Prepare release v3.0.1

Co-authored-by: Romain <rtribotte@users.noreply.github.com>

.github/workflows/documentation.yml

@@ -47,6 +47,6 @@ jobs:
         run: $HOME/bin/seo -path=./site -product=traefik
 
       - name: Publish documentation
-        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
+        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=traefik --src-repo-name=traefik
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN_REPO }}

.github/workflows/test-conformance.yaml

@@ -0,0 +1,35 @@
+name: Test K8s Gateway API conformance
+
+on:
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'pkg/provider/kubernetes/gateway/**'
+      - 'integration/k8s_conformance_test.go'
+
+env:
+  GO_VERSION: '1.22'
+  CGO_ENABLED: 0
+
+jobs:
+
+  test-conformance:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Avoid generating webui
+        run: touch webui/static/index.html
+
+      - name: K8s Gateway API conformance test
+        run: make test-gateway-api-conformance

.github/workflows/test-integration.yaml

@@ -4,9 +4,6 @@ on:
   pull_request:
     branches:
       - '*'
-  push:
-    branches:
-      - 'gh-actions'
 
 env:
   GO_VERSION: '1.22'

.gitignore

@@ -19,3 +19,4 @@ plugins-storage/
 plugins-local/
 traefik_changelog.md
 integration/tailscale.secret
+integration/conformance-reports/

.golangci.yml

@@ -30,6 +30,10 @@ linters-settings:
             desc: not allowed
           - pkg: "github.com/pkg/errors"
             desc: Should be replaced by standard lib errors package
+          - pkg: "k8s.io/api/networking/v1beta1"
+            desc: This API is deprecated
+          - pkg: "k8s.io/api/extensions/v1beta1"
+            desc: This API is deprecated
   godox:
     keywords:
       - FIXME
@@ -44,14 +48,10 @@ linters-settings:
         pkg: "k8s.io/api/core/v1"
       - alias: netv1
         pkg: "k8s.io/api/networking/v1"
-      - alias: netv1beta1
-        pkg: "k8s.io/api/networking/v1beta1"
       - alias: admv1
         pkg: "k8s.io/api/admission/v1"
       - alias: admv1beta1
         pkg: "k8s.io/api/admission/v1beta1"
-      - alias: extv1beta1
-        pkg: "k8s.io/api/extensions/v1beta1"
       - alias: metav1
         pkg: "k8s.io/apimachinery/pkg/apis/meta/v1"
       - alias: ktypes
@@ -84,18 +84,16 @@ linters-settings:
         pkg: "sigs.k8s.io/gateway-api/apis/v1alpha2"
 
       # Traefik Kubernetes rewrites:
-      - alias: containousv1alpha1
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikcontainous/v1alpha1"
       - alias: traefikv1alpha1
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1"
+        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1"
       - alias: traefikclientset
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned"
+        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned"
       - alias: traefikinformers
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/informers/externalversions"
+        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/informers/externalversions"
       - alias: traefikscheme
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme"
+        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme"
       - alias: traefikcrdfake
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake"
+        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake"
   tagalign:
     align: false
     sort: true
@@ -153,7 +151,10 @@ linters-settings:
       - suite-dont-use-pkg
       - require-error
       - go-require
-
+  staticcheck:
+    checks:
+      - all
+      - -SA1019
 linters:
   enable-all: true
   disable:
@@ -207,6 +208,7 @@ linters:
     - gosmopolitan  # not relevant
     - exportloopref # Useless with go1.22
     - musttag
+    - intrange # bug (fixed in golangci-lint v1.58)
 
 issues:
   exclude-use-default: false
@@ -217,15 +219,6 @@ issues:
   exclude:
     - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
     - "should have a package comment, unless it's in another file for this package"
-    - 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
-    - 'SA1019: cfg.SSLRedirect is deprecated'
-    - 'SA1019: cfg.SSLTemporaryRedirect is deprecated'
-    - 'SA1019: cfg.SSLHost is deprecated'
-    - 'SA1019: cfg.SSLForceHost is deprecated'
-    - 'SA1019: cfg.FeaturePolicy is deprecated'
-    - 'SA1019: c.Providers.ConsulCatalog.Namespace is deprecated'
-    - 'SA1019: c.Providers.Consul.Namespace is deprecated'
-    - 'SA1019: c.Providers.Nomad.Namespace is deprecated'
     - 'fmt.Sprintf can be replaced with string'
   exclude-rules:
     - path: '(.+)_test.go'
@@ -247,7 +240,7 @@ issues:
       text: "Function 'buildConstructor' has too many statements"
       linters:
         - funlen
-    - path: pkg/tracing/haystack/logger.go
+    - path: pkg/logs/haystack.go
       linters:
         - goprintffuncname
     - path: pkg/tracing/tracing.go
@@ -258,6 +251,12 @@ issues:
       text: 'SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18'
     - path: pkg/types/tls_test.go
       text: 'SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18'
+    - path: pkg/provider/kubernetes/crd/kubernetes.go
+      text: 'SA1019: middleware.Spec.IPWhiteList is deprecated: please use IPAllowList instead.'
+    - path: pkg/server/middleware/tcp/middlewares.go
+      text: 'SA1019: config.IPWhiteList is deprecated: please use IPAllowList instead.'
+    - path: pkg/server/middleware/middlewares.go
+      text: 'SA1019: config.IPWhiteList is deprecated: please use IPAllowList instead.'
     - path: pkg/provider/kubernetes/(crd|gateway)/client.go
       linters:
         - interfacebloat
@@ -272,7 +271,17 @@ issues:
       text: 'Duplicate words \(sub\) found'
       linters:
         - dupword
+    - path: pkg/provider/kubernetes/crd/kubernetes.go
+      text: "Function 'loadConfigurationFromCRD' has too many statements"
+      linters:
+        - funlen
     - path: pkg/provider/kubernetes/gateway/client_mock_test.go
       text: 'unusedwrite: unused write to field'
       linters:
         - govet
+    - path: pkg/cli/deprecation.go
+      linters:
+        - goconst
+    - path: pkg/cli/loader_file.go
+      linters:
+        - goconst

.goreleaser.yml.tmpl

@@ -15,7 +15,7 @@ builds:
     env:
       - CGO_ENABLED=0
     ldflags:
-      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}
+      - -s -w -X github.com/traefik/traefik/v3/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v3/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v3/pkg/version.BuildDate={{.Date}}
     flags:
       - -trimpath
     goos:

.semaphore/semaphore.yml

@@ -46,7 +46,7 @@ blocks:
         - name: GH_VERSION
           value: 2.32.1
         - name: CODENAME
-          value: "mimolette"
+          value: "beaufort"
       prologue:
         commands:
           - export VERSION=${SEMAPHORE_GIT_TAG_NAME}

CHANGELOG.md

@@ -1,3 +1,23 @@
+## [v3.0.1](https://github.com/traefik/traefik/tree/v3.0.1) (2024-05-22)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0...v3.0.1)
+
+**Bug fixes:**
+- **[k8s/ingress]** Fix rule syntax version for all internal routers ([#10689](https://github.com/traefik/traefik/pull/10689) by [HalloTschuess](https://github.com/HalloTschuess))
+- **[metrics,tracing]** Allow empty configuration for OpenTelemetry metrics and tracing ([#10729](https://github.com/traefik/traefik/pull/10729) by [rtribotte](https://github.com/rtribotte))
+- **[provider,tls]** Bump tscert dependency to 28a91b69a046 ([#10668](https://github.com/traefik/traefik/pull/10668) by [kevinpollet](https://github.com/kevinpollet))
+- **[rules,tcp]** Fix the rule syntax mechanism for TCP ([#10680](https://github.com/traefik/traefik/pull/10680) by [lbenguigui](https://github.com/lbenguigui))
+- **[tls,server]** Remove deadlines when handling PostgreSQL connections ([#10675](https://github.com/traefik/traefik/pull/10675) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Add support for IP White list ([#10740](https://github.com/traefik/traefik/pull/10740) by [davidbaptista](https://github.com/davidbaptista))
+
+**Documentation:**
+- **[http3]** Add link to the new http3 config in migration ([#10673](https://github.com/traefik/traefik/pull/10673) by [yyewolf](https://github.com/yyewolf))
+- **[logs]** Fix log.compress value ([#10716](https://github.com/traefik/traefik/pull/10716) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Fix OTel documentation ([#10723](https://github.com/traefik/traefik/pull/10723) by [nmengin](https://github.com/nmengin))
+- **[middleware]** Fix doc consistency forwardauth ([#10724](https://github.com/traefik/traefik/pull/10724) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Remove providers not supported in documentation ([#10725](https://github.com/traefik/traefik/pull/10725) by [mmatur](https://github.com/mmatur))
+- **[rules]** Fix typo in PathRegexp explanation ([#10719](https://github.com/traefik/traefik/pull/10719) by [BreadInvasion](https://github.com/BreadInvasion))
+- **[rules]** Fix router documentation example ([#10704](https://github.com/traefik/traefik/pull/10704) by [ldez](https://github.com/ldez))
+
 ## [v2.11.3](https://github.com/traefik/traefik/tree/v2.11.3) (2024-05-17)
 [All Commits](https://github.com/traefik/traefik/compare/v2.11.2...v2.11.3)
 
@@ -14,6 +34,188 @@
 - Consistent entryPoints capitalization in CLI flag usage ([#10650](https://github.com/traefik/traefik/pull/10650) by [jnoordsij](https://github.com/jnoordsij))
 - Fix unfinished migration sentence for v2.11.2 ([#10633](https://github.com/traefik/traefik/pull/10633) by [kevinpollet](https://github.com/kevinpollet))
 
+## [v3.0.0](https://github.com/traefik/traefik/tree/v3.0.0) (2024-04-29)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-beta1...v3.0.0)
+
+**Enhancements:**
+- **[consul]** ConsulCatalog StrictChecks ([#10388](https://github.com/traefik/traefik/pull/10388) by [djenriquez](https://github.com/djenriquez))
+- **[docker,docker/swarm]** Split Docker provider ([#9652](https://github.com/traefik/traefik/pull/9652) by [ldez](https://github.com/ldez))
+- **[docker,service]** Adds weight on ServersLoadBalancer ([#10372](https://github.com/traefik/traefik/pull/10372) by [juliens](https://github.com/juliens))
+- **[ecs]** Add option to keep only healthy ECS tasks ([#8027](https://github.com/traefik/traefik/pull/8027) by [Michampt](https://github.com/Michampt))
+- **[file]** Reload provider file configuration on SIGHUP ([#9993](https://github.com/traefik/traefik/pull/9993) by [sokoide](https://github.com/sokoide))
+- **[healthcheck]** Support gRPC healthcheck ([#8583](https://github.com/traefik/traefik/pull/8583) by [jjacque](https://github.com/jjacque))
+- **[healthcheck]** Add a status option to the service health check ([#9463](https://github.com/traefik/traefik/pull/9463) by [guoard](https://github.com/guoard))
+- **[http]** Support custom headers when fetching configuration through HTTP ([#9421](https://github.com/traefik/traefik/pull/9421) by [kevinpollet](https://github.com/kevinpollet))
+- **[http3]** Moves HTTP/3 outside the experimental section ([#9570](https://github.com/traefik/traefik/pull/9570) by [sdelicata](https://github.com/sdelicata))
+- **[k8s,hub]** Remove deprecated code ([#9804](https://github.com/traefik/traefik/pull/9804) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/gatewayapi]** Support for cross-namespace references / GatewayAPI ReferenceGrants ([#10346](https://github.com/traefik/traefik/pull/10346) by [pascal-hofmann](https://github.com/pascal-hofmann))
+- **[k8s,k8s/gatewayapi]** Support HostSNIRegexp in GatewayAPI TLS routes ([#9486](https://github.com/traefik/traefik/pull/9486) by [ddtmachado](https://github.com/ddtmachado))
+- **[k8s,k8s/gatewayapi]** Upgrade gateway api to v1.0.0 ([#10205](https://github.com/traefik/traefik/pull/10205) by [mmatur](https://github.com/mmatur))
+- **[k8s/crd,k8s]** Support file path as input param for Kubernetes token value ([#10232](https://github.com/traefik/traefik/pull/10232) by [sssash18](https://github.com/sssash18))
+- **[k8s/gatewayapi]** Add option to set Gateway status address ([#10582](https://github.com/traefik/traefik/pull/10582) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/gatewayapi]** Toggle support for experimental channel ([#10435](https://github.com/traefik/traefik/pull/10435) by [SantoDE](https://github.com/SantoDE))
+- **[k8s/gatewayapi]** Add option to set Gateway status address ([#10582](https://github.com/traefik/traefik/pull/10582) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/gatewayapi]** Add support for HTTPRequestRedirectFilter in k8s Gateway API ([#9408](https://github.com/traefik/traefik/pull/9408) by [romantomjak](https://github.com/romantomjak))
+- **[k8s/gatewayapi]** Handle middlewares in filters extension reference ([#10511](https://github.com/traefik/traefik/pull/10511) by [youkoulayley](https://github.com/youkoulayley))
+- **[k8s/ingress,k8s/crd,k8s,k8s/gatewayapi]** Use runtime.Object in routerTransform ([#10523](https://github.com/traefik/traefik/pull/10523) by [juliens](https://github.com/juliens))
+- **[k8s/ingress,k8s]** Add option to the Ingress provider to disable IngressClass lookup ([#9281](https://github.com/traefik/traefik/pull/9281) by [jandillenkofer](https://github.com/jandillenkofer))
+- **[k8s/ingress,k8s]** Remove support of the networking.k8s.io/v1beta1 APIVersion ([#9949](https://github.com/traefik/traefik/pull/9949) by [rtribotte](https://github.com/rtribotte))
+- **[logs]** Introduce static config hints ([#10351](https://github.com/traefik/traefik/pull/10351) by [rtribotte](https://github.com/rtribotte))
+- **[logs,performance]** New logger for the Traefik logs ([#9515](https://github.com/traefik/traefik/pull/9515) by [ldez](https://github.com/ldez))
+- **[logs,plugins]** Retry on plugin API calls ([#9530](https://github.com/traefik/traefik/pull/9530) by [ldez](https://github.com/ldez))
+- **[logs,provider]** Improve provider logs ([#9562](https://github.com/traefik/traefik/pull/9562) by [ldez](https://github.com/ldez))
+- **[logs]** Improve test logger assertions ([#9533](https://github.com/traefik/traefik/pull/9533) by [ldez](https://github.com/ldez))
+- **[marathon]** Remove Marathon provider ([#9614](https://github.com/traefik/traefik/pull/9614) by [rtribotte](https://github.com/rtribotte))
+- **[metrics,tracing,accesslogs]** Remove observability for internal resources ([#9633](https://github.com/traefik/traefik/pull/9633) by [rtribotte](https://github.com/rtribotte))
+- **[metrics,tracing]** Upgrade opentelemetry dependencies ([#10472](https://github.com/traefik/traefik/pull/10472) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Add support for sending DogStatsD metrics over Unix Socket ([#10199](https://github.com/traefik/traefik/pull/10199) by [liamvdv](https://github.com/liamvdv))
+- **[metrics]** Remove InfluxDB v1 metrics middleware ([#9612](https://github.com/traefik/traefik/pull/9612) by [tomMoulard](https://github.com/tomMoulard))
+- **[metrics]** Upgrade OpenTelemetry dependencies ([#10181](https://github.com/traefik/traefik/pull/10181) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Support gRPC and gRPC-Web protocol in metrics ([#9483](https://github.com/traefik/traefik/pull/9483) by [longit644](https://github.com/longit644))
+- **[middleware,accesslogs]** Log TLS client subject ([#9285](https://github.com/traefik/traefik/pull/9285) by [xmessi](https://github.com/xmessi))
+- **[middleware,metrics,tracing,otel]** Add OpenTelemetry tracing and metrics support ([#8999](https://github.com/traefik/traefik/pull/8999) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Disable Content-Type auto-detection by default ([#9546](https://github.com/traefik/traefik/pull/9546) by [sdelicata](https://github.com/sdelicata))
+- **[middleware]** Add gRPC-Web middleware ([#9451](https://github.com/traefik/traefik/pull/9451) by [juliens](https://github.com/juliens))
+- **[middleware]** Add support for Brotli ([#9387](https://github.com/traefik/traefik/pull/9387) by [glinton](https://github.com/glinton))
+- **[middleware]** Renaming IPWhiteList to IPAllowList  ([#9457](https://github.com/traefik/traefik/pull/9457) by [wxmbugu](https://github.com/wxmbugu))
+- **[middleware,authentication,tracing]** Add captured headers options for tracing ([#10457](https://github.com/traefik/traefik/pull/10457) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,authentication]** Add forwardAuth.addAuthCookiesToResponse ([#8924](https://github.com/traefik/traefik/pull/8924) by [tgunsch](https://github.com/tgunsch))
+- **[middleware,metrics]** Semconv OTLP stable HTTP metrics ([#10421](https://github.com/traefik/traefik/pull/10421) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Feat re introduce IpWhitelist middleware as deprecated ([#10341](https://github.com/traefik/traefik/pull/10341) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Disable br compression when no Accept-Encoding header is present ([#10178](https://github.com/traefik/traefik/pull/10178) by [robin-moser](https://github.com/robin-moser))
+- **[middleware]** Implements the includedContentTypes option for the compress middleware ([#10207](https://github.com/traefik/traefik/pull/10207) by [rjsocha](https://github.com/rjsocha))
+- **[middleware]** Add `rejectStatusCode` option to `IPAllowList` middleware ([#10130](https://github.com/traefik/traefik/pull/10130) by [jfly](https://github.com/jfly))
+- **[middleware]** Merge v2.11 into v3.0 ([#10426](https://github.com/traefik/traefik/pull/10426) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Add ResponseCode to CircuitBreaker ([#10147](https://github.com/traefik/traefik/pull/10147) by [fahhem](https://github.com/fahhem))
+- **[nomad]** Allow empty services ([#10375](https://github.com/traefik/traefik/pull/10375) by [chrispruitt](https://github.com/chrispruitt))
+- **[nomad]** Support multiple namespaces in the Nomad Provider ([#9332](https://github.com/traefik/traefik/pull/9332) by [0teh](https://github.com/0teh))
+- **[plugins]** Add http-wasm plugin support to Traefik ([#10189](https://github.com/traefik/traefik/pull/10189) by [zetaab](https://github.com/zetaab))
+- **[plugins]** Upgrade http-wasm host to v0.6.0 to support clients using v0.4.0 ([#10475](https://github.com/traefik/traefik/pull/10475) by [jcchavezs](https://github.com/jcchavezs))
+- **[rancher]** Remove Rancher v1 provider ([#9613](https://github.com/traefik/traefik/pull/9613) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Bring back v2 rule matchers ([#10339](https://github.com/traefik/traefik/pull/10339) by [rtribotte](https://github.com/rtribotte))
+- **[rules]** Remove containous/mux from HTTP muxer ([#9558](https://github.com/traefik/traefik/pull/9558) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Update routing syntax ([#9531](https://github.com/traefik/traefik/pull/9531) by [skwair](https://github.com/skwair))
+- **[server]** Add SO_REUSEPORT support for EntryPoints ([#9834](https://github.com/traefik/traefik/pull/9834) by [aofei](https://github.com/aofei))
+- **[server]** Rework servers load-balancer to use the WRR ([#9431](https://github.com/traefik/traefik/pull/9431) by [juliens](https://github.com/juliens))
+- **[server]** Allow default entrypoints definition ([#9100](https://github.com/traefik/traefik/pull/9100) by [applejag](https://github.com/applejag))
+- **[sticky-session]** Support setting sticky cookie max age  ([#10176](https://github.com/traefik/traefik/pull/10176) by [Patrick0308](https://github.com/Patrick0308))
+- **[tls,tcp,service]** Add TCP Servers Transports support ([#9465](https://github.com/traefik/traefik/pull/9465) by [sdelicata](https://github.com/sdelicata))
+- **[tls,service]** Support SPIFFE mTLS between Traefik and Backend servers ([#9394](https://github.com/traefik/traefik/pull/9394) by [jlevesy](https://github.com/jlevesy))
+- **[tls]** Add Tailscale certificate resolver ([#9237](https://github.com/traefik/traefik/pull/9237) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls]** Support SNI routing with Postgres STARTTLS connections ([#9377](https://github.com/traefik/traefik/pull/9377) by [rtribotte](https://github.com/rtribotte))
+- **[tracing,otel]** Migrate to opentelemetry ([#10223](https://github.com/traefik/traefik/pull/10223) by [zetaab](https://github.com/zetaab))
+- **[tracing]** Support OTEL_PROPAGATORS to configure tracing propagation ([#10465](https://github.com/traefik/traefik/pull/10465) by [youkoulayley](https://github.com/youkoulayley))
+- **[webui,middleware,k8s/gatewayapi]** Support RequestHeaderModifier filter ([#10521](https://github.com/traefik/traefik/pull/10521) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Added router priority to webui's list and detail page ([#9004](https://github.com/traefik/traefik/pull/9004) by [bendre90](https://github.com/bendre90))
+- Reintroduce dropped v2 dynamic config ([#10355](https://github.com/traefik/traefik/pull/10355) by [rtribotte](https://github.com/rtribotte))
+- Remove deprecated options ([#9527](https://github.com/traefik/traefik/pull/9527) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[consul,tls]** Enable TLS for Consul Connect TCP services ([#10140](https://github.com/traefik/traefik/pull/10140) by [rtribotte](https://github.com/rtribotte))
+- **[docker]** Fix struct names in comment ([#10503](https://github.com/traefik/traefik/pull/10503) by [hishope](https://github.com/hishope))
+- **[k8s/crd,k8s]** Adds the missing circuit-breaker response code for CRD ([#10625](https://github.com/traefik/traefik/pull/10625) by [ldez](https://github.com/ldez))
+- **[k8s/crd,k8s]** Delete warning in Kubernetes CRD provider about the supported version ([#10414](https://github.com/traefik/traefik/pull/10414) by [nmengin](https://github.com/nmengin))
+- **[logs]** Avoid cumulative send anonymous usage log ([#10579](https://github.com/traefik/traefik/pull/10579) by [mmatur](https://github.com/mmatur))
+- **[logs]** Change traefik cmd error log to error level ([#9569](https://github.com/traefik/traefik/pull/9569) by [tomMoulard](https://github.com/tomMoulard))
+- **[logs]** Fix log level ([#9545](https://github.com/traefik/traefik/pull/9545) by [ldez](https://github.com/ldez))
+- **[metrics]** Fix OpenTelemetry metrics ([#9962](https://github.com/traefik/traefik/pull/9962) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Fix OpenTelemetry service name ([#9619](https://github.com/traefik/traefik/pull/9619) by [tomMoulard](https://github.com/tomMoulard))
+- **[metrics]** Fix open connections metric ([#9656](https://github.com/traefik/traefik/pull/9656) by [mpl](https://github.com/mpl))
+- **[metrics]** Remove config reload failure metrics ([#9660](https://github.com/traefik/traefik/pull/9660) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Fix OpenTelemetry unit tests ([#10380](https://github.com/traefik/traefik/pull/10380) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Fix ServerUp metric ([#9534](https://github.com/traefik/traefik/pull/9534) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware,authentication,metrics,tracing]** Align OpenTelemetry tracing and metrics configurations ([#10404](https://github.com/traefik/traefik/pull/10404) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Fix brotli response status code when compression is disabled ([#10396](https://github.com/traefik/traefik/pull/10396) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Allow short healthcheck interval with long timeout ([#9832](https://github.com/traefik/traefik/pull/9832) by [kevinmcconnell](https://github.com/kevinmcconnell))
+- **[middleware]** Fix GrpcWeb middleware to clear ContentLength after translating to normal gRPC message ([#9782](https://github.com/traefik/traefik/pull/9782) by [CleverUnderDog](https://github.com/CleverUnderDog))
+- **[provider,tls]** Bump tscert dependency to 28a91b69a046 ([#10668](https://github.com/traefik/traefik/pull/10668) by [kevinpollet](https://github.com/kevinpollet))
+- **[rules]** Rework Host and HostRegexp matchers ([#9559](https://github.com/traefik/traefik/pull/9559) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Support regexp in path/pathprefix in matcher v2 ([#10546](https://github.com/traefik/traefik/pull/10546) by [youkoulayley](https://github.com/youkoulayley))
+- **[sticky-session,server]** Set sameSite field for wrr load balancer sticky cookie ([#10066](https://github.com/traefik/traefik/pull/10066) by [sunyakun](https://github.com/sunyakun))
+- **[tcp]** Don't log EOF or timeout errors while peeking first bytes in Postgres StartTLS hook ([#9663](https://github.com/traefik/traefik/pull/9663) by [rtribotte](https://github.com/rtribotte))
+- **[tls,server]** Compute priority for https forwarder TLS routes ([#10288](https://github.com/traefik/traefik/pull/10288) by [rtribotte](https://github.com/rtribotte))
+- **[tls,service]** Enforce default servers transport SPIFFE config ([#9444](https://github.com/traefik/traefik/pull/9444) by [jlevesy](https://github.com/jlevesy))
+- **[webui]** Detect dashboard assets content types ([#9622](https://github.com/traefik/traefik/pull/9622) by [tomMoulard](https://github.com/tomMoulard))
+- **[webui]** Add missing Docker Swarm logo ([#10529](https://github.com/traefik/traefik/pull/10529) by [ldez](https://github.com/ldez))
+- **[webui]** fix: detect dashboard content types ([#9594](https://github.com/traefik/traefik/pull/9594) by [ldez](https://github.com/ldez))
+- Fix a regression on flags using spaces between key and value ([#10445](https://github.com/traefik/traefik/pull/10445) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[docker/swarm]** Remove documentation of old swarm options ([#10001](https://github.com/traefik/traefik/pull/10001) by [ldez](https://github.com/ldez))
+- **[docker/swarm]** Fix minor typo in swarm example ([#10071](https://github.com/traefik/traefik/pull/10071) by [kaznovac](https://github.com/kaznovac))
+- **[k8s,k8s/gatewayapi]** Add ReferenceGrants to Gateway API Traefik controller RBAC ([#10462](https://github.com/traefik/traefik/pull/10462) by [rtribotte](https://github.com/rtribotte))
+- **[k8s]** Update Kubernetes version for v3 Helm chart ([#10637](https://github.com/traefik/traefik/pull/10637) by [jnoordsij](https://github.com/jnoordsij))
+- **[k8s]** Improve Kubernetes support documentation ([#9974](https://github.com/traefik/traefik/pull/9974) by [rtribotte](https://github.com/rtribotte))
+- **[k8s]** Fix invalid version in docs about Gateway API on Traefik v3 ([#10474](https://github.com/traefik/traefik/pull/10474) by [mloiseleur](https://github.com/mloiseleur))
+- **[rules]** Improve ruleSyntax option documentation ([#10441](https://github.com/traefik/traefik/pull/10441) by [rtribotte](https://github.com/rtribotte))
+- Prepare release v3.0.0 ([#10666](https://github.com/traefik/traefik/pull/10666) by [rtribotte](https://github.com/rtribotte))
+- Prepare release v3.0.0-rc2 ([#10514](https://github.com/traefik/traefik/pull/10514) by [rtribotte](https://github.com/rtribotte))
+- Fix typo in migration docs ([#10478](https://github.com/traefik/traefik/pull/10478) by [Eisberge](https://github.com/Eisberge))
+- Prepare release v3.0.0 rc3 ([#10520](https://github.com/traefik/traefik/pull/10520) by [rtribotte](https://github.com/rtribotte))
+- Fix typo in dialer_test.go ([#10552](https://github.com/traefik/traefik/pull/10552) by [eltociear](https://github.com/eltociear))
+- Fix typo and improve explanation on internal resources ([#10563](https://github.com/traefik/traefik/pull/10563) by [mloiseleur](https://github.com/mloiseleur))
+- Prepare release v3.0.0-rc1 ([#10429](https://github.com/traefik/traefik/pull/10429) by [mmatur](https://github.com/mmatur))
+- Update version comment in quick-start.md ([#10383](https://github.com/traefik/traefik/pull/10383) by [matthieuwerner](https://github.com/matthieuwerner))
+- Improve migration guide ([#10319](https://github.com/traefik/traefik/pull/10319) by [rtribotte](https://github.com/rtribotte))
+- Prepare release v3.0.0 beta5 ([#10273](https://github.com/traefik/traefik/pull/10273) by [rtribotte](https://github.com/rtribotte))
+- Prepare release v3.0.0-beta4 ([#10165](https://github.com/traefik/traefik/pull/10165) by [mmatur](https://github.com/mmatur))
+- Prepare release v3.0.0-rc4 ([#10588](https://github.com/traefik/traefik/pull/10588) by [kevinpollet](https://github.com/kevinpollet))
+- Fix bad anchor on documentation ([#10041](https://github.com/traefik/traefik/pull/10041) by [mmatur](https://github.com/mmatur))
+- Prepare release v3.0.0-rc5 ([#10605](https://github.com/traefik/traefik/pull/10605) by [ldez](https://github.com/ldez))
+- Fix migration guide heading ([#9989](https://github.com/traefik/traefik/pull/9989) by [ldez](https://github.com/ldez))
+- Prepare release v3.0.0-beta3 ([#9978](https://github.com/traefik/traefik/pull/9978) by [ldez](https://github.com/ldez))
+- Fix some typos in comments ([#10626](https://github.com/traefik/traefik/pull/10626) by [hidewrong](https://github.com/hidewrong))
+- Adjust quick start ([#9790](https://github.com/traefik/traefik/pull/9790) by [svx](https://github.com/svx))
+- Mention PathPrefix matcher changes in V3 Migration Guide ([#9727](https://github.com/traefik/traefik/pull/9727) by [aofei](https://github.com/aofei))
+- Fix yaml indentation in the HTTP3 example ([#9724](https://github.com/traefik/traefik/pull/9724) by [benwaffle](https://github.com/benwaffle))
+- Add OpenTelemetry in observability overview ([#9654](https://github.com/traefik/traefik/pull/9654) by [tomMoulard](https://github.com/tomMoulard))
+- Prepare release v3.0.0-beta2 ([#9587](https://github.com/traefik/traefik/pull/9587) by [tomMoulard](https://github.com/tomMoulard))
+- Prepare release v3.0.0-beta1 ([#9577](https://github.com/traefik/traefik/pull/9577) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge current v2.11 into v3.0 ([#10651](https://github.com/traefik/traefik/pull/10651) by [ldez](https://github.com/ldez))
+- Merge current v2.11 into v3.0 ([#10632](https://github.com/traefik/traefik/pull/10632) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.11 into v3.0 ([#10604](https://github.com/traefik/traefik/pull/10604) by [ldez](https://github.com/ldez))
+- Merge branch v2.11 into v3.0 ([#10587](https://github.com/traefik/traefik/pull/10587) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.11 into v3.0 ([#10566](https://github.com/traefik/traefik/pull/10566) by [mmatur](https://github.com/mmatur))
+- Merge current v2.11 into v3.0 ([#10564](https://github.com/traefik/traefik/pull/10564) by [ldez](https://github.com/ldez))
+- Merge branch v2.11 into v3.0 ([#10519](https://github.com/traefik/traefik/pull/10519) by [rtribotte](https://github.com/rtribotte))
+- Merge v2.11 into v3.0 ([#10513](https://github.com/traefik/traefik/pull/10513) by [mmatur](https://github.com/mmatur))
+- Merge v2.11 into v3.0 ([#10417](https://github.com/traefik/traefik/pull/10417) by [mmatur](https://github.com/mmatur))
+- Merge current v2.11 into v3.0 ([#10382](https://github.com/traefik/traefik/pull/10382) by [mmatur](https://github.com/mmatur))
+- Merge back v2.11 into v3.0 ([#10377](https://github.com/traefik/traefik/pull/10377) by [mmatur](https://github.com/mmatur))
+- Merge back v2.11 into v3.0 ([#10353](https://github.com/traefik/traefik/pull/10353) by [youkoulayley](https://github.com/youkoulayley))
+- Merge current v2.11 into v3.0 ([#10328](https://github.com/traefik/traefik/pull/10328) by [mmatur](https://github.com/mmatur))
+- Merge current v2.10 into v3.0 ([#10272](https://github.com/traefik/traefik/pull/10272) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.10 into v3.0 ([#10164](https://github.com/traefik/traefik/pull/10164) by [mmatur](https://github.com/mmatur))
+- Merge current v2.10 into v3.0 ([#10038](https://github.com/traefik/traefik/pull/10038) by [mmatur](https://github.com/mmatur))
+- Merge branch v2.10 into v3.0 ([#9977](https://github.com/traefik/traefik/pull/9977) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9931](https://github.com/traefik/traefik/pull/9931) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9896](https://github.com/traefik/traefik/pull/9896) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9867](https://github.com/traefik/traefik/pull/9867) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9850](https://github.com/traefik/traefik/pull/9850) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9845](https://github.com/traefik/traefik/pull/9845) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9803](https://github.com/traefik/traefik/pull/9803) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9793](https://github.com/traefik/traefik/pull/9793) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into v3.0 ([#9722](https://github.com/traefik/traefik/pull/9722) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.9 into v3.0 ([#9650](https://github.com/traefik/traefik/pull/9650) by [tomMoulard](https://github.com/tomMoulard))
+- Merge branch v2.9 into v3.0 ([#9632](https://github.com/traefik/traefik/pull/9632) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.9 into master ([#9576](https://github.com/traefik/traefik/pull/9576) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.9 into master ([#9554](https://github.com/traefik/traefik/pull/9554) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9536](https://github.com/traefik/traefik/pull/9536) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9532](https://github.com/traefik/traefik/pull/9532) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9482](https://github.com/traefik/traefik/pull/9482) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9464](https://github.com/traefik/traefik/pull/9464) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9449](https://github.com/traefik/traefik/pull/9449) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9419](https://github.com/traefik/traefik/pull/9419) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9351](https://github.com/traefik/traefik/pull/9351) by [rtribotte](https://github.com/rtribotte))
+
+## [v3.0.0-rc5](https://github.com/traefik/traefik/tree/v3.0.0-rc4) (2024-04-11)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-rc4...v3.0.0-rc5)
+
+**Misc:**
+- Merge current v2.11 into v3.0 ([#10604](https://github.com/traefik/traefik/pull/10604) by [ldez](https://github.com/ldez))
+
 ## [v2.11.2](https://github.com/traefik/traefik/tree/v2.11.2) (2024-04-11)
 [All Commits](https://github.com/traefik/traefik/compare/v2.11.1...v2.11.2)
 
