                       Timeouts for requests forwarded to the backend servers                          (default "true")
 --serverstransport.forwardingtimeouts.dialtimeout           The amount of time to wait until a connection to a backend server can be        (default "0s")
                                                            established. Defaults to 30 seconds. If zero, no timeout exists
 --serverstransport.forwardingtimeouts.responseheadertimeout The amount of time to wait for a server's response headers after fully writing  (default "0s")
                                                            the request (including its body, if any). If zero, no timeout exists
 --serverstransport.insecureskipverify                       Disable SSL certificate verification                                            (default "false")
 --serverstransport.maxidleconnsperhost                      If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero, (default "200")
                                                            DefaultMaxIdleConnsPerHost is used
 --serverstransport.rootcas                                  Add cert file for self-signed certificate
 --tracing                                                   OpenTracing configuration                                                       (default "false")
 --tracing.backend                                           Selects the tracking backend ('jaeger','zipkin','datadog','instana').           (default "jaeger")
 --tracing.datadog                                           Settings for DataDog                                                            (default "false")
 --tracing.datadog.bagageprefixheadername                    specifies the header name prefix that will be used to store baggage items in a
                                                            map.
 --tracing.datadog.debug                                     Enable DataDog debug.                                                           (default "false")
 --tracing.datadog.globaltag                                 Key:Value tag to be set on all the spans.
 --tracing.datadog.localagenthostport                        Set datadog-agent's host:port that the reporter will used. Defaults to          (default "localhost:8126")
                                                            localhost:8126
 --tracing.datadog.parentidheadername                        Specifies the header name that will be used to store the parent ID.
 --tracing.datadog.prioritysampling                          Enable priority sampling. When using distributed tracing, this option must be   (default "false")
                                                            enabled in order to get all the parts of a distributed trace sampled.
 --tracing.datadog.samplingpriorityheadername                Specifies the header name that will be used to store the sampling priority.
 --tracing.datadog.traceidheadername                         Specifies the header name that will be used to store the trace ID.
 --tracing.instana                                           Settings for Instana                                                            (default "false")
 --tracing.instana.localagenthost                            Set instana-agent's host that the reporter will used.                           (default "localhost")
 --tracing.instana.localagentport                            Set instana-agent's port that the reporter will used.                           (default "42699")
 --tracing.instana.loglevel                                  Set instana-agent's log level. ('error','warn','info','debug')                  (default "info")
 --tracing.jaeger                                            Settings for jaeger                                                             (default "false")
 --tracing.jaeger.gen128bit                                  generate 128 bit span IDs.                                                      (default "false")
 --tracing.jaeger.localagenthostport                         set jaeger-agent's host:port that the reporter will used.                       (default "127.0.0.1:6831")
 --tracing.jaeger.propagation                                which propgation format to use (jaeger/b3).                                     (default "jaeger")
 --tracing.jaeger.samplingparam                              set the sampling parameter.                                                     (default "1")
 --tracing.jaeger.samplingserverurl                          set the sampling server url.                                                    (default "http://localhost:5778/sampling")
 --tracing.jaeger.samplingtype                               set the sampling type.                                                          (default "const")
 --tracing.jaeger.tracecontextheadername                     set the header to use for the trace-id.                                         (default "uber-trace-id")
 --tracing.servicename                                       Set the name for this service                                                   (default "traefik")
 --tracing.spannamelimit                                     Set the maximum character limit for Span names (default 0 = no limit)           (default "0")
 --tracing.zipkin                                            Settings for zipkin                                                             (default "false")
 --tracing.zipkin.debug                                      Enable Zipkin debug.                                                            (default "false")
 --tracing.zipkin.httpendpoint                               HTTP Endpoint to report traces to.                                              (default "http://localhost:9411/api/v1/spans")
 --tracing.zipkin.id128bit                                   Use Zipkin 128 bit root span IDs.                                               (default "true")
 --tracing.zipkin.samespan                                   Use Zipkin SameSpan RPC style traces.                                           (default "false")
 --tracing.zipkin.samplerate                                 The rate between 0.0 and 1.0 of requests to trace.                              (default "1")
 -h, --help                                                  Print Help (this message) and exit
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@ -5,7 +5,7 @@ Opening Connections for Incoming Requests
 ![EntryPoints](../assets/img/entrypoints.png)
-Entrypoints are the network entry points into Traefik.
+EntryPoints are the network entry points into Traefik.
 They define the port which will receive the requests (whether HTTP or TCP).
 ## Configuration Examples
@ -13,8 +13,8 @@ They define the port which will receive the requests (whether HTTP or TCP).
