diff --git a/acme/challengeProvider.go b/acme/challengeProvider.go
index 8bdda2673..d9bccf204 100644
--- a/acme/challengeProvider.go
+++ b/acme/challengeProvider.go
@@ -29,7 +29,7 @@ func (c *wrapperChallengeProvider) getCertificate(domain string) (cert *tls.Cert
 }
 
 func (c *wrapperChallengeProvider) Present(domain, token, keyAuth string) error {
-	cert, err := acme.TLSSNI01ChallengeCert(keyAuth)
+	cert, _, err := acme.TLSSNI01ChallengeCert(keyAuth)
 	if err != nil {
 		return err
 	}
diff --git a/docs/toml.md b/docs/toml.md
index 317da8049..c658fd731 100644
--- a/docs/toml.md
+++ b/docs/toml.md
@@ -666,6 +666,12 @@ domain = "marathon.localhost"
 #
 # [marathon.TLS]
 # InsecureSkipVerify = true
+
+# DCOSToken for DCOS environment, This will override the Authorization header
+#
+# Optional
+#
+# dcosToken = "xxxxxx"
 ```
 
 Labels can be used on containers to override default behaviour:
diff --git a/glide.lock b/glide.lock
index 749d2f43b..e4d70776b 100644
--- a/glide.lock
+++ b/glide.lock
@@ -1,5 +1,5 @@
-hash: 7330fcb934bc52f47319f969bbf918e325bac2436518e3fad74de596f13bbda2
-updated: 2016-06-18T12:59:25.604052029+02:00
+hash: 5a6dbc30a69abd002736bd5113e0f783c448faee20a0791c724ec2c3c1cfb8bb
+updated: 2016-06-03T18:11:43.839017153+02:00
 imports:
 - name: github.com/boltdb/bolt
   version: 3f7947a25d970e1e5f512276c14d5dcf731ccd5e
@@ -21,6 +21,15 @@ imports:
   version: b98687da5c323650f4513fda6b6203fcbdec9313
 - name: github.com/containous/mux
   version: a819b77bba13f0c0cbe36e437bc2e948411b3996
+- name: github.com/containous/oxy
+  version: 183212964e13e7b8afe01a08b193d04300554a68
+  subpackages:
+  - cbreaker
+  - connlimit
+  - forward
+  - roundrobin
+  - stream
+  - utils
 - name: github.com/containous/staert
   version: e2aa88e235a02dd52aa1d5d9de75f9d9139d1602
 - name: github.com/coreos/etcd
@@ -84,7 +93,7 @@ imports:
 - name: github.com/elazarl/go-bindata-assetfs
   version: 57eb5e1fc594ad4b0b1dbea7b286d299e0cb43c2
 - name: github.com/gambol99/go-marathon
-  version: ade11d1dc2884ee1f387078fc28509559b6235d1
+  version: a558128c87724cd7430060ef5aedf39f83937f55
 - name: github.com/go-check/check
   version: 4f90aeace3a26ad7021961c297b22c42160c7b25
 - name: github.com/google/go-querystring
@@ -183,7 +192,7 @@ imports:
   - conntracker
   - router
 - name: github.com/xenolf/lego
-  version: 30a7a8e8821de3532192d1240a45e53c6204f603
+  version: b2fad6198110326662e9e356a97199078a4a775c
   subpackages:
   - acme
 - name: golang.org/x/crypto
diff --git a/glide.yaml b/glide.yaml
index 31d7187c3..b981c716e 100644
--- a/glide.yaml
+++ b/glide.yaml
@@ -42,7 +42,7 @@ import:
   - store/zookeeper
 - package: github.com/elazarl/go-bindata-assetfs
 - package: github.com/gambol99/go-marathon
-  version: ade11d1dc2884ee1f387078fc28509559b6235d1
+  version: a558128c87724cd7430060ef5aedf39f83937f55
 - package: github.com/containous/mux
 - package: github.com/hashicorp/consul
   subpackages:
diff --git a/provider/marathon.go b/provider/marathon.go
index 4efdc390a..d0068e23b 100644
--- a/provider/marathon.go
+++ b/provider/marathon.go
@@ -26,6 +26,7 @@ type Marathon struct {
 	Domain             string `description:"Default domain used"`
 	ExposedByDefault   bool   `description:"Expose Marathon apps by default"`
 	GroupsAsSubDomains bool   `description:"Convert Marathon groups to subdomains"`
+	DCOSToken          string `description:"DCOSToken for DCOS environment, This will override the Authorization header"`
 	Basic              *MarathonBasic
 	TLS                *tls.Config