@@ -21,6 +223,32 @@
 - **[server]** Revert LingeringTimeout and change default value for ReadTimeout ([#10599](https://github.com/traefik/traefik/pull/10599) by [kevinpollet](https://github.com/kevinpollet))
 - **[server]** Set default ReadTimeout value to 60s ([#10602](https://github.com/traefik/traefik/pull/10602) by [rtribotte](https://github.com/rtribotte))
 
+## [v3.0.0-rc4](https://github.com/traefik/traefik/tree/v3.0.0-rc4) (2024-04-10)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-rc3...v3.0.0-rc4)
+
+**Enhancements:**
+- **[k8s/gatewayapi]** Add option to set Gateway status address ([#10582](https://github.com/traefik/traefik/pull/10582) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/gatewayapi]** Handle middlewares in filters extension reference ([#10511](https://github.com/traefik/traefik/pull/10511) by [youkoulayley](https://github.com/youkoulayley))
+- **[k8s/gatewayapi]** Toggle support for experimental channel ([#10435](https://github.com/traefik/traefik/pull/10435) by [SantoDE](https://github.com/SantoDE))
+- **[k8s/ingress,k8s/crd,k8s,k8s/gatewayapi]** Use runtime.Object in routerTransform ([#10523](https://github.com/traefik/traefik/pull/10523) by [juliens](https://github.com/juliens))
+- **[nomad]** Allow empty services ([#10375](https://github.com/traefik/traefik/pull/10375) by [chrispruitt](https://github.com/chrispruitt))
+- **[webui,middleware,k8s/gatewayapi]** Support RequestHeaderModifier filter ([#10521](https://github.com/traefik/traefik/pull/10521) by [rtribotte](https://github.com/rtribotte))
+
+**Bug fixes:**
+- **[docker]** Fix struct names in comment ([#10503](https://github.com/traefik/traefik/pull/10503) by [hishope](https://github.com/hishope))
+- **[logs]** Avoid cumulative send anonymous usage log ([#10579](https://github.com/traefik/traefik/pull/10579) by [mmatur](https://github.com/mmatur))
+- **[rules]** Support regexp in path/pathprefix in matcher v2 ([#10546](https://github.com/traefik/traefik/pull/10546) by [youkoulayley](https://github.com/youkoulayley))
+- **[webui]** Add missing Docker Swarm logo ([#10529](https://github.com/traefik/traefik/pull/10529) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Fix typo and improve explanation on internal resources ([#10563](https://github.com/traefik/traefik/pull/10563) by [mloiseleur](https://github.com/mloiseleur))
+- Fix typo in dialer_test.go ([#10552](https://github.com/traefik/traefik/pull/10552) by [eltociear](https://github.com/eltociear))
+
+**Misc:**
+- Merge branch v2.11 into v3.0 ([#10587](https://github.com/traefik/traefik/pull/10587) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.11 into v3.0 ([#10566](https://github.com/traefik/traefik/pull/10566) by [mmatur](https://github.com/mmatur))
+- Merge current v2.11 into v3.0 ([#10564](https://github.com/traefik/traefik/pull/10564) by [ldez](https://github.com/ldez))
+
 ## [v2.11.1](https://github.com/traefik/traefik/tree/v2.11.1) (2024-04-10)
 [All Commits](https://github.com/traefik/traefik/compare/v2.11.0...v2.11.1)
 
@@ -64,6 +292,78 @@
 **Misc:**
 - **[webui]** Modify the Hub Button ([#10583](https://github.com/traefik/traefik/pull/10583) by [mdeliatf](https://github.com/mdeliatf))
 
+## [v3.0.0-rc3](https://github.com/traefik/traefik/tree/v3.0.0-rc3) (2024-03-13)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-rc2...v3.0.0-rc3)
+
+**Misc:**
+- Merge branch v2.11 into v3.0 ([#10519](https://github.com/traefik/traefik/pull/10519) by [rtribotte](https://github.com/rtribotte))
+
+## [v3.0.0-rc2](https://github.com/traefik/traefik/tree/v3.0.0-rc2) (2024-03-12)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-rc1...v3.0.0-rc2)
+
+**Enhancements:**
+- **[consul]** ConsulCatalog StrictChecks ([#10388](https://github.com/traefik/traefik/pull/10388) by [djenriquez](https://github.com/djenriquez))
+- **[metrics,tracing]** Upgrade opentelemetry dependencies ([#10472](https://github.com/traefik/traefik/pull/10472) by [mmatur](https://github.com/mmatur))
+- **[middleware,authentication,tracing]** Add captured headers options for tracing ([#10457](https://github.com/traefik/traefik/pull/10457) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,metrics]** Semconv OTLP stable HTTP metrics ([#10421](https://github.com/traefik/traefik/pull/10421) by [mmatur](https://github.com/mmatur))
+- **[plugins]** Upgrade http-wasm host to v0.6.0 to support clients using v0.4.0 ([#10475](https://github.com/traefik/traefik/pull/10475) by [jcchavezs](https://github.com/jcchavezs))
+- **[tracing]** Support OTEL_PROPAGATORS to configure tracing propagation ([#10465](https://github.com/traefik/traefik/pull/10465) by [youkoulayley](https://github.com/youkoulayley))
+
+**Bug fixes:**
+- Fix a regression on flags using spaces between key and value ([#10445](https://github.com/traefik/traefik/pull/10445) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[k8s,k8s/gatewayapi]** Add ReferenceGrants to Gateway API Traefik controller RBAC ([#10462](https://github.com/traefik/traefik/pull/10462) by [rtribotte](https://github.com/rtribotte))
+- **[k8s]** Fix invalid version in docs about Gateway API on Traefik v3 ([#10474](https://github.com/traefik/traefik/pull/10474) by [mloiseleur](https://github.com/mloiseleur))
+- **[rules]** Improve ruleSyntax option documentation ([#10441](https://github.com/traefik/traefik/pull/10441) by [rtribotte](https://github.com/rtribotte))
+- Fix typo in migration docs ([#10478](https://github.com/traefik/traefik/pull/10478) by [Eisberge](https://github.com/Eisberge))
+
+**Misc:**
+- Merge v2.11 into v3.0 ([#10513](https://github.com/traefik/traefik/pull/10513) by [mmatur](https://github.com/mmatur))
+
+## [v3.0.0-rc1](https://github.com/traefik/traefik/tree/v3.0.0-rc1) (2024-02-13)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-beta5...v3.0.0-rc1)
+
+**Enhancements:**
+- **[docker,service]** Adds weight on ServersLoadBalancer ([#10372](https://github.com/traefik/traefik/pull/10372) by [juliens](https://github.com/juliens))
+- **[file]** Reload provider file configuration on SIGHUP ([#9993](https://github.com/traefik/traefik/pull/9993) by [sokoide](https://github.com/sokoide))
+- **[k8s,k8s/gatewayapi]** Upgrade gateway api to v1.0.0 ([#10205](https://github.com/traefik/traefik/pull/10205) by [mmatur](https://github.com/mmatur))
+- **[k8s,k8s/gatewayapi]** Support for cross-namespace references / GatewayAPI ReferenceGrants ([#10346](https://github.com/traefik/traefik/pull/10346) by [pascal-hofmann](https://github.com/pascal-hofmann))
+- **[logs]** Introduce static config hints ([#10351](https://github.com/traefik/traefik/pull/10351) by [rtribotte](https://github.com/rtribotte))
+- **[metrics,tracing,accesslogs]** Remove observability for internal resources ([#9633](https://github.com/traefik/traefik/pull/9633) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Add support for sending DogStatsD metrics over Unix Socket ([#10199](https://github.com/traefik/traefik/pull/10199) by [liamvdv](https://github.com/liamvdv))
+- **[middleware,authentication]** Add forwardAuth.addAuthCookiesToResponse ([#8924](https://github.com/traefik/traefik/pull/8924) by [tgunsch](https://github.com/tgunsch))
+- **[middleware]** Implements the includedContentTypes option for the compress middleware ([#10207](https://github.com/traefik/traefik/pull/10207) by [rjsocha](https://github.com/rjsocha))
+- **[middleware]** Feat re introduce IpWhitelist middleware as deprecated ([#10341](https://github.com/traefik/traefik/pull/10341) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Add ResponseCode to CircuitBreaker ([#10147](https://github.com/traefik/traefik/pull/10147) by [fahhem](https://github.com/fahhem))
+- **[middleware]** Add `rejectStatusCode` option to `IPAllowList` middleware ([#10130](https://github.com/traefik/traefik/pull/10130) by [jfly](https://github.com/jfly))
+- **[plugins]** Add http-wasm plugin support to Traefik ([#10189](https://github.com/traefik/traefik/pull/10189) by [zetaab](https://github.com/zetaab))
+- **[rules]** Bring back v2 rule matchers ([#10339](https://github.com/traefik/traefik/pull/10339) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Add SO_REUSEPORT support for EntryPoints ([#9834](https://github.com/traefik/traefik/pull/9834) by [aofei](https://github.com/aofei))
+- **[sticky-session]** Support setting sticky cookie max age  ([#10176](https://github.com/traefik/traefik/pull/10176) by [Patrick0308](https://github.com/Patrick0308))
+- **[tracing,otel]** Migrate to opentelemetry ([#10223](https://github.com/traefik/traefik/pull/10223) by [zetaab](https://github.com/zetaab))
+- Reintroduce dropped v2 dynamic config ([#10355](https://github.com/traefik/traefik/pull/10355) by [rtribotte](https://github.com/rtribotte))
+
+**Bug fixes:**
+- **[k8s/crd,k8s]** Delete warning in Kubernetes CRD provider about the supported version ([#10414](https://github.com/traefik/traefik/pull/10414) by [nmengin](https://github.com/nmengin))
+- **[metrics]** Fix OpenTelemetry unit tests ([#10380](https://github.com/traefik/traefik/pull/10380) by [mmatur](https://github.com/mmatur))
+- **[middleware,authentication,metrics,tracing]** Align OpenTelemetry tracing and metrics configurations ([#10404](https://github.com/traefik/traefik/pull/10404) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Fix brotli response status code when compression is disabled ([#10396](https://github.com/traefik/traefik/pull/10396) by [rtribotte](https://github.com/rtribotte))
+- **[tls,server]** Compute priority for https forwarder TLS routes ([#10288](https://github.com/traefik/traefik/pull/10288) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- Update version comment in quick-start.md ([#10383](https://github.com/traefik/traefik/pull/10383) by [matthieuwerner](https://github.com/matthieuwerner))
+- Improve migration guide ([#10319](https://github.com/traefik/traefik/pull/10319) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- **[k8s/crd,k8s]** Support file path as input param for Kubernetes token value ([#10232](https://github.com/traefik/traefik/pull/10232) by [sssash18](https://github.com/sssash18))
+- **[middleware]** Disable br compression when no Accept-Encoding header is present ([#10178](https://github.com/traefik/traefik/pull/10178) by [robin-moser](https://github.com/robin-moser))
+- Merge current v2.11 into v3.0 ([#10382](https://github.com/traefik/traefik/pull/10382) by [mmatur](https://github.com/mmatur))
+- Merge back v2.11 into v3.0 ([#10377](https://github.com/traefik/traefik/pull/10377) by [mmatur](https://github.com/mmatur))
+- Merge back v2.11 into v3.0 ([#10353](https://github.com/traefik/traefik/pull/10353) by [youkoulayley](https://github.com/youkoulayley))
+- Merge current v2.11 into v3.0 ([#10328](https://github.com/traefik/traefik/pull/10328) by [mmatur](https://github.com/mmatur))
+- Merge v2.11 into v3.0 ([#10417](https://github.com/traefik/traefik/pull/10417) by [mmatur](https://github.com/mmatur))
+
 ## [v2.11.0](https://github.com/traefik/traefik/tree/v2.11.0) (2024-02-12)
 [All Commits](https://github.com/traefik/traefik/compare/v2.11.0-rc1...v2.11.0)
 
@@ -137,6 +437,15 @@
 **Bug fixes:**
 - **[logs]** Fixed datadog logs json format issue ([#10233](https://github.com/traefik/traefik/pull/10233) by [sssash18](https://github.com/sssash18))
 
+## [v3.0.0-beta5](https://github.com/traefik/traefik/tree/v3.0.0-beta5) (2023-11-29)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-beta4...v3.0.0-beta5)
+
+**Enhancements:**
+- **[metrics]** Upgrade OpenTelemetry dependencies ([#10181](https://github.com/traefik/traefik/pull/10181) by [mmatur](https://github.com/mmatur))
+
+**Misc:**
+- Merge current v2.10 into v3.0 ([#10272](https://github.com/traefik/traefik/pull/10272) by [rtribotte](https://github.com/rtribotte))
+
 ## [v2.10.6](https://github.com/traefik/traefik/tree/v2.10.6) (2023-11-28)
 [All Commits](https://github.com/traefik/traefik/compare/v2.10.5...v2.10.6)
 
@@ -157,6 +466,24 @@
 - **[middleware]** Improve ErrorPages examples ([#10209](https://github.com/traefik/traefik/pull/10209) by [arendhummeling](https://github.com/arendhummeling))
 - Add @lbenguigui to maintainers ([#10222](https://github.com/traefik/traefik/pull/10222) by [kevinpollet](https://github.com/kevinpollet))
 
+## [v3.0.0-beta4](https://github.com/traefik/traefik/tree/v3.0.0-beta4) (2023-10-11)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-beta3...v3.0.0-beta4)
+
+**Bug fixes:**
+- **[consul,tls]** Enable TLS for Consul Connect TCP services ([#10140](https://github.com/traefik/traefik/pull/10140) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Allow short healthcheck interval with long timeout ([#9832](https://github.com/traefik/traefik/pull/9832) by [kevinmcconnell](https://github.com/kevinmcconnell))
+- **[middleware]** Fix GrpcWeb middleware to clear ContentLength after translating to normal gRPC message ([#9782](https://github.com/traefik/traefik/pull/9782) by [CleverUnderDog](https://github.com/CleverUnderDog))
+- **[sticky-session,server]** Set sameSite field for wrr load balancer sticky cookie ([#10066](https://github.com/traefik/traefik/pull/10066) by [sunyakun](https://github.com/sunyakun))
+
+**Documentation:**
+- **[docker/swarm]** Fix minor typo in swarm example ([#10071](https://github.com/traefik/traefik/pull/10071) by [kaznovac](https://github.com/kaznovac))
+- **[docker/swarm]** Remove documentation of old swarm options ([#10001](https://github.com/traefik/traefik/pull/10001) by [ldez](https://github.com/ldez))
+- Fix bad anchor on documentation ([#10041](https://github.com/traefik/traefik/pull/10041) by [mmatur](https://github.com/mmatur))
+- Fix migration guide heading ([#9989](https://github.com/traefik/traefik/pull/9989) by [ldez](https://github.com/ldez))
+
+**Misc:**
+- Merge current v2.10 into v3.0 ([#10038](https://github.com/traefik/traefik/pull/10038) by [mmatur](https://github.com/mmatur))
+
 ## [v2.10.5](https://github.com/traefik/traefik/tree/v2.10.5) (2023-10-11)
 [All Commits](https://github.com/traefik/traefik/compare/v2.10.4...v2.10.5)
 
@@ -202,6 +529,52 @@
 **Misc:**
 - **[webui]** Updates the Hub tooltip content using a web component and adds an option to disable Hub button ([#10008](https://github.com/traefik/traefik/pull/10008) by [mdeliatf](https://github.com/mdeliatf))
 
+## [v3.0.0-beta3](https://github.com/traefik/traefik/tree/v3.0.0-beta3) (2023-06-21)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-beta2...v3.0.0-beta3)
+
+**Enhancements:**
+- **[docker,docker/swarm]** Split Docker provider ([#9652](https://github.com/traefik/traefik/pull/9652) by [ldez](https://github.com/ldez))
+- **[k8s,hub]** Remove deprecated code ([#9804](https://github.com/traefik/traefik/pull/9804) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/gatewayapi]** Support HostSNIRegexp in GatewayAPI TLS routes ([#9486](https://github.com/traefik/traefik/pull/9486) by [ddtmachado](https://github.com/ddtmachado))
+- **[k8s/gatewayapi]** Add support for HTTPRequestRedirectFilter in k8s Gateway API ([#9408](https://github.com/traefik/traefik/pull/9408) by [romantomjak](https://github.com/romantomjak))
+- **[k8s/ingress,k8s]** Remove support of the networking.k8s.io/v1beta1 APIVersion ([#9949](https://github.com/traefik/traefik/pull/9949) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress,k8s]** Add option to the Ingress provider to disable IngressClass lookup ([#9281](https://github.com/traefik/traefik/pull/9281) by [jandillenkofer](https://github.com/jandillenkofer))
+- **[marathon]** Remove Marathon provider ([#9614](https://github.com/traefik/traefik/pull/9614) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Remove InfluxDB v1 metrics middleware ([#9612](https://github.com/traefik/traefik/pull/9612) by [tomMoulard](https://github.com/tomMoulard))
+- **[rancher]** Remove Rancher v1 provider ([#9613](https://github.com/traefik/traefik/pull/9613) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Remove containous/mux from HTTP muxer ([#9558](https://github.com/traefik/traefik/pull/9558) by [tomMoulard](https://github.com/tomMoulard))
+- **[tls,tcp,service]** Add TCP Servers Transports support ([#9465](https://github.com/traefik/traefik/pull/9465) by [sdelicata](https://github.com/sdelicata))
+- **[webui]** Added router priority to webui's list and detail page ([#9004](https://github.com/traefik/traefik/pull/9004) by [bendre90](https://github.com/bendre90))
+
+**Bug fixes:**
+- **[metrics]** Fix OpenTelemetry metrics ([#9962](https://github.com/traefik/traefik/pull/9962) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Remove config reload failure metrics ([#9660](https://github.com/traefik/traefik/pull/9660) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Fix open connections metric ([#9656](https://github.com/traefik/traefik/pull/9656) by [mpl](https://github.com/mpl))
+- **[metrics]** Fix OpenTelemetry service name ([#9619](https://github.com/traefik/traefik/pull/9619) by [tomMoulard](https://github.com/tomMoulard))
+- **[tcp]** Don't log EOF or timeout errors while peeking first bytes in Postgres StartTLS hook ([#9663](https://github.com/traefik/traefik/pull/9663) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Detect dashboard assets content types ([#9622](https://github.com/traefik/traefik/pull/9622) by [tomMoulard](https://github.com/tomMoulard))
+- **[webui]** fix: detect dashboard content types ([#9594](https://github.com/traefik/traefik/pull/9594) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[k8s]** Improve Kubernetes support documentation ([#9974](https://github.com/traefik/traefik/pull/9974) by [rtribotte](https://github.com/rtribotte))
+- Adjust quick start ([#9790](https://github.com/traefik/traefik/pull/9790) by [svx](https://github.com/svx))
+- Mention PathPrefix matcher changes in V3 Migration Guide ([#9727](https://github.com/traefik/traefik/pull/9727) by [aofei](https://github.com/aofei))
+- Fix yaml indentation in the HTTP3 example ([#9724](https://github.com/traefik/traefik/pull/9724) by [benwaffle](https://github.com/benwaffle))
+- Add OpenTelemetry in observability overview ([#9654](https://github.com/traefik/traefik/pull/9654) by [tomMoulard](https://github.com/tomMoulard))
+
+**Misc:**
+- Merge branch v2.10 into v3.0 ([#9977](https://github.com/traefik/traefik/pull/9977) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9931](https://github.com/traefik/traefik/pull/9931) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9896](https://github.com/traefik/traefik/pull/9896) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9867](https://github.com/traefik/traefik/pull/9867) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9850](https://github.com/traefik/traefik/pull/9850) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9845](https://github.com/traefik/traefik/pull/9845) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9803](https://github.com/traefik/traefik/pull/9803) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9793](https://github.com/traefik/traefik/pull/9793) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into v3.0 ([#9722](https://github.com/traefik/traefik/pull/9722) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.9 into v3.0 ([#9650](https://github.com/traefik/traefik/pull/9650) by [tomMoulard](https://github.com/tomMoulard))
+- Merge branch v2.9 into v3.0 ([#9632](https://github.com/traefik/traefik/pull/9632) by [kevinpollet](https://github.com/kevinpollet))
+
 ## [v2.10.3](https://github.com/traefik/traefik/tree/v2.10.3) (2023-06-17)
 [All Commits](https://github.com/traefik/traefik/compare/v2.10.2...v2.10.3)
 
@@ -364,6 +737,19 @@
 - Update copyright for 2023 ([#9631](https://github.com/traefik/traefik/pull/9631) by [kevinpollet](https://github.com/kevinpollet))
 - Update submitting pull requests to include language about drafts ([#9609](https://github.com/traefik/traefik/pull/9609) by [tfny](https://github.com/tfny))
 
+## [v3.0.0-beta2](https://github.com/traefik/traefik/tree/v3.0.0-beta2) (2022-12-07)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-beta1...v3.0.0-beta2)
+
+**Enhancements:**
+- **[http3]** Moves HTTP/3 outside the experimental section ([#9570](https://github.com/traefik/traefik/pull/9570) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[logs]** Change traefik cmd error log to error level ([#9569](https://github.com/traefik/traefik/pull/9569) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Rework Host and HostRegexp matchers ([#9559](https://github.com/traefik/traefik/pull/9559) by [tomMoulard](https://github.com/tomMoulard))
+
+**Misc:**
+- Merge current v2.9 into master ([#9586](https://github.com/traefik/traefik/pull/9586) by [tomMoulard](https://github.com/tomMoulard))
+
 ## [v2.9.6](https://github.com/traefik/traefik/tree/v2.9.6) (2022-12-07)
 [All Commits](https://github.com/traefik/traefik/compare/v2.9.5...v2.9.6)
 
@@ -383,6 +769,52 @@
 - **[k8s/helm]** Update Helm installation section ([#9564](https://github.com/traefik/traefik/pull/9564) by [mloiseleur](https://github.com/mloiseleur))
 - **[middleware]** Clarify PathPrefix matcher greediness ([#9519](https://github.com/traefik/traefik/pull/9519) by [mpl](https://github.com/mpl))
 
+## [v3.0.0-beta1](https://github.com/traefik/traefik/tree/v3.0.0-beta1) (2022-12-05)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v3.0.0-beta1)
+
+**Enhancements:**
+- **[ecs]** Add option to keep only healthy ECS tasks ([#8027](https://github.com/traefik/traefik/pull/8027) by [Michampt](https://github.com/Michampt))
+- **[healthcheck]** Support gRPC healthcheck ([#8583](https://github.com/traefik/traefik/pull/8583) by [jjacque](https://github.com/jjacque))
+- **[healthcheck]** Add a status option to the service health check ([#9463](https://github.com/traefik/traefik/pull/9463) by [guoard](https://github.com/guoard))
+- **[http]** Support custom headers when fetching configuration through HTTP ([#9421](https://github.com/traefik/traefik/pull/9421) by [kevinpollet](https://github.com/kevinpollet))
+- **[logs,performance]** New logger for the Traefik logs ([#9515](https://github.com/traefik/traefik/pull/9515) by [ldez](https://github.com/ldez))
+- **[logs,plugins]** Retry on plugin API calls ([#9530](https://github.com/traefik/traefik/pull/9530) by [ldez](https://github.com/ldez))
+- **[logs,provider]** Improve provider logs ([#9562](https://github.com/traefik/traefik/pull/9562) by [ldez](https://github.com/ldez))
+- **[logs]** Improve test logger assertions ([#9533](https://github.com/traefik/traefik/pull/9533) by [ldez](https://github.com/ldez))
+- **[metrics]** Support gRPC and gRPC-Web protocol in metrics ([#9483](https://github.com/traefik/traefik/pull/9483) by [longit644](https://github.com/longit644))
+- **[middleware,accesslogs]** Log TLS client subject ([#9285](https://github.com/traefik/traefik/pull/9285) by [xmessi](https://github.com/xmessi))
+- **[middleware,metrics,tracing]** Add OpenTelemetry tracing and metrics support ([#8999](https://github.com/traefik/traefik/pull/8999) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Disable Content-Type auto-detection by default ([#9546](https://github.com/traefik/traefik/pull/9546) by [sdelicata](https://github.com/sdelicata))
+- **[middleware]** Add gRPC-Web middleware ([#9451](https://github.com/traefik/traefik/pull/9451) by [juliens](https://github.com/juliens))
+- **[middleware]** Add support for Brotli ([#9387](https://github.com/traefik/traefik/pull/9387) by [glinton](https://github.com/glinton))
+- **[middleware]** Renaming IPWhiteList to IPAllowList  ([#9457](https://github.com/traefik/traefik/pull/9457) by [wxmbugu](https://github.com/wxmbugu))
+- **[nomad]** Support multiple namespaces in the Nomad Provider ([#9332](https://github.com/traefik/traefik/pull/9332) by [0teh](https://github.com/0teh))
+- **[rules]** Update routing syntax ([#9531](https://github.com/traefik/traefik/pull/9531) by [skwair](https://github.com/skwair))
+- **[server]** Rework servers load-balancer to use the WRR ([#9431](https://github.com/traefik/traefik/pull/9431) by [juliens](https://github.com/juliens))
+- **[server]** Allow default entrypoints definition ([#9100](https://github.com/traefik/traefik/pull/9100) by [jilleJr](https://github.com/jilleJr))
+- **[tls,service]** Support SPIFFE mTLS between Traefik and Backend servers ([#9394](https://github.com/traefik/traefik/pull/9394) by [jlevesy](https://github.com/jlevesy))
+- **[tls]** Add Tailscale certificate resolver ([#9237](https://github.com/traefik/traefik/pull/9237) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls]** Support SNI routing with Postgres STARTTLS connections ([#9377](https://github.com/traefik/traefik/pull/9377) by [rtribotte](https://github.com/rtribotte))
+- Remove deprecated options ([#9527](https://github.com/traefik/traefik/pull/9527) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[logs]** Fix log level ([#9545](https://github.com/traefik/traefik/pull/9545) by [ldez](https://github.com/ldez))
+- **[metrics]** Fix ServerUp metric ([#9534](https://github.com/traefik/traefik/pull/9534) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls,service]** Enforce default servers transport SPIFFE config ([#9444](https://github.com/traefik/traefik/pull/9444) by [jlevesy](https://github.com/jlevesy))
+
+**Documentation:**
+- **[metrics]** Update and publish official Grafana Dashboard ([#9493](https://github.com/traefik/traefik/pull/9493) by [mloiseleur](https://github.com/mloiseleur))
+
+**Misc:**
+- Merge branch v2.9 into master ([#9554](https://github.com/traefik/traefik/pull/9554) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9536](https://github.com/traefik/traefik/pull/9536) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9532](https://github.com/traefik/traefik/pull/9532) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9482](https://github.com/traefik/traefik/pull/9482) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9464](https://github.com/traefik/traefik/pull/9464) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9449](https://github.com/traefik/traefik/pull/9449) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9419](https://github.com/traefik/traefik/pull/9419) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9351](https://github.com/traefik/traefik/pull/9351) by [rtribotte](https://github.com/rtribotte))
+
 ## [v2.9.5](https://github.com/traefik/traefik/tree/v2.9.5) (2022-11-17)
 [All Commits](https://github.com/traefik/traefik/compare/v2.9.4...v2.9.5)
 

Makefile

@@ -60,9 +60,9 @@ generate:
 binary: generate-webui dist
 	@echo SHA: $(VERSION) $(CODENAME) $(DATE)
 	CGO_ENABLED=0 GOGC=off GOOS=${GOOS} GOARCH=${GOARCH} go build ${FLAGS[*]} -ldflags "-s -w \
-    -X github.com/traefik/traefik/v2/pkg/version.Version=$(VERSION) \
+    -X github.com/traefik/traefik/v3/pkg/version.Version=$(VERSION) \
-    -X github.com/traefik/traefik/v2/pkg/version.Codename=$(CODENAME) \
+    -X github.com/traefik/traefik/v3/pkg/version.Codename=$(CODENAME) \
-    -X github.com/traefik/traefik/v2/pkg/version.BuildDate=$(DATE)" \
+    -X github.com/traefik/traefik/v3/pkg/version.BuildDate=$(DATE)" \
     -installsuffix nocgo -o "./dist/${GOOS}/${GOARCH}/$(BIN_NAME)" ./cmd/traefik
 
 binary-linux-arm64: export GOOS := linux
@@ -100,6 +100,11 @@ test-unit:
 test-integration: binary
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -test.timeout=20m -failfast -v $(TESTFLAGS)
 
+.PHONY: test-gateway-api-conformance
+#? test-gateway-api-conformance: Run the conformance tests
+test-gateway-api-conformance: build-image-dirty
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance $(TESTFLAGS)
+
 .PHONY: pull-images
 #? pull-images: Pull all Docker images to avoid timeout during integration tests
 pull-images:

README.md

@@ -15,7 +15,7 @@
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
 
 Traefik (pronounced _traffic_) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
-Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
+Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher v2](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
 Pointing Traefik at your orchestrator should be the _only_ configuration step you need.
 