 ??? example "Port 80 only"
    ```toml
-    [entrypoints]
+    [entryPoints]
-      [entrypoints.web]
+      [entryPoints.web]
         address = ":80"
    ```
@ -23,11 +23,11 @@ They define the port which will receive the requests (whether HTTP or TCP).
 ??? example "Port 80 & 443" 
    ```toml
-    [entrypoints]
+    [entryPoints]
-      [entrypoints.web]
+      [entryPoints.web]
        address = ":80"
-      [entrypoints.web-secure]
+      [entryPoints.web-secure]
        address = ":443"
    ```
@ -38,7 +38,45 @@ They define the port which will receive the requests (whether HTTP or TCP).
 ### General
-Entrypoints are part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration). You can define them using a toml file, CLI arguments, or a key-value store. See the [complete reference](../reference/entrypoints.md) for the list of available options. 
+EntryPoints are part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
 You can define them using a toml file, CLI arguments, or a key-value store.
 See the complete reference for the list of available options:
 ```toml tab="File"
 [EntryPoints]
  [EntryPoints.EntryPoint0]
    Address = "foobar"
    [EntryPoints.EntryPoint0.Transport]
      [EntryPoints.EntryPoint0.Transport.LifeCycle]
        RequestAcceptGraceTimeout = 42
        GraceTimeOut = 42
      [EntryPoints.EntryPoint0.Transport.RespondingTimeouts]
        ReadTimeout = 42
        WriteTimeout = 42
        IdleTimeout = 42
    [EntryPoints.EntryPoint0.ProxyProtocol]
      Insecure = true
      TrustedIPs = ["foobar", "foobar"]
    [EntryPoints.EntryPoint0.ForwardedHeaders]
      Insecure = true
      TrustedIPs = ["foobar", "foobar"]
 ```
 ```ini tab="CLI"
 Name:EntryPoint0
 Address:foobar
 Transport.LifeCycle.RequestAcceptGraceTimeout:42
 Transport.LifeCycle.GraceTimeOut:42
 Transport.RespondingTimeouts.ReadTimeout:42
 Transport.RespondingTimeouts.WriteTimeout:42
 Transport.RespondingTimeouts.IdleTimeout:42
 ProxyProtocol.Insecure:true
 ProxyProtocol.TrustedIPs:foobar,foobar
 ForwardedHeaders.Insecure:true
 ForwardedHeaders.TrustedIPs:foobar,foobar
 ```
 ??? example "Using the CLI"
@ -50,7 +88,7 @@ Entrypoints are part of the [static configuration](../getting-started/configurat
    ```
    !!! note
-        The whitespace character (` `) is the option separator, and the comma (`,`) is the value separator for lists.  
+        The whitespace character (` `) is the option separator, and the comma (`,`) is the value separator for lists inside an option.  
        The option names are case-insensitive.
    !!! warning "Using Docker Compose Files"
@ -80,11 +118,11 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
 ??? example "Enabling Proxy Protocol with Trusted IPs" 
    ```toml
-    [entrypoints]
+    [entryPoints]
-      [entrypoints.web]
+      [entryPoints.web]
        address = ":80"
-        [entrypoints.web.proxyProtocol]
+        [entryPoints.web.proxyProtocol]
          trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
    ```
@ -95,11 +133,11 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
    In a test environments, you can configure Traefik to trust every incoming connection. Doing so, every remote client address will be replaced (`trustedIPs` won't have any effect)
    ```toml
-    [entrypoints]
+    [entryPoints]
-      [entrypoints.web]
+      [entryPoints.web]
        address = ":80"
-        [entrypoints.web.proxyProtocol]
+        [entryPoints.web.proxyProtocol]
          insecure = true
    ```
@ -115,21 +153,21 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
 ??? example "Trusting Forwarded Headers from specific IPs"
    ```toml
-    [entrypoints]
+    [entryPoints]
-      [entrypoints.web]
+      [entryPoints.web]
        address = ":80"
-        [entrypoints.web.forwardedHeaders]
+        [entryPoints.web.forwardedHeaders]
          trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
    ```
 ??? example "Insecure Mode -- Always Trusting Forwarded Headers"
    ```toml
-    [entrypoints]
+    [entryPoints]
-      [entrypoints.web]
+      [entryPoints.web]
        address = ":80"
-        [entrypoints.web.forwardedHeaders]
+        [entryPoints.web.forwardedHeaders]
           insecure = true
    ```
--- a/docs/content/routing/overview.md
+++ b/docs/content/routing/overview.md
@ -25,8 +25,8 @@ Below is an example of a full configuration file for the [file provider](../prov
 In the process, Traefik will make sure that the user is authenticated (using the [BasicAuth middleware](../middlewares/basicauth.md)).
