Prepare release v2.11.29

Bump github.com/docker/docker to v28.3.3
Remove Semaphore CI
2025-09-06 05:44:21 +03:00 · 2025-08-26 14:50:08 +02:00 · 2025-08-20 15:52:06 +02:00 · 2025-08-13 10:30:06 +02:00 · 2025-08-13 09:22:04 +02:00 · 2025-08-11 14:44:05 +02:00
1078 changed files with 56553 additions and 29498 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,5 @@
 dist/
-!dist/traefik
+!dist/**/traefik
 site/
 vendor/
 .idea/
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -6,12 +6,14 @@ body:
    attributes:
      label: Welcome!
      description: |
-        The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
-        - the Traefik community forum: https://community.traefik.io/
+        The issue tracker is for reporting bugs and feature requests only.
+        For end-user related support questions, please use the [Traefik community forum](https://community.traefik.io/).

-        The configurations between 1.X and 2.X are NOT compatible. Please have a look [here](https://doc.traefik.io/traefik/getting-started/configuration-overview/).
+        All new/updated issues are triaged regularly by the maintainers.
+        All issues closed by a bot are subsequently double-checked by the maintainers.

        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+
      options:
        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
          required: true
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -2,16 +2,16 @@
 PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
- for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.8
+- for Traefik v2: use branch v2.11
+- for Traefik v3: use branch v3.0

 Bug fixes:
- for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.8
+- for Traefik v2: use branch v2.11
+- for Traefik v3: use branch v3.0

 Enhancements:
- for Traefik v1: we only accept bug fixes
- for Traefik v2: use branch master
+- for Traefik v2: we only accept bug fixes
+- for Traefik v3: use branch master

 HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/

--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -4,76 +4,78 @@ on:
  pull_request:
    branches:
      - '*'
+    paths-ignore:
+      - 'docs/**'
+      - '**.md'
+      - 'script/gcg/**'

 env:
-  GO_VERSION: 1.17
+  GO_VERSION: '1.24'
  CGO_ENABLED: 0
-  IN_DOCKER: ""

 jobs:

  build-webui:
-    runs-on: ubuntu-20.04
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-
-      - name: Build webui
-        run: |
-          make clean-webui generate-webui
-          tar czvf webui.tar.gz ./webui/static/
-
-      - name: Artifact webui
-        uses: actions/upload-artifact@v2
-        with:
-          name: webui.tar.gz
-          path: webui.tar.gz
+    uses: ./.github/workflows/template-webui.yaml

  build:
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
+
    strategy:
      matrix:
-        os: [ ubuntu-20.04, macos-latest, windows-latest ]
+        os: [ darwin, freebsd, linux, openbsd, windows ]
+        arch: [ amd64, arm64 ]
+        include:
+          - os: freebsd
+            arch: 386
+          - os: linux
+            arch: 386
+          - os: linux
+            arch: arm
+            goarm: 6
+          - os: linux
+            arch: arm
+            goarm: 7
+          - os: linux
+            arch: ppc64le
+          - os: linux
+            arch: riscv64
+          - os: linux
+            arch: s390x
+          - os: openbsd
+            arch: 386
+          - os: windows
+            arch: 386
    needs:
      - build-webui
-    defaults:
-      run:
-        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik

    steps:
-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v5
        with:
-          path: go/src/github.com/traefik/traefik
          fetch-depth: 0

-      - name: Cache Go modules
-        uses: actions/cache@v2
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        env:
+          ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-            ~/Library/Caches/go-build
-            '%LocalAppData%\go-build'
-          key: ${{ runner.os }}-build-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-build-go-
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true

      - name: Artifact webui
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
        with:
          name: webui.tar.gz
-          path: ${{ github.workspace }}/go/src/github.com/traefik/traefik

      - name: Untar webui
-        run: tar xvf webui.tar.gz
+        run: |
+          tar xvf webui.tar.gz
+          rm webui.tar.gz

      - name: Build
+        env:
+          GOOS: ${{ matrix.os }}
+          GOARCH: ${{ matrix.arch }}
+          GOARM: ${{ matrix.goarm }}
        run: make binary
--- a/.github/workflows/check_doc.yml
+++ b/.github/workflows/check_doc.yml
@@ -9,13 +9,17 @@ jobs:

  docs:
    name: Check, verify and build documentation
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

      - name: Check documentation
        run: make docs-pull-images docs
+        env:
+          # These variables are not passed to workflows that are triggered by a pull request from a fork.
+          DOCS_VERIFY_SKIP: ${{ vars.DOCS_VERIFY_SKIP }}
+          DOCS_LINT_SKIP: ${{ vars.DOCS_LINT_SKIP }}
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,70 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - master
+      - v*
+  schedule:
+    - cron: '11 22 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript', 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v5
+
+    - name: setup go
+      uses: actions/setup-go@v5
+      if: ${{ matrix.language == 'go' }}
+      with:
+        go-version-file: 'go.mod'
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+
+    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #     echo "Run, Build Application using script"
+    #     ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -1,30 +1,31 @@
 name: Build and Publish Documentation

 on:
+  workflow_dispatch: {}
  push:
    branches:
      - master
      - v*

 env:
-  STRUCTOR_VERSION: v1.11.2
+  STRUCTOR_VERSION: v1.13.2
  MIXTUS_VERSION: v0.4.1

 jobs:

  docs:
    name: Doc Process
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    if: github.repository == 'traefik/traefik'

    steps:
      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

      - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -39,9 +40,9 @@ jobs:
        run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}

      - name: Build documentation
-        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
-        env:
-          STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}
+        run: |
+          STRUCTOR_LATEST_TAG=$(curl -s https://api.github.com/repos/traefik/traefik/releases/latest | jq -r '.tag_name')
+          $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug

      - name: Apply seo
        run: $HOME/bin/seo -path=./site -product=traefik
--- a/.github/workflows/experimental.yaml
+++ b/.github/workflows/experimental.yaml
@@ -6,32 +6,65 @@ on:
      - master
      - v*

+env:
+  GO_VERSION: '1.24'
+  CGO_ENABLED: 0
+
 jobs:

+  build-webui:
+    if: github.repository == 'traefik/traefik'
+    uses: ./.github/workflows/template-webui.yaml
+
  experimental:
    if: github.repository == 'traefik/traefik'
    name: Build experimental image on branch
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest

    steps:
-
-      # https://github.com/marketplace/actions/checkout
      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        env:
+          ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: Build
+        run: make generate binary
+
      - name: Branch name
        run: echo ${GITHUB_REF##*/}

-      - name: Build docker experimental image
-        run: docker build -t traefik/traefik:experimental-${GITHUB_REF##*/} -f exp.Dockerfile .
-
      - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