 ---
@@ -61,8 +61,8 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
 - Circuit breakers, retry
 - See the magic through its clean web UI
-- Websocket, HTTP/2, GRPC ready
+- Websocket, HTTP/2, gRPC ready
-- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
+- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB 2.X)
 - Keeps access logs (JSON, CLF)
 - Fast
 - Exposes a Rest API
@@ -72,8 +72,6 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 - [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
 - [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
-- [Marathon](https://doc.traefik.io/traefik/providers/marathon/)
-- [Rancher](https://doc.traefik.io/traefik/providers/rancher/) (Metadata)
 - [ECS](https://doc.traefik.io/traefik/providers/ecs/)
 - [File](https://doc.traefik.io/traefik/providers/file/)
 

cmd/configuration.go

@@ -4,7 +4,7 @@ import (
 	"time"
 
 	ptypes "github.com/traefik/paerser/types"
-	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/config/static"
 )
 
 // TraefikCmdConfiguration wraps the static configuration and extra parameters.
@@ -28,6 +28,10 @@ func NewTraefikConfiguration() *TraefikCmdConfiguration {
 			ServersTransport: &static.ServersTransport{
 				MaxIdleConnsPerHost: 200,
 			},
+			TCPServersTransport: &static.TCPServersTransport{
+				DialTimeout:   ptypes.Duration(30 * time.Second),
+				DialKeepAlive: ptypes.Duration(15 * time.Second),
+			},
 		},
 		ConfigFile: "",
 	}

cmd/healthcheck/healthcheck.go

@@ -8,7 +8,7 @@ import (
 	"time"
 
 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/config/static"
 )
 
 // NewCmd builds a new HealthCheck command.

cmd/internal/gen/main.go

@@ -11,7 +11,7 @@ import (
 	"strings"
 )
 
-const rootPkg = "github.com/traefik/traefik/v2/pkg/config/dynamic"
+const rootPkg = "github.com/traefik/traefik/v3/pkg/config/dynamic"
 
 const (
 	destModuleName = "github.com/traefik/genconf"
@@ -57,8 +57,8 @@ func run(dest string) error {
 	}
 
 	centrifuge.IncludedImports = []string{
-		"github.com/traefik/traefik/v2/pkg/tls",
+		"github.com/traefik/traefik/v3/pkg/tls",
-		"github.com/traefik/traefik/v2/pkg/types",
+		"github.com/traefik/traefik/v3/pkg/types",
 	}
 
 	centrifuge.ExcludedTypes = []string{
@@ -71,8 +71,8 @@ func run(dest string) error {
 	}
 
 	centrifuge.ExcludedFiles = []string{
-		"github.com/traefik/traefik/v2/pkg/types/logs.go",
+		"github.com/traefik/traefik/v3/pkg/types/logs.go",
-		"github.com/traefik/traefik/v2/pkg/types/metrics.go",
+		"github.com/traefik/traefik/v3/pkg/types/metrics.go",
 	}
 
 	centrifuge.TypeCleaner = cleanType
@@ -87,11 +87,11 @@ func run(dest string) error {
 }
 
 func cleanType(typ types.Type, base string) string {
-	if typ.String() == "github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
+	if typ.String() == "github.com/traefik/traefik/v3/pkg/types.FileOrContent" {
 		return "string"
 	}
 
-	if typ.String() == "[]github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
+	if typ.String() == "[]github.com/traefik/traefik/v3/pkg/types.FileOrContent" {
 		return "[]string"
 	}
 
@@ -103,8 +103,8 @@ func cleanType(typ types.Type, base string) string {
 		return strings.ReplaceAll(typ.String(), base+".", "")
 	}
 
-	if strings.Contains(typ.String(), "github.com/traefik/traefik/v2/pkg/") {
+	if strings.Contains(typ.String(), "github.com/traefik/traefik/v3/pkg/") {
-		return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v2/pkg/", "")
+		return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v3/pkg/", "")
 	}
 
 	return typ.String()
@@ -114,9 +114,9 @@ func cleanPackage(src string) string {
 	switch src {
 	case "github.com/traefik/paerser/types":
 		return ""
-	case "github.com/traefik/traefik/v2/pkg/tls":
+	case "github.com/traefik/traefik/v3/pkg/tls":
 		return path.Join(destModuleName, destPkg, "tls")
-	case "github.com/traefik/traefik/v2/pkg/types":
+	case "github.com/traefik/traefik/v3/pkg/types":
 		return path.Join(destModuleName, destPkg, "types")
 	default:
 		return src

cmd/traefik/logger.go

@@ -0,0 +1,89 @@
+package main
+
+import (
+	"io"
+	stdlog "log"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/natefinch/lumberjack"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/sirupsen/logrus"
+	"github.com/traefik/traefik/v3/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/logs"
+)
+
+func init() {
+	// hide the first logs before the setup of the logger.
+	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
+}
+
+func setupLogger(staticConfiguration *static.Configuration) {
+	// configure log format
+	w := getLogWriter(staticConfiguration)
+
+	// configure log level
+	logLevel := getLogLevel(staticConfiguration)
+
+	// create logger
+	logCtx := zerolog.New(w).With().Timestamp()
+	if logLevel <= zerolog.DebugLevel {
+		logCtx = logCtx.Caller()
+	}
+
+	log.Logger = logCtx.Logger().Level(logLevel)
+	zerolog.DefaultContextLogger = &log.Logger
+	zerolog.SetGlobalLevel(logLevel)
+
+	// Global logrus replacement (related to lib like go-rancher-metadata, docker, etc.)
+	logrus.StandardLogger().Out = logs.NoLevel(log.Logger, zerolog.DebugLevel)
+
+	// configure default standard log.
+	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
+	stdlog.SetOutput(logs.NoLevel(log.Logger, zerolog.DebugLevel))
+}
+
+func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
+	var w io.Writer = os.Stderr
+
+	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
+		_, _ = os.Create(staticConfiguration.Log.FilePath)
+		w = &lumberjack.Logger{
+			Filename:   staticConfiguration.Log.FilePath,
+			MaxSize:    staticConfiguration.Log.MaxSize,
+			MaxBackups: staticConfiguration.Log.MaxBackups,
+			MaxAge:     staticConfiguration.Log.MaxAge,
+			Compress:   true,
+		}
+	}
+
+	if staticConfiguration.Log == nil || staticConfiguration.Log.Format != "json" {
+		w = zerolog.ConsoleWriter{
+			Out:        w,
+			TimeFormat: time.RFC3339,
+			NoColor:    staticConfiguration.Log != nil && (staticConfiguration.Log.NoColor || len(staticConfiguration.Log.FilePath) > 0),
+		}
+	}
+
+	return w
+}
+
+func getLogLevel(staticConfiguration *static.Configuration) zerolog.Level {
+	levelStr := "error"
+	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
+		levelStr = strings.ToLower(staticConfiguration.Log.Level)
+	}
+
+	logLevel, err := zerolog.ParseLevel(strings.ToLower(levelStr))
+	if err != nil {
+		log.Error().Err(err).
+			Str("logLevel", levelStr).
+			Msg("Unspecified or invalid log level, setting the level to default (ERROR)...")
+
+		logLevel = zerolog.ErrorLevel
+	}
+
+	return logLevel
+}

cmd/traefik/plugins.go

@@ -3,8 +3,8 @@ package main
 import (
 	"fmt"
 
-	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v2/pkg/plugins"
+	"github.com/traefik/traefik/v3/pkg/plugins"
 )
 
 const outputDir = "./plugins-storage/"

cmd/traefik/traefik.go

@@ -5,11 +5,11 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"io"
 	stdlog "log"
 	"net/http"
 	"os"
 	"os/signal"
-	"path/filepath"
 	"sort"
 	"strings"
 	"syscall"
@@ -18,39 +18,41 @@ import (
 	"github.com/coreos/go-systemd/daemon"
 	"github.com/go-acme/lego/v4/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
+	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
+	"github.com/spiffe/go-spiffe/v2/workloadapi"
 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v2/cmd"
+	"github.com/traefik/traefik/v3/cmd"
-	"github.com/traefik/traefik/v2/cmd/healthcheck"
+	"github.com/traefik/traefik/v3/cmd/healthcheck"
-	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
+	cmdVersion "github.com/traefik/traefik/v3/cmd/version"
-	tcli "github.com/traefik/traefik/v2/pkg/cli"
+	tcli "github.com/traefik/traefik/v3/pkg/cli"
-	"github.com/traefik/traefik/v2/pkg/collector"
+	"github.com/traefik/traefik/v3/pkg/collector"
-	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
-	"github.com/traefik/traefik/v2/pkg/config/runtime"
+	"github.com/traefik/traefik/v3/pkg/config/runtime"
-	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v3/pkg/logs"
-	"github.com/traefik/traefik/v2/pkg/metrics"
+	"github.com/traefik/traefik/v3/pkg/metrics"
-	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
+	"github.com/traefik/traefik/v3/pkg/middlewares/accesslog"
-	"github.com/traefik/traefik/v2/pkg/provider/acme"
+	"github.com/traefik/traefik/v3/pkg/provider/acme"
-	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
+	"github.com/traefik/traefik/v3/pkg/provider/aggregator"
-	"github.com/traefik/traefik/v2/pkg/provider/traefik"
+	"github.com/traefik/traefik/v3/pkg/provider/tailscale"
-	"github.com/traefik/traefik/v2/pkg/safe"
+	"github.com/traefik/traefik/v3/pkg/provider/traefik"
-	"github.com/traefik/traefik/v2/pkg/server"
+	"github.com/traefik/traefik/v3/pkg/safe"
-	"github.com/traefik/traefik/v2/pkg/server/middleware"
+	"github.com/traefik/traefik/v3/pkg/server"
-	"github.com/traefik/traefik/v2/pkg/server/service"
+	"github.com/traefik/traefik/v3/pkg/server/middleware"
-	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v3/pkg/server/service"
-	"github.com/traefik/traefik/v2/pkg/tracing"
+	"github.com/traefik/traefik/v3/pkg/tcp"
-	"github.com/traefik/traefik/v2/pkg/tracing/jaeger"
+	traefiktls "github.com/traefik/traefik/v3/pkg/tls"
-	"github.com/traefik/traefik/v2/pkg/types"
+	"github.com/traefik/traefik/v3/pkg/tracing"
-	"github.com/traefik/traefik/v2/pkg/version"
+	"github.com/traefik/traefik/v3/pkg/types"
-	"github.com/vulcand/oxy/v2/roundrobin"
+	"github.com/traefik/traefik/v3/pkg/version"
 )
 
 func main() {
 	// traefik config inits
 	tConfig := cmd.NewTraefikConfiguration()
 
-	loaders := []cli.ResourceLoader{&tcli.FileLoader{}, &tcli.FlagLoader{}, &tcli.EnvLoader{}}
+	loaders := []cli.ResourceLoader{&tcli.DeprecationLoader{}, &tcli.FileLoader{}, &tcli.FlagLoader{}, &tcli.EnvLoader{}}
 
 	cmdTraefik := &cli.Command{
 		Name: "traefik",
@@ -77,7 +79,7 @@ Complete documentation is available at https://traefik.io`,
 
 	err = cli.Execute(cmdTraefik)
 	if err != nil {
-		stdlog.Println(err)
+		log.Error().Err(err).Msg("Command error")
 		logrus.Exit(1)
 	}
 
@@ -85,27 +87,24 @@ Complete documentation is available at https://traefik.io`,
 }
 
 func runCmd(staticConfiguration *static.Configuration) error {
-	configureLogging(staticConfiguration)
+	setupLogger(staticConfiguration)
 
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
-	if err := roundrobin.SetDefaultWeight(0); err != nil {
-		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
-	}
-
 	staticConfiguration.SetEffectiveConfiguration()
 	if err := staticConfiguration.ValidateConfiguration(); err != nil {
 		return err
 	}
 
-	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
+	log.Info().Str("version", version.Version).
+		Msgf("Traefik version %s built on %s", version.Version, version.BuildDate)
 
 	jsonConf, err := json.Marshal(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not marshal static configuration: %v", err)
+		log.Error().Err(err).Msg("Could not marshal static configuration")
-		log.WithoutContext().Debugf("Static configuration loaded [struct] %#v", staticConfiguration)
+		log.Debug().Interface("staticConfiguration", staticConfiguration).Msg("Static configuration loaded [struct]")
 	} else {
-		log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf))
+		log.Debug().RawJSON("staticConfiguration", jsonConf).Msg("Static configuration loaded [json]")
 	}
 
 	if staticConfiguration.Global.CheckNewVersion {
@@ -130,16 +129,16 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	sent, err := daemon.SdNotify(false, "READY=1")
 	if !sent && err != nil {
-		log.WithoutContext().Errorf("Failed to notify: %v", err)
+		log.Error().Err(err).Msg("Failed to notify")
 	}
 
 	t, err := daemon.SdWatchdogEnabled(false)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not enable Watchdog: %v", err)
+		log.Error().Err(err).Msg("Could not enable Watchdog")
 	} else if t != 0 {
 		// Send a ping each half time given
 		t /= 2
-		log.WithoutContext().Infof("Watchdog activated with timer duration %s", t)
+		log.Info().Msgf("Watchdog activated with timer duration %s", t)
 		safe.Go(func() {
 			tick := time.Tick(t)
 			for range tick {
@@ -150,17 +149,17 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
 					if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
-						log.WithoutContext().Error("Fail to tick watchdog")
+						log.Error().Msg("Fail to tick watchdog")
 					}
 				} else {
-					log.WithoutContext().Error(errHealthCheck)
+					log.Error().Err(errHealthCheck).Send()
 				}
 			}
 		})
 	}
 
 	svr.Wait()
-	log.WithoutContext().Info("Shutting down")
+	log.Info().Msg("Shutting down")
 	return nil
 }
 
@@ -189,9 +188,28 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)
 
+	// Tailscale
+
+	tsProviders := initTailscaleProviders(staticConfiguration, &providerAggregator)
+
+	// Observability
+
+	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
+	var semConvMetricRegistry *metrics.SemConvMetricsRegistry
+	if staticConfiguration.Metrics != nil && staticConfiguration.Metrics.OTLP != nil {
+		semConvMetricRegistry, err = metrics.NewSemConvMetricRegistry(ctx, staticConfiguration.Metrics.OTLP)
+		if err != nil {
+			return nil, fmt.Errorf("unable to create SemConv metric registry: %w", err)
+		}
+	}
+	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
+	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	tracer, tracerCloser := setupTracing(staticConfiguration.Tracing)
+	observabilityMgr := middleware.NewObservabilityMgr(*staticConfiguration, metricsRegistry, semConvMetricRegistry, accessLog, tracer, tracerCloser)
+
 	// Entrypoints
 
-	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver, metricsRegistry)
 	if err != nil {
 		return nil, err
 	}
@@ -201,10 +219,6 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}
 
-	if staticConfiguration.Pilot != nil {
-		log.WithoutContext().Warn("Traefik Pilot has been removed.")
-	}
-
 	if staticConfiguration.API != nil {
 		version.DisableDashboardAd = staticConfiguration.API.DisableDashboardAd
 	}
@@ -213,7 +227,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().WithError(err).Error("Plugins are disabled because an error has occurred.")
+		log.Error().Err(err).Msg("Plugins are disabled because an error has occurred.")
 	}
 
 	// Providers plugins
@@ -234,24 +248,35 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		}
 	}
 
-	// Metrics
-
-	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
-	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
-
 	// Service manager factory
 
-	roundTripperManager := service.NewRoundTripperManager()
+	var spiffeX509Source *workloadapi.X509Source
+	if staticConfiguration.Spiffe != nil && staticConfiguration.Spiffe.WorkloadAPIAddr != "" {
+		log.Info().Str("workloadAPIAddr", staticConfiguration.Spiffe.WorkloadAPIAddr).
+			Msg("Waiting on SPIFFE SVID delivery")
+
+		spiffeX509Source, err = workloadapi.NewX509Source(
+			ctx,
+			workloadapi.WithClientOptions(
+				workloadapi.WithAddr(
+					staticConfiguration.Spiffe.WorkloadAPIAddr,
+				),
+			),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("unable to create SPIFFE x509 source: %w", err)
+		}
+		log.Info().Msg("Successfully obtained SPIFFE SVID.")
+	}
+
+	roundTripperManager := service.NewRoundTripperManager(spiffeX509Source)
+	dialerManager := tcp.NewDialerManager(spiffeX509Source)
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
-	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, roundTripperManager, acmeHTTPHandler)
 
 	// Router factory
 
-	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, observabilityMgr, pluginBuilder, dialerManager)
-	tracer := setupTracing(staticConfiguration.Tracing)
-
-	chainBuilder := middleware.NewChainBuilder(metricsRegistry, accessLog, tracer)
-	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry)
 
 	// Watcher
 
@@ -282,6 +307,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// Server Transports
 	watcher.AddListener(func(conf dynamic.Configuration) {
 		roundTripperManager.Update(conf.HTTP.ServersTransports)
+		dialerManager.Update(conf.TCP.ServersTransports)
 	})
 
 	// Switch router
@@ -301,13 +327,22 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// TLS challenge
 	watcher.AddListener(tlsChallengeProvider.ListenConfiguration)
 
-	// ACME
+	// Certificate Resolvers
+
 	resolverNames := map[string]struct{}{}
+
+	// ACME
 	for _, p := range acmeProviders {
 		resolverNames[p.ResolverName] = struct{}{}
 		watcher.AddListener(p.ListenConfiguration)
 	}
 
+	// Tailscale
+	for _, p := range tsProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		watcher.AddListener(p.HandleConfigUpdate)
+	}
+
 	// Certificate resolver logs
 	watcher.AddListener(func(config dynamic.Configuration) {
 		for rtName, rt := range config.HTTP.Routers {
@@ -316,12 +351,13 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 			}
 
 			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
-				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+				log.Error().Err(err).Str(logs.RouterName, rtName).Str("certificateResolver", rt.TLS.CertResolver).
+					Msg("Router uses a non-existent certificate resolver")
 			}
 		}
 	})
 
-	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog), nil
+	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, observabilityMgr), nil
 }
 
 func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvider http.Handler) http.Handler {
@@ -337,11 +373,27 @@ func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvid
 
 func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
 	var defaultEntryPoints []string
+
+	// Determines if at least one EntryPoint is configured to be used by default.
+	var hasDefinedDefaults bool
+	for _, ep := range staticConfiguration.EntryPoints {
+		if ep.AsDefault {
+			hasDefinedDefaults = true
+			break
+		}
+	}
+
 	for name, cfg := range staticConfiguration.EntryPoints {
+		// By default all entrypoints are considered.
+		// If at least one is flagged, then only flagged entrypoints are included.
+		if hasDefinedDefaults && !cfg.AsDefault {
+			continue
+		}
+
 		protocol, err := cfg.GetProtocol()
 		if err != nil {
 			// Should never happen because Traefik should not start if protocol is invalid.
-			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+			log.Error().Err(err).Msg("Invalid protocol")
 		}
 
 		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
@@ -364,7 +416,7 @@ func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP serv
 	}
 }
 
-// initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
+// initACMEProvider creates and registers acme.Provider instances corresponding to the configured ACME certificate resolvers.
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}
 
@@ -387,7 +439,7 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 		}
 
 		if err := providerAggregator.AddProvider(p); err != nil {
-			log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
+			log.Error().Err(err).Str("resolver", name).Msg("The ACME resolve is skipped from the resolvers list")
 			continue
 		}
 
@@ -401,6 +453,27 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 	return resolvers
 }
 
+// initTailscaleProviders creates and registers tailscale.Provider instances corresponding to the configured Tailscale certificate resolvers.
+func initTailscaleProviders(cfg *static.Configuration, providerAggregator *aggregator.ProviderAggregator) []*tailscale.Provider {
+	var providers []*tailscale.Provider
+	for name, resolver := range cfg.CertificatesResolvers {
+		if resolver.Tailscale == nil {
+			continue
+		}
+
+		tsProvider := &tailscale.Provider{ResolverName: name}
+
+		if err := providerAggregator.AddProvider(tsProvider); err != nil {
+			log.Error().Err(err).Str(logs.ProviderName, name).Msg("Unable to create Tailscale provider")
+			continue
+		}
+
+		providers = append(providers, tsProvider)
+	}
+
+	return providers
+}
+
 func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
 		return nil
@@ -409,42 +482,59 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	var registries []metrics.Registry
 
 	if metricsConfig.Prometheus != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
+		logger := log.With().Str(logs.MetricsProviderName, "prometheus").Logger()
-		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
+
+		prometheusRegister := metrics.RegisterPrometheus(logger.WithContext(context.Background()), metricsConfig.Prometheus)
 		if prometheusRegister != nil {
 			registries = append(registries, prometheusRegister)
-			log.FromContext(ctx).Debug("Configured Prometheus metrics")
+			logger.Debug().Msg("Configured Prometheus metrics")
 		}
 	}
 
 	if metricsConfig.Datadog != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
+		logger := log.With().Str(logs.MetricsProviderName, "datadog").Logger()
-		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
+
-		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
+		registries = append(registries, metrics.RegisterDatadog(logger.WithContext(context.Background()), metricsConfig.Datadog))
-			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
+		logger.Debug().
+			Str("address", metricsConfig.Datadog.Address).
+			Str("pushInterval", metricsConfig.Datadog.PushInterval.String()).
+			Msgf("Configured Datadog metrics")
 	}
 
 	if metricsConfig.StatsD != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
+		logger := log.With().Str(logs.MetricsProviderName, "statsd").Logger()
-		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
-		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
-			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
-	}
 
-	if metricsConfig.InfluxDB != nil {
+		registries = append(registries, metrics.RegisterStatsd(logger.WithContext(context.Background()), metricsConfig.StatsD))
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
+		logger.Debug().
-		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
+			Str("address", metricsConfig.StatsD.Address).
-		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
+			Str("pushInterval", metricsConfig.StatsD.PushInterval.String()).
-			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
+			Msg("Configured StatsD metrics")
 	}
 
 	if metricsConfig.InfluxDB2 != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb2"))
+		logger := log.With().Str(logs.MetricsProviderName, "influxdb2").Logger()
-		influxDB2Register := metrics.RegisterInfluxDB2(ctx, metricsConfig.InfluxDB2)
+
+		influxDB2Register := metrics.RegisterInfluxDB2(logger.WithContext(context.Background()), metricsConfig.InfluxDB2)
 		if influxDB2Register != nil {
 			registries = append(registries, influxDB2Register)
-			log.FromContext(ctx).Debugf("Configured InfluxDB v2 metrics: pushing to %s (%s org/%s bucket) once every %s",
+			logger.Debug().
-				metricsConfig.InfluxDB2.Address, metricsConfig.InfluxDB2.Org, metricsConfig.InfluxDB2.Bucket, metricsConfig.InfluxDB2.PushInterval)
+				Str("address", metricsConfig.InfluxDB2.Address).
+				Str("bucket", metricsConfig.InfluxDB2.Bucket).
+				Str("organization", metricsConfig.InfluxDB2.Org).
+				Str("pushInterval", metricsConfig.InfluxDB2.PushInterval.String()).
+				Msg("Configured InfluxDB v2 metrics")
+		}
+	}
+
+	if metricsConfig.OTLP != nil {
+		logger := log.With().Str(logs.MetricsProviderName, "openTelemetry").Logger()
+
+		openTelemetryRegistry := metrics.RegisterOpenTelemetry(logger.WithContext(context.Background()), metricsConfig.OTLP)
+		if openTelemetryRegistry != nil {
+			registries = append(registries, openTelemetryRegistry)
+			logger.Debug().
+				Str("pushInterval", metricsConfig.OTLP.PushInterval.String()).
+				Msg("Configured OpenTelemetry metrics")
 		}
 	}
 
@@ -472,130 +562,25 @@ func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
 
 	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
 	if err != nil {
-		log.WithoutContext().Warnf("Unable to create access logger: %v", err)
+		log.Warn().Err(err).Msg("Unable to create access logger")
 		return nil
 	}
 
 	return accessLoggerMiddleware
 }
 
-func setupTracing(conf *static.Tracing) *tracing.Tracing {
+func setupTracing(conf *static.Tracing) (*tracing.Tracer, io.Closer) {
 	if conf == nil {
-		return nil
+		return nil, nil
 	}
 
-	var backend tracing.Backend
+	tracer, closer, err := tracing.NewTracing(conf)
-
-	if conf.Jaeger != nil {
-		backend = conf.Jaeger
-	}
-
-	if conf.Zipkin != nil {
-		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Zipkin backend.")
-		} else {
-			backend = conf.Zipkin
-		}
-	}
-
-	if conf.Datadog != nil {
-		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Datadog backend.")
-		} else {
-			backend = conf.Datadog
-		}
-	}
-
-	if conf.Instana != nil {
-		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Instana backend.")
-		} else {
-			backend = conf.Instana
-		}
-	}
-
-	if conf.Haystack != nil {
-		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Haystack backend.")
-		} else {
-			backend = conf.Haystack
-		}
-	}
-
-	if conf.Elastic != nil {
-		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Elastic backend.")
-		} else {
-			backend = conf.Elastic
-		}
-	}
-
-	if backend == nil {
-		log.WithoutContext().Debug("Could not initialize tracing, using Jaeger by default")
-		defaultBackend := &jaeger.Config{}
-		defaultBackend.SetDefaults()
-		backend = defaultBackend
-	}
-
-	tracer, err := tracing.NewTracing(conf.ServiceName, conf.SpanNameLimit, backend)
 	if err != nil {
-		log.WithoutContext().Warnf("Unable to create tracer: %v", err)
+		log.Warn().Err(err).Msg("Unable to create tracer")
-		return nil
+		return nil, nil
-	}
-	return tracer
-}
-
-func configureLogging(staticConfiguration *static.Configuration) {
-	// configure default log flags
-	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
-
-	// configure log level
-	// an explicitly defined log level always has precedence. if none is
-	// given and debug mode is disabled, the default is ERROR, and DEBUG
-	// otherwise.
-	levelStr := "error"
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
-		levelStr = strings.ToLower(staticConfiguration.Log.Level)
 	}
 
-	level, err := logrus.ParseLevel(levelStr)
+	return tracer, closer
-	if err != nil {
-		log.WithoutContext().Errorf("Error getting level: %v", err)
-	}
-	log.SetLevel(level)
-
-	var logFile string
-	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
-		logFile = staticConfiguration.Log.FilePath
-	}
-
-	// configure log format
-	var formatter logrus.Formatter
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Format == "json" {
-		formatter = &logrus.JSONFormatter{}
-	} else {
-		disableColors := len(logFile) > 0
-		formatter = &logrus.TextFormatter{DisableColors: disableColors, FullTimestamp: true, DisableSorting: true}
-	}
-	log.SetFormatter(formatter)
-
-	if len(logFile) > 0 {
-		dir := filepath.Dir(logFile)
-
-		if err := os.MkdirAll(dir, 0o755); err != nil {
-			log.WithoutContext().Errorf("Failed to create log path %s: %s", dir, err)
-		}
-
-		err = log.OpenFile(logFile)
-		logrus.RegisterExitHandler(func() {
-			if err := log.CloseFile(); err != nil {
-				log.WithoutContext().Errorf("Error while closing log: %v", err)
-			}
-		})
-		if err != nil {
-			log.WithoutContext().Errorf("Error while opening log file %s: %v", logFile, err)
-		}
-	}
 }
 
 func checkNewVersion() {
@@ -608,16 +593,16 @@ func checkNewVersion() {
 }
 
 func stats(staticConfiguration *static.Configuration) {
-	logger := log.WithoutContext()
+	logger := log.With().Logger()
 
 	if staticConfiguration.Global.SendAnonymousUsage {
-		logger.Info(`Stats collection is enabled.`)
+		logger.Info().Msg(`Stats collection is enabled.`)
-		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
+		logger.Info().Msg(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
-		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
+		logger.Info().Msg(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
+		logger.Info().Msg(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
-		logger.Info(`
+		logger.Info().Msg(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
 More details on: https://doc.traefik.io/traefik/contributing/data-collection/
@@ -630,7 +615,7 @@ func collect(staticConfiguration *static.Configuration) {
 	safe.Go(func() {
 		for time.Sleep(10 * time.Minute); ; <-ticker {
 			if err := collector.Collect(staticConfiguration); err != nil {
-				log.WithoutContext().Debug(err)
+				log.Debug().Err(err).Send()
 			}
 		}
 	})

cmd/traefik/traefik_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/go-kit/kit/metrics"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/traefik/traefik/v3/pkg/config/static"
 )
 
 // FooCert is a PEM-encoded TLS cert.
@@ -113,3 +114,73 @@ func TestAppendCertMetric(t *testing.T) {
 		})
 	}
 }
+
+func TestGetDefaultsEntrypoints(t *testing.T) {
+	testCases := []struct {
+		desc        string
+		entrypoints static.EntryPoints
+		expected    []string
+	}{
+		{
+			desc: "Skips special names",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"traefik": {
+					Address: ":8080",
+				},
+			},
+			expected: []string{"web"},
+		},
+		{
+			desc: "Two EntryPoints not attachable",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address: ":443",
+				},
+			},
+			expected: []string{"web", "websecure"},
+		},
+		{
+			desc: "Two EntryPoints only one attachable",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address:   ":443",
+					AsDefault: true,
+				},
+			},
+			expected: []string{"websecure"},
+		},
+		{
+			desc: "Two attachable EntryPoints",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address:   ":80",
+					AsDefault: true,
+				},
+				"websecure": {
+					Address:   ":443",
+					AsDefault: true,
+				},
+			},
+			expected: []string{"web", "websecure"},
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			actual := getDefaultsEntrypoints(&static.Configuration{
+				EntryPoints: test.entrypoints,
+			})
+
+			assert.ElementsMatch(t, test.expected, actual)
+		})
+	}
+}

cmd/version/version.go

@@ -8,7 +8,7 @@ import (
 	"text/template"
 
 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v2/pkg/version"
+	"github.com/traefik/traefik/v3/pkg/version"
 )
 
 var versionTemplate = `Version:      {{.Version}}

docs/content/contributing/data-collection.md

@@ -66,7 +66,6 @@ providers:
   docker:
     endpoint: "tcp://10.10.10.10:2375"
     exposedByDefault: true
-    swarmMode: true
 
     tls:
       ca: dockerCA
@@ -86,7 +85,6 @@ providers:
   docker:
     endpoint: "xxxx"
     exposedByDefault: true
-    swarmMode: true
 
     tls:
       ca: xxxx

docs/content/deprecation/features.md

@@ -3,42 +3,24 @@
 This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.
 
 | Feature                                                                                                              | Deprecated | End of Support | Removal |
-|-------------------------------------------------------------------------------------------------------------|------------|----------------|---------|
+|----------------------------------------------------------------------------------------------------------------------|------------|----------------|---------|
-| [Pilot](#pilot)                                                                                             | 2.7        | 2.8            | 2.9     |
+| [Kubernetes CRD Provider API Version `traefik.io/v1alpha1`](#kubernetes-crd-provider-api-version-traefikiov1alpha1)  | 3.0        | N/A            | 4.0     |
-| [Consul Enterprise Namespace](#consul-enterprise-namespace)                                                 | 2.8        | N/A            | 3.0     |
+| [Kubernetes Ingress API Version `networking.k8s.io/v1beta1`](#kubernetes-ingress-api-version-networkingk8siov1beta1) | N/A        | N/A            | 3.0     |
-| [TLS 1.0 and 1.1 Support](#tls-10-and-11)                                                                   | N/A        | 2.8            | N/A     |
+| [CRD API Version `apiextensions.k8s.io/v1beta1`](#kubernetes-ingress-api-version-networkingk8siov1beta1)             | N/A        | N/A            | 3.0     |
-| [Nomad Namespace](#nomad-namespace)                                                                         | 2.10       | N/A            | 3.0     |
-| [Kubernetes CRDs API Group `traefik.containo.us`](#kubernetes-crd-provider-api-group-traefikcontainous)     | 2.10       | N/A            | 3.0     |
-| [Kubernetes CRDs API Version `traefik.io/v1alpha1`](#kubernetes-crd-provider-api-version-traefikiov1alpha1) | 3.0        | N/A            | 4.0     |
 
 ## Impact
 
-### Pilot
-
-Metrics will continue to function normally up to 2.8, when they will be disabled.  
-In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
-
-Starting on 2.7 the pilot token will not be a requirement anymore for plugins.  
-Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from Pilot.
-
-### Consul Enterprise Namespace
-
-Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
-please use the `namespaces` options instead.  
-
-### TLS 1.0 and 1.1
-
-Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.  
-
-### Nomad Namespace
-
-Starting on 2.10 the `namespace` option of the Nomad provider is deprecated,
-please use the `namespaces` options instead.
-
-### Kubernetes CRD Provider API Group `traefik.containo.us`
-
-In v2.10, the Kubernetes CRD provider API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
-
 ### Kubernetes CRD Provider API Version `traefik.io/v1alpha1`
 
-The Kubernetes CRD provider API Version `traefik.io/v1alpha1` will subsequently be deprecated in Traefik v3. The next version will be `traefik.io/v1`.
+The Kubernetes CRD provider API Version `traefik.io/v1alpha1` is deprecated in Traefik v3.
+Please use the API Group `traefik.io/v1` instead.
+
+### Kubernetes Ingress API Version `networking.k8s.io/v1beta1`
+
+The Kubernetes Ingress API Version `networking.k8s.io/v1beta1` support is removed in v3. 
+Please use the API Group `networking.k8s.io/v1` instead.
+
+### Traefik CRD Definitions API Version `apiextensions.k8s.io/v1beta1`
+
+The Traefik CRD definitions API Version `apiextensions.k8s.io/v1beta1` support is removed in v3.
+Please use the API Group `apiextensions.k8s.io/v1` instead.

docs/content/getting-started/configuration-overview.md

@@ -79,7 +79,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:v2.11 --help
+# ex: docker run traefik:v3.0 --help
 ```
 
 Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.

docs/content/getting-started/install-traefik.md

@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:
 
 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
 
-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.11/traefik.sample.yml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.0/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.11/traefik.sample.toml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.0/traefik.sample.toml)
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.11
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.0
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.11`
+    ex: `traefik:v3.0`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
     * Any orchestrator using docker images can fetch the official Traefik docker image.
 
@@ -44,7 +44,7 @@ Traefik can be installed in Kubernetes using the Helm chart from <https://github
 
 Ensure that the following requirements are met:
 
-* Kubernetes 1.16+
+* Kubernetes 1.22+
 * Helm version 3.9+ is [installed](https://helm.sh/docs/intro/install/)
 
 Add Traefik Labs chart repository to Helm:

docs/content/getting-started/quick-start-with-kubernetes.md

@@ -130,7 +130,7 @@ spec:
       serviceAccountName: traefik-account
       containers:
         - name: traefik
-          image: traefik:v2.11
+          image: traefik:v3.0
           args:
             - --api.insecure
             - --providers.kubernetesingress

docs/content/getting-started/quick-start.md

@@ -19,8 +19,8 @@ version: '3'
 
 services:
   reverse-proxy:
-    # The official v2 Traefik docker image
+    # The official v3 Traefik docker image
-    image: traefik:v2.11
+    image: traefik:v3.0
     # Enables the web UI and tells Traefik to listen to docker
     command: --api.insecure=true --providers.docker
     ports:
@@ -71,9 +71,9 @@ Start the `whoami` service with the following command:
 docker-compose up -d whoami
 ```
 
-Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new container and updated its own configuration.
+Browse `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new container and updated its own configuration.
 