 ```toml
-[entrypoints]
+[entryPoints]
-   [entrypoints.web]
+   [entryPoints.web]
      address = ":8081" # Listen on port 8081 for incoming requests
 [providers]
@ -62,8 +62,8 @@ In the process, Traefik will make sure that the user is authenticated (using the
    ??? example "Adding a TCP route for TLS requests on whoami.traefik.io"
        ```toml
-        [entrypoints]
+        [entryPoints]
-           [entrypoints.web]
+           [entryPoints.web]
              address = ":8081" # Listen on port 8081 for incoming requests
        [providers]
--- a/docs/content/routing/routers/index.md
+++ b/docs/content/routing/routers/index.md
@ -32,16 +32,16 @@ In the process, routers may use pieces of [middleware](../../middlewares/overvie
 ??? example "Forwarding all (non-tls) requests on port 3306 to a database service"
    ```toml
-      [entrypoints]
+      [entryPoints]
-        [entrypoints.mysql-default]
+        [entryPoints.mysql-default]
          address = ":80"
-        [entrypoints.mysql-default]
+        [entryPoints.mysql-default]
          address = ":3306"
      [tcp]
        [tcp.routers]
          [tcp.routers.to-database]
-            entrypoints = ["mysql-default"]
+            entryPoints = ["mysql-default"]
            rule = "HostSNI(`*`)" # Catch every request (only available rule for non-tls routers. See below.)
            service = "database"
    ```
@ -56,12 +56,12 @@ If you want to limit the router scope to a set of entrypoint, set the entrypoint
 ??? example "Listens to Every EntryPoint"
    ```toml
-    [entrypoints]
+    [entryPoints]
-       [entrypoints.web]
+       [entryPoints.web]
          # ...
-       [entrypoints.web-secure]
+       [entryPoints.web-secure]
          # ...
-       [entrypoints.other]
+       [entryPoints.other]
          # ...
    [http.routers]
@ -74,12 +74,12 @@ If you want to limit the router scope to a set of entrypoint, set the entrypoint
 ??? example "Listens to Specific EntryPoints"
    ```toml
-    [entrypoints]
+    [entryPoints]
-       [entrypoints.web]
+       [entryPoints.web]
          # ...
-       [entrypoint.web-secure]
+       [entryPoints.web-secure]
          # ...
-       [entrypoint.other]
+       [entryPoints.other]
          # ...
    [http.routers]
@ -211,12 +211,12 @@ If you want to limit the router scope to a set of entrypoints, set the entrypoin
 ??? example "Listens to Every EntryPoint"
    ```toml
-    [entrypoints]
+    [entryPoints]
-       [entrypoints.web]
+       [entryPoints.web]
          # ...
-       [entrypoints.web-secure]
+       [entryPoints.web-secure]
          # ...
-       [entrypoints.other]
+       [entryPoints.other]
          # ...
    [tcp.routers]
@ -230,12 +230,12 @@ If you want to limit the router scope to a set of entrypoints, set the entrypoin
 ??? example "Listens to Specific EntryPoints"
    ```toml
-    [entrypoints]
+    [entryPoints]
-       [entrypoints.web]
+       [entryPoints.web]
          # ...
-       [entrypoint.web-secure]
+       [entryPoints.web-secure]
          # ...
-       [entrypoint.other]
+       [entryPoints.other]
          # ...
    [tcp.routers]
--- a/docs/content/user-guides/crd-acme/04-ingressroutes.yml
+++ b/docs/content/user-guides/crd-acme/04-ingressroutes.yml
@ -3,7 +3,7 @@ kind: IngressRoute
 metadata:
  name: simpleingressroute
 spec:
-  entrypoints:
+  entryPoints:
    - web
  routes:
  - match: Host(`your.domain.com`) && PathPrefix(`/notls`)
@ -18,7 +18,7 @@ kind: IngressRoute
 metadata:
  name: ingressroutetls
 spec:
-  entrypoints:
+  entryPoints:
    - websecure
  routes:
  - match: Host(`your.domain.com`) && PathPrefix(`/tls`)
--- a/docs/content/user-guides/crd-acme/index.md
+++ b/docs/content/user-guides/crd-acme/index.md
@ -16,7 +16,7 @@ In the following, the Kubernetes resources defined in YAML configuration files c
 - the first, and usual way, is simply with the `kubectl apply` command.
 - the second, which can be used for this tutorial, is to directly place the files in the directory used by the k3s docker image for such inputs (`/var/lib/rancher/k3s/server/manifests`).