-      - name: Push to Docker Hub
-        run: docker push traefik/traefik:experimental-${GITHUB_REF##*/}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v4
+        with:
+          name: webui.tar.gz
+
+      - name: Untar webui
+        run: |
+          tar xvf webui.tar.gz
+          rm webui.tar.gz
+
+      - name: Build docker experimental image
+        env:
+          DOCKER_BUILDX_ARGS: "--push"
+        run: |
+          make multi-arch-image-experimental-${GITHUB_REF##*/}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,136 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+env:
+  GO_VERSION: '1.24'
+  CGO_ENABLED: 0
+  VERSION: ${{ github.ref_name }}
+  TRAEFIKER_EMAIL: "traefiker@traefik.io"
+  CODENAME: mimolette
+
+jobs:
+
+  build-webui:
+    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
+    uses: ./.github/workflows/template-webui.yaml
+
+  build:
+    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin, windows-amd64, windows-arm64, windows-386, freebsd, openbsd ]
+    needs:
+      - build-webui
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        env:
+          # Ensure cache consistency on Linux, see https://github.com/actions/setup-go/pull/383
+          ImageOS: ${{ matrix.os }}
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v4
+        with:
+          name: webui.tar.gz
+
+      - name: Untar webui
+        run: |
+          tar xvf webui.tar.gz
+          rm webui.tar.gz
+
+      - name: Go generate
+        run: go generate
+
+
+      - name: Generate goreleaser file
+        run: |
+          GORELEASER_CONFIG_FILE_PATH=$(go run ./internal/release "${{ matrix.os }}")
+          echo "GORELEASER_CONFIG_FILE_PATH=$GORELEASER_CONFIG_FILE_PATH" >> $GITHUB_ENV
+
+      - name: Build with goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          # 'latest', 'nightly', or a semver
+          version: '~> v2'
+          args: release --clean --timeout="90m" --config "${{ env.GORELEASER_CONFIG_FILE_PATH }}"
+
+      - name: Artifact binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.os }}-binaries
+          path: |
+            dist/**/*_checksums.txt
+            dist/**/*.tar.gz
+            dist/**/*.zip
+          retention-days: 1
+
+  release:
+    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
+    runs-on: ubuntu-latest
+
+    needs:
+      - build
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v4
+        with:
+          name: webui.tar.gz
+
+      - name: Untar webui
+        run: |
+          tar xvf webui.tar.gz
+          rm webui.tar.gz
+
+      - name: Retrieve the secret and decode it to a file
+        env:
+          TRAEFIKER_RSA: ${{ secrets.TRAEFIKER_RSA }}
+        run: |
+          mkdir -p ~/.ssh
+          echo "${TRAEFIKER_RSA}" | base64 --decode > ~/.ssh/traefiker_rsa
+
+      - name: Download All Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: dist/
+          pattern: "*-binaries"
+          merge-multiple: true
+
+      - name: Publish Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          cat dist/**/*_checksums.txt >> "dist/traefik_${VERSION}_checksums.txt"
+          rm dist/**/*_checksums.txt
+          tar cfz "dist/traefik-${VERSION}.src.tar.gz" \
+            --exclude-vcs \
+            --exclude .idea \
+            --exclude .github \
+            --exclude dist .
+          
+          chown -R "$(id -u)":"$(id -g)" dist/
+          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION} --latest=false
+          
+          ./script/deploy.sh
+
--- a/.github/workflows/template-webui.yaml
+++ b/.github/workflows/template-webui.yaml
@@ -0,0 +1,37 @@
+name: Build Web UI
+on:
+  workflow_call: {}
+jobs:
+
+  build-webui:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: webui/.nvmrc
+          cache: yarn
+          cache-dependency-path: webui/yarn.lock
+
+      - name: Build webui
+        working-directory: ./webui
+        run: |
+          yarn install
+          yarn build
+
+      - name: Package webui
+        run: |
+          tar czvf webui.tar.gz ./webui/static/
+
+      - name: Artifact webui
+        uses: actions/upload-artifact@v4
+        with:
+          name: webui.tar.gz
+          path: webui.tar.gz
+          retention-days: 1
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@@ -0,0 +1,105 @@
+name: Test Integration
+
+on:
+  pull_request:
+    branches:
+      - '*'
+    paths-ignore:
+      - 'docs/**'
+      - '**.md'
+      - 'script/gcg/**'
+
+env:
+  GO_VERSION: '1.24'
+  CGO_ENABLED: 0
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: Avoid generating webui
+        run: touch webui/static/index.html
+
+      - name: Build binary
+        run: make binary-linux-amd64
+
+      - name: Save go cache build
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-cache-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
+
+      - name: Artifact traefik binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: traefik
+          path: ./dist/linux/amd64/traefik
+          retention-days: 1
+
+  test-integration:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    strategy:
+      fail-fast: true
+      matrix:
+        parallel: [12]
+        index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: Avoid generating webui
+        run: touch webui/static/index.html
+
+      - name: Download traefik binary
+        uses: actions/download-artifact@v4
+        with:
+          name: traefik
+          path: ./dist/linux/amd64/
+
+      - name: Make binary executable
+        run: chmod +x ./dist/linux/amd64/traefik
+
+      - name: Restore go cache build
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-cache-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
+
+      - name: Generate go test Slice
+        id: test_split
+        uses: hashicorp-forge/go-test-split-action@v2.0.0
+        with:
+          packages: ./integration
+          total: ${{ matrix.parallel }}
+          index: ${{ matrix.index }}
+
+      - name: Run Integration tests
+        run: |
+          TESTS=$(echo "${{ steps.test_split.outputs.run}}" | sed 's/\$/\$\$/g')
+          TESTFLAGS="-run \"${TESTS}\"" make test-integration
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -4,43 +4,83 @@ on:
  pull_request:
    branches:
      - '*'
+    paths-ignore:
+      - 'docs/**'
+      - '**.md'
+      - 'script/gcg/**'

 env:
-  GO_VERSION: 1.17
-  IN_DOCKER: ""
+  GO_VERSION: '1.24'

 jobs:

-  test-unit:
-    runs-on: ubuntu-20.04
-
-    defaults:
-      run:
-        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
-
+  generate-packages:
+    name: List Go Packages
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v5
        with:
-          path: go/src/github.com/traefik/traefik
          fetch-depth: 0

-      - name: Cache Go modules
-        uses: actions/cache@v2
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-test-unit-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-test-unit-go-
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: Generate matrix
+        id: set-matrix
+        run: |
+          matrix_output=$(go run ./internal/testsci/genmatrix.go)
+          echo "$matrix_output"
+          echo "$matrix_output" >> $GITHUB_OUTPUT
+
+  test-unit:
+    runs-on: ubuntu-latest
+    needs: generate-packages
+    strategy:
+      matrix:
+        package: ${{ fromJson(needs.generate-packages.outputs.matrix) }}
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true

      - name: Avoid generating webui
        run: touch webui/static/index.html

      - name: Tests
-        run: make test-unit
+        run: |
+          go test -v -parallel 8 ${{ matrix.package.group }}
+
+  test-ui-unit:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Node.js ${{ env.NODE_VERSION }}
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: webui/.nvmrc
+          cache: 'yarn'
+          cache-dependency-path: webui/yarn.lock
+
+      - name: UI unit tests
+        run: |
+          yarn --cwd webui install
+          yarn --cwd webui test:unit:ci
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -6,84 +6,74 @@ on:
      - '*'

 env:
-  GO_VERSION: 1.17
-  GOLANGCI_LINT_VERSION: v1.46.2
-  MISSSPELL_VERSION: v0.3.4
-  IN_DOCKER: ""
+  GO_VERSION: '1.24'
+  GOLANGCI_LINT_VERSION: v2.0.2
+  MISSPELL_VERSION: v0.6.0

 jobs:

-  validate:
-    runs-on: ubuntu-20.04
-
-    defaults:
-      run:
-        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+  lint:
+    runs-on: ubuntu-latest

    steps:
-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v5
        with:
-          path: go/src/github.com/traefik/traefik
          fetch-depth: 0

-      - name: Cache Go modules
-        uses: actions/cache@v2
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-validate-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-validate-go-
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true

-      - name: Install golangci-lint ${{ env.GOLANGCI_LINT_VERSION }}
-        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v7
+        with:
+          version: "${{ env.GOLANGCI_LINT_VERSION }}"

-      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
-        run: curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
+  validate:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: Install misspell ${{ env.MISSPELL_VERSION }}
+        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/HEAD/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}

      - name: Avoid generating webui
        run: touch webui/static/index.html

      - name: Validate
-        run: make validate
+        run: make validate-files

  validate-generate:
-    runs-on: ubuntu-20.04
-
-    defaults:
-      run:
-        working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
+    runs-on: ubuntu-latest

    steps:
-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v5
        with:
-          path: go/src/github.com/traefik/traefik
          fetch-depth: 0

-      - name: Cache Go modules
-        uses: actions/cache@v2
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-validate-generate-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-validate-generate-go-
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true

      - name: go generate
        run: |
-          go generate
+          make generate
          git diff --exit-code