-When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_  (Here, you're using curl)
+When Traefik detects new services, it creates the corresponding routes, so you can call them ... _let's see!_  (Here, you're using curl)
 
 ```shell
 curl -H Host:whoami.docker.localhost http://127.0.0.1
@@ -95,7 +95,7 @@ Run more instances of your `whoami` service with the following command:
 docker-compose up -d --scale whoami=2
 ```
 
-Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new instance of the container.
+Browse to `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new instance of the container.
 
 Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:
 
@@ -119,6 +119,6 @@ IP: 172.27.0.4
 
 !!! question "Where to Go Next?"
 
-    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/) and let Traefik work for you!
+    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/ "Link to the docs landing page") and let Traefik work for you!
 
 {!traefik-for-business-applications.md!}

docs/content/https/include-acme-multiple-domains-example.md

@@ -1,5 +1,5 @@
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 ## Dynamic configuration
 labels:
   - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
@@ -43,27 +43,6 @@ spec:
       - '*.example.org'
 ```
 
-```json tab="Marathon"
-labels: {
-  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
-  "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "myresolver",
-  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
-  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
-  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
-}
-```
-
-```yaml tab="Rancher"
-## Dynamic configuration
-labels:
-  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
-  - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=myresolver
-  - traefik.http.routers.blog.tls.domains[0].main=example.org
-  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -1,5 +1,5 @@
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 ## Dynamic configuration
 labels:
   - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
@@ -35,23 +35,6 @@ spec:
     certResolver: myresolver
 ```
 
-```json tab="Marathon"
-labels: {
-  "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
-  "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "myresolver",
-  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
-}
-```
-
-```yaml tab="Rancher"
-## Dynamic configuration
-labels:
-  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
-  - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=myresolver
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:

docs/content/https/include-acme-single-domain-example.md

@@ -1,5 +1,5 @@
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 ## Dynamic configuration
 labels:
   - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
@@ -35,23 +35,6 @@ spec:
     certResolver: myresolver
 ```
 
-```json tab="Marathon"
-labels: {
-  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
-  "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "myresolver",
-  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
-}
-```
-
-```yaml tab="Rancher"
-## Dynamic configuration
-labels:
-  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
-  - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=myresolver
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:

docs/content/https/spiffe.md

@@ -0,0 +1,56 @@
+---
+title: "Traefik SPIFFE Documentation"
+description: "Learn how to configure Traefik to use SPIFFE. Read the technical documentation."
+---
+
+# SPIFFE
+
+Secure the backend connection with SPIFFE.
+{: .subtitle }
+
+[SPIFFE](https://spiffe.io/docs/latest/spiffe-about/overview/) (Secure Production Identity Framework For Everyone), 
+provides a secure identity in the form of a specially crafted X.509 certificate, 
+to every workload in an environment.
+
+Traefik is able to connect to the Workload API to obtain an x509-SVID used to secure the connection with SPIFFE enabled backends.
+
+## Configuration
+
+### General
+
+Enabling SPIFFE is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+It can be defined by using a file (YAML or TOML) or CLI arguments.
+
+### Workload API
+
+The `workloadAPIAddr` configuration defines the address of the SPIFFE [Workload API](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-workload-api).
+
+!!! info "Enabling SPIFFE in ServersTransports"
+
+    Enabling SPIFFE does not imply that backend connections are going to use it automatically.
+    Each [ServersTransport](../routing/services/index.md#serverstransport_1) or [TCPServersTransport](../routing/services/index.md#serverstransport_2),
+	that is meant to be secured with SPIFFE,
+	must explicitly enable it (see [SPIFFE with ServersTransport](../routing/services/index.md#spiffe) or [SPIFFE with TCPServersTransport](../routing/services/index.md#spiffe_1)).
+
+!!! warning "SPIFFE can cause Traefik to stall"
+	When using SPIFFE,
+	Traefik will wait for the first SVID to be delivered before starting.
+	If Traefik is hanging when waiting on SPIFFE SVID delivery,
+	please double check that it is correctly registered as workload in your SPIFFE infrastructure.
+
+```yaml tab="File (YAML)"
+## Static configuration
+spiffe:
+    workloadAPIAddr: localhost
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[spiffe]
+    workloadAPIAddr: localhost
+```
+
+```bash tab="CLI"
+## Static configuration
+--spiffe.workloadAPIAddr=localhost
+```

docs/content/https/tailscale.md

@@ -0,0 +1,207 @@
+---
+title: "Traefik Tailscale Documentation"
+description: "Learn how to configure Traefik Proxy to resolve TLS certificates for your Tailscale services. Read the technical documentation."
+---
+
+# Tailscale
+
+Provision TLS certificates for your internal Tailscale services.
+{: .subtitle }
+
+To protect a service with TLS, a certificate from a public Certificate Authority is needed.
+In addition to its vpn role, Tailscale can also [provide certificates](https://tailscale.com/kb/1153/enabling-https/) for the machines in your Tailscale network.
+
+## Certificate resolvers
+
+To obtain a TLS certificate from the Tailscale daemon,
+a Tailscale certificate resolver needs to be configured as below.
+
+!!! info "Referencing a certificate resolver"
+
+    Defining a certificate resolver does not imply that routers are going to use it automatically.
+    Each router or entrypoint that is meant to use the resolver must explicitly [reference](../routing/routers/index.md#certresolver) it.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+    myresolver:
+        tailscale: {}
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.tailscale]
+```
+
+```bash tab="CLI"
+--certificatesresolvers.myresolver.tailscale=true
+```
+
+## Domain Definition
+
+A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:
+
+- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
+  then the certificate resolver derives this router domain name from the `main` option of `tls.domains`.
+
+- Otherwise, the certificate resolver derives the domain name from any `Host()` or `HostSNI()` matchers
+  in the [router's rule](../routing/routers/index.md#rule).
+
+!!! info "Tailscale Domain Format"
+
+    The domain is only taken into account if it is a Tailscale-specific one,
+    i.e. of the form `machine-name.domains-alias.ts.net`.
+
+## Configuration Example
+
+!!! example "Enabling Tailscale certificate resolution"
+
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+
+      websecure:
+        address: ":443"
+
+    certificatesResolvers:
+      myresolver:
+        tailscale: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+
+    [certificatesResolvers.myresolver.tailscale]
+    ```
+
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
+    # ...
+    --certificatesresolvers.myresolver.tailscale=true
+    ```
+
+!!! example "Domain from Router's Rule Example"
+
+    ```yaml tab="Docker & Swarm"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="Docker (Swarm)"
+    ## Dynamic configuration
+    deploy:
+      labels:
+        - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+        - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.io/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: blogtls
+    spec:
+      entryPoints:
+        - websecure
+      routes:
+        - match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+          kind: Rule
+          services:
+            - name: blog
+              port: 8080
+      tls:
+        certResolver: myresolver
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        blog:
+          rule: "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
+          tls:
+            certResolver: myresolver
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.blog]
+      rule = "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
+      [http.routers.blog.tls]
+        certResolver = "myresolver"
+    ```
+
+!!! example "Domain from Router's tls.domain Example"
+
+    ```yaml tab="Docker & Swarm"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+      - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="Docker (Swarm)"
+    ## Dynamic configuration
+    deploy:
+      labels:
+        - traefik.http.routers.blog.rule=Path(`/metrics`)
+        - traefik.http.routers.blog.tls.certresolver=myresolver
+        - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.io/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: blogtls
+    spec:
+      entryPoints:
+        - websecure
+      routes:
+        - match: Path(`/metrics`)
+          kind: Rule
+          services:
+            - name: blog
+              port: 8080
+      tls:
+        certResolver: myresolver
+        domains:
+          - main: monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        blog:
+          rule: "Path(`/metrics`)"
+          tls:
+            certResolver: myresolver
+            domains:
+              - main: "monitoring.yak-bebop.ts.net"
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.blog]
+        rule = "Path(`/metrics`)"
+        [http.routers.blog.tls]
+          certResolver = "myresolver"
+          [[http.routers.blog.tls.domains]]
+            main = "monitoring.yak-bebop.ts.net"
+    ```
+
+## Automatic Renewals
+
+Traefik automatically tracks the expiry date of each Tailscale certificate it fetches,
+and starts to renew a certificate 14 days before its expiry to match Tailscale daemon renew policy.

docs/content/https/tls.md

@@ -211,7 +211,7 @@ spec:
         - bar.example.org
 ```
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 ## Dynamic configuration
 labels:
   - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
@@ -219,14 +219,6 @@ labels:
   - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
 ```
 
-```json tab="Marathon"
-labels: {
-  "traefik.tls.stores.default.defaultgeneratedcert.resolver": "myresolver",
-  "traefik.tls.stores.default.defaultgeneratedcert.domain.main": "example.org",
-  "traefik.tls.stores.default.defaultgeneratedcert.domain.sans": "foo.example.org, bar.example.org",
-}
-```
-
 ## TLS Options
 
 The TLS options allow one to configure some parameters of the TLS connection.

docs/content/includes/kubernetes-requirements.md

@@ -0,0 +1,3 @@
+Traefik follows the [Kubernetes support policy](https://kubernetes.io/releases/version-skew-policy/#supported-versions),
+and supports at least the latest three minor versions of Kubernetes.
+General functionality cannot be guaranteed for versions older than that.

docs/content/index.md

@@ -13,7 +13,7 @@ It receives requests on behalf of your system and finds out which components are
 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
 The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. 
 
-Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
+Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
  
 With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
 With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.   

docs/content/middlewares/http/addprefix.md

@@ -14,7 +14,7 @@ The AddPrefix middleware updates the path of a request before forwarding it.
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Prefixing with /foo
 labels:
   - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
@@ -36,18 +36,6 @@ spec:
 - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.add-foo.addprefix.prefix": "/foo"
-}
-```
-
-```yaml tab="Rancher"
-# Prefixing with /foo
-labels:
-  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
-```
-
 ```yaml tab="File (YAML)"
 # Prefixing with /foo
 http:

docs/content/middlewares/http/basicauth.md

@@ -14,7 +14,7 @@ The BasicAuth middleware grants access to services to authorized users only.
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Declaring the user list
 #
 # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
@@ -41,18 +41,6 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-}
-```
-
-```yaml tab="Rancher"
-# Declaring the user list
-labels:
-  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -100,7 +88,7 @@ The `users` option is an array of authorized users. Each user must be declared u
     Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
     You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Declaring the user list
 #
 # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
@@ -157,18 +145,6 @@ data:
 - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-}
-```
-
-```yaml tab="Rancher"
-# Declaring the user list
-labels:
-  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -201,7 +177,7 @@ The file content is a list of `name:hashed-password`.
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
     - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
 ```
@@ -232,17 +208,6 @@ data:
 - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.basicauth.usersfile": "/path/to/my/usersfile"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -268,7 +233,7 @@ http:
 
 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
 ```
@@ -287,17 +252,6 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.basicauth.realm": "MyRealm"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -316,7 +270,7 @@ http:
 
 You can define a header field to store the authenticated user using the `headerField`option.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
 ```
@@ -336,12 +290,6 @@ spec:
 - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.my-auth.basicauth.headerField": "X-WebAuth-User"
-}
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -361,7 +309,7 @@ http:
 
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
 ```
@@ -380,17 +328,6 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.basicauth.removeheader": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:

docs/content/middlewares/http/buffering.md

@@ -18,7 +18,7 @@ This can help services avoid large amounts of data (`multipart/form-data` for ex
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Sets the maximum request body to 2MB
 labels:
   - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
@@ -40,18 +40,6 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
-}
-```
-
-```yaml tab="Rancher"
-# Sets the maximum request body to 2MB
-labels:
-  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
-```
-
 ```yaml tab="File (YAML)"
 # Sets the maximum request body to 2MB
 http:
@@ -78,7 +66,7 @@ The `maxRequestBodyBytes` option configures the maximum allowed body size for th
 
 If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a `413` (Request Entity Too Large) response.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
@@ -97,17 +85,6 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -128,7 +105,7 @@ _Optional, Default=1048576_
 
 You can configure a threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
 ```
@@ -147,17 +124,6 @@ spec:
 - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.limit.buffering.memRequestBodyBytes": "2000000"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -180,7 +146,7 @@ The `maxResponseBodyBytes` option configures the maximum allowed response size f
 
 If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `500` (Internal Server Error) response instead.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
 ```
@@ -199,17 +165,6 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes": "2000000"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -230,7 +185,7 @@ _Optional, Default=1048576_
 
 You can configure a threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
 ```
@@ -249,17 +204,6 @@ spec:
 - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.limit.buffering.memResponseBodyBytes": "2000000"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -282,7 +226,7 @@ You can have the Buffering middleware replay the request using `retryExpression`
 
 ??? example "Retries once in the case of a network error"
 
-    ```yaml tab="Docker"
+    ```yaml tab="Docker & Swarm"
     labels:
       - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
     ```
@@ -301,17 +245,6 @@ You can have the Buffering middleware replay the request using `retryExpression`
     - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
     ```
 
-    ```json tab="Marathon"
-    "labels": {
-      "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"
-    }
-    ```
-
-    ```yaml tab="Rancher"
-    labels:
-      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
-    ```
-
     ```yaml tab="File (YAML)"
     http:
       middlewares:

docs/content/middlewares/http/chain.md

@@ -15,9 +15,9 @@ It makes reusing the same groups easier.
 
 ## Configuration Example
 
-Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.
+Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.routers.router1.service=service1"
   - "traefik.http.routers.router1.middlewares=secured"
@@ -25,7 +25,7 @@ labels:
   - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
   - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
   - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
   - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```
 
@@ -80,7 +80,7 @@ kind: Middleware
 metadata:
   name: known-ips
 spec:
-  ipWhiteList:
+  ipAllowList:
     sourceRange:
     - 192.168.1.7
     - 127.0.0.1/32
@@ -93,35 +93,10 @@ spec:
 - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
 - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
 - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.routers.router1.service": "service1",
-  "traefik.http.routers.router1.middlewares": "secured",
-  "traefik.http.routers.router1.rule": "Host(`mydomain`)",
-  "traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
-  "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-  "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
-  "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
-  "traefik.http.services.service1.loadbalancer.server.port": "80"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.routers.router1.service=service1"
-  - "traefik.http.routers.router1.middlewares=secured"
-  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
-  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
-  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-  - "traefik.http.services.service1.loadbalancer.server.port=80"
-```
-
 ```yaml tab="File (YAML)"
 # ...
 http:
@@ -150,7 +125,7 @@ http:
         scheme: https
 
     known-ips:
-      ipWhiteList:
+      ipAllowList:
         sourceRange:
           - "192.168.1.7"
           - "127.0.0.1/32"
@@ -180,7 +155,7 @@ http:
   [http.middlewares.https-only.redirectScheme]
     scheme = "https"
 
-  [http.middlewares.known-ips.ipWhiteList]
+  [http.middlewares.known-ips.ipAllowList]
     sourceRange = ["192.168.1.7", "127.0.0.1/32"]
 
 [http.services]

docs/content/middlewares/http/circuitbreaker.md

@@ -30,7 +30,7 @@ To assess if your system is healthy, the circuit breaker constantly monitors the
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Latency Check
 labels:
   - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
@@ -52,18 +52,6 @@ spec:
 - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.latency-check.circuitbreaker.expression": "LatencyAtQuantileMS(50.0) > 100"
-}
-```
-
-```yaml tab="Rancher"
-# Latency Check
-labels:
-  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
-```
-
 ```yaml tab="File (YAML)"
 # Latency Check
 http:
@@ -97,6 +85,7 @@ At specified intervals (`checkPeriod`), the circuit breaker evaluates `expressio
 ### Open
 
 While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
+The fallback mechanism returns a `HTTP 503` (or `ResponseCode`) to the client.
 After this duration, it enters the recovering state.
 
 ### Recovering
@@ -191,3 +180,9 @@ The duration for which the circuit breaker will wait before trying to recover (f
 _Optional, Default="10s"_
 
 The duration for which the circuit breaker will try to recover (as soon as it is in recovering state).
+
+### `ResponseCode`
+
+_Optional, Default="503"_
+
+The status code that the circuit breaker will return while it is in the open state.

docs/content/middlewares/http/compress.md

@@ -5,23 +5,24 @@ description: "Traefik Proxy's HTTP middleware lets you compress responses before
 
 # Compress
 
-Compress Responses before Sending them to the Client
+Compress Allows Compressing Responses before Sending them to the Client
 {: .subtitle }
 
 ![Compress](../../assets/img/middleware/compress.png)
 
-The Compress middleware uses gzip compression.
+The Compress middleware supports gzip and Brotli compression.
+The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
-# Enable gzip compression
+# Enable compression
 labels:
   - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
 ```yaml tab="Kubernetes"
-# Enable gzip compression
+# Enable compression
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -31,24 +32,12 @@ spec:
 ```
 
 ```yaml tab="Consul Catalog"
-# Enable gzip compression
+# Enable compression
 - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-compress.compress": "true"
-}
-```
-
-```yaml tab="Rancher"
-# Enable gzip compression
-labels:
-  - "traefik.http.middlewares.test-compress.compress=true"
-```
-
 ```yaml tab="File (YAML)"
-# Enable gzip compression
+# Enable compression
 http:
   middlewares:
     test-compress:
@@ -56,7 +45,7 @@ http:
 ```
 
 ```toml tab="File (TOML)"
-# Enable gzip compression
+# Enable compression
 [http.middlewares]
   [http.middlewares.test-compress.compress]
 ```
@@ -65,24 +54,39 @@ http:
 
     Responses are compressed when the following criteria are all met:
 
-    * The response body is larger than the configured minimum amount of bytes (default is `1024`).
+    * The `Accept-Encoding` request header contains `gzip`, `*`, and/or `br` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
-    * The `Accept-Encoding` request header contains `gzip`.
+    If the `Accept-Encoding` request header is absent, the response won't be encoded.
+    If it is present, but its value is the empty string, then compression is disabled.
     * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
-
+    * The response`Content-Type` header is not one among the [excludedContentTypes options](#excludedcontenttypes), or is one among the [includedContentTypes options](#includedcontenttypes).
-    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+    * The response body is larger than the [configured minimum amount of bytes](#minresponsebodybytes) (default is `1024`).
-    It will also set the `Content-Type` header according to the detected MIME type.
 
 ## Configuration Options
 
 ### `excludedContentTypes`
 
+_Optional, Default=""_ 
+
 `excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.
 
 The responses with content types defined in `excludedContentTypes` are not compressed.
 
 Content types are compared in a case-insensitive, whitespace-ignored manner.
 
-```yaml tab="Docker"
+!!! info 
+
+    The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.
+
+!!! info "In the case of gzip"
+
+    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+    It will also set the `Content-Type` header according to the detected MIME type.
+
+!!! info "gRPC"
+
+    Note that `application/grpc` is never compressed.
+
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
 ```
@@ -102,17 +106,6 @@ spec:
 - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-compress.compress.excludedcontenttypes": "text/event-stream"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -128,15 +121,68 @@ http:
     excludedContentTypes = ["text/event-stream"]
 ```
 
+### `includedContentTypes`
+
+_Optional, Default=""_
+
+`includedContentTypes` specifies a list of content types to compare the `Content-Type` header of the responses before compressing.
+
+The responses with content types defined in `includedContentTypes` are compressed. 
+
+Content types are compared in a case-insensitive, whitespace-ignored manner.
+
+!!! info
+
+    The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.includedcontenttypes=application/json,text/html,text/plain"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    includedContentTypes:
+      - application/json
+      - text/html
+      - text/plain
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.includedcontenttypes=application/json,text/html,text/plain"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        includedContentTypes:
+          - application/json
+          - text/html
+          - text/plain
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    includedContentTypes = ["application/json","text/html","text/plain"]
+```
+
 ### `minResponseBodyBytes`
 
+_Optional, Default=1024_
+
 `minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
 
-The default value is `1024`, which should be a reasonable value for most cases.
-
 Responses smaller than the specified values will not be compressed.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
 ```
@@ -155,17 +201,6 @@ spec:
 - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-compress.compress.minresponsebodybytes": 1200
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:

docs/content/middlewares/http/contenttype.md

@@ -1,6 +1,6 @@
 ---
 title: "Traefik ContentType Documentation"
-description: "Traefik Proxy's HTTP middleware can automatically specify the content-type header if it has not been defined by the backend. Read the technical documentation."
+description: "Traefik Proxy's HTTP middleware automatically sets the `Content-Type` header value when it is not set by the backend. Read the technical documentation."
 ---
 
 # ContentType
@@ -8,84 +8,60 @@ description: "Traefik Proxy's HTTP middleware can automatically specify the cont
 Handling Content-Type auto-detection
 {: .subtitle }
 
-The Content-Type middleware - or rather its `autoDetect` option -
+The Content-Type middleware sets the `Content-Type` header value to the media type detected from the response content,
-specifies whether to let the `Content-Type` header,
+when it is not set by the backend.
-if it has not been defined by the backend,
-be automatically set to a value derived from the contents of the response.
-
-As a proxy, the default behavior should be to leave the header alone,
-regardless of what the backend did with it.
-However, the historic default was to always auto-detect and set the header if it was not already defined,
-and altering this behavior would be a breaking change which would impact many users.
-
-This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
 
 !!! info
 
-    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
-    is still to automatically set the `Content-Type` header.
-    Therefore, given the default value of the `autoDetect` option (false),
-    simply enabling this middleware for a router switches the router's behavior.
-
     The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
     Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
-# Disable auto-detection
+# Enable auto-detection
 labels:
-  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+  - "traefik.http.middlewares.autodetect.contenttype=true"
 ```
 
 ```yaml tab="Kubernetes"
-# Disable auto-detection
+# Enable auto-detection
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: autodetect
 spec:
-  contentType:
+  contentType: {}
-    autoDetect: false
 ```
 
 ```yaml tab="Consul Catalog"
-# Disable auto-detection
+# Enable auto-detection
-- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+- "traefik.http.middlewares.autodetect.contenttype=true"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
-}
-```
-
-```yaml tab="Rancher"
-# Disable auto-detection
-labels:
-  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
 ```
 
 ```yaml tab="File (YAML)"
-# Disable auto-detection
+# Enable auto-detection
 http:
   middlewares:
     autodetect:
-      contentType:
+      contentType: {}
-        autoDetect: false
 ```
 
 ```toml tab="File (TOML)"
-# Disable auto-detection
+# Enable auto-detection
 [http.middlewares]
   [http.middlewares.autodetect.contentType]
-     autoDetect=false
 ```
 
 ## Configuration Options
 
 ### `autoDetect`
 
+!!! warning
+
+    `autoDetect` option is deprecated and should not be used.
+    Moreover, it is redundant with an empty ContentType middleware declaration.
+
 `autoDetect` specifies whether to let the `Content-Type` header,
 if it has not been set by the backend,
 be automatically set to a value derived from the contents of the response.

docs/content/middlewares/http/digestauth.md

@@ -14,7 +14,7 @@ The DigestAuth middleware grants access to services to authorized users only.
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Declaring the user list
 labels:
   - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
@@ -36,18 +36,6 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-}
-```
-
-```yaml tab="Rancher"
-# Declaring the user list
-labels:
-  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -84,7 +72,7 @@ The `users` option is an array of authorized users. Each user will be declared u
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
     - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
@@ -114,17 +102,6 @@ data:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -155,7 +132,7 @@ The file content is a list of `name:realm:encoded-password`.
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
     - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
 ```
@@ -186,17 +163,6 @@ data:
 - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -222,7 +188,7 @@ http:
 
 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
 ```
@@ -241,17 +207,6 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -270,7 +225,7 @@ http:
 
 You can customize the header field for the authenticated user using the `headerField`option.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```
@@ -290,17 +245,6 @@ spec:
 - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.my-auth.digestauth.headerField": "X-WebAuth-User"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -320,7 +264,7 @@ http:
 
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
 ```
@@ -339,17 +283,6 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:

docs/content/middlewares/http/errorpages.md

@@ -18,7 +18,7 @@ The Errors middleware returns a custom page in lieu of the default, according to
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Dynamic Custom Error Page for 5XX Status Code
 labels:
   - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
@@ -51,22 +51,6 @@ spec:
 - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-errors.errors.status": "500,501,503,505-599",
-  "traefik.http.middlewares.test-errors.errors.service": "serviceError",
-  "traefik.http.middlewares.test-errors.errors.query": "/{status}.html"
-}
-```
-
-```yaml tab="Rancher"
-# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
-labels:
-  - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
-  - "traefik.http.middlewares.test-errors.errors.service=serviceError"
-  - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
 http:

docs/content/middlewares/http/forwardauth.md

@@ -16,7 +16,7 @@ Otherwise, the response from the authentication server is returned.
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Forward authentication to example.com
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
@@ -38,18 +38,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
-}
-```
-
-```yaml tab="Rancher"
-# Forward authentication to example.com
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
-```
-
 ```yaml tab="File (YAML)"
 # Forward authentication to example.com
 http:
@@ -84,7 +72,7 @@ The following request properties are provided to the forward-auth target endpoin
 
 The `address` option defines the authentication server address.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
@@ -103,17 +91,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -132,7 +109,7 @@ http:
 
 Set the `trustForwardHeader` option to `true` to trust all `X-Forwarded-*` headers.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```
@@ -152,17 +129,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -184,7 +150,7 @@ http:
 The `authResponseHeaders` option is the list of headers to copy from the authentication server response and set on
 forwarded request, replacing any existing conflicting headers.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```
@@ -206,17 +172,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -242,7 +197,7 @@ set on forwarded request, after stripping all headers that match the regex.
 It allows partial matching of the regular expression against the header key.
 The start of string (`^`) and end of string (`$`) anchors should be used to ensure a full match against the header key.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
 ```
@@ -262,17 +217,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex": "^X-"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -301,7 +245,7 @@ The `authRequestHeaders` option is the list of the headers to copy from the requ
 It allows filtering headers that should not be passed to the authentication server.
 If not set or empty then all request headers are passed.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
 ```
@@ -323,17 +267,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders": "Accept,X-CustomHeader"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -352,6 +285,55 @@ http:
     authRequestHeaders = "Accept,X-CustomHeader"
 ```
 
+### `addAuthCookiesToResponse`
+
+The `addAuthCookiesToResponse` option is the list of cookies to copy from the authentication server to the response, 
+replacing any existing conflicting cookie from the forwarded response.
+
+!!! info
+
+    Please note that all backend cookies matching the configured list will not be added to the response.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.addAuthCookiesToResponse=Session-Cookie,State-Cookie"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    addAuthCookiesToResponse:
+      - Session-Cookie
+      - State-Cookie
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.addAuthCookiesToResponse=Session-Cookie,State-Cookie"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        addAuthCookiesToResponse:
+          - "Session-Cookie"
+          - "State-Cookie"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
+```
+
 ### `tls`
 
 _Optional_
@@ -365,7 +347,7 @@ _Optional_
 `ca` is the path to the certificate authority used for the secured connection to the authentication server,
 it defaults to the system bundle.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
 ```
@@ -397,17 +379,6 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -433,7 +404,7 @@ _Optional_
 `cert` is the path to the public certificate used for the secure connection to the authentication server.
 When using this option, setting the `key` option is required.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
   - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
@@ -467,19 +438,6 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -511,7 +469,7 @@ _Optional_
 `key` is the path to the private key used for the secure connection to the authentication server.
 When using this option, setting the `cert` option is required.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
   - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
@@ -545,19 +503,6 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -588,7 +533,7 @@ _Optional, Default=false_
 