-## k3s Docker-compose Configuration ##
+## k3s Docker-compose Configuration
 Our starting point is the docker-compose configuration file, to start the k3s cluster.
 You can start it with:
@ -29,11 +29,11 @@ docker-compose -f k3s.yml up
 --8<-- "content/user-guides/crd-acme/k3s.yml"
 ```
-## Cluster Resources ##
+## Cluster Resources
 Let's now have a look (in the order they should be applied, if using `kubectl apply`) at all the required resources for the full setup.
-### IngressRoute Definition ###
+### IngressRoute Definition
 First, the definition of the `IngressRoute` and the `Middleware` kinds.
 Also note the RBAC authorization resources; they'll be referenced through the `serviceAccountName` of the deployment, later on.
@ -42,7 +42,7 @@ Also note the RBAC authorization resources; they'll be referenced through the `s
 --8<-- "content/user-guides/crd-acme/01-crd.yml"
 ```
-### Services ###
+### Services
 Then, the services. One for Traefik itself, and one for the app it routes for, i.e. in this case our demo HTTP server: [whoami](https://github.com/containous/whoami).
@ -50,7 +50,7 @@ Then, the services. One for Traefik itself, and one for the app it routes for, i
 --8<-- "content/user-guides/crd-acme/02-services.yml"
 ```
-### Deployments ###
+### Deployments
 Next, the deployments, i.e. the actual pods behind the services.
 Again, one pod for Traefik, and one for the whoami app.
@ -59,7 +59,7 @@ Again, one pod for Traefik, and one for the whoami app.
 --8<-- "content/user-guides/crd-acme/03-deployments.yml"
 ```
-### Port Forwarding ###
+### Port Forwarding
 Now, as an exception to what we said above, please note that you should not let the ingressRoute resources below be applied automatically to your cluster.
 The reason is, as soon as the ACME provider of Traefik detects we have TLS routers, it will try to generate the certificates for the corresponding domains.
@ -74,7 +74,7 @@ Also, and this is out of the scope if this guide, please note that because of th
 In which case you can use tricks such as elevating caps of `kubectl` with `setcaps`, or using `authbind`, or setting up a NAT between your host and the WAN.
 Look it up.
-### Traefik Routers ###
+### Traefik Routers
 We can now finally apply the actual ingressRoutes, with:
--- a/docs/content/user-guides/marathon.md
+++ b/docs/content/user-guides/marathon.md
@ -0,0 +1,120 @@
 # Marathon
 This guide explains how to integrate Marathon and operate the cluster in a reliable way from Traefik's standpoint.
 ## Host detection
 Marathon offers multiple ways to run (Docker-containerized) applications, the most popular ones being
 - BRIDGE-networked containers with dynamic high ports exposed
 - HOST-networked containers with host machine ports
 - containers with dedicated IP addresses ([IP-per-task](https://mesosphere.github.io/marathon/docs/ip-per-task.html)).
 Traefik tries to detect the configured mode and route traffic to the right IP addresses. It is possible to force using task hosts with the `forceTaskHostname` option.
 ## Port detection
 Traefik also attempts to determine the right port (which is a [non-trivial matter in Marathon](https://mesosphere.github.io/marathon/docs/ports.html)).
 Following is the order by which Traefik tries to identify the port (the first one that yields a positive result will be used):
 1. A arbitrary port specified through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=8080`
 1. The task port (possibly indexed through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=index:0` label, otherwise the first one).
 1. The port from the application's `portDefinitions` field (possibly indexed through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=index:0` label, otherwise the first one).
 1. The port from the application's `ipAddressPerTask` field (possibly indexed through the `traefik.HTTP.Services.ServiceName.LoadBalancer.server.Port=index:0` label, otherwise the first one).
 ## Achieving high availability
 ### Scenarios
 There are three scenarios where the availability of a Marathon application could be impaired along with the risk of losing or failing requests:
 - During the startup phase when Traefik already routes requests to the backend even though it has not completed its bootstrapping process yet.
 - During the shutdown phase when Traefik still routes requests to the backend while the backend is already terminating.
 - During a failure of the application when Traefik has not yet identified the backend as being erroneous.
 The first two scenarios are common with every rolling upgrade of an application (i.e. a new version release or configuration update).
 The following sub-sections describe how to resolve or mitigate each scenario.
 #### Startup
 It is possible to define [readiness checks](https://mesosphere.github.io/marathon/docs/readiness-checks.html) (available since Marathon version 1.1) per application and have Marathon take these into account during the startup phase.
 The idea is that each application provides an HTTP endpoint that Marathon queries periodically during an ongoing deployment in order to mark the associated readiness check result as successful if and only if the endpoint returns a response within the configured HTTP code range.