      - name: go mod tidy
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@ vendor/
 plugins-storage/
 plugins-local/
 traefik_changelog.md
+integration/tailscale.secret
--- a/.golangci.toml
+++ b/.golangci.toml
@@ -1,224 +0,0 @@
-[run]
-  timeout = "10m"
-  skip-files = []
-  skip-dirs = [
-    "pkg/provider/kubernetes/crd/generated/",
-  ]
-
-[linters-settings]
-
-  [linters-settings.govet]
-    check-shadowing = false
-
-  [linters-settings.golint]
-    min-confidence = 0.0
-
-  [linters-settings.gocyclo]
-    min-complexity = 14.0
-
-  [linters-settings.goconst]
-    min-len = 3.0
-    min-occurrences = 4.0
-
-  [linters-settings.misspell]
-    locale = "US"
-
-  [linters-settings.funlen]
-    lines = 230 # default 60
-    statements = 120 # default 40
-
-  [linters-settings.forbidigo]
-    forbid = [
-      '^print(ln)?$',
-      '^spew\.Print(f|ln)?$',
-      '^spew\.Dump$',
-    ]
-
-  [linters-settings.depguard]
-    list-type = "blacklist"
-    include-go-root = false
-    packages = ["github.com/pkg/errors"]
-
-  [linters-settings.godox]
-    keywords = ["FIXME"]
-
-  [linters-settings.importas]
-    corev1 = "k8s.io/api/core/v1"
-    networkingv1beta1 = "k8s.io/api/networking/v1beta1"
-    extensionsv1beta1 = "k8s.io/api/extensions/v1beta1"
-    metav1 = "k8s.io/apimachinery/pkg/apis/meta/v1"
-    kubeerror = "k8s.io/apimachinery/pkg/api/errors"
-    composeapi = "github.com/docker/compose/v2/pkg/api"
-
-  [linters-settings.revive]
-    [[linters-settings.revive.rules]]
-      name = "struct-tag"
-    [[linters-settings.rules]]
-      name = "blank-imports"
-    [[linters-settings.rules]]
-      name = "context-as-argument"
-    [[linters-settings.rules]]
-      name = "context-keys-type"
-    [[linters-settings.rules]]
-      name = "dot-imports"
-    [[linters-settings.rules]]
-      name = "error-return"
-    [[linters-settings.rules]]
-      name = "error-strings"
-    [[linters-settings.rules]]
-      name = "error-naming"
-    [[linters-settings.rules]]
-      name = "exported"
-    [[linters-settings.rules]]
-      name = "if-return"
-    [[linters-settings.rules]]
-      name = "increment-decrement"
-    [[linters-settings.rules]]
-      name = "var-naming"
-    [[linters-settings.rules]]
-      name = "var-declaration"
-    [[linters-settings.rules]]
-      name = "package-comments"
-    [[linters-settings.rules]]
-      name = "range"
-    [[linters-settings.rules]]
-      name = "receiver-naming"
-    [[linters-settings.rules]]
-      name = "time-naming"
-    [[linters-settings.rules]]
-      name = "unexported-return"
-    [[linters-settings.rules]]
-      name = "indent-error-flow"
-    [[linters-settings.rules]]
-      name = "errorf"
-    [[linters-settings.rules]]
-      name = "empty-block"
-    [[linters-settings.rules]]
-      name = "superfluous-else"
-    [[linters-settings.rules]]
-      name = "unused-parameter"
-    [[linters-settings.rules]]
-      name = "unreachable-code"
-    [[linters-settings.rules]]
-      name = "redefines-builtin-id"
-
-  [linters-settings.gomoddirectives]
-    replace-allow-list = [
-      "github.com/abbot/go-http-auth",
-      "github.com/go-check/check",
-      "github.com/gorilla/mux",
-      "github.com/mailgun/minheap",
-      "github.com/mailgun/multibuf",
-      "github.com/jaguilar/vt100",
-    ]
-
-[linters]
-  enable-all = true
-  disable = [
-    "scopelint", # Deprecated
-    "interfacer", # Deprecated
-    "maligned", # Deprecated
-    "golint", # Deprecated
-    "execinquery", # Not relevant (SQL)
-    "sqlclosecheck", # Not relevant (SQL)
-    "rowserrcheck", # Not relevant (SQL)
-    "lll", # Not relevant
-    "gocyclo", # FIXME must be fixed
-    "cyclop", # Duplicate of gocyclo
-    "gocognit", # Too strict
-    "nestif", # Too many false-positive.
-    "prealloc", # Too many false-positive.
-    "makezero", # Not relevant
-    "ifshort", # Not relevant
-    "dupl", # Too strict
-    "gosec", # Too strict
-    "gochecknoinits",
-    "gochecknoglobals",
-    "wsl", # Too strict
-    "nlreturn", # Not relevant
-    "gomnd", # Too strict
-    "stylecheck", # skip because report issues related to some generated files.
-    "testpackage", # Too strict
-    "tparallel", # Not relevant
-    "paralleltest", # Not relevant
-    "exhaustive", # Not relevant
-    "exhaustivestruct", # Not relevant
-    "exhaustruct", # duplicate of exhaustivestruct
-    "goerr113", # Too strict
-    "wrapcheck", # Too strict
-    "noctx", # Too strict
-    "bodyclose", # Too many false-positive and panics.
-    "unparam", # Too strict
-    "godox", # Too strict
-    "forcetypeassert", # Too strict
-    "tagliatelle", # Not compatible with current tags.
-    "varnamelen", # not relevant
-    "nilnil", # not relevant
-    "ireturn", # not relevant
-    "contextcheck", # too many false-positive
-    "containedctx", # too many false-positive
-    "maintidx", # kind of duplicate of gocyclo
-    "nonamedreturns", # not relevant
-  ]
-
-[issues]
-  exclude-use-default = false
-  max-per-linter = 0
-  max-same-issues = 0
-  exclude = [
-    "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked",
-    "should have a package comment, unless it's in another file for this package",
-    "SA1019: http.CloseNotifier has been deprecated",  # FIXME must be fixed
-    "SA1019: cfg.SSLRedirect is deprecated",
-    "SA1019: cfg.SSLTemporaryRedirect is deprecated",
-    "SA1019: cfg.SSLHost is deprecated",
-    "SA1019: cfg.SSLForceHost is deprecated",
-    "SA1019: cfg.FeaturePolicy is deprecated",
-    "SA1019: c.Providers.ConsulCatalog.Namespace is deprecated",
-    "SA1019: c.Providers.Consul.Namespace is deprecated",
-  ]
- [[issues.exclude-rules]]
-    path = "(.+)_test.go"
-    linters = ["goconst", "funlen", "godot"]
- [[issues.exclude-rules]]
-    path = "integration/.+_test.go"
-    text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
- [[issues.exclude-rules]]
-    path = "integration/(consul_catalog_test|constraint_test).go"
-    text = "Error return value of `(s.deregisterService|s.deregisterAgentService)` is not checked"
- [[issues.exclude-rules]]
-    path = "integration/grpc_test.go"
-    text = "Error return value of `closer` is not checked"
- [[issues.exclude-rules]]
-    path = "pkg/h2c/h2c.go"
-    text = "Error return value of `rw.Write` is not checked"
- [[issues.exclude-rules]]
-    path = "pkg/provider/docker/builder_test.go"
-    text = "(U1000: func )?`(.+)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
-    text = "(U1000: func )?`(.+)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/server/service/bufferpool.go"
-    text = "SA6002: argument should be pointer-like to avoid allocations"
- [[issues.exclude-rules]]
-    path = "cmd/configuration.go"
-    text = "string `traefik` has (\\d) occurrences, make it a constant"
- [[issues.exclude-rules]]
-    path = "pkg/server/middleware/middlewares.go"
-    text = "Function 'buildConstructor' has too many statements"
- [[issues.exclude-rules]]
-    path = "pkg/tracing/haystack/logger.go"
-    linters = ["goprintffuncname"]
- [[issues.exclude-rules]]
-    path = "pkg/tracing/tracing.go"
-    text = "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
- [[issues.exclude-rules]]
-    path = "pkg/log/deprecated.go"
-    linters = ["godot"]
- [[issues.exclude-rules]]
-    path = "(.+)\\.go"
-    text = "struct-tag: unknown option 'inline' in JSON tag"
- [[issues.exclude-rules]]
-    path = "pkg/server/router/tcp/manager.go"
-    text = "Function 'buildEntryPointHandler' is too long (.+)"
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,313 @@
+version: "2"
+
+formatters:
+  enable:
+    - gci
+    - gofumpt
+  exclusions:
+    generated: lax
+    paths:
+      - pkg/provider/kubernetes/crd/generated/
+
+linters:
+  default: all
+  disable:
+    - bodyclose # too many false-positive
+    - containedctx # too many false-positive
+    - contextcheck # too many false-positive
+    - cyclop # duplicate of gocyclo
+    - dupl # Too strict
+    - err113 # Too strict
+    - exhaustive # Not relevant
+    - exhaustruct # Not relevant
+    - forcetypeassert # Too strict
+    - gochecknoglobals
+    - gochecknoinits
+    - gocognit # Too strict
+    - gocyclo # FIXME must be fixed
+    - gosec # Too strict
+    - gosmopolitan  # not relevant
+    - ireturn # Not relevant
+    - lll # Not relevant
+    - maintidx # kind of duplicate of gocyclo
+    - makezero # Not relevant
+    - mnd # Too strict
+    - nestif # Too many false-positive.
+    - nilnil # Not relevant
+    - nlreturn # Not relevant
+    - noctx # Too strict
+    - nonamedreturns # Too strict
+    - paralleltest # Not relevant