 If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
 ```
@@ -609,17 +554,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:

docs/content/middlewares/http/grpcweb.md

@@ -0,0 +1,66 @@
+---
+title: "Traefik GrpcWeb Documentation"
+description: "In Traefik Proxy's HTTP middleware, GrpcWeb converts a gRPC Web requests to HTTP/2 gRPC requests. Read the technical documentation."
+---
+
+# GrpcWeb
+
+Converting gRPC Web requests to HTTP/2 gRPC requests.
+{: .subtitle }
+
+The GrpcWeb middleware converts gRPC Web requests to HTTP/2 gRPC requests before forwarding them to the backends.
+
+!!! tip
+
+    Please note, that Traefik needs to communicate using gRPC with the backends (h2c or HTTP/2 over TLS).
+    Check out the [gRPC](../../user-guides/grpc.md) user guide for more details.
+
+## Configuration Examples
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-grpcweb.grpcweb.allowOrigins=*"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-grpcweb
+spec:
+  grpcWeb:
+    allowOrigins:
+      - "*"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-grpcweb.grpcWeb.allowOrigins=*"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-grpcweb:
+      grpcWeb:
+        allowOrigins:
+          - "*"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-grpcweb.grpcWeb]
+    allowOrigins = ["*"]
+```
+
+## Configuration Options
+
+### `allowOrigins`
+
+The `allowOrigins` contains the list of allowed origins.
+A wildcard origin `*` can also be configured to match all requests.
+
+More information including how to use the settings can be found at:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)

docs/content/middlewares/http/headers.md

@@ -20,7 +20,7 @@ A set of forwarded headers are automatically added by default. See the [FAQ](../
 
 The following example adds the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` header to the response
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
   - "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
@@ -44,19 +44,6 @@ spec:
 - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
-  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "value"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
-  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -82,7 +69,7 @@ http:
 In the following example, requests are proxied with an extra `X-Script-Name` header while their `X-Custom-Request-Header` header gets stripped,
 and responses are stripped of their `X-Custom-Response-Header` header.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
   - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
@@ -109,21 +96,6 @@ spec:
 - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
-  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header": "",
-  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "",
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
-  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
-  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -151,7 +123,7 @@ http:
 Security-related headers (HSTS headers, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
 This functionality makes it possible to easily use security features by adding headers.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.testHeader.headers.framedeny=true"
   - "traefik.http.middlewares.testHeader.headers.browserxssfilter=true"
@@ -173,19 +145,6 @@ spec:
 - "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.testheader.headers.framedeny": "true",
-  "traefik.http.middlewares.testheader.headers.browserxssfilter": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.testheader.headers.framedeny=true"
-  - "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -211,7 +170,7 @@ instead the response will be generated and sent back to the client directly.
 Please note that the example below is by no means authoritative or exhaustive,
 and should not be used as is for production.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
@@ -248,25 +207,6 @@ spec:
 - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
-  "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*",
-  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
-  "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
-  "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
-  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -466,7 +406,7 @@ The `referrerPolicy` allows sites to control whether browsers forward the `Refer
 
 !!! warning
 
-    Deprecated in favor of `permissionsPolicy`
+    Deprecated in favor of [`permissionsPolicy`](#permissionsPolicy)
 
 The `featurePolicy` allows sites to control browser features.
 

docs/content/middlewares/http/inflightreq.md

@@ -14,7 +14,7 @@ To proactively prevent services from being overwhelmed with high load, the numbe
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
@@ -34,18 +34,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
-}
-```
-
-```yaml tab="Rancher"
-# Limiting to 10 simultaneous connections
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
-```
-
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
@@ -69,7 +57,7 @@ http:
 The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
 The middleware responds with `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
@@ -89,18 +77,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
-}
-```
-
-```yaml tab="Rancher"
-# Limiting to 10 simultaneous connections
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
-```
-
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
@@ -146,7 +122,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
 ```
@@ -167,17 +143,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth": "2"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -211,7 +176,7 @@ http:
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
     | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
@@ -234,17 +199,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -268,7 +222,7 @@ http:
 
 Name of the header used to group incoming requests.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
@@ -288,17 +242,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername": "username"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -319,7 +262,7 @@ http:
 
 Whether to consider the request host as the source.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
@@ -339,17 +282,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:

docs/content/middlewares/http/ipallowlist.md

@@ -35,18 +35,6 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-# Accepts request from defined IP
-labels:
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
@@ -125,20 +113,6 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
-}
-```
-
-```yaml tab="Rancher"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-labels:
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
-```
-
 ```yaml tab="File (YAML)"
 # Allowlisting Based on `X-Forwarded-For` with `depth=2`
 http:
@@ -207,20 +181,6 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
-  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-# Exclude from `X-Forwarded-For`
-labels:
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:

docs/content/middlewares/http/ipwhitelist.md

@@ -41,18 +41,6 @@ spec:
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-# Accepts request from defined IP
-labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
@@ -131,20 +119,6 @@ spec:
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
-}
-```
-
-```yaml tab="Rancher"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
-```
-
 ```yaml tab="File (YAML)"
 # Whitelisting Based on `X-Forwarded-For` with `depth=2`
 http:
@@ -213,20 +187,6 @@ spec:
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-# Exclude from `X-Forwarded-For`
-labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:

docs/content/middlewares/http/overview.md

@@ -12,7 +12,7 @@ Controlling connections
 
 ## Configuration Example
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # As a Docker Label
 whoami:
   #  A container that exposes an API to show its IP address
@@ -26,19 +26,6 @@ whoami:
 
 ```yaml tab="Kubernetes IngressRoute"
 # As a Kubernetes Traefik IngressRoute
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: middlewares.traefik.io
-spec:
-  group: traefik.io
-  version: v1alpha1
-  names:
-    kind: Middleware
-    plural: middlewares
-    singular: middleware
-  scope: Namespaced
-
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
@@ -69,22 +56,6 @@ spec:
 - "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
-  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
-}
-```
-
-```yaml tab="Rancher"
-# As a Rancher Label
-labels:
-  # Create a middleware named `foo-add-prefix`
-  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
-  # Apply the middleware named `foo-add-prefix` to the router named `router1`
-  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
-```
-
 ```toml tab="File (TOML)"
 # As TOML Configuration File
 [http.routers]
@@ -142,7 +113,7 @@ http:
 | [Errors](errorpages.md)                   | Defines custom error pages                        | Request Lifecycle           |
 | [ForwardAuth](forwardauth.md)             | Delegates Authentication                          | Security, Authentication    |
 | [Headers](headers.md)                     | Adds / Updates headers                            | Security                    |
-| [IPWhiteList](ipwhitelist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
+| [IPAllowList](ipallowlist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
 | [InFlightReq](inflightreq.md)             | Limits the number of simultaneous connections     | Security, Request lifecycle |
 | [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header              | Security                    |
 | [RateLimit](ratelimit.md)                 | Limits the call frequency                         | Security, Request lifecycle |

docs/content/middlewares/http/passtlsclientcert.md

@@ -18,7 +18,7 @@ PassTLSClientCert adds the selected data from the passed client TLS certificate
 
 Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
@@ -39,18 +39,6 @@ spec:
 - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
-}
-```
-
-```yaml tab="Rancher"
-# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
-labels:
-  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
-```
-
 ```yaml tab="File (YAML)"
 # Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 http:
@@ -69,7 +57,7 @@ http:
 
 ??? example "Pass the pem in the `X-Forwarded-Tls-Client-Cert` header"
 
-    ```yaml tab="Docker"
+    ```yaml tab="Docker & Swarm"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     labels:
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
@@ -146,52 +134,6 @@ http:
     - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
     ```
 
-    ```json tab="Marathon"
-    "labels": {
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
-    }
-    ```
-
-    ```yaml tab="Rancher"
-    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
-    labels:
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
-    ```
-
     ```yaml tab="File (YAML)"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     http:

docs/content/middlewares/http/ratelimit.md

@@ -14,7 +14,7 @@ It is based on a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) impl
 
 ## Configuration Example
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 200 requests is allowed.
 labels:
@@ -42,21 +42,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
-  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "200"
-}
-```
-
-```yaml tab="Rancher"
-# Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 200 requests is allowed.
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=200"
-```
-
 ```yaml tab="File (YAML)"
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 200 requests is allowed.
@@ -88,7 +73,7 @@ It defaults to `0`, which means no rate limiting.
 The rate is actually defined by dividing `average` by `period`.
 So for a rate below 1 req/s, one needs to define a `period` larger than a second.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # 100 reqs/s
 labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
@@ -110,17 +95,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-```
-
 ```yaml tab="File (YAML)"
 # 100 reqs/s
 http:
@@ -147,7 +121,7 @@ r = average / period
 
 It defaults to `1` second.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # 6 reqs/minute
 labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
@@ -172,20 +146,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "6",
-  "traefik.http.middlewares.test-ratelimit.ratelimit.period": "1m",
-}
-```
-
-```yaml tab="Rancher"
-# 6 reqs/minute
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
-```
-
 ```yaml tab="File (YAML)"
 # 6 reqs/minute
 http:
@@ -210,7 +170,7 @@ http:
 
 It defaults to `1`.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```
@@ -229,17 +189,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "100",
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -283,7 +232,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
 ```
@@ -304,17 +253,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth": "2"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -375,7 +313,7 @@ and the first IP that is _not_ in the pool (if any) is returned.
     | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
     | `"10.0.0.1,11.0.0.1"`          | `"10.0.0.1,11.0.0.1"` | `""`         |
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
@@ -398,17 +336,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -432,7 +359,7 @@ http:
 
 Name of the header used to group incoming requests.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```
@@ -452,17 +379,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername": "username"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -483,7 +399,7 @@ http:
 
 Whether to consider the request host as the source.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```
@@ -503,17 +419,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:

docs/content/middlewares/http/redirectregex.md

@@ -16,7 +16,7 @@ The RedirectRegex redirects a request using regex matching and replacement.
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Redirect with domain replacement
 # Note: all dollar signs need to be doubled for escaping.
 labels:
@@ -43,21 +43,6 @@ spec:
 - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-redirectregex.redirectregex.regex": "^http://localhost/(.*)",
-  "traefik.http.middlewares.test-redirectregex.redirectregex.replacement": "http://mydomain/${1}"
-}
-```
-
-```yaml tab="Rancher"
-# Redirect with domain replacement
-# Note: all dollar signs need to be doubled for escaping.
-labels:
-  - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
-  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect with domain replacement
 http:

docs/content/middlewares/http/redirectscheme.md

@@ -25,7 +25,7 @@ The RedirectScheme middleware redirects the request if the request scheme is dif
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Redirect to https
 labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
@@ -51,20 +51,6 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
-  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
-}
-```
-
-```yaml tab="Rancher"
-# Redirect to https
-labels:
-  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -89,7 +75,7 @@ http:
 
 Set the `permanent` option to `true` to apply a permanent redirection.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Redirect to https
 labels:
   # ...
@@ -115,20 +101,6 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```
 
-```json tab="Marathon"
-"labels": {
-
-  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
-}
-```
-
-```yaml tab="Rancher"
-# Redirect to https
-labels:
-  # ...
-  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -151,7 +123,7 @@ http:
 
 The `scheme` option defines the scheme of the new URL.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Redirect to https
 labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
@@ -174,18 +146,6 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
-}
-```
-
-```yaml tab="Rancher"
-# Redirect to https
-labels:
-  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -206,7 +166,7 @@ http:
 
 The `port` option defines the port of the new URL.
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Redirect to https
 labels:
   # ...
@@ -232,20 +192,6 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
 ```
 
-```json tab="Marathon"
-"labels": {
-
-  "traefik.http.middlewares.test-redirectscheme.redirectscheme.port": "443"
-}
-```
-
-```yaml tab="Rancher"
-# Redirect to https
-labels:
-  # ...
-  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:

docs/content/middlewares/http/replacepath.md

@@ -16,7 +16,7 @@ Replace the path of the request URL.
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Replace the path with /foo
 labels:
   - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
@@ -38,18 +38,6 @@ spec:
 - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-replacepath.replacepath.path": "/foo"
-}
-```
-
-```yaml tab="Rancher"
-# Replace the path with /foo
-labels:
-  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
-```
-
 ```yaml tab="File (YAML)"
 # Replace the path with /foo
 http:

docs/content/middlewares/http/replacepathregex.md

@@ -16,7 +16,7 @@ The ReplaceRegex replaces the path of a URL using regex matching and replacement
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Replace path with regex
 labels:
   - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
@@ -41,20 +41,6 @@ spec:
 - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex": "^/foo/(.*)",
-  "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement": "/bar/$1"
-}
-```
-
-```yaml tab="Rancher"
-# Replace path with regex
-labels:
-  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
-  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
-```
-
 ```yaml tab="File (YAML)"
 # Replace path with regex
 http:

docs/content/middlewares/http/retry.md

@@ -18,7 +18,7 @@ The Retry middleware has an optional configuration to enable an exponential back
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Retry 4 times with exponential backoff
 labels:
   - "traefik.http.middlewares.test-retry.retry.attempts=4"
@@ -43,20 +43,6 @@ spec:
 - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-retry.retry.attempts": "4",
-  "traefik.http.middlewares.test-retry.retry.initialinterval": "100ms",
-}
-```
-
-```yaml tab="Rancher"
-# Retry 4 times with exponential backoff
-labels:
-  - "traefik.http.middlewares.test-retry.retry.attempts=4"
-  - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
-```
-
 ```yaml tab="File (YAML)"
 # Retry 4 times with exponential backoff
 http:

docs/content/middlewares/http/stripprefix.md

@@ -16,7 +16,7 @@ Remove the specified prefixes from the URL path.
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Strip prefix /foobar and /fiibar
 labels:
   - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
@@ -40,18 +40,6 @@ spec:
 - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar,/fiibar"
-}
-```
-
-```yaml tab="Rancher"
-# Strip prefix /foobar and /fiibar
-labels:
-  - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
-```
-
 ```yaml tab="File (YAML)"
 # Strip prefix /foobar and /fiibar
 http:
@@ -93,12 +81,12 @@ Using the previous example, the backend should return `/products/shoes/image.png
 
 _Optional, Default=true_
 
+!!! warning
+
+    `forceSlash` option is deprecated and should not be used.
+
 The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
 
-This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
-
-It is recommended to explicitly set `forceSlash` to `false`.
-
 ??? info "Behavior examples"
 
     - `forceSlash=true`
@@ -141,19 +129,6 @@ spec:
     forceSlash: false
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
-  "traefik.http.middlewares.example.stripprefix.forceSlash": "false"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:

docs/content/middlewares/http/stripprefixregex.md

@@ -12,7 +12,7 @@ Remove the matching prefixes from the URL path.
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```
@@ -32,17 +32,6 @@ spec:
 - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex": "/foo/[a-z0-9]+/[0-9]+/"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
-```
-
 ```yaml tab="File (YAML)"
 http:
   middlewares:

docs/content/middlewares/overview.md

@@ -23,7 +23,7 @@ Middlewares that use the same protocol can be combined into chains to fit every
 
 ## Configuration Example
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # As a Docker Label
 whoami:
   #  A container that exposes an API to show its IP address
@@ -66,22 +66,6 @@ spec:
 - "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
-  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
-}
-```
-
-```yaml tab="Rancher"
-# As a Rancher Label
-labels:
-  # Create a middleware named `foo-add-prefix`
-  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
-  # Apply the middleware named `foo-add-prefix` to the router named `router1`
-  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
-```
-
 ```yaml tab="File (YAML)"
 # As YAML Configuration File
 http:

docs/content/middlewares/tcp/inflightconn.md

@@ -7,7 +7,7 @@ To proactively prevent services from being overwhelmed with high load, the numbe
 
 ## Configuration Examples
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 labels:
   - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
 ```
@@ -27,18 +27,6 @@ spec:
 - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount": "10"
-}
-```
-
-```yaml tab="Rancher"
-# Limiting to 10 simultaneous connections.
-labels:
-  - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
-```
-
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections.
 tcp:

docs/content/middlewares/tcp/ipwhitelist.md

@@ -39,18 +39,6 @@ spec:
 - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-# Accepts request from defined IP
-labels:
-  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
 ```toml tab="File (TOML)"
 # Accepts request from defined IP
 [tcp.middlewares]

docs/content/middlewares/tcp/overview.md

@@ -12,40 +12,27 @@ Controlling connections
 
 ## Configuration Example
 
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # As a Docker Label
 whoami:
   #  A container that exposes an API to show its IP address
   image: traefik/whoami
   labels:
-    # Create a middleware named `foo-ip-whitelist`
+    # Create a middleware named `foo-ip-allowlist`
-    - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+    - "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-    # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
+    # Apply the middleware named `foo-ip-allowlist` to the router named `router1`
-    - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
+    - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
 ```
 
 ```yaml tab="Kubernetes IngressRoute"
 # As a Kubernetes Traefik IngressRoute
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: middlewaretcps.traefik.io
-spec:
-  group: traefik.io
-  version: v1alpha1
-  names:
-    kind: MiddlewareTCP
-    plural: middlewaretcps
-    singular: middlewaretcp
-  scope: Namespaced
-
 ---
 apiVersion: traefik.io/v1alpha1
 kind: MiddlewareTCP
 metadata:
-  name: foo-ip-whitelist
+  name: foo-ip-allowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
     sourcerange:
       - 127.0.0.1/32
       - 192.168.1.7
@@ -60,30 +47,14 @@ spec:
   routes:
     # more fields...
     middlewares:
-      - name: foo-ip-whitelist
+      - name: foo-ip-allowlist
 ```
 
 ```yaml tab="Consul Catalog"
-# Create a middleware named `foo-ip-whitelist`
+# Create a middleware named `foo-ip-allowlist`
-- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
+# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
-- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
+- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@consulcatalog"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
-  "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
-}
-```
-
-```yaml tab="Rancher"
-# As a Rancher Label
-labels:
-  # Create a middleware named `foo-ip-whitelist`
-  - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
-  - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
 ```
 
 ```toml tab="File (TOML)"
@@ -91,11 +62,11 @@ labels:
 [tcp.routers]
   [tcp.routers.router1]
     service = "myService"
-    middlewares = ["foo-ip-whitelist"]
+    middlewares = ["foo-ip-allowlist"]
     rule = "Host(`example.com`)"
 
 [tcp.middlewares]
-  [tcp.middlewares.foo-ip-whitelist.ipWhiteList]
+  [tcp.middlewares.foo-ip-allowlist.ipAllowList]
     sourceRange = ["127.0.0.1/32", "192.168.1.7"]
 
 [tcp.services]
@@ -114,12 +85,12 @@ tcp:
     router1:
       service: myService
       middlewares:
-        - "foo-ip-whitelist"
+        - "foo-ip-allowlist"
       rule: "Host(`example.com`)"
 
   middlewares:
-    foo-ip-whitelist:
+    foo-ip-allowlist:
-      ipWhiteList:
+      ipAllowList:
         sourceRange:
           - "127.0.0.1/32"
           - "192.168.1.7"
@@ -137,4 +108,4 @@ tcp:
 | Middleware                                | Purpose                                           | Area                        |
 |-------------------------------------------|---------------------------------------------------|-----------------------------|
 | [InFlightConn](inflightconn.md)           | Limits the number of simultaneous connections.    | Security, Request lifecycle |
-| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
+| [IPAllowList](ipallowlist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |

docs/content/migration/v1-to-v2.md

@@ -38,7 +38,7 @@ Then any router can refer to an instance of the wanted middleware.
 
     !!! info "v1"
 
-    ```yaml tab="Docker"
+    ```yaml tab="Docker & Swarm"
     labels:
       - "traefik.frontend.rule=Host:test.localhost;PathPrefix:/test"
       - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -100,7 +100,7 @@ Then any router can refer to an instance of the wanted middleware.
 
     !!! info "v2"
 
-    ```yaml tab="Docker"
+    ```yaml tab="Docker & Swarm"
     labels:
       - "traefik.http.routers.router0.rule=Host(`test.localhost`) && PathPrefix(`/test`)"
       - "traefik.http.routers.router0.middlewares=auth"
@@ -317,7 +317,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
           namespace: default
     ```
 
-    ```yaml tab="Docker"
+    ```yaml tab="Docker & Swarm"
     labels:
       # myTLSOptions must be defined by another provider, in this instance in the File Provider.
       # see the cross provider section
@@ -428,7 +428,7 @@ To apply a redirection:
 
     !!! info "v2"
 
-    ```yaml tab="Docker"
+    ```yaml tab="Docker & Swarm"
     labels:
       traefik.http.routers.app.rule: Host(`example.net`)
       traefik.http.routers.app.entrypoints: web
@@ -556,7 +556,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
 
     !!! info "v1"
 
-    ```yaml tab="Docker"
+    ```yaml tab="Docker & Swarm"
     labels:
       - "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"
     ```
@@ -588,7 +588,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
 
     !!! info "v2"
 
-    ```yaml tab="Docker"
+    ```yaml tab="Docker & Swarm"
     labels:
       - "traefik.http.routers.admin.rule=Host(`example.org`) && PathPrefix(`/admin`)"
       - "traefik.http.routers.admin.middlewares=admin-stripprefix"
@@ -1044,7 +1044,7 @@ To activate the dashboard, you can either:
 
     !!! info "v2"
 
-    ```yaml tab="Docker"
+    ```yaml tab="Docker & Swarm"
     # dynamic configuration
     labels:
       - "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"

docs/content/migration/v2-to-v3.md

@@ -0,0 +1,736 @@
+---
+title: "Traefik V3 Migration Documentation"
+description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
+---
+
+# Migration Guide: From v2 to v3
+
+How to Migrate from Traefik v2 to Traefik v3.
+{: .subtitle }
+
+The version 3 of Traefik introduces a number of breaking changes,
+which require one to update their configuration when they migrate from v2 to v3.
+The goal of this page is to recapitulate all of these changes,
+and in particular to give examples, feature by feature, 
+of how the configuration looked like in v2,
+and how it now looks like in v3.
+
+## Static configuration
+
+### Docker & Docker Swarm
+
+#### SwarmMode
+
+In v3, the provider Docker has been split into 2 providers:
+
+- Docker provider (without Swarm support)
+- Swarm provider  (Swarm support only)
+
+??? example "An example usage of v2 Docker provider with Swarm"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        swarmMode: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+        swarmMode=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.docker.swarmMode=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+##### Remediation
+
+In v3, the `swarmMode` should not be used with the Docker provider, and, to use Swarm, the Swarm provider should be used instead.
+
+??? example "An example usage of the Swarm provider"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      swarm:
+        endpoint: "tcp://127.0.0.1:2377"
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.swarm]
+        endpoint="tcp://127.0.0.1:2377"
+    ```
+
+    ```bash tab="CLI"
+    --providers.swarm.endpoint=tcp://127.0.0.1:2377
+    ```
+
+#### TLS.CAOptional
+
+Docker provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.docker.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.docker.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the Docker provider static configuration.
+
+### Kubernetes Gateway API
+
+#### Experimental Channel Resources (TLSRoute and TCPRoute)
+
+In v3, the Kubernetes Gateway API provider does not enable support for the experimental channel API resources by default.
+
+##### Remediation
+
+The `experimentalChannel` option should be used to enable the support for the experimental channel API resources.
+
+??? example "An example usage of the Kubernetes Gateway API provider with experimental channel support enabled"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      kubernetesGateway:
+        experimentalChannel: true
+    ```
+    
+    ```toml tab="File (TOML)"
+    [providers.kubernetesGateway]
+        experimentalChannel = true
+      # ...
+    ```
+    
+    ```bash tab="CLI"
+    --providers.kubernetesgateway.experimentalchannel=true
+    ```
+
+### Experimental Configuration
+
+#### HTTP3
+
+In v3, HTTP/3 is no longer an experimental feature.
+It can be enabled on entry points without the associated `experimental.http3` option, which is now removed.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 Experimental `http3` option"
+
+    ```yaml tab="File (YAML)"
+    experimental:
+      http3: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [experimental]
+        http3=true
+    ```
+
+    ```bash tab="CLI"
+    --experimental.http3=true
+    ```
+
+##### Remediation
+
+The `http3` option should be removed from the static configuration experimental section.
+To configure `http3`, please checkout the [entrypoint configuration documentation](https://doc.traefik.io/traefik/v3.0/routing/entrypoints/#http3_1).
+
+### Consul provider
+
+#### namespace
+
+The Consul provider `namespace` option was deprecated in v2 and is now removed in v3.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 Consul `namespace` option"
+
+    ```yaml tab="File (YAML)"
+    consul:
+      namespace: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consul]
+        namespace=foobar
+    ```
+
+    ```bash tab="CLI"
+    --consul.namespace=foobar
+    ```
+
+##### Remediation
+
+In v3, the `namespaces` option should be used instead of the `namespace` option.
+
+??? example "An example usage of Consul `namespaces` option"
+
+    ```yaml tab="File (YAML)"
+    consul:
+      namespaces:
+        - foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consul]
+        namespaces=["foobar"]
+    ```
+
+    ```bash tab="CLI"
+    --consul.namespaces=foobar
+    ```
+
+#### TLS.CAOptional
+
+Consul provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      consul:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.consul.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.consul.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the Consul provider static configuration.
+
+### ConsulCatalog provider
+
+#### namespace
+
+The ConsulCatalog provider `namespace` option was deprecated in v2 and is now removed in v3.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 ConsulCatalog `namespace` option"
+
+    ```yaml tab="File (YAML)"
+    consulCatalog:
+      namespace: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consulCatalog]
+        namespace=foobar
+    ```
+
+    ```bash tab="CLI"
+    --consulCatalog.namespace=foobar
+    ```
+
+##### Remediation
+
+In v3, the `namespaces` option should be used instead of the `namespace` option.
+
+??? example "An example usage of ConsulCatalog `namespaces` option"
+
+    ```yaml tab="File (YAML)"
+    consulCatalog:
+      namespaces:
+        - foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consulCatalog]
+        namespaces=["foobar"]
+    ```
+
+    ```bash tab="CLI"
+    --consulCatalog.namespaces=foobar
+    ```
+
+#### Endpoint.TLS.CAOptional
+
+ConsulCatalog provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the Endpoint.TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      consulCatalog:
+        endpoint:
+          tls: 
+            caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.consulCatalog.endpoint.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.consulCatalog.endpoint.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `endpoint.tls.caOptional` option should be removed from the ConsulCatalog provider static configuration.
+
+### Nomad provider
+
+#### namespace
+
+The Nomad provider `namespace` option was deprecated in v2 and is now removed in v3.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 Nomad `namespace` option"
+
+    ```yaml tab="File (YAML)"
+    nomad:
+      namespace: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [nomad]
+        namespace=foobar
+    ```
+
+    ```bash tab="CLI"
+    --nomad.namespace=foobar
+    ```
+
+##### Remediation
+
+In v3, the `namespaces` option should be used instead of the `namespace` option.
+
+??? example "An example usage of Nomad `namespaces` option"
+
+    ```yaml tab="File (YAML)"
+    nomad:
+      namespaces:
+        - foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [nomad]
+        namespaces=["foobar"]
+    ```
+
+    ```bash tab="CLI"
+    --nomad.namespaces=foobar
+    ```
+
+#### Endpoint.TLS.CAOptional
+
+Nomad provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the Endpoint.TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      nomad:
+        endpoint:
+          tls: 
+            caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.nomad.endpoint.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.nomad.endpoint.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `endpoint.tls.caOptional` option should be removed from the Nomad provider static configuration.
+
+### Rancher v1 Provider
+
+In v3, the Rancher v1 provider has been removed because Rancher v1 is [no longer actively maintained](https://rancher.com/docs/os/v1.x/en/support/),
+and Rancher v2 is supported as a standard Kubernetes provider.
+
+??? example "An example of Traefik v2 Rancher v1 configuration"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      rancher: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.rancher]
+    ```
+
+    ```bash tab="CLI"
+    --providers.rancher=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
+As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](../providers/kubernetes-crd.md) directly.
+
+Also, all Rancher provider related configuration should be removed from the static configuration.
+
+### Marathon provider
+
+Marathon maintenance [ended on October 31, 2021](https://github.com/mesosphere/marathon/blob/master/README.md).
+In v3, the Marathon provider has been removed.
+
+??? example "An example of v2 Marathon provider configuration"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      marathon: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.marathon]
+    ```
+
+    ```bash tab="CLI"
+    --providers.marathon=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+All Marathon provider related configuration should be removed from the static configuration.
+
+### HTTP Provider
+
+#### TLS.CAOptional
+
+HTTP provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      http:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.http.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.http.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the HTTP provider static configuration.
+
+### ETCD Provider
+
+#### TLS.CAOptional
+
+ETCD provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      etcd:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.etcd.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.etcd.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the ETCD provider static configuration.
+
+### Redis Provider
+
+#### TLS.CAOptional
+
+Redis provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      redis:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.redis.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.redis.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the Redis provider static configuration.
+
+### InfluxDB v1
+
+InfluxDB v1.x maintenance [ended in 2021](https://www.influxdata.com/blog/influxdb-oss-and-enterprise-roadmap-update-from-influxdays-emea/).
+In v3, the InfluxDB v1 metrics provider has been removed.
+
+??? example "An example of Traefik v2 InfluxDB v1 metrics configuration"
+
+    ```yaml tab="File (YAML)"
+    metrics:
+      influxDB: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [metrics.influxDB]
+    ```
+
+    ```bash tab="CLI"
+    --metrics.influxDB=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+All InfluxDB v1 metrics provider related configuration should be removed from the static configuration.
+
+### Pilot
+
+Traefik Pilot is no longer available since October 4th, 2022.
+
+??? example "An example of v2 Pilot configuration"
+
+    ```yaml tab="File (YAML)"
+    pilot:
+      token: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [pilot]
+        token=foobar
+    ```
+
+    ```bash tab="CLI"
+    --pilot.token=foobar
+    ```
+
+In v2, Pilot configuration was deprecated and ineffective,
+it is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+All Pilot related configuration should be removed from the static configuration.
+
+## Dynamic configuration
+
+### Router Rule Matchers
+
+In v3, a new rule matchers syntax has been introduced for HTTP and TCP routers.
+The default rule matchers syntax is now the v3 one, but for backward compatibility this can be configured.
+The v2 rule matchers syntax is deprecated and its support will be removed in the next major version.
+For this reason, we encourage migrating to the new syntax.
+
+By default, the `defaultRuleSyntax` static option is automatically set to `v3`, meaning that the default rule is the new one.
+
+#### New V3 Syntax Notable Changes
+
+The `Headers` and `HeadersRegexp` matchers have been renamed to `Header` and `HeaderRegexp` respectively.
+
+`PathPrefix` no longer uses regular expressions to match path prefixes.
+
+`QueryRegexp` has been introduced to match query values using a regular expression.
+
+`HeaderRegexp`, `HostRegexp`, `PathRegexp`, `QueryRegexp`, and `HostSNIRegexp` matchers now uses the [Go regexp syntax](https://golang.org/pkg/regexp/syntax/).
+
+All matchers now take a single value (except `Header`, `HeaderRegexp`, `Query`, and `QueryRegexp` which take two)
+and should be explicitly combined using logical operators to mimic previous behavior.
+
+`Query` can take a single value to match is the query value that has no value (e.g. `/search?mobile`).
+
+`HostHeader` has been removed, use `Host` instead.
+
+#### Remediation
+
+##### Configure the Default Syntax In Static Configuration
+
+The default rule matchers syntax is the expected syntax for any router that is not self opt-out from this default value.
+It can be configured in the static configuration.
+
+??? example "An example configuration for the default rule matchers syntax"
+
+    ```yaml tab="File (YAML)"
+    # static configuration
+    core:
+      defaultRuleSyntax: v2
+    ```
+
+    ```toml tab="File (TOML)"
+    # static configuration
+    [core]
+        defaultRuleSyntax="v2"
+    ```
+
+    ```bash tab="CLI"
+    # static configuration
+    --core.defaultRuleSyntax=v2
+    ```
+
+##### Configure the Syntax Per Router
+
+The rule syntax can also be configured on a per-router basis.
+This allows to have heterogeneous router configurations and ease migration.
+
+??? example "An example router with syntax configuration"
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.routers.test.ruleSyntax=v2"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: test.route
+  namespace: default
+
+spec:
+  routes:
+    - match: PathPrefix(`/foo`, `/bar`)
+      syntax: v2
+      kind: Rule
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.routers.test.ruleSyntax=v2"
+```
+
+```yaml tab="File (YAML)"
+http:
+  routers:
+    test:
+      ruleSyntax: v2
+```
+
+```toml tab="File (TOML)"
+[http.routers]
+  [http.routers.test]
+    ruleSyntax = "v2"
+```
+
+### IPWhiteList
+
+In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration. 
+
+### Deprecated Options Removal
+
+- The `tracing.datadog.globaltag` option has been removed.
+- The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Consul Catalog, and Docker providers.
+- `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
+- The `forceSlash` option of the StripPrefix middleware has been removed.
+- The `preferServerCipherSuites` option has been removed.
+
+### TCP LoadBalancer `terminationDelay` option
+
+The TCP LoadBalancer `terminationDelay` option has been removed.
+This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)
+
+### Kubernetes CRDs API Group `traefik.containo.us`
+
+In v3, the Kubernetes CRDs API Group `traefik.containo.us` has been removed. 
+Please use the API Group `traefik.io` instead.
+
+### Kubernetes Ingress API Group `networking.k8s.io/v1beta1`
+
+In v3, the Kubernetes Ingress API Group `networking.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122)) support has been removed.
+
+Please use the API Group `networking.k8s.io/v1` instead.
+
+### Traefik CRD API Version `apiextensions.k8s.io/v1beta1`
+
+In v3, the Traefik CRD API Version `apiextensions.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#customresourcedefinition-v122)) support has been removed.
+
+Please use the CRD definition with the API Version `apiextensions.k8s.io/v1` instead.
+
+## Operations
+
+### Traefik RBAC Update
+
+In v3, the support of `TCPServersTransport` has been introduced.
+When using the KubernetesCRD provider, it is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) manifests.
+
+### Content-Type Auto-Detection
+
+In v3, the `Content-Type` header is not auto-detected anymore when it is not set by the backend.
+One should use the `ContentType` middleware to enable the `Content-Type` header value auto-detection.
+
+### Observability
+
+#### gRPC Metrics
+
+In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.  
+
+#### Tracing
+
+In v3, the tracing feature has been revamped and is now powered exclusively by [OpenTelemetry](https://opentelemetry.io/ "Link to website of OTel") (OTel).
+!!! warning "Important"
+
+    Traefik v3 **no** longer supports direct output formats for specific vendors such as Instana, Jaeger, Zipkin, Haystack, Datadog, and Elastic.
+Instead, it focuses on pure OpenTelemetry implementation, providing a unified and standardized approach for observability.
+
+Here are two possible transition strategies:
+
+1. OTLP Ingestion Endpoints:
+
+    Most vendors now offer OpenTelemetry Protocol (OTLP) ingestion endpoints.
+    You can seamlessly integrate Traefik v3 with these endpoints to continue leveraging tracing capabilities.
+
+2. Legacy Stack Compatibility:
+
+    For legacy stacks that cannot immediately upgrade to the latest vendor agents supporting OTLP ingestion,
+    using OpenTelemetry (OTel) collectors with appropriate exporters configuration is a viable solution.
+    This allows continued compatibility with the existing infrastructure.
+
+Please check the [OpenTelemetry Tracing provider documention](../observability/tracing/opentelemetry.md) for more information.
+
+#### Internal Resources Observability
+
+In v3, observability for internal routers or services (e.g.: `ping@internal`) is disabled by default.
+To enable it one should use the new `addInternals` option for AccessLogs, Metrics or Tracing.
+Please take a look at the observability documentation for more information:
+
+- [AccessLogs](../observability/access-logs.md#addinternals)
+- [Metrics](../observability/metrics/overview.md#addinternals)
+- [Tracing](../observability/tracing/overview.md#addinternals)