 As long as the check keeps failing, Marathon will not proceed with the deployment (within the configured upgrade strategy bounds).
 Beginning with version 1.4, Traefik respects readiness check results if the Traefik option is set and checks are configured on the applications accordingly.
 !!! note
    Due to the way readiness check results are currently exposed by the Marathon API, ready tasks may be taken into rotation with a small delay.
    It is on the order of one readiness check timeout interval (as configured on the application specifiation) and guarantees that non-ready tasks do not receive traffic prematurely.
 If readiness checks are not possible, a current mitigation strategy is to enable [retries](../middlewares/retry.md) and make sure that a sufficient number of healthy application tasks exist so that one retry will likely hit one of those.
 Apart from its probabilistic nature, the workaround comes at the price of increased latency.
 #### Shutdown
 It is possible to install a [termination handler](https://mesosphere.github.io/marathon/docs/health-checks.html) (available since Marathon version 1.3) with each application whose responsibility it is to delay the shutdown process long enough until the backend has been taken out of load-balancing rotation with reasonable confidence (i.e., Traefik has received an update from the Marathon event bus, recomputes the available Marathon backends, and applies the new configuration).
 Specifically, each termination handler should install a signal handler listening for a SIGTERM signal and implement the following steps on signal reception:
 1. Disable Keep-Alive HTTP connections.
 1. Keep accepting HTTP requests for a certain period of time.
 1. Stop accepting new connections.
 1. Finish serving any in-flight requests.
 1. Shut down.
 Traefik already ignores Marathon tasks whose state does not match `TASK_RUNNING`; since terminating tasks transition into the `TASK_KILLING` and eventually `TASK_KILLED` state, there is nothing further that needs to be done on Traefik's end.
 How long HTTP requests should continue to be accepted in step 2 depends on how long Traefik needs to receive and process the Marathon configuration update.
 Under regular operational conditions, it should be on the order of seconds, with 10 seconds possibly being a good default value.
 Again, configuring Traefik to do retries (as discussed in the previous section) can serve as a decent workaround strategy.
 Paired with termination handlers, they would cover for those cases where either the termination sequence or Traefik cannot complete their part of the orchestration process in time.
 #### Failure
 A failing application always happens unexpectedly, and hence, it is very difficult or even impossible to rule out the adversal effects categorically.
 Failure reasons vary broadly and could stretch from unacceptable slowness, a task crash, or a network split.
 There are two mitigaton efforts:
 1. Configure [Marathon health checks](https://mesosphere.github.io/marathon/docs/health-checks.html) on each application.
 2. Configure Traefik health checks (possibly via the `traefik.HTTP.Services.YourServiceName.LoadBalancer.HealthCheck.*` labels) and make sure they probe with proper frequency.
 The Marathon health check makes sure that applications once deemed dysfunctional are being rescheduled to different slaves.
 However, they might take a while to get triggered and the follow-up processes to complete.
 For that reason, the Treafik health check provides an additional check that responds more rapidly and does not require a configuration reload to happen.
 Additionally, it protects from cases that the Marathon health check may not be able to cover, such as a network split.
 ### (Non-)Alternatives
 There are a few alternatives of varying quality that are frequently asked for.
 The remaining section is going to explore them along with a benefit/cost trade-off.
 #### Reusing Marathon health checks
 It may seem obvious to reuse the Marathon health checks as a signal to Traefik whether an application should be taken into load-balancing rotation or not.
 Apart from the increased latency a failing health check may have, a major problem with this is is that Marathon does not persist the health check results.
 Consequently, if a master re-election occurs in the Marathon clusters, all health check results will revert to the _unknown_ state, effectively causing all applications inside the cluster to become unavailable and leading to a complete cluster failure.
 Re-elections do not only happen during regular maintenance work (often requiring rolling upgrades of the Marathon nodes) but also when the Marathon leader fails spontaneously.
 As such, there is no way to handle this situation deterministically.
 Finally, Marathon health checks are not mandatory (the default is to use the task state as reported by Mesos), so requiring them for Traefik would raise the entry barrier for Marathon users.
 Traefik used to use the health check results as a strict requirement but moved away from it as [users reported the dramatic consequences](https://github.com/containous/traefik/issues/653).
 #### Draining
 Another common approach is to let a proxy drain backends that are supposed to shut down.
 That is, once a backend is supposed to shut down, Traefik would stop forwarding requests.
 On the plus side, this would not require any modifications to the application in question.
 However, implementing this fully within Traefik seems like a non-trivial undertaking.