+    - prealloc # Too many false-positive.
+    - rowserrcheck # not relevant (SQL)
+    - sqlclosecheck # not relevant (SQL)
+    - tagliatelle # Too strict
+    - testpackage # Too strict
+    - tparallel # Not relevant
+    - varnamelen # Not relevant
+    - wrapcheck # Too strict
+    - wsl # Too strict
+
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: github.com/instana/testify
+              desc: not allowed
+            - pkg: github.com/pkg/errors
+              desc: Should be replaced by standard lib errors package
+    errcheck:
+      exclude-functions:
+        - fmt.Fprintln
+    forbidigo:
+      forbid:
+        - pattern: ^print(ln)?$
+        - pattern: ^spew\.Print(f|ln)?$
+        - pattern: ^spew\.Dump$
+    funlen:
+      lines: -1
+      statements: 120
+    goconst:
+      min-len: 3
+      min-occurrences: 4
+    gocyclo:
+      min-complexity: 14
+    godox:
+      keywords:
+        - FIXME
+    gomoddirectives:
+      toolchain-pattern: go1\.\d+\.\d+$
+      tool-forbidden: true
+      go-version-pattern: ^1\.\d+(\.0)?$
+      replace-allow-list:
+        - github.com/abbot/go-http-auth
+        - github.com/gorilla/mux
+        - github.com/mailgun/minheap
+        - github.com/mailgun/multibuf
+        - github.com/jaguilar/vt100
+        - github.com/cucumber/godog
+    govet:
+      enable-all: true
+      disable:
+        - shadow
+        - fieldalignment
+    importas:
+      no-unaliased: true
+      alias:
+        - pkg: github.com/docker/compose/v2/pkg/api
+          alias: composeapi
+
+        # Standard Kubernetes rewrites:
+        - pkg: k8s.io/api/core/v1
+          alias: corev1
+        - pkg: k8s.io/api/networking/v1
+          alias: netv1
+        - pkg: k8s.io/api/networking/v1beta1
+          alias: netv1beta1
+        - pkg: k8s.io/api/admission/v1
+          alias: admv1
+        - pkg: k8s.io/api/admission/v1beta1
+          alias: admv1beta1
+        - pkg: k8s.io/api/extensions/v1beta1
+          alias: extv1beta1
+        - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+          alias: metav1
+        - pkg: k8s.io/apimachinery/pkg/types
+          alias: ktypes
+        - pkg: k8s.io/apimachinery/pkg/api/errors
+          alias: kerror
+        - pkg: k8s.io/client-go/kubernetes
+          alias: kclientset
+        - pkg: k8s.io/client-go/informers
+          alias: kinformers
+        - pkg: k8s.io/client-go/testing
+          alias: ktesting
+        - pkg: k8s.io/apimachinery/pkg/runtime/schema
+          alias: kschema
+        - pkg: k8s.io/client-go/kubernetes/scheme
+          alias: kscheme
+        - pkg: k8s.io/apimachinery/pkg/version
+          alias: kversion
+        - pkg: k8s.io/client-go/kubernetes/fake
+          alias: kubefake
+        - pkg: k8s.io/client-go/discovery/fake
+          alias: discoveryfake
+
+        # Kubernetes Gateway rewrites:
+        - pkg: sigs.k8s.io/gateway-api/pkg/client/clientset/gateway/versioned
+          alias: gateclientset
+        - pkg: sigs.k8s.io/gateway-api/pkg/client/informers/gateway/externalversions
+          alias: gateinformers
+        - pkg: sigs.k8s.io/gateway-api/apis/v1alpha2
+          alias: gatev1alpha2
+
+        # Traefik Kubernetes rewrites:
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikcontainous/v1alpha1
+          alias: containousv1alpha1
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1
+          alias: traefikv1alpha1
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned
+          alias: traefikclientset
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/informers/externalversions
+          alias: traefikinformers
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme
+          alias: traefikscheme
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake
+          alias: traefikcrdfake
+    misspell:
+      locale: US
+    revive:
+      rules:
+        - name: struct-tag
+        - name: blank-imports
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: dot-imports
+        - name: error-return
+        - name: error-strings
+        - name: error-naming
+        - name: exported
+          disabled: true
+        - name: if-return
+        - name: increment-decrement
+        - name: var-naming
+        - name: var-declaration
+        - name: package-comments
+          disabled: true
+        - name: range
+        - name: receiver-naming
+        - name: time-naming
+        - name: unexported-return
+        - name: indent-error-flow
+        - name: errorf
+        - name: empty-block
+        - name: superfluous-else
+        - name: unused-parameter
+          disabled: true
+        - name: unreachable-code
+        - name: redefines-builtin-id
+    tagalign:
+      align: false
+      sort: true
+      order:
+        - description
+        - json
+        - toml
+        - yaml
+        - yml
+        - label
+        - label-slice-as-struct
+        - file
+        - kv
+        - export
+    testifylint:
+      disable:
+        - suite-dont-use-pkg
+        - require-error
+        - go-require
+    perfsprint:
+      err-error: true
+      errorf: true
+      sprintf1: true
+      strconcat: false
+    staticcheck:
+      checks:
+        - all
+        - '-ST1000'
+        - '-ST1003'
+        - '-ST1016'
+        - '-ST1020'
+        - '-ST1021'
+        - '-ST1022'
+        - '-QF1001'
+        - '-QF1008' # TODO must be fixed
+
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - std-error-handling
+    rules:
+      - path: (.+)_test.go
+        linters:
+          - canonicalheader
+          - fatcontext
+          - funlen
+          - goconst
+          - godot
+      - path: (.+)_test.go
+        text: ' always receives '
+        linters:
+          - unparam
+      - path: pkg/server/service/bufferpool.go
+        text: 'SA6002: argument should be pointer-like to avoid allocations'
+      - path: pkg/server/middleware/middlewares.go
+        text: Function 'buildConstructor' has too many statements
+        linters:
+          - funlen
+      - path: pkg/tracing/haystack/logger.go
+        linters:
+          - goprintffuncname
+      - path: pkg/tracing/tracing.go
+        text: printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'
+        linters:
+          - goprintffuncname
+      - path: pkg/tls/tlsmanager_test.go
+        text: 'SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18'
+      - path: pkg/types/tls_test.go
+        text: 'SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18'
+      - path: pkg/provider/kubernetes/(crd|gateway)/client.go
+        linters:
+          - interfacebloat
+      - path: pkg/metrics/metrics.go
+        linters:
+          - interfacebloat
+      - path: integration/healthcheck_test.go
+        text: Duplicate words \(wsp2,\) found
+        linters:
+          - dupword
+      - path: pkg/types/domain_test.go
+        text: Duplicate words \(sub\) found
+        linters:
+          - dupword
+      - path: pkg/provider/kubernetes/gateway/client_mock_test.go
+        text: 'unusedwrite: unused write to field'
+        linters:
+          - govet
+      - path: pkg/provider/acme/local_store.go
+        linters:
+          - musttag
+      - path: pkg/tls/certificate.go
+        text: the methods of "Certificates" use pointer receiver and non-pointer receiver.
+        linters:
+          - recvcheck
+      - path: pkg/config/static/static_config.go
+        source: 'errors.New\("Consul Catalog provider'
+        text: 'ST1005: error strings should not be capitalized'
+      - path: pkg/config/static/static_config.go
+        source: 'errors.New\("Consul provider'
+        text: 'ST1005: error strings should not be capitalized'
+      - path: pkg/config/static/static_config.go
+        source: 'errors.New\("Nomad provider'
+        text: 'ST1005: error strings should not be capitalized'
+      - path: (.+)\.go
+        text: 'struct-tag: unknown option ''inline'' in JSON tag'
+        linters:
+          - revive
+      - path: (.+)\.go
+        text: 'struct-tag: unknown option ''omitzero'' in TOML tag'
+        linters:
+          - revive
+      - path: (.+)\.go$
+        text: 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
+      - path: (.+)\.go$
+        text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
+      - path: (.+)\.go$
+        text: 'SA1019: c.Providers.(ConsulCatalog|Consul|Nomad).Namespace is deprecated'
+    paths:
+      - pkg/provider/kubernetes/crd/generated/
+
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
--- a/.goreleaser.yml.tmpl
+++ b/.goreleaser.yml.tmpl
@@ -1,8 +1,11 @@
 project_name: traefik
+version: 2