 	marathonClient     marathon.Marathon
@@ -54,6 +55,9 @@ func (provider *Marathon) Provide(configurationChan chan<- types.ConfigMessage,
 			config.HTTPBasicAuthUser = provider.Basic.HTTPBasicAuthUser
 			config.HTTPBasicPassword = provider.Basic.HTTPBasicPassword
 		}
+		if len(provider.DCOSToken) > 0 {
+			config.DCOSToken = provider.DCOSToken
+		}
 		config.HTTPClient = &http.Client{
 			Transport: &http.Transport{
 				TLSClientConfig: provider.TLS,
@@ -67,7 +71,7 @@ func (provider *Marathon) Provide(configurationChan chan<- types.ConfigMessage,
 		provider.marathonClient = client
 		update := make(marathon.EventsChannel, 5)
 		if provider.Watch {
-			if err := client.AddEventsListener(update, marathon.EVENTS_APPLICATIONS); err != nil {
+			if err := client.AddEventsListener(update, marathon.EventIDApplications); err != nil {
 				log.Errorf("Failed to register for events, %s", err)
 				return err
 			}
@@ -179,8 +183,8 @@ func taskFilter(task marathon.Task, applications *marathon.Applications, exposed
 	}
 
 	//filter indeterminable task port
-	portIndexLabel := application.Labels["traefik.portIndex"]
-	portValueLabel := application.Labels["traefik.port"]
+	portIndexLabel := (*application.Labels)["traefik.portIndex"]
+	portValueLabel := (*application.Labels)["traefik.port"]
 	if portIndexLabel != "" && portValueLabel != "" {
 		log.Debugf("Filtering marathon task %s specifying both traefik.portIndex and traefik.port labels", task.AppID)
 		return false
@@ -190,14 +194,14 @@ func taskFilter(task marathon.Task, applications *marathon.Applications, exposed
 		return false
 	}
 	if portIndexLabel != "" {
-		index, err := strconv.Atoi(application.Labels["traefik.portIndex"])
+		index, err := strconv.Atoi((*application.Labels)["traefik.portIndex"])
 		if err != nil || index < 0 || index > len(application.Ports)-1 {
 			log.Debugf("Filtering marathon task %s with unexpected value for traefik.portIndex label", task.AppID)
 			return false
 		}
 	}
 	if portValueLabel != "" {
-		port, err := strconv.Atoi(application.Labels["traefik.port"])
+		port, err := strconv.Atoi((*application.Labels)["traefik.port"])
 		if err != nil {
 			log.Debugf("Filtering marathon task %s with unexpected value for traefik.port label", task.AppID)
 			return false
@@ -251,11 +255,11 @@ func getApplication(task marathon.Task, apps []marathon.Application) (marathon.A
 }
 
 func isApplicationEnabled(application marathon.Application, exposedByDefault bool) bool {
-	return exposedByDefault && application.Labels["traefik.enable"] != "false" || application.Labels["traefik.enable"] == "true"
+	return exposedByDefault && (*application.Labels)["traefik.enable"] != "false" || (*application.Labels)["traefik.enable"] == "true"
 }
 
 func (provider *Marathon) getLabel(application marathon.Application, label string) (string, error) {
-	for key, value := range application.Labels {
+	for key, value := range *application.Labels {
 		if key == label {
 			return value, nil
 		}
diff --git a/traefik.sample.toml b/traefik.sample.toml
index 33e755136..88f610cad 100644
--- a/traefik.sample.toml
+++ b/traefik.sample.toml
@@ -318,12 +318,11 @@
 #  httpBasicAuthUser = "foo"
 #  httpBasicPassword = "bar"
 
-# TLS client configuration. https://golang.org/pkg/crypto/tls/#Config
+# DCOSToken for DCOS environment, This will override the Authorization header
 #
 # Optional
 #
-# [marathon.TLS]
-# InsecureSkipVerify = true
+# dcosToken = "xxxxxx"
 
 ################################################################
 # Kubernetes Ingress configuration backend