 Additionally, the approach is less flexible compared to a custom termination handler since only the latter allows for the implementation of custom termination sequences that go beyond simple request draining (e.g., persisting a snapshot state to disk prior to terminating).
 The feature is currently not implemented; a request for draining in general is at [issue 41](https://github.com/containous/traefik/issues/41).
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@ -66,12 +66,6 @@ markdown_extensions:
 # Page tree
 nav:
  - '': 'providers/kubernetes-ingress.md'
  - '': 'reference/acme.md'
  - '': 'reference/providers/docker.md'
  - '': 'reference/providers/file.md'
  - '': 'reference/providers/kubernetescrd.md'
  - '': 'reference/entrypoints.md'
  - 'Welcome': 'index.md'
  - 'Getting Started':
      - 'Concepts' : 'getting-started/concepts.md'
@ -80,8 +74,11 @@ nav:
  - 'Configuration Discovery':
      - 'Overview': 'providers/overview.md'
      - 'Docker': 'providers/docker.md'
      - 'File': 'providers/file.md'
      - 'Kubernetes IngressRoute': 'providers/kubernetes-crd.md'
 #     - 'Kubernetes Ingress': 'providers/kubernetes-ingress.md'
      - 'Rancher': 'providers/rancher.md'
      - 'File': 'providers/file.md'
      - 'Marathon': 'providers/marathon.md'
  - 'Routing & Load Balancing':
      - 'Overview': 'routing/overview.md'
      - 'Entrypoints': 'routing/entrypoints.md'
@ -124,6 +121,7 @@ nav:
      - 'Tracing': 'observability/tracing.md'
  - 'User Guides':
      - 'Kubernetes and Let''s Encrypt': 'user-guides/crd-acme/index.md'
      - 'Marathon': 'user-guides/marathon.md'
  - 'Contributing':
      - 'Thank You!': 'contributing/thank-you.md'
      - 'Submitting Issues': 'contributing/submitting-issues.md'
@ -134,3 +132,9 @@ nav:
      - 'Advocating': 'contributing/advocating.md'
      - 'Maintainers': 'contributing/maintainers.md'
  - 'Glossary': 'glossary.md'
  - 'References':
      - 'Static Configuration': 'reference/static-configuration.md'
      - 'Dynamic Configuration':
        - 'Docker': 'reference/dynamic-configuration/docker.md'
        - 'Kubernetes CRD': 'reference/dynamic-configuration/kubernetes-crd.md'
        - 'File': 'reference/dynamic-configuration/file.md'
--- a/exp.Dockerfile
+++ b/exp.Dockerfile
@ -15,8 +15,9 @@ RUN npm run build
 FROM golang:1.12-alpine as gobuild
 RUN apk --update upgrade \
-&& apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar \
+    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
-&& rm -rf /var/cache/apk/*
+    && update-ca-certificates \
    && rm -rf /var/cache/apk/*
 RUN mkdir -p /usr/local/bin \
    && curl -fsSL -o /usr/local/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata \
@ -33,7 +34,8 @@ RUN ./script/make.sh generate binary
 ## IMAGE
 FROM scratch
-COPY script/ca-certificates.crt /etc/ssl/certs/
+COPY --from=gobuild /usr/share/zoneinfo /usr/share/zoneinfo
 COPY --from=gobuild /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=gobuild /go/src/github.com/containous/traefik/dist/traefik /
 EXPOSE 80
--- a/integration/fixtures/access_log_config.toml
+++ b/integration/fixtures/access_log_config.toml
@ -1,24 +1,24 @@
 [log]
 logLevel = "ERROR"
 filePath = "traefik.log"
 [global]
 checkNewVersion = false
 sendAnonymousUsage = false
 [log]
 level = "ERROR"
 filePath = "traefik.log"
 [accessLog]
  filePath = "access.log"
-[entrypoints]
+[entryPoints]
-  [entrypoints.web]
+  [entryPoints.web]
    address = ":8000"
-  [entrypoints.frontendRedirect]
+  [entryPoints.frontendRedirect]
    address = ":8005"
-  [entrypoints.httpFrontendAuth]
+  [entryPoints.httpFrontendAuth]
    address = ":8006"
-  [entrypoints.httpRateLimit]
+  [entryPoints.httpRateLimit]
    address = ":8007"
-  [entrypoints.digestAuth]
+  [entryPoints.digestAuth]
    address = ":8008"
 [api]
--- a/integration/fixtures/acme/acme_base.toml
+++ b/integration/fixtures/acme/acme_base.toml
@ -1,10 +1,14 @@
-[log]
+[global]
-  logLevel = "DEBUG"
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.web]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
    address = "{{ .PortHTTP }}"