-before:
-  hooks:
-    - go generate
+[[if .GOARCH]]
+dist: "./dist/[[ .GOOS ]]-[[ .GOARCH ]]"
+[[else]]
+dist: "./dist/[[ .GOOS ]]"
+[[end]]

 builds:
  - binary: traefik
@@ -15,34 +18,38 @@ builds:
    flags:
      - -trimpath
    goos:
-      - linux
-      - darwin
-      - windows
-      - freebsd
-      - openbsd
+      - "[[ .GOOS ]]"
    goarch:
+      [[if .GOARCH]]
+      - "[[ .GOARCH ]]"
+      [[else]]
      - amd64
-      - 386
+      - '386'
      - arm
      - arm64
      - ppc64le
      - s390x
+      - riscv64
+      [[end]]
    goarm:
-      - 7
-      - 6
-      - 5
+      - '7'
+      - '6'
    ignore:
      - goos: darwin
-        goarch: 386
+        goarch: '386'
      - goos: openbsd
        goarch: arm
      - goos: openbsd
        goarch: arm64
+      - goos: freebsd
+        goarch: arm
      - goos: freebsd
        goarch: arm64
+      - goos: windows
+        goarch: arm

 changelog:
-  skip: true
+  disable: true

 archives:
  - id: traefik
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -1,83 +0,0 @@
-version: v1.0
-name: Traefik
-agent:
-  machine:
-    type: e1-standard-4
-    os_image: ubuntu1804
-
-fail_fast:
-  stop:
-    when: "branch != 'master'"
-
-auto_cancel:
-  queued:
-    when: "branch != 'master'"
-  running:
-    when: "branch != 'master'"
-
-global_job_config:
-  prologue:
-    commands:
-      - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
-      - sudo semgo go1.17
-      - export "GOPATH=$(go env GOPATH)"
-      - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
-      - export "PATH=${GOPATH}/bin:${PATH}"
-      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
-      - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.46.2
-      - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
-      - checkout
-      - cache restore traefik-$(checksum go.sum)
-
-blocks:
-  - name: Test Integration
-    dependencies: []
-    run:
-      when: "branch =~ '.*' OR pull_request =~'.*'"
-    task:
-      jobs:
-        - name: Test Integration
-          commands:
-            - make pull-images
-            - touch webui/static/index.html # Avoid generating webui
-            - IN_DOCKER="" make binary
-            - make test-integration
-            - df -h
-      epilogue:
-        always:
-          commands:
-            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
-
-  - name: Release
-    dependencies: []
-    run:
-      when: "tag =~ '.*'"
-    task:
-      agent:
-        machine:
-          type: e1-standard-8
-          os_image: ubuntu1804
-      secrets:
-        - name: traefik
-      env_vars:
-        - name: GH_VERSION
-          value: 1.12.1
-        - name: CODENAME
-          value: "vacherin"
-        - name: IN_DOCKER
-          value: ""
-      prologue:
-        commands:
-          - export VERSION=${SEMAPHORE_GIT_TAG_NAME}
-          - curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
-          - tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
-          - sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
-          - sudo rm -rf ~/.phpbrew ~/.kerl ~/.sbt ~/.nvm ~/.npm ~/.kiex /usr/lib/jvm /opt/az /opt/firefox # Remove unnecessary data.
-          - sudo service docker stop && sudo umount /var/lib/docker && sudo service docker start # Unmounts the docker disk and the whole system disk is usable.
-      jobs:
-        - name: Release
-          commands:
-            - make release-packages
-            - gh release create ${SEMAPHORE_GIT_TAG_NAME} ./dist/traefik*.* --repo traefik/traefik --title ${SEMAPHORE_GIT_TAG_NAME} --notes ${SEMAPHORE_GIT_TAG_NAME}
-            - ./script/deploy.sh
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,925 @@
+## [v2.11.29](https://github.com/traefik/traefik/tree/v2.11.29) (2025-08-26)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.28...v2.11.29)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.25.2 ([#11983](https://github.com/traefik/traefik/pull/11983) by [ldez](https://github.com/ldez))
+- **[docker]** Bump github.com/docker/docker to v28.3.3 ([#12007](https://github.com/traefik/traefik/pull/12007) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- Fix invalid links in documentation ([#11960](https://github.com/traefik/traefik/pull/11960) by [mloiseleur](https://github.com/mloiseleur))
+- Update releases docs for v3.5 ([#11949](https://github.com/traefik/traefik/pull/11949) by [jnoordsij](https://github.com/jnoordsij))
+
+## [v2.11.28](https://github.com/traefik/traefik/tree/v2.11.28) (2025-07-23)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.27...v2.11.28)
+
+**Bug fixes:**
+- **[logs]** Redact logged install configuration ([#11907](https://github.com/traefik/traefik/pull/11907) by [jspdown](https://github.com/jspdown))
+- **[plugins]** Fix client arbitrary file access during archive extraction zipslip ([#11911](https://github.com/traefik/traefik/pull/11911) by [odaysec](https://github.com/odaysec))
+- **[server]** Disable MPTCP by default ([#11918](https://github.com/traefik/traefik/pull/11918) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[k8s/crd,k8s]** Remove all mentions of ordering for TLSOption CurvePreferences field ([#11924](https://github.com/traefik/traefik/pull/11924) by [jnoordsij](https://github.com/jnoordsij))
+
+## [v2.11.27](https://github.com/traefik/traefik/tree/v2.11.27) (2025-07-11)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.26...v2.11.27)
+
+**Bug fixes:**
+- Bump github.com/go-viper/mapstructure/v2 to v2.3.0 ([#11880](https://github.com/traefik/traefik/pull/11880) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.26](https://github.com/traefik/traefik/tree/v2.11.26) (2025-06-26)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.25...v2.11.26)
+
+**Bug fixes:**
+- **[middleware]** Do not log redis sentinel username and password ([#11819](https://github.com/traefik/traefik/pull/11819) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[kv]** Fix KV reference rendering ([#11815](https://github.com/traefik/traefik/pull/11815) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,k8s/crd]** Fix typo in redirect middleware documentation ([#11830](https://github.com/traefik/traefik/pull/11830) by [rtribotte](https://github.com/rtribotte))
+- Update supported versions ([#11811](https://github.com/traefik/traefik/pull/11811) by [jnoordsij](https://github.com/jnoordsij))
+
+## [v2.11.25](https://github.com/traefik/traefik/tree/v2.11.25) (2025-05-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.24...v2.11.25)
+
+**Bug fixes:**
+- **[k8s/ingress]** Fix panic for ingress with backend resource ([#11777](https://github.com/traefik/traefik/pull/11777) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Normalize request path ([#11768](https://github.com/traefik/traefik/pull/11768) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[middleware,k8s]** Add multi-tenant TLS guidance to the docs ([#11724](https://github.com/traefik/traefik/pull/11724) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[service]** Add a note about how to disable connection reuse with backends ([#11716](https://github.com/traefik/traefik/pull/11716) by [rtribotte](https://github.com/rtribotte))
+- Fix broken link in documentation ([#11761](https://github.com/traefik/traefik/pull/11761) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Change version for path sanitization migration guide ([#11702](https://github.com/traefik/traefik/pull/11702) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.24](https://github.com/traefik/traefik/tree/v2.11.24) (2025-04-18)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.22...v2.11.24)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.23.1 ([#11690](https://github.com/traefik/traefik/pull/11690) by [ldez](https://github.com/ldez))
+- **[metrics]** Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.72.2 ([#11693](https://github.com/traefik/traefik/pull/11693) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** Add Content-Length header to preflight response ([#11682](https://github.com/traefik/traefik/pull/11682) by [lbenguigui](https://github.com/lbenguigui))