docs/content/migration/v2.md

@@ -77,6 +77,7 @@ rules:
       - tlsoptions
       - tlsstores
       - serverstransports
+      - serverstransporttcps
     verbs:
       - get
       - list
@@ -169,6 +170,7 @@ rules:
     verbs:
       - update
   - apiGroups:
+      - traefik.io
       - traefik.containo.us
     resources:
       - middlewares
@@ -180,6 +182,7 @@ rules:
       - tlsoptions
       - tlsstores
       - serverstransports
+      - serverstransporttcps
     verbs:
       - get
       - list

docs/content/observability/access-logs.md

@@ -26,6 +26,26 @@ accessLog: {}
 --accesslog=true
 ```
 
+### `addInternals`
+
+_Optional, Default="false"_
+
+Enables accessLogs for internal resources (e.g.: `ping@internal`).
+
+```yaml tab="File (YAML)"
+accesslog:
+  addInternals: true
+```
+
+```toml tab="File (TOML)"
+[accesslog]
+  addInternals = true
+```
+
+```bash tab="CLI"
+--accesslog.addinternals
+```
+
 ### `filePath`
 
 By default access logs are written to the standard output.
@@ -229,6 +249,7 @@ accessLog:
     | `RetryAttempts`         | The amount of attempts the request was retried.                                                                                                                     |
     | `TLSVersion`            | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS).                                                                                         |
     | `TLSCipher`             | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS)                                                           |
+    | `TLSClientSubject`      | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`)                                                               |
 
 ## Log Rotation
 
@@ -254,7 +275,7 @@ version: "3.7"
 
 services:
   traefik:
-    image: traefik:v2.11
+    image: traefik:v3.0
     environment:
       - TZ=US/Alaska
     command:

docs/content/observability/logs.md

@@ -66,7 +66,7 @@ log:
 
 By default, the `level` is set to `ERROR`.
 
-Alternative logging levels are `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, and `PANIC`.
+Alternative logging levels are `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, and `PANIC`.
 
 ```yaml tab="File (YAML)"
 log:
@@ -82,10 +82,101 @@ log:
 --log.level=DEBUG
 ```
 
+#### `noColor`
+
+When using the 'common' format, disables the colorized output.
+
+```yaml tab="File (YAML)"
+log:
+  noColor: true
+```
+
+```toml tab="File (TOML)"
+[log]
+  noColor = true
+```
+
+```bash tab="CLI"
+--log.nocolor=true
+```
+
 ## Log Rotation
 
-Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
+The rotation of the log files can be configured with the following options.
-This allows the logs to be rotated and processed by an external program, such as `logrotate`.
 
-!!! warning
+### `maxSize`
-    This does not work on Windows due to the lack of USR signals.
+
+`maxSize` is the maximum size in megabytes of the log file before it gets rotated.
+It defaults to 100 megabytes.
+
+```yaml tab="File (YAML)"
+log:
+  maxSize: 1
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxSize = 1
+```
+
+```bash tab="CLI"
+--log.maxsize=1
+```
+
+### `maxBackups`
+
+`maxBackups` is the maximum number of old log files to retain.
+The default is to retain all old log files (though `maxAge` may still cause them to get deleted).
+
+```yaml tab="File (YAML)"
+log:
+  maxBackups: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxBackups = 3
+```
+
+```bash tab="CLI"
+--log.maxbackups=3
+```
+
+### `maxAge`
+
+`maxAge` is the maximum number of days to retain old log files based on the timestamp encoded in their filename.
+Note that a day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc.
+The default is not to remove old log files based on age.
+
+```yaml tab="File (YAML)"
+log:
+  maxAge: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxAge = 3
+```
+
+```bash tab="CLI"
+--log.maxage=3
+```
+
+### `compress`
+
+`compress` determines if the rotated log files should be compressed using gzip.
+The default is not to perform compression.
+
+```yaml tab="File (YAML)"
+log:
+  compress: true
+```
+
+```toml tab="File (TOML)"
+[log]
+  compress = true
+```
+
+```bash tab="CLI"
+--log.compress=true
+```

docs/content/observability/metrics/datadog.md

@@ -27,6 +27,8 @@ _Required, Default="127.0.0.1:8125"_
 
 Address instructs exporter to send metrics to datadog-agent at this address.
 
+This address can be a Unix Domain Socket (UDS) address with the following form: `unix:///path/to/datadog.socket`.  
+
 ```yaml tab="File (YAML)"
 metrics:
   datadog:

docs/content/observability/metrics/influxdb.md

@@ -1,268 +0,0 @@
----
-title: "Traefik InfluxDB Documentation"
-description: "Traefik supports several metrics backends, including InfluxDB. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
----
-
-# InfluxDB
-
-To enable the InfluxDB:
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-```
-
-```bash tab="CLI"
---metrics.influxdb=true
-```
-
-#### `address`
-
-_Required, Default="localhost:8089"_
-
-Address instructs exporter to send metrics to influxdb at this address.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    address: localhost:8089
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    address = "localhost:8089"
-```
-
-```bash tab="CLI"
---metrics.influxdb.address=localhost:8089
-```
-
-#### `protocol`
-
-_Required, Default="udp"_
-
-InfluxDB's address protocol (udp or http).
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    protocol: udp
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    protocol = "udp"
-```
-
-```bash tab="CLI"
---metrics.influxdb.protocol=udp
-```
-
-#### `database`
-
-_Optional, Default=""_
-
-InfluxDB database used when protocol is http.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    database: db
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    database = "db"
-```
-
-```bash tab="CLI"
---metrics.influxdb.database=db
-```
-
-#### `retentionPolicy`
-
-_Optional, Default=""_
-
-InfluxDB retention policy used when protocol is http.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    retentionPolicy: two_hours
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    retentionPolicy = "two_hours"
-```
-
-```bash tab="CLI"
---metrics.influxdb.retentionPolicy=two_hours
-```
-
-#### `username`
-
-_Optional, Default=""_
-
-InfluxDB username (only with http).
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    username: john
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    username = "john"
-```
-
-```bash tab="CLI"
---metrics.influxdb.username=john
-```
-
-#### `password`
-
-_Optional, Default=""_
-
-InfluxDB password (only with http).
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    password: secret
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    password = "secret"
-```
-
-```bash tab="CLI"
---metrics.influxdb.password=secret
-```
-
-#### `addEntryPointsLabels`
-
-_Optional, Default=true_
-
-Enable metrics on entry points.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    addEntryPointsLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    addEntryPointsLabels = true
-```
-
-```bash tab="CLI"
---metrics.influxdb.addEntryPointsLabels=true
-```
-
-#### `addRoutersLabels`
-
-_Optional, Default=false_
-
-Enable metrics on routers.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    addRoutersLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    addRoutersLabels = true
-```
-
-```bash tab="CLI"
---metrics.influxdb.addrouterslabels=true
-```
-
-#### `addServicesLabels`
-
-_Optional, Default=true_
-
-Enable metrics on services.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    addServicesLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    addServicesLabels = true
-```
-
-```bash tab="CLI"
---metrics.influxdb.addServicesLabels=true
-```
-
-#### `pushInterval`
-
-_Optional, Default=10s_
-
-The interval used by the exporter to push metrics to influxdb.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    pushInterval: 10s
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    pushInterval = "10s"
-```
-
-```bash tab="CLI"
---metrics.influxdb.pushInterval=10s
-```
-
-#### `additionalLabels`
-
-_Optional, Default={}_
-
-Additional labels (influxdb tags) on all metrics.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    additionalLabels:
-      host: example.com
-      environment: production
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    [metrics.influxDB.additionalLabels]
-      host = "example.com"
-      environment = "production"
-```
-
-```bash tab="CLI"
---metrics.influxdb.additionallabels.host=example.com --metrics.influxdb.additionallabels.environment=production
-```

docs/content/observability/metrics/opentelemetry.md

@@ -0,0 +1,519 @@
+---
+title: "Traefik OpenTelemetry Documentation"
+description: "Traefik supports several metrics backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
+---
+
+# OpenTelemetry
+
+To enable the OpenTelemetry metrics:
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp]
+```
+
+```bash tab="CLI"
+--metrics.otlp=true
+```
+
+!!! info "Default protocol"
+
+    The OpenTelemetry exporter will export metrics to the collector using HTTP by default to https://localhost:4318/v1/metrics, see the [gRPC Section](#grpc-configuration) to use gRPC.
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    addEntryPointsLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp]
+    addEntryPointsLabels = true
+```
+
+```bash tab="CLI"
+--metrics.otlp.addEntryPointsLabels=true
+```
+
+#### `addRoutersLabels`
+
+_Optional, Default=false_
+
+Enable metrics on routers.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    addRoutersLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp]
+    addRoutersLabels = true
+```
+
+```bash tab="CLI"
+--metrics.otlp.addRoutersLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    addServicesLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp]
+    addServicesLabels = true
+```
+
+```bash tab="CLI"
+--metrics.otlp.addServicesLabels=true
+```
+
+#### `explicitBoundaries`
+
+_Optional, Default=".005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10"_
+
+Explicit boundaries for Histogram data points.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    explicitBoundaries:
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp]
+    explicitBoundaries = [0.1,0.3,1.2,5.0]
+```
+
+```bash tab="CLI"
+--metrics.otlp.explicitBoundaries=0.1,0.3,1.2,5.0
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+Interval at which metrics are sent to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    pushInterval: 10s
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp]
+    pushInterval = "10s"
+```
+
+```bash tab="CLI"
+--metrics.otlp.pushInterval=10s
+```
+
+### HTTP configuration
+
+_Optional_
+
+This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    http: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.http]
+```
+
+```bash tab="CLI"
+--metrics.otlp.http=true
+```
+
+#### `endpoint`
+
+_Required, Default="http://localhost:4318/v1/metrics", Format="`<scheme>://<host>:<port><path>`"_
+
+URL of the OpenTelemetry Collector to send metrics to.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    http:
+      endpoint: http://localhost:4318/v1/metrics
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.http]
+    endpoint = "http://localhost:4318/v1/metrics"
+```
+
+```bash tab="CLI"
+--metrics.otlp.http.endpoint=http://localhost:4318/v1/metrics
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with metrics by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    http:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.http.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--metrics.otlp.http.headers.foo=bar --metrics.otlp.http.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send metrics to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    http:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.http.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--metrics.otlp.http.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.otlp.http.tls.cert=path/to/foo.cert
+--metrics.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.otlp.http.tls.cert=path/to/foo.cert
+--metrics.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    http:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.http.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--metrics.otlp.http.tls.insecureSkipVerify=true
+```
+
+### gRPC configuration
+
+_Optional_
+
+This instructs the exporter to send metrics to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.grpc]
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc=true
+```
+
+#### `endpoint`
+
+_Required, Default="localhost:4317", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send metrics to.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      endpoint: localhost:4317
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.grpc]
+    endpoint = "localhost:4317"
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.endpoint=localhost:4317
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows exporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      insecure: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.grpc]
+    insecure = true
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.insecure=true
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with metrics by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.grpc.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.headers.foo=bar --metrics.otlp.grpc.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send metrics to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.grpc.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.tls.cert=path/to/foo.cert
+--metrics.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.tls.cert=path/to/foo.cert
+--metrics.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    grpc:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[metrics.otlp.grpc.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--metrics.otlp.grpc.tls.insecureSkipVerify=true
+```

docs/content/observability/metrics/overview.md

@@ -1,41 +1,76 @@
 ---
 title: "Traefik Metrics Overview"
-description: "Traefik Proxy supports these metrics backend systems: Datadog, InfluxDB, Prometheus, and StatsD. Read the full documentation to get started."
+description: "Traefik Proxy supports these metrics backend systems: Datadog, InfluxDB 2.X, Prometheus, and StatsD. Read the full documentation to get started."
 ---
 
 # Metrics
 
-Traefik supports these metrics backends:
+Traefik provides metrics in the [OpenTelemetry](./opentelemetry.md) format as well as the following vendor specific backends:
 
 - [Datadog](./datadog.md)
-- [InfluxDB](./influxdb.md)
 - [InfluxDB2](./influxdb2.md)
 - [Prometheus](./prometheus.md)
 - [StatsD](./statsd.md)
 
+Traefik Proxy hosts an official Grafana dashboard for both [on-premises](https://grafana.com/grafana/dashboards/17346)
+and [Kubernetes](https://grafana.com/grafana/dashboards/17347) deployments.
+
+## Common Options
+
+### `addInternals`
+
+_Optional, Default="false"_
+
+Enables metrics for internal resources (e.g.: `ping@internals`).
+
+```yaml tab="File (YAML)"
+metrics:
+  addInternals: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+addInternals = true
+```
+
+```bash tab="CLI"
+--metrics.addinternals
+```
+
 ## Global Metrics
 
-| Metric                                      | Type    | Description                                             |
+| Metric                     | Type  | [Labels](#labels)        | Description                                                        |
-|---------------------------------------------|---------|---------------------------------------------------------|
+|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
-| Config reload total                         | Count   | The total count of configuration reloads.               |
+| Config reload total        | Count |                          | The total count of configuration reloads.                          |
-| Config reload last success                  | Gauge   | The timestamp of the last configuration reload success. |
+| Config reload last success | Gauge |                          | The timestamp of the last configuration reload success.            |
-| TLS certificates not after                  | Gauge   | The expiration date of certificates.                    |
+| Open connections           | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
+| TLS certificates not after | Gauge |                          | The expiration date of certificates.                               |
+
+```opentelemetry tab="OpenTelemetry"
+traefik_config_reloads_total
+traefik_config_last_reload_success
+traefik_open_connections
+traefik_tls_certs_not_after
+```
 
 ```prom tab="Prometheus"
 traefik_config_reloads_total
 traefik_config_last_reload_success
+traefik_open_connections
 traefik_tls_certs_not_after
 ```
 
 ```dd tab="Datadog"
 config.reload.total
 config.reload.lastSuccessTimestamp
+open.connections
 tls.certs.notAfterTimestamp
 ```
 
-```influxdb tab="InfluxDB / InfluxDB2"
+```influxdb tab="InfluxDB2"
 traefik.config.reload.total
 traefik.config.reload.lastSuccessTimestamp
+traefik.open.connections
 traefik.tls.certs.notAfterTimestamp
 ```
 
@@ -43,25 +78,91 @@ traefik.tls.certs.notAfterTimestamp
 # Default prefix: "traefik"
 {prefix}.config.reload.total
 {prefix}.config.reload.lastSuccessTimestamp
+{prefix}.open.connections
 {prefix}.tls.certs.notAfterTimestamp
 ```
 
-## EntryPoint Metrics
+### Labels
+
+Here is a comprehensive list of labels that are provided by the global metrics:
+
+| Label        | Description                            | example              |
+|--------------|----------------------------------------|----------------------|
+| `entrypoint` | Entrypoint that handled the connection | "example_entrypoint" |
+| `protocol`   | Connection protocol                    | "TCP"                |
+
+## OpenTelemetry Semantic Conventions
+
+Traefik Proxy follows [official OpenTelemetry semantic conventions v1.23.1](https://github.com/open-telemetry/semantic-conventions/blob/v1.23.1/docs/http/http-metrics.md).
+
+### HTTP Server
+
+| Metric                        | Type      | [Labels](#labels)                                                                                                                        | Description                       |
+|-------------------------------|-----------|------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------|
+| http.server.request.duration	 | Histogram | `error.type`, `http.request.method`, `http.response.status_code`, `network.protocol.name`, `server.address`, `server.port`, `url.scheme` | Duration of HTTP server requests  |
+
+#### Labels
+
+Here is a comprehensive list of labels that are provided by the metrics:
+
+| Label                       | Description                                                  | example       |
+|-----------------------------|--------------------------------------------------------------|---------------|
+| `error.type`                | Describes a class of error the operation ended with          | "500"         |
+| `http.request.method`       | HTTP request method                                          | "GET"         |
+| `http.response.status_code` | HTTP response status code                                    | "200"         |
+| `network.protocol.name`     | OSI application layer or non-OSI equivalent                  | "http/1.1"    |
+| `network.protocol.version`  | Version of the protocol specified in `network.protocol.name` | "1.1"         |
+| `server.address`            | Name of the local HTTP server that received the request      | "example.com" |
+| `server.port`               | Port of the local HTTP server that received the request      | "80"          |
+| `url.scheme`                | The URI scheme component identifying the used protocol       | "http"        |
+
+### HTTP Client
+
+| Metric                        | Type      | [Labels](#labels)                                                                                                                        | Description                       |
+|-------------------------------|-----------|------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------|
+| http.client.request.duration	 | Histogram | `error.type`, `http.request.method`, `http.response.status_code`, `network.protocol.name`, `server.address`, `server.port`, `url.scheme` | Duration of HTTP client requests  |
+
+#### Labels
+
+Here is a comprehensive list of labels that are provided by the metrics:
+
+| Label                       | Description                                                  | example       |
+|-----------------------------|--------------------------------------------------------------|---------------|
+| `error.type`                | Describes a class of error the operation ended with          | "500"         |
+| `http.request.method`       | HTTP request method                                          | "GET"         |
+| `http.response.status_code` | HTTP response status code                                   | "200"         |
+| `network.protocol.name`     | OSI application layer or non-OSI equivalent                  | "http/1.1"    |
+| `network.protocol.version`  | Version of the protocol specified in `network.protocol.name` | "1.1"         |
+| `server.address`            | Name of the local HTTP server that received the request      | "example.com" |
+| `server.port`               | Port of the local HTTP server that received the request      | "80"          |
+| `url.scheme`                | The URI scheme component identifying the used protocol       | "http"        |
+
+## HTTP Metrics
+
+On top of the official OpenTelemetry semantic conventions, Traefik provides its own metrics to monitor the incoming traffic.
+
+### EntryPoint Metrics
 
 | Metric                | Type      | [Labels](#labels)                          | Description                                                         |
 |-----------------------|-----------|--------------------------------------------|---------------------------------------------------------------------|
 | Requests total        | Count     | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint.         |
 | Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `entrypoint`  | The total count of HTTPS requests received by an entrypoint.        |
 | Request duration      | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint.             |
-| Open connections      | Count     | `method`, `protocol`, `entrypoint`         | The current count of open connections on an entrypoint.             |
 | Requests bytes total  | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint.  |
 | Responses bytes total | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
 
+```opentelemetry tab="OpenTelemetry"
+traefik_entrypoint_requests_total
+traefik_entrypoint_requests_tls_total
+traefik_entrypoint_request_duration_seconds
+traefik_entrypoint_requests_bytes_total
+traefik_entrypoint_responses_bytes_total
+```
+
 ```prom tab="Prometheus"
 traefik_entrypoint_requests_total
 traefik_entrypoint_requests_tls_total
 traefik_entrypoint_request_duration_seconds
-traefik_entrypoint_open_connections
 traefik_entrypoint_requests_bytes_total
 traefik_entrypoint_responses_bytes_total
 ```
@@ -70,16 +171,14 @@ traefik_entrypoint_responses_bytes_total
 entrypoint.request.total
 entrypoint.request.tls.total
 entrypoint.request.duration
-entrypoint.connections.open
 entrypoint.requests.bytes.total
 entrypoint.responses.bytes.total
 ```
 
-```influxdb tab="InfluxDB / InfluxDB2"
+```influxdb tab="InfluxDB2"
 traefik.entrypoint.requests.total
 traefik.entrypoint.requests.tls.total
 traefik.entrypoint.request.duration
-traefik.entrypoint.connections.open
 traefik.entrypoint.requests.bytes.total
 traefik.entrypoint.responses.bytes.total
 ```
@@ -89,27 +188,32 @@ traefik.entrypoint.responses.bytes.total
 {prefix}.entrypoint.request.total
 {prefix}.entrypoint.request.tls.total
 {prefix}.entrypoint.request.duration
-{prefix}.entrypoint.connections.open
 {prefix}.entrypoint.requests.bytes.total
 {prefix}.entrypoint.responses.bytes.total
 ```
 
-## Router Metrics
+### Router Metrics
 
 | Metric                | Type      | [Labels](#labels)                                 | Description                                                    |
 |-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
 | Requests total        | Count     | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router.          |
 | Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `router`, `service`  | The total count of HTTPS requests handled by a router.         |
 | Request duration      | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router.             |
-| Open connections      | Count     | `method`, `protocol`, `router`, `service`         | The current count of open connections on a router.             |
 | Requests bytes total  | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router.  |
 | Responses bytes total | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
 
+```opentelemetry tab="OpenTelemetry"
+traefik_router_requests_total
+traefik_router_requests_tls_total
+traefik_router_request_duration_seconds
+traefik_router_requests_bytes_total
+traefik_router_responses_bytes_total
+```
+
 ```prom tab="Prometheus"
 traefik_router_requests_total
 traefik_router_requests_tls_total
 traefik_router_request_duration_seconds
-traefik_router_open_connections
 traefik_router_requests_bytes_total
 traefik_router_responses_bytes_total
 ```
@@ -118,16 +222,14 @@ traefik_router_responses_bytes_total
 router.request.total
 router.request.tls.total
 router.request.duration
-router.connections.open
 router.requests.bytes.total
 router.responses.bytes.total
 ```
 
-```influxdb tab="InfluxDB / InfluxDB2"
+```influxdb tab="InfluxDB2"
 traefik.router.requests.total
 traefik.router.requests.tls.total
 traefik.router.request.duration
-traefik.router.connections.open
 traefik.router.requests.bytes.total
 traefik.router.responses.bytes.total
 ```
@@ -137,29 +239,36 @@ traefik.router.responses.bytes.total
 {prefix}.router.request.total
 {prefix}.router.request.tls.total
 {prefix}.router.request.duration
-{prefix}.router.connections.open
 {prefix}.router.requests.bytes.total
 {prefix}.router.responses.bytes.total
 ```
 
-## Service Metrics
+### Service Metrics
 
 | Metric                | Type      | Labels                                  | Description                                                 |
 |-----------------------|-----------|-----------------------------------------|-------------------------------------------------------------|
 | Requests total        | Count     | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service.    |
 | Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `service`  | The total count of HTTPS requests processed on a service.   |
 | Request duration      | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service.         |
-| Open connections      | Count     | `method`, `protocol`, `service`         | The current count of open connections on a service.         |
 | Retries total         | Count     | `service`                               | The count of requests retries on a service.                 |
 | Server UP             | Gauge     | `service`, `url`                        | Current service's server status, 0 for a down or 1 for up.  |
 | Requests bytes total  | Count     | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service.  |
 | Responses bytes total | Count     | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
 
+```opentelemetry tab="OpenTelemetry"
+traefik_service_requests_total
+traefik_service_requests_tls_total
+traefik_service_request_duration_seconds
+traefik_service_retries_total
+traefik_service_server_up
+traefik_service_requests_bytes_total
+traefik_service_responses_bytes_total
+```
+
 ```prom tab="Prometheus"
 traefik_service_requests_total
 traefik_service_requests_tls_total
 traefik_service_request_duration_seconds
-traefik_service_open_connections
 traefik_service_retries_total
 traefik_service_server_up
 traefik_service_requests_bytes_total
@@ -170,18 +279,16 @@ traefik_service_responses_bytes_total
 service.request.total
 router.service.tls.total
 service.request.duration
-service.connections.open
 service.retries.total
 service.server.up
 service.requests.bytes.total
 service.responses.bytes.total
 ```
 