-  [entrypoints.web-secure]
+  [entryPoints.web-secure]
    address = "{{ .PortHTTPS }}"
 [acme]
--- a/integration/fixtures/acme/acme_tls.toml
+++ b/integration/fixtures/acme/acme_tls.toml
@ -1,10 +1,14 @@
-[log]
+[global]
-  logLevel = "DEBUG"
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.web]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
    address = "{{ .PortHTTP }}"
-  [entrypoints.web-secure]
+  [entryPoints.web-secure]
    address = "{{ .PortHTTPS }}"
 [acme]
--- a/integration/fixtures/acme/acme_tls_dynamic.toml
+++ b/integration/fixtures/acme/acme_tls_dynamic.toml
@ -1,10 +1,14 @@
-[log]
+[global]
-logLevel = "DEBUG"
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.web]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
  address = "{{ .PortHTTP }}"
-  [entrypoints.web-secure]
+  [entryPoints.web-secure]
  address = "{{ .PortHTTPS }}"
 [acme]
--- a/integration/fixtures/acme/acme_tls_multiple_entrypoints.toml
+++ b/integration/fixtures/acme/acme_tls_multiple_entrypoints.toml
@ -1,18 +1,22 @@
-[log]
+[global]
-logLevel = "DEBUG"
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.web]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
    address = "{{ .PortHTTP }}"
-  [entrypoints.web-secure]
+  [entryPoints.web-secure]
    address = "{{ .PortHTTPS }}"
-  [entrypoints.traefik]
+  [entryPoints.traefik]
    address = ":9000"
 #       FIXME
-#      [entrypoints.traefik.tls]
+#      [entryPoints.traefik.tls]
-#        [entrypoints.traefik.tls.DefaultCertificate]
+#        [entryPoints.traefik.tls.DefaultCertificate]
 #        certFile = "fixtures/acme/ssl/wildcard.crt"
 #        keyFile = "fixtures/acme/ssl/wildcard.key"
--- a/integration/fixtures/docker/minimal.toml
+++ b/integration/fixtures/docker/minimal.toml
@ -1,9 +1,12 @@
 [global]
 checkNewVersion = false
 sendAnonymousUsage = false
 [log]
-logLevel = "DEBUG"
+level = "DEBUG"
-[entrypoints]
+[entryPoints]
-  [entrypoints.web]
+  [entryPoints.web]
  address = ":8000"
 [api]
--- a/integration/fixtures/docker/simple.toml
+++ b/integration/fixtures/docker/simple.toml
@ -1,8 +1,12 @@
-[log]
+[global]
-logLevel = "DEBUG"
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.web]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
  address = ":8000"
 [api]
--- a/integration/fixtures/error_pages/error.toml
+++ b/integration/fixtures/error_pages/error.toml
@ -1,8 +1,12 @@
-[log]
+[global]
-logLevel = "DEBUG"
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.web]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
  address = ":8080"
 [providers]
--- a/integration/fixtures/error_pages/simple.toml
+++ b/integration/fixtures/error_pages/simple.toml
@ -1,8 +1,12 @@
-[log]
+[global]
-logLevel = "DEBUG"
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.web]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
  address = ":8080"
 [providers]
--- a/integration/fixtures/file/56-simple-panic.toml
+++ b/integration/fixtures/file/56-simple-panic.toml
@ -1,8 +1,12 @@
-[log]
+[global]
-  logLevel = "DEBUG"
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.web]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
  address = ":8000"
--- a/integration/fixtures/file/directory.toml
+++ b/integration/fixtures/file/directory.toml
@ -1,8 +1,12 @@
-[log]
+[global]
-logLevel = "DEBUG"
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.web]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
  address = ":8000"
 [providers]
--- a/integration/fixtures/file/simple.toml
+++ b/integration/fixtures/file/simple.toml
@ -1,10 +1,13 @@
-
+[global]
-[entrypoints]
+checkNewVersion = false
-  [entrypoints.web]
+sendAnonymousUsage = false
    address = ":8000"
 [log]
-logLevel = "DEBUG"
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
    address = ":8000"
 [providers]
   [providers.file]
--- a/integration/fixtures/grpc/config.toml
+++ b/integration/fixtures/grpc/config.toml
@ -1,11 +1,15 @@
 [global]
 checkNewVersion = false
 sendAnonymousUsage = false
 [log]
 level = "DEBUG"
 [serversTransport]
 rootCAs = [ """{{ .CertContent }}""" ]