+- **[server]** Sanitize request path ([#11684](https://github.com/traefik/traefik/pull/11684) by [rtribotte](https://github.com/rtribotte))
+- Bump github.com/redis/go-redis/v9 to v9.7.3 ([#11695](https://github.com/traefik/traefik/pull/11695) by [kevinpollet](https://github.com/kevinpollet))
+- Bump golang.org/x/net to v0.38.0 ([#11691](https://github.com/traefik/traefik/pull/11691) by [kevinpollet](https://github.com/kevinpollet))
+- Bump golang.org/x/oauth2 to v0.28.0 ([#11689](https://github.com/traefik/traefik/pull/11689) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[middleware]** Add content-length best practice documentation ([#11697](https://github.com/traefik/traefik/pull/11697) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Typo fix on the Explanation Section for User Guide HTTP Challenge. ([#11676](https://github.com/traefik/traefik/pull/11676) by [YapWC](https://github.com/YapWC))
+
+## [v2.11.23](https://github.com/traefik/traefik/tree/v2.11.23) (2025-04-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.22...v2.11.23)
+
+Release canceled.
+
+## [v2.11.22](https://github.com/traefik/traefik/tree/v2.11.22) (2025-03-31)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.21...v2.11.22)
+
+**Bug fixes:**
+- **[ecs,logs]** Bump AWS SDK to v2 ([#11359](https://github.com/traefik/traefik/pull/11359) by [Juneezee](https://github.com/Juneezee))
+- **[logs,tls]** Error level log for configuration-related TLS errors with backends ([#11611](https://github.com/traefik/traefik/pull/11611) by [rtribotte](https://github.com/rtribotte))
+- **[rules]** Allow underscore character in HostSNI matcher ([#11557](https://github.com/traefik/traefik/pull/11557) by [rohitlohar45](https://github.com/rohitlohar45))
+- **[server]** Bump github.com/vulcand/oxy/v2 to v2.0.3 ([#11649](https://github.com/traefik/traefik/pull/11649) by [adamvduke](https://github.com/adamvduke))
+- **[server]** Bump golang.org/x/net to v0.37.0 ([#11632](https://github.com/traefik/traefik/pull/11632) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Change boolean module properties default value to undefined ([#11639](https://github.com/traefik/traefik/pull/11639) by [rtribotte](https://github.com/rtribotte))
+- Bump github.com/golang-jwt/jwt to v4.5.2 and v5.2.2 ([#11634](https://github.com/traefik/traefik/pull/11634) by [kevinpollet](https://github.com/kevinpollet))
+- Bump github.com/redis/go-redis/v9 to v9.6.3 ([#11633](https://github.com/traefik/traefik/pull/11633) by [kevinpollet](https://github.com/kevinpollet))
+- Bump golang.org/x/net to v0.36.0 ([#11608](https://github.com/traefik/traefik/pull/11608) by [kevinpollet](https://github.com/kevinpollet))
+- Bump github.com/go-jose/go-jose/v4 to v4.0.5 ([#11571](https://github.com/traefik/traefik/pull/11571) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[accesslogs]** Remove documentation for OriginStatusLine and DownstreamStatusLine accessLogs fields ([#11599](https://github.com/traefik/traefik/pull/11599) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Clarifies that retry middleware uses TCP, not HTTP status codes ([#11603](https://github.com/traefik/traefik/pull/11603) by [geraldcroes](https://github.com/geraldcroes))
+- **[redis]** Add tip for dynamic configuration updates of Redis ([#11577](https://github.com/traefik/traefik/pull/11577) by [Alanxtl](https://github.com/Alanxtl))
+- Add Security Support ([#11610](https://github.com/traefik/traefik/pull/11610) by [nmengin](https://github.com/nmengin))
+
+# [v2.11.21](https://github.com/traefik/traefik/tree/v2.11.21) (2025-02-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.20...v2.11.21)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.22.2 ([#11537](https://github.com/traefik/traefik/pull/11537) by [ldez](https://github.com/ldez))
+- **[cli]** Bump github.com/traefik/paerser to v0.2.2 ([#11530](https://github.com/traefik/traefik/pull/11530) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** Enable the retry middleware in the proxy ([#11536](https://github.com/traefik/traefik/pull/11536) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** Retry should send headers on Write ([#11534](https://github.com/traefik/traefik/pull/11534) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.20](https://github.com/traefik/traefik/tree/v2.11.20) (2025-01-31)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.19...v2.11.20)
+
+**Bug fixes:**
+- **[acme]** Graceful shutdown for ACME JSON write operation ([#11497](https://github.com/traefik/traefik/pull/11497) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- Change docker-compose to docker compose ([#11496](https://github.com/traefik/traefik/pull/11496) by [khai-pi](https://github.com/khai-pi))
+
+## [v2.11.19](https://github.com/traefik/traefik/tree/v2.11.19) (2025-01-29)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.18...v2.11.19)
+
+**Bug fixes:**
+- **[middleware]** Changing log message when client cert is not available to debug ([#11453](https://github.com/traefik/traefik/pull/11453) by [Nelwhix](https://github.com/Nelwhix))
+- **[service]** Do not create a logger instance for each proxy ([#11487](https://github.com/traefik/traefik/pull/11487) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Fix auto refresh not clearing on component unmount ([#11477](https://github.com/traefik/traefik/pull/11477) by [DoubleREW](https://github.com/DoubleREW))
+
+**Documentation:**
+- Remove awesome.traefik.io reference in documentation section ([#11435](https://github.com/traefik/traefik/pull/11435) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.18](https://github.com/traefik/traefik/tree/v2.11.18) (2025-01-07)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.17...v2.11.18)
+
+**Bug fixes:**
+- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11412](https://github.com/traefik/traefik/pull/11412) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.17](https://github.com/traefik/traefik/tree/v2.11.17) (2025-01-06)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.16...v2.11.17)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.21.0 ([#11368](https://github.com/traefik/traefik/pull/11368) by [ldez](https://github.com/ldez))
+- **[middleware]** Fix typo in basicauth note ([#11397](https://github.com/traefik/traefik/pull/11397) by [tieje](https://github.com/tieje))
+- **[service]** Configure ErrorLog in httputil.ReverseProxy ([#11344](https://github.com/traefik/traefik/pull/11344) by [peacewalker122](https://github.com/peacewalker122))
+- Bump golang.org/x/net to v0.33.0 ([#11365](https://github.com/traefik/traefik/pull/11365) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[acme]** Fix allowACMEByPass TOML example ([#11370](https://github.com/traefik/traefik/pull/11370) by [hannesbraun](https://github.com/hannesbraun))
+- **[k8s/crd]** Update copyright for 2025 ([#11383](https://github.com/traefik/traefik/pull/11383) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.16](https://github.com/traefik/traefik/tree/v2.11.16) (2024-12-16)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.15...v2.11.16)
+
+**Bug fixes:**
+- **[server]** Update golang.org/x dependencies ([#11336](https://github.com/traefik/traefik/pull/11336) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.15](https://github.com/traefik/traefik/tree/v2.11.15) (2024-12-06)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.14...v2.11.15)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.20.4 ([#11295](https://github.com/traefik/traefik/pull/11295) by [ldez](https://github.com/ldez))
+- **[http3]** Update github.com/quic-go/quic-go to v0.48.2 ([#11320](https://github.com/traefik/traefik/pull/11320) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.14](https://github.com/traefik/traefik/tree/v2.11.14) (2024-11-20)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.13...v2.11.14)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.20.2 ([#11263](https://github.com/traefik/traefik/pull/11263) by [ldez](https://github.com/ldez))