-```influxdb tab="InfluxDB / InfluxDB2"
+```influxdb tab="InfluxDB2"
 traefik.service.requests.total
 traefik.service.requests.tls.total
 traefik.service.request.duration
-traefik.service.connections.open
 traefik.service.retries.total
 traefik.service.server.up
 traefik.service.requests.bytes.total
@@ -193,14 +300,13 @@ traefik.service.responses.bytes.total
 {prefix}.service.request.total
 {prefix}.service.request.tls.total
 {prefix}.service.request.duration
-{prefix}.service.connections.open
 {prefix}.service.retries.total
 {prefix}.service.server.up
 {prefix}.service.requests.bytes.total
 {prefix}.service.responses.bytes.total
 ```
 
-## Labels
+### Labels
 
 Here is a comprehensive list of labels that are provided by the metrics:
 

docs/content/observability/overview.md

@@ -0,0 +1,42 @@
+---
+title: "Traefik Observability Overview"
+description: "Traefik provides Logs, Access Logs, Metrics and Tracing. Read the full documentation to get started."
+---
+
+# Overview
+
+Traefik's Observability system
+{: .subtitle }
+
+## Logs
+
+Traefik logs informs about everything that happens within Traefik (startup, configuration, events, shutdown, and so on).
+
+Read the [Logs documentation](./logs.md) to learn how to configure it.
+
+## Access Logs
+
+Access logs are a key part of observability in Traefik.
+
+They are providing valuable insights about incoming traffic, and allow to monitor it.
+The access logs record detailed information about each request received by Traefik,
+including the source IP address, requested URL, response status code, and more.
+
+Read the [Access Logs documentation](./access-logs.md) to learn how to configure it.
+
+## Metrics
+
+Traefik offers a metrics feature that provides valuable insights about the performance and usage.
+These metrics include the number of requests received, the requests duration, and more.
+
+On top of supporting metrics in the OpenTelemetry format, Traefik supports the following vendor specific metrics systems: Prometheus, Datadog, InfluxDB 2.X, and StatsD.
+
+Read the [Metrics documentation](./metrics/overview.md) to learn how to configure it.
+
+## Tracing
+
+The Traefik tracing system allows developers to gain deep visibility into the flow of requests through their infrastructure.
+
+Traefik provides tracing information in the OpenTelemery format.
+
+Read the [Tracing documentation](./tracing/overview.md) to learn how to configure it.

docs/content/observability/tracing/datadog.md

@@ -1,163 +0,0 @@
----
-title: "Traefik Datadog Tracing Documentation"
-description: "Traefik Proxy supports Datadog for tracing. Read the technical documentation to enable Datadog for observability."
----
-
-# Datadog
-
-To enable the Datadog tracer:
-
-```yaml tab="File (YAML)"
-tracing:
-  datadog: {}
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-```
-
-```bash tab="CLI"
---tracing.datadog=true
-```
-
-#### `localAgentHostPort`
-
-_Optional, Default="localhost:8126"_
-
-Local Agent Host Port instructs the reporter to send spans to the Datadog Agent at this address (host:port).
-
-```yaml tab="File (YAML)"
-tracing:
-  datadog:
-    localAgentHostPort: localhost:8126
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-    localAgentHostPort = "localhost:8126"
-```
-
-```bash tab="CLI"
---tracing.datadog.localAgentHostPort=localhost:8126
-```
-
-#### `localAgentSocket`
-
-_Optional, Default=""_
-
-Local Agent Socket instructs the reporter to send spans to the Datadog Agent at this UNIX socket.
-
-```yaml tab="File (YAML)"
-tracing:
-  datadog:
-    localAgentSocket: /var/run/datadog/apm.socket
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-    localAgentSocket = "/var/run/datadog/apm.socket"
-```
-
-```bash tab="CLI"
---tracing.datadog.localAgentSocket=/var/run/datadog/apm.socket
-```
-
-#### `debug`
-
-_Optional, Default=false_
-
-Enables Datadog debug.
-
-```yaml tab="File (YAML)"
-tracing:
-  datadog:
-    debug: true
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-    debug = true
-```
-
-```bash tab="CLI"
---tracing.datadog.debug=true
-```
-
-#### `globalTag`
-
-??? warning "Deprecated in favor of the [`globalTags`](#globaltags) option."
-
-    _Optional, Default=empty_
-    
-    Applies a shared key:value tag on all spans.
-    
-    ```yaml tab="File (YAML)"
-    tracing:
-      datadog:
-        globalTag: sample
-    ```
-    
-    ```toml tab="File (TOML)"
-    [tracing]
-      [tracing.datadog]
-        globalTag = "sample"
-    ```
-    
-    ```bash tab="CLI"
-    --tracing.datadog.globalTag=sample
-    ```
-
-#### `globalTags`
-
-_Optional, Default=empty_
-
-Applies a list of shared key:value tags on all spans.
-
-```yaml tab="File (YAML)"
-tracing:
-  datadog:
-    globalTags:
-      tag1: foo
-      tag2: bar
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-    [tracing.datadog.globalTags]
-      tag1 = "foo"
-      tag2 = "bar"
-```
-
-```bash tab="CLI"
---tracing.datadog.globalTags.tag1=foo
---tracing.datadog.globalTags.tag2=bar
-```
-
-#### `prioritySampling`
-
-_Optional, Default=false_
-
-Enables priority sampling.
-When using distributed tracing, 
-this option must be enabled in order to get all the parts of a distributed trace sampled.
-
-```yaml tab="File (YAML)"
-tracing:
-  datadog:
-    prioritySampling: true
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-    prioritySampling = true
-```
-
-```bash tab="CLI"
---tracing.datadog.prioritySampling=true
-```

docs/content/observability/tracing/elastic.md

@@ -1,93 +0,0 @@
----
-title: "Traefik Elastic Documentation"
-description: "Traefik supports several tracing backends, including Elastic. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
----
-
-# Elastic
-
-To enable the Elastic tracer:
-
-```yaml tab="File (YAML)"
-tracing:
-  elastic: {}
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.elastic]
-```
-
-```bash tab="CLI"
---tracing.elastic=true
-```
-
-#### `serverURL`
-
-_Optional, Default="http://localhost:8200"_
-
-URL of the Elastic APM server.
-
-```yaml tab="File (YAML)"
-tracing:
-  elastic:
-    serverURL: "http://apm:8200"
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.elastic]
-    serverURL = "http://apm:8200"
-```
-
-```bash tab="CLI"
---tracing.elastic.serverurl="http://apm:8200"
-```
-
-#### `secretToken`
-
-_Optional, Default=""_
-
-Token used to connect to Elastic APM Server.
-
-```yaml tab="File (YAML)"
-tracing:
-  elastic:
-    secretToken: "mytoken"
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.elastic]
-    secretToken = "mytoken"
-```
-
-```bash tab="CLI"
---tracing.elastic.secrettoken="mytoken"
-```
-
-#### `serviceEnvironment`
-
-_Optional, Default=""_
-
-Environment's name where Traefik is deployed in, e.g. `production` or `staging`.
-
-```yaml tab="File (YAML)"
-tracing:
-  elastic:
-    serviceEnvironment: "production"
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.elastic]
-    serviceEnvironment = "production"
-```
-
-```bash tab="CLI"
---tracing.elastic.serviceenvironment="production"
-```
-
-### Further
-
-Additional configuration of Elastic APM Go agent can be done using environment variables.
-See [APM Go agent reference](https://www.elastic.co/guide/en/apm/agent/go/current/configuration.html).

docs/content/observability/tracing/haystack.md

@@ -1,176 +0,0 @@
----
-title: "Traefik Haystack Documentation"
-description: "Traefik supports several tracing backends, including Haystack. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
----
-
-# Haystack
-
-To enable the Haystack tracer:
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack: {}
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-```
-
-```bash tab="CLI"
---tracing.haystack=true
-```
-
-#### `localAgentHost`
-
-_Required, Default="127.0.0.1"_
-
-Local Agent Host instructs reporter to send spans to the Haystack Agent at this address.
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack:
-    localAgentHost: 127.0.0.1
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    localAgentHost = "127.0.0.1"
-```
-
-```bash tab="CLI"
---tracing.haystack.localAgentHost=127.0.0.1
-```
-
-#### `localAgentPort`
-
-_Required, Default=35000_
-
-Local Agent Port instructs reporter to send spans to the Haystack Agent at this port.
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack:
-    localAgentPort: 35000
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    localAgentPort = 35000
-```
-
-```bash tab="CLI"
---tracing.haystack.localAgentPort=35000
-```
-
-#### `globalTag`
-
-_Optional, Default=empty_
-
-Applies shared key:value tag on all spans.
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack:
-    globalTag: sample:test
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    globalTag = "sample:test"
-```
-
-```bash tab="CLI"
---tracing.haystack.globalTag=sample:test
-```
-
-#### `traceIDHeaderName`
-
-_Optional, Default=empty_
-
-Sets the header name used to store the trace ID.
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack:
-    traceIDHeaderName: Trace-ID
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    traceIDHeaderName = "Trace-ID"
-```
-
-```bash tab="CLI"
---tracing.haystack.traceIDHeaderName=Trace-ID
-```
-
-#### `parentIDHeaderName`
-
-_Optional, Default=empty_
-
-Sets the header name used to store the parent ID.
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack:
-    parentIDHeaderName: Parent-Message-ID
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    parentIDHeaderName = "Parent-Message-ID"
-```
-
-```bash tab="CLI"
---tracing.haystack.parentIDHeaderName=Parent-Message-ID
-```
-
-#### `spanIDHeaderName`
-
-_Optional, Default=empty_
-
-Sets the header name used to store the span ID.
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack:
-    spanIDHeaderName: Message-ID
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    spanIDHeaderName = "Message-ID"
-```
-
-```bash tab="CLI"
---tracing.haystack.spanIDHeaderName=Message-ID
-```
-
-#### `baggagePrefixHeaderName`
-
-_Optional, Default=empty_
-
-Sets the header name prefix used to store baggage items in a map.
-
-```yaml tab="File (YAML)"
-tracing:
-  haystack:
-    baggagePrefixHeaderName: "sample"
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.haystack]
-    baggagePrefixHeaderName = "sample"
-```
-
-```bash tab="CLI"
---tracing.haystack.baggagePrefixHeaderName=sample
-```

docs/content/observability/tracing/instana.md

@@ -1,117 +0,0 @@
----
-title: "Traefik Instana Documentation"
-description: "Traefik supports several tracing backends, including Instana. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
----
-
-# Instana
-
-To enable the Instana tracer:
-
-```yaml tab="File (YAML)"
-tracing:
-  instana: {}
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.instana]
-```
-
-```bash tab="CLI"
---tracing.instana=true
-```
-
-#### `localAgentHost`
-
-_Required, Default="127.0.0.1"_
-
-Local Agent Host instructs reporter to send spans to the Instana Agent at this address.
-
-```yaml tab="File (YAML)"
-tracing:
-  instana:
-    localAgentHost: 127.0.0.1
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.instana]
-    localAgentHost = "127.0.0.1"
-```
-
-```bash tab="CLI"
---tracing.instana.localAgentHost=127.0.0.1
-```
-
-#### `localAgentPort`
-
-_Required, Default=42699_
-
-Local Agent port instructs reporter to send spans to the Instana Agent listening on this port.
-
-```yaml tab="File (YAML)"
-tracing:
-  instana:
-    localAgentPort: 42699
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.instana]
-    localAgentPort = 42699
-```
-
-```bash tab="CLI"
---tracing.instana.localAgentPort=42699
-```
-
-#### `logLevel`
-
-_Required, Default="info"_
-
-Sets Instana tracer log level.
-
-Valid values are:
-
-- `error`
-- `warn`
-- `debug`
-- `info`
-
-```yaml tab="File (YAML)"
-tracing:
-  instana:
-    logLevel: info
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.instana]
-    logLevel = "info"
-```
-
-```bash tab="CLI"
---tracing.instana.logLevel=info
-```
-
-#### `enableAutoProfile`
-
-_Required, Default=false_
-
-Enables [automatic profiling](https://www.ibm.com/docs/en/obi/current?topic=instana-profile-processes) for the Traefik process.
-
-```yaml tab="File (YAML)"
-tracing:
-  instana:
-    enableAutoProfile: true
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.instana]
-    enableAutoProfile = true
-```
-
-```bash tab="CLI"
---tracing.instana.enableAutoProfile=true
-```

docs/content/observability/tracing/jaeger.md

@@ -1,294 +0,0 @@
----
-title: "Traefik Jaeger Documentation"
-description: "Traefik supports several tracing backends, including Jaeger. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
----
-
-# Jaeger
-
-To enable the Jaeger tracer:
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger: {}
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-```
-
-```bash tab="CLI"
---tracing.jaeger=true
-```
-
-!!! warning
-    Traefik is able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent)
-    or a [Jaeger collector](https://www.jaegertracing.io/docs/deployment/#collector).
-
-!!! info
-    All Jaeger configuration can be overridden by [environment variables](https://github.com/jaegertracing/jaeger-client-go#environment-variables)
-
-#### `samplingServerURL`
-
-_Required, Default="http://localhost:5778/sampling"_
-
-Address of the Jaeger Agent HTTP sampling server.
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger:
-    samplingServerURL: http://localhost:5778/sampling
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    samplingServerURL = "http://localhost:5778/sampling"
-```
-
-```bash tab="CLI"
---tracing.jaeger.samplingServerURL=http://localhost:5778/sampling
-```
-
-#### `samplingType`
-
-_Required, Default="const"_
-
-Type of the sampler.
-
-Valid values are:
-
-- `const`
-- `probabilistic`
-- `rateLimiting`
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger:
-    samplingType: const
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    samplingType = "const"
-```
-
-```bash tab="CLI"
---tracing.jaeger.samplingType=const
-```
-
-#### `samplingParam`
-
-_Required, Default=1.0_
-
-Value passed to the sampler.
-
-Valid values are:
-
-- for `const` sampler, 0 or 1 for always false/true respectively
-- for `probabilistic` sampler, a probability between 0 and 1
-- for `rateLimiting` sampler, the number of spans per second
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger:
-    samplingParam: 1.0
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    samplingParam = 1.0
-```
-
-```bash tab="CLI"
---tracing.jaeger.samplingParam=1.0
-```
-
-#### `localAgentHostPort`
-
-_Required, Default="127.0.0.1:6831"_
-
-Local Agent Host Port instructs the reporter to send spans to the Jaeger Agent at this address (host:port).
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger:
-    localAgentHostPort: 127.0.0.1:6831
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    localAgentHostPort = "127.0.0.1:6831"
-```
-
-```bash tab="CLI"
---tracing.jaeger.localAgentHostPort=127.0.0.1:6831
-```
-
-#### `gen128Bit`
-
-_Optional, Default=false_
-
-Generates 128 bits trace IDs, compatible with OpenCensus.
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger:
-    gen128Bit: true
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    gen128Bit = true
-```
-
-```bash tab="CLI"
---tracing.jaeger.gen128Bit
-```
-
-#### `propagation`
-
-_Required, Default="jaeger"_
-
-Sets the propagation header type.
-
-Valid values are:
-
-- `jaeger`, jaeger's default trace header.
-- `b3`, compatible with OpenZipkin
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger:
-    propagation: jaeger
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    propagation = "jaeger"
-```
-
-```bash tab="CLI"
---tracing.jaeger.propagation=jaeger
-```
-
-#### `traceContextHeaderName`
-
-_Required, Default="uber-trace-id"_
-
-HTTP header name used to propagate tracing context.
-This must be in lower-case to avoid mismatches when decoding incoming headers.
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger:
-    traceContextHeaderName: uber-trace-id
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    traceContextHeaderName = "uber-trace-id"
-```
-
-```bash tab="CLI"
---tracing.jaeger.traceContextHeaderName=uber-trace-id
-```
-
-### disableAttemptReconnecting
-
-_Optional, Default=true_
-
-Disables the UDP connection helper that periodically re-resolves the agent's hostname and reconnects if there was a change.
-Enabling the re-resolving of UDP address make the client more robust in Kubernetes deployments.
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger:
-    disableAttemptReconnecting: false
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger]
-    disableAttemptReconnecting = false
-```
-
-```bash tab="CLI"
---tracing.jaeger.disableAttemptReconnecting=false
-```
-
-### `collector`
-#### `endpoint`
-
-_Optional, Default=""_
-
-Collector Endpoint instructs the reporter to send spans to the Jaeger Collector at this URL.
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger:
-    collector:
-        endpoint: http://127.0.0.1:14268/api/traces?format=jaeger.thrift
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger.collector]
-    endpoint = "http://127.0.0.1:14268/api/traces?format=jaeger.thrift"
-```
-
-```bash tab="CLI"
---tracing.jaeger.collector.endpoint=http://127.0.0.1:14268/api/traces?format=jaeger.thrift
-```
-
-#### `user`
-
-_Optional, Default=""_
-
-User instructs the reporter to include a user for basic HTTP authentication when sending spans to the Jaeger Collector.
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger:
-    collector:
-        user: my-user
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger.collector]
-    user = "my-user"
-```
-
-```bash tab="CLI"
---tracing.jaeger.collector.user=my-user
-```
-
-#### `password`
-
-_Optional, Default=""_
-
-Password instructs the reporter to include a password for basic HTTP authentication when sending spans to the Jaeger Collector.
-
-```yaml tab="File (YAML)"
-tracing:
-  jaeger:
-    collector:
-        password: my-password
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.jaeger.collector]
-    password = "my-password"
-```
-
-```bash tab="CLI"
---tracing.jaeger.collector.password=my-password
-```

docs/content/observability/tracing/opentelemetry.md

@@ -0,0 +1,426 @@
+---
+title: "Traefik OpenTelemetry Documentation"
+description: "Traefik supports several tracing backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
+---
+
+# OpenTelemetry
+
+To enable the OpenTelemetry tracer:
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp: {}
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.otlp]
+```
+
+```bash tab="CLI"
+--tracing.otlp=true
+```
+
+!!! info "Default protocol"
+
+    The OpenTelemetry trace exporter will export traces to the collector using HTTP by default to https://localhost:4318/v1/traces, see the [gRPC Section](#grpc-configuration) to use gRPC.
+
+!!! info "Trace sampling"
+
+	By default, the OpenTelemetry trace exporter will sample 100% of traces.  
+	See [OpenTelemetry's SDK configuration](https://opentelemetry.io/docs/reference/specification/sdk-environment-variables/#general-sdk-configuration) to customize the sampling strategy.
+
+!!! info "Propagation"
+    
+    Traefik supports the `OTEL_PROPAGATORS` env variable to set up the propragators. The supported propagators are:
+
+    - tracecontext (default)
+    - baggage (default)
+    - b3
+    - b3multi
+    - jaeger
+    - xray
+    - ottrace
+
+    Example of configuration:
+
+        OTEL_PROPAGATORS=b3,jaeger
+
+
+### HTTP configuration
+
+_Optional_
+
+This instructs the exporter to send spans to the OpenTelemetry Collector using HTTP.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    http: {}
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.otlp.http]
+```
+
+```bash tab="CLI"
+--tracing.otlp.http=true
+```
+
+#### `endpoint`
+
+_Required, Default="http://localhost:4318/v1/traces", Format="`<scheme>://<host>:<port><path>`"_
+
+URL of the OpenTelemetry Collector to send spans to.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    http:
+      endpoint: http://localhost:4318/v1/traces
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.otlp.http]
+    endpoint = "http://localhost:4318/v1/traces"
+```
+
+```bash tab="CLI"
+--tracing.otlp.http.endpoint=http://localhost:4318/v1/traces
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with traces by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    http:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.otlp.http.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--tracing.otlp.http.headers.foo=bar --tracing.otlp.http.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send spans to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    http:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[tracing.otlp.http.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--tracing.otlp.http.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.otlp.http.tls.cert=path/to/foo.cert
+--tracing.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.otlp.http.tls.cert=path/to/foo.cert
+--tracing.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    http:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[tracing.otlp.http.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--tracing.otlp.http.tls.insecureSkipVerify=true
+```
+
+### gRPC configuration
+
+_Optional_
+
+This instructs the exporter to send spans to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.otlp.grpc]
+```
+
+```bash tab="CLI"
+--tracing.otlp.grpc=true
+```
+
+#### `endpoint`
+
+_Required, Default="localhost:4317", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send spans to.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    grpc:
+      endpoint: localhost:4317
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.otlp.grpc]
+    endpoint = "localhost:4317"
+```
+
+```bash tab="CLI"
+--tracing.otlp.grpc.endpoint=localhost:4317
+```
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows exporter to send spans to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    grpc:
+      insecure: true
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.otlp.grpc]
+    insecure = true
+```
+
+```bash tab="CLI"
+--tracing.otlp.grpc.insecure=true
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with traces by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    grpc:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.otlp.grpc.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--tracing.otlp.grpc.headers.foo=bar --tracing.otlp.grpc.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send spans to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    grpc:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[tracing.otlp.grpc.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--tracing.otlp.grpc.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.otlp.grpc.tls.cert=path/to/foo.cert
+--tracing.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.otlp.grpc.tls.cert=path/to/foo.cert
+--tracing.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    grpc:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[tracing.otlp.grpc.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--tracing.otlp.grpc.tls.insecureSkipVerify=true
+```

docs/content/observability/tracing/overview.md

@@ -10,21 +10,12 @@ Visualize the Requests Flow
 
 The tracing system allows developers to visualize call flows in their infrastructure.
 
-Traefik uses OpenTracing, an open standard designed for distributed tracing.
+Traefik uses [OpenTelemetry](https://opentelemetry.io/ "Link to website of OTel"), an open standard designed for distributed tracing.
 
-Traefik supports six tracing backends:
+Please check our dedicated [OTel docs](./opentelemetry.md) to learn more.
-
-- [Jaeger](./jaeger.md)
-- [Zipkin](./zipkin.md)
-- [Datadog](./datadog.md)
-- [Instana](./instana.md)
-- [Haystack](./haystack.md)
-- [Elastic](./elastic.md)
 
 ## Configuration
 
-By default, Traefik uses Jaeger as tracing backend.
-
 To enable the tracing:
 
 ```yaml tab="File (YAML)"
@@ -41,6 +32,26 @@ tracing: {}
 
 ### Common Options
 
+#### `addInternals`
+
+_Optional, Default="false"_
+
+Enables tracing for internal resources (e.g.: `ping@internal`).
+
+```yaml tab="File (YAML)"
+tracing:
+  addInternals: true
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  addInternals = true
+```
+
+```bash tab="CLI"
+--tracing.addinternals
+```
+
 #### `serviceName`
 
 _Required, Default="traefik"_
@@ -61,25 +72,91 @@ tracing:
 --tracing.serviceName=traefik
 ```
 
-#### `spanNameLimit`
+#### `sampleRate`
 
-_Required, Default=0_
+_Optional, Default=1.0_
 
-Span name limit allows for name truncation in case of very long names.
+The proportion of requests to trace, specified between 0.0 and 1.0.
-This can prevent certain tracing providers to drop traces that exceed their length limits.
-
-`0` means no truncation will occur.
 
 ```yaml tab="File (YAML)"
 tracing:
-  spanNameLimit: 150
+  sampleRate: 0.2
 ```
 
 ```toml tab="File (TOML)"
 [tracing]
-  spanNameLimit = 150
+    sampleRate = 0.2
 ```
 
 ```bash tab="CLI"
---tracing.spanNameLimit=150
+--tracing.sampleRate=0.2
+```
+
+#### `globalAttributes`
+
+_Optional, Default=empty_
+
+Applies a list of shared key:value attributes on all spans.
+
+```yaml tab="File (YAML)"
+tracing:
+  globalAttributes:
+    attr1: foo
+    attr2: bar
+```
+
+```toml tab="File (TOML)"
+[tracing]
+    [tracing.globalAttributes]
+      attr1 = "foo"
+      attr2 = "bar"
+```
+
+```bash tab="CLI"
+--tracing.globalAttributes.attr1=foo
+--tracing.globalAttributes.attr2=bar
+```
+
+#### `capturedRequestHeaders`
+
+_Optional, Default=empty_
+
+Defines the list of request headers to add as attributes.
+It applies to client and server kind spans.
+
+```yaml tab="File (YAML)"
+tracing:
+  capturedRequestHeaders:
+    - X-CustomHeader
+```
+
+```toml tab="File (TOML)"
+[tracing]
+    capturedRequestHeaders = ["X-CustomHeader"]
+```
+
+```bash tab="CLI"
+--tracing.capturedRequestHeaders[0]=X-CustomHeader
+```
+
+#### `capturedResponseHeaders`
+
+_Optional, Default=empty_
+
+Defines the list of response headers to add as attributes.
+It applies to client and server kind spans.
+
+```yaml tab="File (YAML)"
+tracing:
+  capturedResponseHeaders:
+    - X-CustomHeader
+```
+
+```toml tab="File (TOML)"
+[tracing]
+    capturedResponseHeaders = ["X-CustomHeader"]
+```
+
+```bash tab="CLI"
+--tracing.capturedResponseHeaders[0]=X-CustomHeader
 ```

docs/content/observability/tracing/zipkin.md

@@ -1,110 +0,0 @@
----
-title: "Traefik Zipkin Documentation"
-description: "Traefik supports several tracing backends, including Zipkin. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
----
-
-# Zipkin
-
-To enable the Zipkin tracer:
-
-```yaml tab="File (YAML)"
-tracing:
-  zipkin: {}
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.zipkin]
-```
-
-```bash tab="CLI"
---tracing.zipkin=true
-```
-
-#### `httpEndpoint`
-
-_Required, Default="http://localhost:9411/api/v2/spans"_
-
-HTTP endpoint used to send data.
-
-```yaml tab="File (YAML)"
-tracing:
-  zipkin:
-    httpEndpoint: http://localhost:9411/api/v2/spans
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.zipkin]
-    httpEndpoint = "http://localhost:9411/api/v2/spans"
-```
-
-```bash tab="CLI"
---tracing.zipkin.httpEndpoint=http://localhost:9411/api/v2/spans
-```
-
-#### `sameSpan`
-
-_Optional, Default=false_
-
-Uses SameSpan RPC style traces.
-
-```yaml tab="File (YAML)"
-tracing:
-  zipkin:
-    sameSpan: true
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.zipkin]
-    sameSpan = true
-```
-
-```bash tab="CLI"
---tracing.zipkin.sameSpan=true
-```
-
-#### `id128Bit`
-
-_Optional, Default=true_
-
-Uses 128 bits trace IDs.
-
-```yaml tab="File (YAML)"
-tracing:
-  zipkin:
-    id128Bit: false
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.zipkin]
-    id128Bit = false
-```
-
-```bash tab="CLI"
---tracing.zipkin.id128Bit=false
-```
-
-#### `sampleRate`
-
-_Required, Default=1.0_
-
-The proportion of requests to trace, specified between 0.0 and 1.0.
-
-```yaml tab="File (YAML)"
-tracing:
-  zipkin:
-    sampleRate: 0.2
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.zipkin]
-    sampleRate = 0.2
-```
-
-```bash tab="CLI"
---tracing.zipkin.sampleRate=0.2
-```

docs/content/operations/dashboard.md

@@ -72,7 +72,7 @@ to allow defining:
 
 - One or more security features through [middlewares](../middlewares/overview.md)
   like authentication ([basicAuth](../middlewares/http/basicauth.md), [digestAuth](../middlewares/http/digestauth.md),
-  [forwardAuth](../middlewares/http/forwardauth.md)) or [whitelisting](../middlewares/http/ipwhitelist.md).
+  [forwardAuth](../middlewares/http/forwardauth.md)) or [allowlisting](../middlewares/http/ipallowlist.md).
 
 - A [router rule](#dashboard-router-rule) for accessing the dashboard,
   through Traefik itself (sometimes referred to as "Traefik-ception").
@@ -93,12 +93,12 @@ rule = "Host(`traefik.example.com`)"
 
 ```bash tab="Path Prefix Rule"
 # The dashboard can be accessed on http://example.com/dashboard/ or http://traefik.example.com/dashboard/
-rule = "PathPrefix(`/api`, `/dashboard`)"
+rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
 ```
 
 ```bash tab="Combination of Rules"
 # The dashboard can be accessed on http://traefik.example.com/dashboard/
-rule = "Host(`traefik.example.com`) && PathPrefix(`/api`, `/dashboard`)"
+rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 ```
 
 ??? example "Dashboard Dynamic Configuration Examples"

docs/content/operations/include-api-examples.md

@@ -1,4 +1,4 @@
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Dynamic Configuration
 labels:
   - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
@@ -51,24 +51,6 @@ spec:
 - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.routers.api.rule": "Host(`traefik.example.com`)",
-  "traefik.http.routers.api.service": "api@internal",
-  "traefik.http.routers.api.middlewares": "auth",
-  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-}
-```
-
-```yaml tab="Rancher"
-# Dynamic Configuration
-labels:
-  - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
-  - "traefik.http.routers.api.service=api@internal"
-  - "traefik.http.routers.api.middlewares=auth"
-  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic Configuration
 http:

docs/content/operations/include-dashboard-examples.md

@@ -1,4 +1,4 @@
-```yaml tab="Docker"
+```yaml tab="Docker & Swarm"
 # Dynamic Configuration
 labels:
   - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
@@ -51,24 +51,6 @@ spec:
 - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
 
-```json tab="Marathon"
-"labels": {
-  "traefik.http.routers.dashboard.rule": "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))",
-  "traefik.http.routers.dashboard.service": "api@internal",
-  "traefik.http.routers.dashboard.middlewares": "auth",
-  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-}
-```
-
-```yaml tab="Rancher"
-# Dynamic Configuration
-labels:
-  - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
-  - "traefik.http.routers.dashboard.service=api@internal"
-  - "traefik.http.routers.dashboard.middlewares=auth"
-  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic Configuration
 http:

docs/content/providers/consul-catalog.md

@@ -674,41 +674,6 @@ providers:
 
 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 
-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace in which the consul catalog services will be discovered.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consulCatalog:
-        namespace: "production" 
-        # ...
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consulCatalog]
-      namespace = "production"
-      # ...
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consulcatalog.namespace=production
-    # ...
-    ```
-
 ### `namespaces`
 
 _Optional, Default=""_
@@ -749,6 +714,32 @@ providers:
 # ...
 ```
 
+### `strictChecks`
+
+_Optional, Default="passing,warning"_
+
+Define which [Consul Service health checks](https://developer.hashicorp.com/consul/docs/services/usage/checks#define-initial-health-check-status) are allowed to take on traffic.
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    strictChecks: 
+      - "passing"
+      - "warning"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  strictChecks = ["passing", "warning"]
+  # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.strictChecks=passing,warning
+# ...
+```
+
 ### `watch`
 
 _Optional, Default=false_

docs/content/providers/consul.md

@@ -59,40 +59,6 @@ providers:
 --providers.consul.rootkey=traefik
 ```
 
-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace to query.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consul:
-        # ...
-        namespace: "production"
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consul]
-      # ...
-      namespace = "production"
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consul.namespace=production
-    ```
-
 ### `namespaces`
 
 _Optional, Default=""_

docs/content/providers/docker.md

@@ -12,8 +12,7 @@ A Story of Labels & Containers
 
 Attach labels to your containers and let Traefik do the rest!
 
-Traefik works with both [Docker (standalone) Engine](https://docs.docker.com/engine/)
+This provider works with [Docker (standalone) Engine](https://docs.docker.com/engine/).
-and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
 
 !!! tip "The Quick Start Uses Docker"
 
@@ -49,49 +48,6 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
           - traefik.http.routers.my-container.rule=Host(`example.com`)
     ```
 
-??? example "Configuring Docker Swarm & Deploying / Exposing Services"
-
-    Enabling the docker provider (Swarm Mode)
-
-    ```yaml tab="File (YAML)"
-    providers:
-      docker:
-        # swarm classic (1.12-)
-        # endpoint: "tcp://127.0.0.1:2375"
-        # docker swarm mode (1.12+)
-        endpoint: "tcp://127.0.0.1:2377"
-        swarmMode: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.docker]
-      # swarm classic (1.12-)
-      # endpoint = "tcp://127.0.0.1:2375"
-      # docker swarm mode (1.12+)
-      endpoint = "tcp://127.0.0.1:2377"
-      swarmMode = true
-    ```
-
-    ```bash tab="CLI"
-    # swarm classic (1.12-)
-    # --providers.docker.endpoint=tcp://127.0.0.1:2375
-    # docker swarm mode (1.12+)
-    --providers.docker.endpoint=tcp://127.0.0.1:2377
-    --providers.docker.swarmMode=true
-    ```
-
-    Attach labels to services (not to containers) while in Swarm mode (in your docker compose file)
-
-    ```yaml
-    version: "3"
-    services:
-      my-container:
-        deploy:
-          labels:
-            - traefik.http.routers.my-container.rule=Host(`example.com`)
-            - traefik.http.services.my-container-service.loadbalancer.server.port=8080
-    ```
-
 ## Routing Configuration
 
 When using Docker as a [provider](./overview.md),
@@ -124,14 +80,13 @@ Port detection works as follows:
 - If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) multiple ports,
   or does not expose any port, then you must manually specify which port Traefik should use for communication
   by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
-  (Read more on this label in the dedicated section in [routing](../routing/providers/docker.md#port)).
+  (Read more on this label in the dedicated section in [routing](../routing/providers/docker.md#services)).
 