-[global]
+[entryPoints]
-debug = true
+  [entryPoints.web-secure]
 [entrypoints]
  [entrypoints.web-secure]
    address = ":4443"
 [api]
--- a/integration/fixtures/grpc/config_h2c.toml
+++ b/integration/fixtures/grpc/config_h2c.toml
@ -1,8 +1,12 @@
 [global]
-debug = true
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.web]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
    address = ":8081"
 [api]
--- a/integration/fixtures/grpc/config_h2c_termination.toml
+++ b/integration/fixtures/grpc/config_h2c_termination.toml
@ -1,8 +1,12 @@
 [global]
-debug = true
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.web-secure]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.web-secure]
    address = ":4443"
--- a/integration/fixtures/grpc/config_insecure.toml
+++ b/integration/fixtures/grpc/config_insecure.toml
@ -1,12 +1,15 @@
 [global]
 checkNewVersion = false
 sendAnonymousUsage = false
 [log]
 level = "DEBUG"
 [serversTransport]
 insecureSkipVerify = true
-[global]
+[entryPoints]
-debug = true
+  [entryPoints.web-secure]
 [entrypoints]
  [entrypoints.web-secure]
    address = ":4443"
 [api]
--- a/integration/fixtures/grpc/config_retry.toml
+++ b/integration/fixtures/grpc/config_retry.toml
@ -1,8 +1,15 @@
 [global]
 checkNewVersion = false
 sendAnonymousUsage = false
 [log]
 level = "DEBUG"
 [serversTransport]
 rootCAs = [ """{{ .CertContent }}""" ]
-[entrypoints]
+[entryPoints]
-  [entrypoints.web-secure]
+  [entryPoints.web-secure]
  address = ":4443"
 [api]
--- a/integration/fixtures/grpc/config_with_flush.toml
+++ b/integration/fixtures/grpc/config_with_flush.toml
@ -1,9 +1,15 @@
 [global]
 checkNewVersion = false
 sendAnonymousUsage = false
 [log]
 level = "DEBUG"
 [serversTransport]
 rootCAs = [ """{{ .CertContent }}""" ]
-[entrypoints]
+[entryPoints]
-  [entrypoints.web-secure]
+  [entryPoints.web-secure]
    address = ":4443"
 [api]
--- a/integration/fixtures/headers/basic.toml
+++ b/integration/fixtures/headers/basic.toml
@ -0,0 +1,24 @@
 [global]
 checkNewVersion = false
 sendAnonymousUsage = false
 [log]
 level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
    address = ":8000"
 [providers]
   [providers.file]
 [http.routers]
  [http.routers.router1]
    rule = "Host(`test.localhost`)"
    service = "service1"
 [http.services]
  [http.services.service1.loadbalancer]
    [[http.services.service1.loadbalancer.servers]]
      url = "http://172.17.0.2:80"
      weight = 1
--- a/integration/fixtures/headers/cors.toml
+++ b/integration/fixtures/headers/cors.toml
@ -0,0 +1,31 @@
 [global]
 checkNewVersion = false
 sendAnonymousUsage = false
 [log]
 level = "DEBUG"
 [entryPoints]
  [entryPoints.web]
    address = ":8000"
 [providers]
   [providers.file]
 [http.routers]
  [http.routers.router1]
    rule = "Host(`test.localhost`)"
    service = "service1"
 [http.middlewares]
  [http.middlewares.cors.Headers]
    AccessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
    AccessControlAllowOrigin = "origin-list-or-null"
    AccessControlMaxAge = 100
    AddVaryHeader = true
 [http.services]
  [http.services.service1.loadbalancer]
    [[http.services.service1.loadbalancer.servers]]
      url = "http://172.17.0.2:80"
      weight = 1
--- a/integration/fixtures/healthcheck/multiple-entrypoints-drr.toml
+++ b/integration/fixtures/healthcheck/multiple-entrypoints-drr.toml
@ -1,10 +1,14 @@
-[log]
+[global]
-logLevel = "DEBUG"
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.http1]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.http1]
    address = ":8000"
-  [entrypoints.http2]
+  [entryPoints.http2]
    address = ":9000"
 [api]
--- a/integration/fixtures/healthcheck/multiple-entrypoints-wrr.toml
+++ b/integration/fixtures/healthcheck/multiple-entrypoints-wrr.toml
@ -1,10 +1,14 @@
-[log]
+[global]
-logLevel = "DEBUG"
+checkNewVersion = false
 sendAnonymousUsage = false
-[entrypoints]
+[log]
-  [entrypoints.http1]
+level = "DEBUG"
 [entryPoints]
  [entryPoints.http1]
    address = ":8000"
-  [entrypoints.http2]
+  [entryPoints.http2]
    address = ":9000"
 [api]
--- a/Show more
+++ b/Show more