+- **[logs,server]** Change level of peeking first byte error log to DEBUG ([#11254](https://github.com/traefik/traefik/pull/11254) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,server]** Drop untrusted X-Forwarded-Prefix header ([#11253](https://github.com/traefik/traefik/pull/11253) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Apply keepalive config to h2c entrypoints ([#11276](https://github.com/traefik/traefik/pull/11276) by [davefu113](https://github.com/davefu113))
+- **[service]** Fix internal handlers ServiceBuilder composition ([#11281](https://github.com/traefik/traefik/pull/11281) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- **[accesslogs]** Update access-logs.md, add examples for accesslog.format ([#11275](https://github.com/traefik/traefik/pull/11275) by [bluepuma77](https://github.com/bluepuma77))
+- Fix the defaultRule CLI examples ([#11282](https://github.com/traefik/traefik/pull/11282) by [kevinpollet](https://github.com/kevinpollet))
+- Fix spelling, grammar, and rephrase sections for clarity in some documentation pages ([#11280](https://github.com/traefik/traefik/pull/11280) by [AntoineDeveloper](https://github.com/AntoineDeveloper))
+- Fix absolute link in the migration guide ([#11269](https://github.com/traefik/traefik/pull/11269) by [kevinpollet](https://github.com/kevinpollet))
+- Add X-Forwarded-Prefix to the migration guide ([#11267](https://github.com/traefik/traefik/pull/11267) by [kevinpollet](https://github.com/kevinpollet))
+- Fix a small typo in entrypoints documentation ([#11261](https://github.com/traefik/traefik/pull/11261) by [quiode](https://github.com/quiode))
+- Add a warning about environment variables casing for static configuration ([#11226](https://github.com/traefik/traefik/pull/11226) by [anchal00](https://github.com/anchal00))
+- Improve documentation on dashboard ([#11220](https://github.com/traefik/traefik/pull/11220) by [mloiseleur](https://github.com/mloiseleur))
+
+## [v2.11.13](https://github.com/traefik/traefik/tree/v2.11.13) (2024-10-28)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.12...v2.11.13)
+
+**Bug fixes:**
+- **[middleware,service]** Panic on aborted requests to properly close the connection ([#11129](https://github.com/traefik/traefik/pull/11129) by [tonybart1337](https://github.com/tonybart1337))
+
+**Documentation:**
+- Update business callouts ([#11217](https://github.com/traefik/traefik/pull/11217) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
+## [v2.11.12](https://github.com/traefik/traefik/tree/v2.11.12) (2024-10-09)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.11...v2.11.12)
+
+**Bug fixes:**
+- **[middleware]** Bump github.com/klauspost/compress to dbd6c381492a ([#11162](https://github.com/traefik/traefik/pull/11162) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Upgrade to node 22.9 and yarn lock to fix vulnerabilities ([#11173](https://github.com/traefik/traefik/pull/11173) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Adopt a layout for the large amount of entrypoint port numbers ([#11157](https://github.com/traefik/traefik/pull/11157) by [framebassman](https://github.com/framebassman))
+
+**Documentation:**
+- **[accesslogs]** Clarify that only header fields may be redacted in access-logs ([#11139](https://github.com/traefik/traefik/pull/11139) by [mattbnz](https://github.com/mattbnz))
+- Update business callout ([#11172](https://github.com/traefik/traefik/pull/11172) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
+## [v2.11.11](https://github.com/traefik/traefik/tree/v2.11.11) (2024-10-02)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.10...v2.11.11)
+
+**Bug fixes:**
+- **[acme]** Ensure defaultGeneratedCert.main as Subject&#39;s CN ([#10581](https://github.com/traefik/traefik/pull/10581) by [Lamatte](https://github.com/Lamatte))
+- **[middleware,authentication]** Clean connection headers for forward auth request only ([#11095](https://github.com/traefik/traefik/pull/11095) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Bump github.com/klauspost/compress to 8e14b1b5a913 ([#11141](https://github.com/traefik/traefik/pull/11141) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Rework condition to not log on timeout ([#11133](https://github.com/traefik/traefik/pull/11133) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Remove unused boot files from webui ([#11109](https://github.com/traefik/traefik/pull/11109) by [michelheusschen](https://github.com/michelheusschen))
+
+**Documentation:**
+- **[accesslogs]** Specify default format value for access log ([#11130](https://github.com/traefik/traefik/pull/11130) by [darkweaver87](https://github.com/darkweaver87))
+- **[api]** Update API documentation to mention pagination ([#11115](https://github.com/traefik/traefik/pull/11115) by [lyrandy](https://github.com/lyrandy))
+
+## [v2.11.10](https://github.com/traefik/traefik/tree/v2.11.10) (2024-09-19)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.9...v2.11.10)
+
+**Bug fixes:**
+- **[http3]** Bump github.com/quic-go/quic-go to v0.47.0 ([#11104](https://github.com/traefik/traefik/pull/11104) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Check if ACME certificate resolver is not nil ([#11103](https://github.com/traefik/traefik/pull/11103) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.9](https://github.com/traefik/traefik/tree/v2.11.9) (2024-09-16)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.8...v2.11.9)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.18.0 ([#11060](https://github.com/traefik/traefik/pull/11060) by [ldez](https://github.com/ldez))
+- **[acme]** Allow handling ACME challenges with custom routers ([#10981](https://github.com/traefik/traefik/pull/10981) by [rtribotte](https://github.com/rtribotte))
+- **[logs,middleware]** Make the keys of the accessLog.fields.names map case-insensitive ([#11040](https://github.com/traefik/traefik/pull/11040) by [SpecLad](https://github.com/SpecLad))
+- **[logs,middleware]** Ensure proper logs for aborted streaming responses ([#10819](https://github.com/traefik/traefik/pull/10819) by [hood](https://github.com/hood))
+- **[middleware,server]** Cleanup Connection headers before passing the middleware chain ([#11077](https://github.com/traefik/traefik/pull/11077) by [kevinpollet](https://github.com/kevinpollet))
+- **[plugins]** Upgrade paerser to v0.2.1 ([#11048](https://github.com/traefik/traefik/pull/11048) by [mmatur](https://github.com/mmatur))
+- **[server,tcp]** Prevent error logging when TCP WRR pool is empty ([#10989](https://github.com/traefik/traefik/pull/10989) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Upgrade webui dependencies ([#11031](https://github.com/traefik/traefik/pull/11031) by [mloiseleur](https://github.com/mloiseleur))
+
+**Documentation:**
+- **[acme]** Fix typo in multiple DNS challenge provider warning ([#11001](https://github.com/traefik/traefik/pull/11001) by [tired-engineer](https://github.com/tired-engineer))
+- **[k8s]** Update k8s quickstart permissions ([#11049](https://github.com/traefik/traefik/pull/11049) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Remove documentation for unimplemented service retries metric  ([#10983](https://github.com/traefik/traefik/pull/10983) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Unify tab titles ([#11072](https://github.com/traefik/traefik/pull/11072) by [jsoref](https://github.com/jsoref))
+- Give valid examples for exposing dashboard with default Helm values ([#11015](https://github.com/traefik/traefik/pull/11015) by [holysoles](https://github.com/holysoles))
+
+## [v2.11.8](https://github.com/traefik/traefik/tree/v2.11.8) (2024-08-06)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.7...v2.11.8)
+
+**Bug fixes:**