 ### Host networking
 
 When exposing containers that are configured with [host networking](https://docs.docker.com/network/host/),
 the IP address of the host is resolved as follows:
 
-<!-- TODO: verify and document the swarm mode case with container.Node.IPAddress coming from the API -->
 - try a lookup of `host.docker.internal`
 - if the lookup was unsuccessful, try a lookup of `host.containers.internal`, ([Podman](https://docs.podman.io/en/latest/) equivalent of `host.docker.internal`)
 - if that lookup was also unsuccessful, fall back to `127.0.0.1`
@@ -175,7 +130,6 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
         - Authorization with the [Docker Authorization Plugin Mechanism](https://web.archive.org/web/20190920092526/https://docs.docker.com/engine/extend/plugins_authorization/)
         - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
         - Accounting at container level, by exposing the socket on a another container than Traefik's.
-          With Swarm mode, it allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
         - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
         - SSH public key authentication (SSH is supported with Docker > 18.09)
 
@@ -192,71 +146,13 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
         - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
         - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
 
-## Docker Swarm Mode
-
-To enable Docker Swarm (instead of standalone Docker) as a configuration provider,
-set the [`swarmMode`](#swarmmode) directive to `true`.
-
-### Routing Configuration with Labels
-
-While in Swarm Mode, Traefik uses labels found on services, not on individual containers.
-
-Therefore, if you use a compose file with Swarm Mode, labels should be defined in the
-[`deploy`](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels-1) part of your service.
-
-This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/compose-file-v3/)).
-
-### Port Detection
-
-Docker Swarm does not provide any [port detection](#port-detection) information to Traefik.
-
-Therefore, you **must** specify the port to use for communication by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
-(Check the reference for this label in the [routing section for Docker](../routing/providers/docker.md#port)).
-
-### Docker API Access
-
-Docker Swarm Mode follows the same rules as Docker [API Access](#docker-api-access).
-
-Since the Swarm API is only exposed on the [manager nodes](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#manager-nodes),
-these are the nodes that Traefik should be scheduled on by deploying Traefik with a constraint on the node "role":
-
-```shell tab="With Docker CLI"
-docker service create \
-  --constraint=node.role==manager \
-  #... \
-```
-
-```yml tab="With Docker Compose"
-version: '3'
-
-services:
-  traefik:
-    # ...
-    deploy:
-      placement:
-        constraints:
-          - node.role == manager
-```
-
-!!! tip "Scheduling Traefik on Worker Nodes"
-
-    Following the guidelines given in the previous section ["Docker API Access"](#docker-api-access),
-    if you expose the Docker API through TCP, then Traefik can be scheduled on any node if the TCP
-    socket is reachable.
-
-    Please consider the security implications by reading the [Security Note](#security-note).
-
-    A good example can be found on [Bret Fisher's repository](https://github.com/BretFisher/dogvscat/blob/master/stack-proxy-global.yml#L124).
-
 ## Provider Configuration
 
 ### `endpoint`
 
 _Required, Default="unix:///var/run/docker.sock"_
 
-<!-- markdownlint-disable MD051 -->
+See the [Docker API Access](#docker-api-access) section for more information.
-See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API Access](#docker-api-access_1) for more information.
-<!-- markdownlint-restore -->
 
 ??? example "Using the docker.sock"
 
@@ -267,7 +163,7 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
 
     services:
       traefik:
-         image: traefik:v2.11 # The official v2 Traefik docker image
+         image: traefik:v3.0 # The official v3 Traefik docker image
          ports:
            - "80:80"
          volumes:
@@ -473,54 +369,6 @@ providers:
     In this case, to prevent an infinite loop,
     Traefik adds an internal middleware to refuse the request if it comes from the same router.
 
-### `swarmMode`
-
-_Optional, Default=false_
-
-Enables the Swarm Mode (instead of standalone Docker).
-
-```yaml tab="File (YAML)"
-providers:
-  docker:
-    swarmMode: true
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
-  swarmMode = true
-  # ...
-```
-
-```bash tab="CLI"
---providers.docker.swarmMode=true
-# ...
-```
-
-### `swarmModeRefreshSeconds`
-
-_Optional, Default=15_
-
-Defines the polling interval (in seconds) for Swarm Mode.
-
-```yaml tab="File (YAML)"
-providers:
-  docker:
-    swarmModeRefreshSeconds: 30
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
-  swarmModeRefreshSeconds = 30
-  # ...
-```
-
-```bash tab="CLI"
---providers.docker.swarmModeRefreshSeconds=30
-# ...
-```
-
 ### `httpClientTimeout`
 
 _Optional, Default=0_

docs/content/providers/ecs.md

@@ -234,6 +234,30 @@ providers:
 # ...
 ```
 
+### `healthyTasksOnly`
+
+_Optional, Default=false_
+
+Determines whether Traefik discovers only healthy tasks (`HEALTHY` healthStatus).
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    healthyTasksOnly: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  healthyTasksOnly = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.healthyTasksOnly=true
+# ...
+```
+
 ### `defaultRule`
 
 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

docs/content/providers/file.md

@@ -18,7 +18,7 @@ It supports providing configuration through a [single configuration file](#filen
 
 !!! tip
 
-    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring whitelist middlewares, basic authentication, ...)
+    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring allowlist middlewares, basic authentication, ...)
 
 ## Configuration Examples
 

docs/content/providers/http.md

@@ -76,6 +76,26 @@ providers:
 --providers.http.pollTimeout=5s
 ```
 
+### `headers`
+
+_Optional_
+
+Defines custom headers to be sent to the endpoint.
+
+```yaml tab="File (YAML)"
+providers:
+  headers:
+    name: value
+```
+
+```toml tab="File (TOML)"
+[providers.http.headers]
+  name = "value"
+```
+
+```bash tab="CLI"
+--providers.http.headers.name=value
+
 ### `tls`
 
 _Optional_

docs/content/providers/kubernetes-crd.md

@@ -14,7 +14,9 @@ However, as the community expressed the need to benefit from Traefik features wi
 the Traefik engineering team developed a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
 (CRD) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
 
-## Configuration Requirements
+## Requirements
+
+{!kubernetes-requirements.md!}
 
 !!! tip "All Steps for a Successful Deployment"
 
@@ -25,20 +27,14 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
         * Apply the needed kubernetesCRD provider [configuration](#provider-configuration)
     * Add all necessary Traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
 
-!!! warning "Deprecated apiextensions.k8s.io/v1beta1 CRD"
-
-    The `apiextensions.k8s.io/v1beta1` CustomResourceDefinition is deprecated in Kubernetes `v1.16+` and will be removed in `v1.22+`.
-    
-    For Kubernetes `v1.16+`, please use the Traefik `apiextensions.k8s.io/v1` CRDs instead.
-
 !!! example "Installing Resource Definition and RBAC"
 
     ```bash
     # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
     
     # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
     ```
 
 ## Resource Configuration
@@ -341,6 +337,30 @@ providers:
 --providers.kubernetescrd.allowexternalnameservices=true
 ```
 
+### `nativeLBByDefault`
+
+_Optional, Default: false_
+
+Defines whether to use Native Kubernetes load-balancing mode by default.
+For more information, please check out the IngressRoute `nativeLB` option [documentation](../routing/providers/kubernetes-crd.md#load-balancing).
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    nativeLBByDefault: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  nativeLBByDefault = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.nativeLBByDefault=true
+```
+
 ## Full Example
 
 For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.

docs/content/providers/kubernetes-gateway.md

@@ -14,7 +14,7 @@ The Gateway API project is part of Kubernetes, working under SIG-NETWORK.
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specifications from the Kubernetes Special Interest Groups (SIGs).
 
-This provider is proposed as an experimental feature and partially supports the Gateway API [v0.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.4.0) specification.
+This provider is proposed as an experimental feature and partially supports Gateway API [v1.0.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.0.0) specification.
 
 !!! warning "Enabling The Experimental Kubernetes Gateway Provider"
 
@@ -41,7 +41,9 @@ This provider is proposed as an experimental feature and partially supports the
     --experimental.kubernetesgateway=true --providers.kubernetesgateway=true #...
     ```
 
-## Configuration Requirements
+## Requirements
+
+{!kubernetes-requirements.md!}
 
 !!! tip "All Steps for a Successful Deployment"
 
@@ -78,17 +80,13 @@ This provider is proposed as an experimental feature and partially supports the
 
 The Kubernetes Gateway API project provides several guides on how to use the APIs.
 These guides can help you to go further than the example above.
-The [getting started guide](https://gateway-api.sigs.k8s.io/v1alpha2/guides/) details how to install the CRDs from their repository.
+The [getting started guide](https://gateway-api.sigs.k8s.io/guides/) details how to install the CRDs from their repository.
-
-!!! note ""
-
-    Keep in mind that the Traefik Gateway provider only supports the `v0.4.0` (v1alpha2).
 
 For now, the Traefik Gateway Provider can be used while following the below guides:
 
-* [Simple Gateway](https://gateway-api.sigs.k8s.io/v1alpha2/guides/simple-gateway/)
+* [Simple Gateway](https://gateway-api.sigs.k8s.io/guides/simple-gateway/)
-* [HTTP routing](https://gateway-api.sigs.k8s.io/v1alpha2/guides/http-routing/)
+* [HTTP routing](https://gateway-api.sigs.k8s.io/guides/http-routing/)
-* [TLS](https://gateway-api.sigs.k8s.io/v1alpha2/guides/tls/)
+* [TLS](https://gateway-api.sigs.k8s.io/guides/tls/)
 
 ## Resource Configuration
 
@@ -214,6 +212,108 @@ providers:
 --providers.kubernetesgateway.namespaces=default,production
 ```
 
+### `statusAddress`
+
+#### `ip`
+
+_Optional, Default: ""_
+
+This IP will get copied to the Gateway `status.addresses`, and currently only supports one IP value (IPv4 or IPv6).
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    statusAddress:
+      ip: "1.2.3.4"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway.statusAddress]
+  ip = "1.2.3.4"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.statusaddress.ip=1.2.3.4
+```
+
+#### `hostname`
+
+_Optional, Default: ""_
+
+This Hostname will get copied to the Gateway `status.addresses`.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    statusAddress:
+      hostname: "example.net"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway.statusAddress]
+  hostname = "example.net"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.statusaddress.hostname=example.net
+```
+
+#### `service`
+
+_Optional_
+
+The Kubernetes service to copy status addresses from.
+When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the gateways.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    statusAddress:
+      service:
+        namespace: default
+        name: foo
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway.statusAddress.service]
+  namespace = "default"
+  name = "foo"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.statusaddress.service.namespace=default
+--providers.kubernetesgateway.statusaddress.service.name=foo
+```
+
+### `experimentalChannel`
+
+_Optional, Default: false_
+
+Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).
+This option currently enables support for `TCPRoute` and `TLSRoute`.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    experimentalChannel: true
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+    experimentalChannel = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.experimentalchannel=true
+```
+
 ### `labelselector`
 
 _Optional, Default: ""_

docs/content/providers/kubernetes-ingress.md

@@ -13,7 +13,7 @@ it manages access to cluster services by supporting the [Ingress](https://kubern
 
 ## Requirements
 
-Traefik supports `1.14+` Kubernetes clusters.
+{!kubernetes-requirements.md!}
 
 ## Routing Configuration
 
@@ -68,28 +68,6 @@ spec:
                   number: 80
 ```
 
-```yaml tab="Ingress v1beta1 (deprecated)"
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
-  name: foo
-  namespace: production
-
-spec:
-  rules:
-    - host: example.net
-      http:
-        paths:
-          - path: /bar
-            backend:
-              serviceName: service1
-              servicePort: 80
-          - path: /foo
-            backend:
-              serviceName: service1
-              servicePort: 80
-```
-
 ## LetsEncrypt Support with the Ingress Provider
 
 By design, Traefik is a stateless application,
@@ -257,46 +235,7 @@ Value of `kubernetes.io/ingress.class` annotation that identifies Ingress object
 If the parameter is set, only Ingresses containing an annotation with the same value are processed.
 Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
 
-??? info "Kubernetes 1.18+"
+??? info "Example"
-
-    If the Kubernetes cluster version is 1.18+,
-    the new `IngressClass` resource can be leveraged to identify Ingress objects that should be processed.
-    In that case, Traefik will look for an `IngressClass` in the cluster with the controller value equal to *traefik.io/ingress-controller*.
-
-    In addition to the controller value matching mechanism, the property `ingressClass` (if set) will be used to select IngressClasses by applying a strict matching on their name.
-
-    Please see [this article](https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/) for more information or the example below.
-
-    ```yaml tab="IngressClass"
-    apiVersion: networking.k8s.io/v1beta1
-    kind: IngressClass
-    metadata:
-      name: traefik-lb
-    spec:
-      controller: traefik.io/ingress-controller
-    ```
-
-    ```yaml tab="Ingress"
-    apiVersion: networking.k8s.io/v1beta1
-    kind: Ingress
-    metadata:
-      name: example-ingress
-    spec:
-      ingressClassName: traefik-lb
-      rules:
-      - host: "*.example.com"
-        http:
-          paths:
-          - path: /example
-            backend:
-              serviceName: example-service
-              servicePort: 80
-    ```
-
-??? info "Kubernetes 1.19+"
-
-    If the Kubernetes cluster version is 1.19+,
-    prefer using the `networking.k8s.io/v1` [apiVersion](https://v1-19.docs.kubernetes.io/docs/setup/release/notes/#api-change) of `Ingress` and `IngressClass`.
 
     ```yaml tab="IngressClass"
     apiVersion: networking.k8s.io/v1
@@ -344,6 +283,35 @@ providers:
 --providers.kubernetesingress.ingressclass=traefik-internal
 ```
 
+### `disableIngressClassLookup`
+
+_Optional, Default: false_
+
+If the parameter is set to `true`,
+Traefik will not discover IngressClasses in the cluster.
+By doing so, it alleviates the requirement of giving Traefik the rights to look IngressClasses up.
+Furthermore, when this option is set to `true`,
+Traefik is not able to handle Ingresses with IngressClass references,
+therefore such Ingresses will be ignored.
+Please note that annotations are not affected by this option.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    disableIngressClassLookup: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  disableIngressClassLookup = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.disableingressclasslookup=true
+```
+
 ### `ingressEndpoint`
 
 #### `hostname`
@@ -499,9 +467,33 @@ providers:
 --providers.kubernetesingress.allowexternalnameservices=true
 ```
 
+### `nativeLBByDefault`
+
+_Optional, Default: false_
+
+Defines whether to use Native Kubernetes load-balancing mode by default.
+For more information, please check out the `traefik.ingress.kubernetes.io/service.nativelb` [service annotation documentation](../routing/providers/kubernetes-ingress.md#on-service).
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    nativeLBByDefault: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  nativeLBByDefault = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.nativeLBByDefault=true
+```
+
 ### Further
 
 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.11/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.0/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
 
 {!traefik-for-business-applications.md!}

docs/content/providers/marathon.md

@@ -1,590 +0,0 @@
----
-title: "Traefik Configuration for Marathon"
-description: "Traefik Proxy can be configured to use Marathon as a provider. Read the technical documentation to learn how."
----
-
-# Traefik & Marathon
-
-Traefik can be configured to use Marathon as a provider.
-{: .subtitle }
-
-For additional information, refer to [Marathon user guide](../user-guides/marathon.md).
-
-## Configuration Examples
-
-??? example "Configuring Marathon & Deploying / Exposing Applications"
-
-    Enabling the Marathon provider
-
-    ```yaml tab="File (YAML)"
-    providers:
-      marathon: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.marathon]
-    ```
-
-    ```bash tab="CLI"
-    --providers.marathon=true
-    ```
-
-    Attaching labels to Marathon applications
-
-    ```json
-	{
-		"id": "/whoami",
-		"container": {
-			"type": "DOCKER",
-			"docker": {
-				"image": "traefik/whoami",
-				"network": "BRIDGE",
-				"portMappings": [
-					{
-						"containerPort": 80,
-						"hostPort": 0,
-						"protocol": "tcp"
-					}
-				]
-			}
-		},
-		"labels": {
-			"traefik.http.Routers.app.Rule": "PathPrefix(`/app`)"
-		}
-	}
-    ```
-
-## Routing Configuration
-
-See the dedicated section in [routing](../routing/providers/marathon.md).
-
-## Provider Configuration
-
-### `basic`
-
-_Optional_
-
-Enables Marathon basic authentication.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    basic:
-      httpBasicAuthUser: foo
-      httpBasicPassword: bar
-```
-
-```toml tab="File (TOML)"
-[providers.marathon.basic]
-  httpBasicAuthUser = "foo"
-  httpBasicPassword = "bar"
-```
-
-```bash tab="CLI"
---providers.marathon.basic.httpbasicauthuser=foo
---providers.marathon.basic.httpbasicpassword=bar
-```
-
-### `dcosToken`
-
-_Optional_
-
-Datacenter Operating System (DCOS) Token for DCOS environment.
-
-If set, it overrides the Authorization header.
-
-```toml tab="File (YAML)"
-providers:
-  marathon:
-    dcosToken: "xxxxxx"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  dcosToken = "xxxxxx"
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.dcosToken=xxxxxx
-```
-
-### `defaultRule`
-
-_Optional, Default=```Host(`{{ normalize .Name }}`)```_
-
-The default host rule for all services.
-
-For a given application, if no routing rule was defined by a label, it is defined by this `defaultRule` instead.
-
-It must be a valid [Go template](https://pkg.go.dev/text/template/),
-and can include [sprig template functions](https://masterminds.github.io/sprig/).
-
-The app ID can be accessed with the `Name` identifier,
-and the template has access to all the labels defined on this Marathon application.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
-# ...
-```
-
-??? info "Default rule and Traefik service"
-
-    The exposure of the Traefik container, combined with the default rule mechanism,
-    can lead to create a router targeting itself in a loop.
-    In this case, to prevent an infinite loop,
-    Traefik adds an internal middleware to refuse the request if it comes from the same router.
-
-### `dialerTimeout`
-
-_Optional, Default=5s_
-
-Amount of time the Marathon provider should wait before timing out,
-when trying to open a TCP connection to a Marathon master.
-
-The value of `dialerTimeout` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    dialerTimeout: "10s"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  dialerTimeout = "10s"
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.dialerTimeout=10s
-```
-
-### `endpoint`
-
-_Optional, Default=http://127.0.0.1:8080_
-
-Marathon server endpoint.
-
-You can optionally specify multiple endpoints.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    endpoint: "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.endpoint=http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080
-```
-
-### `exposedByDefault`
-
-_Optional, Default=true_
-
-Exposes Marathon applications by default through Traefik.
-
-If set to `false`, applications that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    exposedByDefault: false
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  exposedByDefault = false
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.exposedByDefault=false
-# ...
-```
-
-### `constraints`
-
-_Optional, Default=""_
-
-The `constraints` option can be set to an expression that Traefik matches against the application labels to determine whether
-to create any route for that application. If none of the application labels match the expression, no route for that application is
-created. In addition, the expression is also matched against the application constraints, such as described
-in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
-If the expression is empty, all detected applications are included.
-
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic.
-In addition, to match against Marathon constraints, the function `MarathonConstraint("field:operator:value")` can be used, where the field, operator, and value parts are concatenated in a single string using the `:` separator.
-
-??? example "Constraints Expression Examples"
-
-    ```toml
-    # Includes only applications having a label with key `a.label.name` and value `foo`
-    constraints = "Label(`a.label.name`, `foo`)"
-    ```
-
-    ```toml
-    # Excludes applications having any label with key `a.label.name` and value `foo`
-    constraints = "!Label(`a.label.name`, `value`)"
-    ```
-
-    ```toml
-    # With logical AND.
-    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
-    ```
-
-    ```toml
-    # With logical OR.
-    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
-    ```
-
-    ```toml
-    # With logical AND and OR, with precedence set by parentheses.
-    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
-    ```
-
-    ```toml
-    # Includes only applications having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegex(`a.label.name`, `a.+`)"
-    ```
-
-    ```toml
-    # Includes only applications having a Marathon constraint with field `A`, operator `B`, and value `C`.
-    constraints = "MarathonConstraint(`A:B:C`)"
-    ```
-
-    ```toml
-    # Uses both Marathon constraint and application label with logical operator.
-    constraints = "MarathonConstraint(`A:B:C`) && Label(`a.label.name`, `value`)"
-    ```
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    constraints: "Label(`a.label.name`,`foo`)"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  constraints = "Label(`a.label.name`,`foo`)"
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.constraints=Label(`a.label.name`,`foo`)
-# ...
-```
-
-### `forceTaskHostname`
-
-_Optional, Default=false_
-
-By default, the task IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
-otherwise, the name of the host running the task is used.
-The latter behavior can be enforced by setting this option to `true`.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    forceTaskHostname: true
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  forceTaskHostname = true
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.forceTaskHostname=true
-# ...
-```
-
-### `keepAlive`
-
-_Optional, Default=10s_
-
-Set the TCP Keep Alive duration for the Marathon HTTP Client.
-The value of `keepAlive` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    keepAlive: "30s"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  keepAlive = "30s"
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.keepAlive=30s
-# ...
-```
-
-### `respectReadinessChecks`
-
-_Optional, Default=false_
-
-Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
-Enabling `respectReadinessChecks` causes Traefik to filter out tasks whose readiness checks have not succeeded.
-Note that the checks are only valid during deployments.
-
-See the Marathon guide for details.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    respectReadinessChecks: true
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  respectReadinessChecks = true
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.respectReadinessChecks=true
-# ...
-```
-
-### `responseHeaderTimeout`
-
-_Optional, Default=60s_
-
-Amount of time the Marathon provider should wait before timing out when waiting for the first response header
-from a Marathon master.
-
-The value of `responseHeaderTimeout` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    responseHeaderTimeout: "66s"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  responseHeaderTimeout = "66s"
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.responseHeaderTimeout=66s
-# ...
-```
-
-### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to Marathon.
-
-#### `ca`
-
-`ca` is the path to the certificate authority used for the secure connection to Marathon,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    tls:
-      ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---providers.marathon.tls.ca=path/to/ca.crt
-```
-
-#### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to Marathon.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    tls:
-      cert: path/to/foo.cert
-      key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.marathon.tls.cert=path/to/foo.cert
---providers.marathon.tls.key=path/to/foo.key
-```
-
-#### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to Marathon.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    tls:
-      cert: path/to/foo.cert
-      key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.marathon.tls.cert=path/to/foo.cert
---providers.marathon.tls.key=path/to/foo.key
-```
-
-#### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to Marathon accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    tls:
-      insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---providers.marathon.tls.insecureSkipVerify=true
-```
-
-### `tlsHandshakeTimeout`
-
-_Optional, Default=5s_
-
-Amount of time the Marathon provider should wait before timing out,
-when waiting for the TLS handshake to complete.
-
-The value of `tlsHandshakeTimeout` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    tlsHandshakeTimeout: "10s"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  tlsHandshakeTimeout = "10s"
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.tlsHandshakeTimeout=10s
-# ...
-```
-
-### `trace`
-
-_Optional, Default=false_
-
-Displays additional provider logs when available.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    trace: true
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  trace = true
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.trace=true
-# ...
-```
-
-### `watch`
-
-_Optional, Default=true_
-
-When set to `true`, watches for Marathon changes.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    watch: false
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  watch = false
-  # ...
-```
-
-```bash tab="CLI"
---providers.marathon.watch=false
-# ...
-```

docs/content/providers/nomad.md

@@ -448,7 +448,7 @@ providers:
 
 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 
-### `namespace`
+### `namespaces`
 
 ??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
 
@@ -512,3 +512,27 @@ providers:
 --providers.nomad.namespaces=ns1,ns2
 # ...
 ```
+
+### `allowEmptyServices`
+
+_Optional, Default: false_
+
+If the parameter is set to `true`,
+it allows the creation of an empty [servers load balancer](../routing/services/index.md#servers-load-balancer) if the targeted Nomad service has no endpoints available. This results in a `503` HTTP response instead of a `404`.
+
+```yaml tab="File (YAML)"
+providers:
+  nomad:
+    allowEmptyServices: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.nomad]
+  allowEmptyServices = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.nomad.allowEmptyServices=true
+```

docs/content/providers/overview.md

@@ -72,7 +72,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
 
     Using the add-foo-prefix middleware from other providers:
 
-    ```yaml tab="Docker"
+    ```yaml tab="Docker & Swarm"
     your-container: #
       image: your-docker-image
 
@@ -141,8 +141,6 @@ Below is the list of the currently supported providers in Traefik.
 | [Consul Catalog](./consul-catalog.md)             | Orchestrator | Label                | `consulcatalog`     |
 | [Nomad](./nomad.md)                               | Orchestrator | Label                | `nomad`             |
 | [ECS](./ecs.md)                                   | Orchestrator | Label                | `ecs`               |
-| [Marathon](./marathon.md)                         | Orchestrator | Label                | `marathon`          |
-| [Rancher](./rancher.md)                           | Orchestrator | Label                | `rancher`           |
 | [File](./file.md)                                 | Manual       | YAML/TOML format     | `file`              |
 | [Consul](./consul.md)                             | KV           | KV                   | `consul`            |
 | [Etcd](./etcd.md)                                 | KV           | KV                   | `etcd`              |
@@ -216,8 +214,6 @@ List of providers that support these features:
 - [ECS](./ecs.md#exposedbydefault)
 - [Consul Catalog](./consul-catalog.md#exposedbydefault)
 - [Nomad](./nomad.md#exposedbydefault)
-- [Rancher](./rancher.md#exposedbydefault)
-- [Marathon](./marathon.md#exposedbydefault)
 
 ### Constraints
 
@@ -227,8 +223,6 @@ List of providers that support constraints:
 - [ECS](./ecs.md#constraints)
 - [Consul Catalog](./consul-catalog.md#constraints)
 - [Nomad](./nomad.md#constraints)
-- [Rancher](./rancher.md#constraints)
-- [Marathon](./marathon.md#constraints)
 - [Kubernetes CRD](./kubernetes-crd.md#labelselector)
 - [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
 - [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)

docs/content/providers/rancher.md

@@ -1,293 +0,0 @@
----
-title: ""Traefik Configuration Discovery: Rancher""
-description: "Read the official Traefik documentation to learn how to expose Rancher services by default in Traefik Proxy."
----
-
-# Traefik & Rancher
-
-A Story of Labels, Services & Containers
-{: .subtitle }
-
-![Rancher](../assets/img/providers/rancher.png)
-
-Attach labels to your services and let Traefik do the rest!
-
-!!! important "This provider is specific to Rancher 1.x."
-
-    Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
-    As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](./kubernetes-crd.md) directly.
-
-## Configuration Examples
-
-??? example "Configuring Rancher & Deploying / Exposing Services"
-
-    Enabling the Rancher provider
-
-    ```yaml tab="File (YAML)"
-    providers:
-      rancher: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.rancher]
-    ```
-
-    ```bash tab="CLI"
-    --providers.rancher=true
-    ```
-
-    Attaching labels to services
-
-    ```yaml
-    labels:
-      - traefik.http.services.my-service.rule=Host(`example.com`)
-    ```
-
-## Routing Configuration
-
-See the dedicated section in [routing](../routing/providers/rancher.md).
-
-## Provider Configuration
-
-??? tip "Browse the Reference"
-
-    For an overview of all the options that can be set with the Rancher provider, see the following snippets:
-
-    ```yaml tab="File (YAML)"
-    --8<-- "content/providers/rancher.yml"
-    ```
-
-    ```toml tab="File (TOML)"
-    --8<-- "content/providers/rancher.toml"
-    ```
-
-    ```bash tab="CLI"
-    --8<-- "content/providers/rancher.txt"
-    ```
-
-### `exposedByDefault`
-
-_Optional, Default=true_
-
-Expose Rancher services by default in Traefik.
-If set to `false`, services that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    exposedByDefault: false
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  exposedByDefault = false
-  # ...
-```
-
-```bash tab="CLI"
---providers.rancher.exposedByDefault=false
-# ...
-```
-
-### `defaultRule`
-
-_Optional, Default=```Host(`{{ normalize .Name }}`)```_
-
-The default host rule for all services.
-
-The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
-
-It must be a valid [Go template](https://pkg.go.dev/text/template/), and can use
-[sprig template functions](https://masterminds.github.io/sprig/).
-The service name can be accessed with the `Name` identifier,
-and the template has access to all the labels defined on this container.
-
-This option can be overridden on a container basis with the `traefik.http.routers.Router1.rule` label.
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-  # ...
-```
-
-```bash tab="CLI"
---providers.rancher.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
-# ...
-```
-
-??? info "Default rule and Traefik service"
-
-    The exposure of the Traefik container, combined with the default rule mechanism,
-    can lead to create a router targeting itself in a loop.
-    In this case, to prevent an infinite loop,
-    Traefik adds an internal middleware to refuse the request if it comes from the same router.
-
-### `enableServiceHealthFilter`
-
-_Optional, Default=true_
-
-Filter out services with unhealthy states and inactive states.
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    enableServiceHealthFilter: false
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  enableServiceHealthFilter = false
-  # ...
-```
-
-```bash tab="CLI"
---providers.rancher.enableServiceHealthFilter=false
-# ...
-```
-
-### `refreshSeconds`
-
-_Optional, Default=15_
-
-Defines the polling interval (in seconds).
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    refreshSeconds: 30
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  refreshSeconds = 30
-  # ...
-```
-
-```bash tab="CLI"
---providers.rancher.refreshSeconds=30
-# ...
-```
-
-### `intervalPoll`
-
-_Optional, Default=false_
-
-Poll the Rancher metadata service for changes every `rancher.refreshSeconds`,
-which is less accurate than the default long polling technique which provides near instantaneous updates to Traefik.
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    intervalPoll: true
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  intervalPoll = true
-  # ...
-```
-
-```bash tab="CLI"
---providers.rancher.intervalPoll=true
-# ...
-```
-
-### `prefix`
-
-_Optional, Default="/latest"_
-
-Prefix used for accessing the Rancher metadata service.
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    prefix: "/test"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  prefix = "/test"
-  # ...
-```
-
-```bash tab="CLI"
---providers.rancher.prefix=/test
-# ...
-```
-
-### `constraints`
-
-_Optional, Default=""_
-
-The `constraints` option can be set to an expression that Traefik matches against the container labels to determine whether
-to create any route for that container. If none of the container tags match the expression, no route for that container is
-created. If the expression is empty, all detected containers are included.
-
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as
-the usual boolean logic, as shown in examples below.
-
-??? example "Constraints Expression Examples"
-
-    ```toml
-    # Includes only containers having a label with key `a.label.name` and value `foo`
-    constraints = "Label(`a.label.name`, `foo`)"
-    ```
-
-    ```toml
-    # Excludes containers having any label with key `a.label.name` and value `foo`
-    constraints = "!Label(`a.label.name`, `value`)"
-    ```
-
-    ```toml
-    # With logical AND.
-    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
-    ```
-
-    ```toml
-    # With logical OR.
-    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
-    ```
-
-    ```toml
-    # With logical AND and OR, with precedence set by parentheses.
-    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
-    ```
-
-    ```toml
-    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegex(`a.label.name`, `a.+`)"
-    ```
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    constraints: "Label(`a.label.name`,`foo`)"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  constraints = "Label(`a.label.name`,`foo`)"
-  # ...
-```
-
-```bash tab="CLI"
---providers.rancher.constraints=Label(`a.label.name`,`foo`)
-# ...
-```

docs/content/providers/rancher.toml

@@ -1,20 +0,0 @@
-# Enable Rancher Provider.
-[providers.rancher]
-
-  # Expose Rancher services by default in Traefik.
-  exposedByDefault = true
-
-  # Enable watch Rancher changes.
-  watch = true
-
-  # Filter services with unhealthy states and inactive states.
-  enableServiceHealthFilter = true
-
-  # Defines the polling interval (in seconds).
-  refreshSeconds = 15
-
-  # Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
-  intervalPoll = false
-
-  # Prefix used for accessing the Rancher metadata service
-  prefix = "/latest"

docs/content/providers/rancher.txt

@@ -1,20 +0,0 @@
-# Enable Rancher Provider.
---providers.rancher=true
-
-# Expose Rancher services by default in Traefik.
---providers.rancher.exposedByDefault=true
-
-# Enable watch Rancher changes.
---providers.rancher.watch=true
-
-# Filter services with unhealthy states and inactive states.
---providers.rancher.enableServiceHealthFilter=true
-
-# Defines the polling interval (in seconds).
---providers.rancher.refreshSeconds=15
-
-# Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
---providers.rancher.intervalPoll=false
-
-# Prefix used for accessing the Rancher metadata service
---providers.rancher.prefix=/latest

docs/content/providers/rancher.yml

@@ -1,21 +0,0 @@
-# Enable Rancher Provider.
-providers:
-  rancher:
-
-  # Expose Rancher services by default in Traefik.
-  exposedByDefault: true
-
-  # Enable watch Rancher changes.
-  watch: true
-
-  # Filter services with unhealthy states and inactive states.
-  enableServiceHealthFilter: true
-
-  # Defines the polling interval (in seconds).
-  refreshSeconds: 15
-
-  # Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
-  intervalPoll: false
-
-  # Prefix used for accessing the Rancher metadata service
-  prefix: /latest