+- **[docker]** Update to github.com/docker/docker v27.1.1 ([#10955](https://github.com/traefik/traefik/pull/10955) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Upgrade webui dependencies ([#10961](https://github.com/traefik/traefik/pull/10961) by [mmatur](https://github.com/mmatur))
+
+**Documentation:**
+- Fix embedded youtube video ([#10958](https://github.com/traefik/traefik/pull/10958) by [mmatur](https://github.com/mmatur))
+- Updated index.md to include video ([#10944](https://github.com/traefik/traefik/pull/10944) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
+## [v2.11.7](https://github.com/traefik/traefik/tree/v2.11.7) (2024-07-30)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.6...v2.11.7)
+
+**Bug fixes:**
+- **[logs]** Make the log about new version more accurate ([#10903](https://github.com/traefik/traefik/pull/10903) by [jmcbri](https://github.com/jmcbri))
+- **[tls,k8s/crd,k8s]** Enforce default cipher suites list ([#10907](https://github.com/traefik/traefik/pull/10907) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[acme]** Modify certificatesDuration documentation ([#10920](https://github.com/traefik/traefik/pull/10920) by [peacewalker122](https://github.com/peacewalker122))
+- **[api]** Improve explanation on API exposition ([#10926](https://github.com/traefik/traefik/pull/10926) by [mloiseleur](https://github.com/mloiseleur))
+- **[docker,consul,rancher,ecs]** Improve doc on sensitive data stored into labels/tags ([#10873](https://github.com/traefik/traefik/pull/10873) by [emilevauge](https://github.com/emilevauge))
+- **[docker,logs]** Improve error and documentation on the needed link between router and service ([#10262](https://github.com/traefik/traefik/pull/10262) by [mloiseleur](https://github.com/mloiseleur))
+- **[docker]** Document Docker port selection on multiple exposed ports ([#10935](https://github.com/traefik/traefik/pull/10935) by [mbrodala](https://github.com/mbrodala))
+- Update the supported versions table for v3.1 release ([#10933](https://github.com/traefik/traefik/pull/10933) by [jnoordsij](https://github.com/jnoordsij))
+- Update PR approval process ([#10887](https://github.com/traefik/traefik/pull/10887) by [emilevauge](https://github.com/emilevauge))
+
+## [v2.11.6](https://github.com/traefik/traefik/tree/v2.11.6) (2024-07-02)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.5...v2.11.6)
+
+**Bug fixes:**
+- **[ecs]** Fix ECS config for OIDC + IRSA ([#10814](https://github.com/traefik/traefik/pull/10814) by [mmatur](https://github.com/mmatur))
+- **[http3]** Disable QUIC 0-RTT ([#10867](https://github.com/traefik/traefik/pull/10867) by [mmatur](https://github.com/mmatur))
+- **[middleware,server]** Remove interface names from IPv6 ([#10813](https://github.com/traefik/traefik/pull/10813) by [JeroenED](https://github.com/JeroenED))
+
+**Documentation:**
+- **[docker,acme]** Fix a typo in the ACME docker-compose docs ([#10866](https://github.com/traefik/traefik/pull/10866) by [ciacon](https://github.com/ciacon))
+- Update Advanced Capabilities Callout ([#10846](https://github.com/traefik/traefik/pull/10846) by [tomatokoolaid](https://github.com/tomatokoolaid))
+- Update maintainers ([#10834](https://github.com/traefik/traefik/pull/10834) by [emilevauge](https://github.com/emilevauge))
+- Fix readme badge for Semaphore CI ([#10830](https://github.com/traefik/traefik/pull/10830) by [mmatur](https://github.com/mmatur))
+- Fix typo in keepAliveMaxTime docs ([#10825](https://github.com/traefik/traefik/pull/10825) by [shochdoerfer](https://github.com/shochdoerfer))
+
+## [v2.11.5](https://github.com/traefik/traefik/tree/v2.11.5) (2024-06-18)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.4...v2.11.5)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.17.4 ([#10803](https://github.com/traefik/traefik/pull/10803) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Update the supported versions table ([#10798](https://github.com/traefik/traefik/pull/10798) by [nmengin](https://github.com/nmengin))
+
+## [v2.11.4](https://github.com/traefik/traefik/tree/v2.11.4) (2024-06-10)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.3...v2.11.4)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.17.3 ([#10768](https://github.com/traefik/traefik/pull/10768) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Fix .com and .org domain examples  ([#10635](https://github.com/traefik/traefik/pull/10635) by [rptaylor](https://github.com/rptaylor))
+- **[middleware]** Add a note about the Ratelimit middleware&#39;s behavior when the sourceCriterion header is missing ([#10752](https://github.com/traefik/traefik/pull/10752) by [dgutzmann](https://github.com/dgutzmann))
+- Add user guides link to getting started ([#10785](https://github.com/traefik/traefik/pull/10785) by [norlinhenrik](https://github.com/norlinhenrik))
+- Remove helm default repo warning as repo has been long deprecated ([#10772](https://github.com/traefik/traefik/pull/10772) by [corneliusroemer](https://github.com/corneliusroemer))
+
+## [v2.11.3](https://github.com/traefik/traefik/tree/v2.11.3) (2024-05-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.2...v2.11.3)
+
+**Bug fixes:**
+- **[server]** Remove deadlines for non-TLS connections ([#10615](https://github.com/traefik/traefik/pull/10615) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Display of Content Security Policy values getting out of screen ([#10710](https://github.com/traefik/traefik/pull/10710) by [brandonfl](https://github.com/brandonfl))
+- **[webui]** Fix provider icon size ([#10621](https://github.com/traefik/traefik/pull/10621) by [framebassman](https://github.com/framebassman))
+
+**Documentation:**
+- **[k8s/crd]** Fix migration/v2.md ([#10658](https://github.com/traefik/traefik/pull/10658) by [stemar94](https://github.com/stemar94))
+- **[k8s/gatewayapi]** Fix HTTPRoute use of backendRefs ([#10630](https://github.com/traefik/traefik/pull/10630) by [sakaru](https://github.com/sakaru))
+- **[k8s/gatewayapi]** Fix HTTPRoute path type ([#10629](https://github.com/traefik/traefik/pull/10629) by [sakaru](https://github.com/sakaru))
+- **[k8s]** Improve mirroring example on Kubernetes ([#10701](https://github.com/traefik/traefik/pull/10701) by [mloiseleur](https://github.com/mloiseleur))
+- Consistent entryPoints capitalization in CLI flag usage ([#10650](https://github.com/traefik/traefik/pull/10650) by [jnoordsij](https://github.com/jnoordsij))
+- Fix unfinished migration sentence for v2.11.2 ([#10633](https://github.com/traefik/traefik/pull/10633) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.2](https://github.com/traefik/traefik/tree/v2.11.2) (2024-04-11)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.1...v2.11.2)
+
+**Bug fixes:**
+- **[server]** Revert LingeringTimeout and change default value for ReadTimeout ([#10599](https://github.com/traefik/traefik/pull/10599) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Set default ReadTimeout value to 60s ([#10602](https://github.com/traefik/traefik/pull/10602) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.1](https://github.com/traefik/traefik/tree/v2.11.1) (2024-04-10)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.0...v2.11.1)
+
+**Bug fixes:**
+- **[acme,tls]** Enforce handling of ACME-TLS/1 challenges ([#10536](https://github.com/traefik/traefik/pull/10536) by [rtribotte](https://github.com/rtribotte))
+- **[acme]** Update go-acme/lego to v4.16.1 ([#10508](https://github.com/traefik/traefik/pull/10508) by [ldez](https://github.com/ldez))
+- **[acme]** Close created file in ACME local store CheckFile func ([#10574](https://github.com/traefik/traefik/pull/10574) by [testwill](https://github.com/testwill))
+- **[docker,http3]** Update to quic-go v0.42.0 and docker/cli v24.0.9 ([#10572](https://github.com/traefik/traefik/pull/10572) by [mloiseleur](https://github.com/mloiseleur))
+- **[docker,marathon,rancher,ecs,tls,nomad]** Allow to configure TLSStore default generated certificate with labels ([#10439](https://github.com/traefik/traefik/pull/10439) by [kevinpollet](https://github.com/kevinpollet))
+- **[ecs]** Adjust ECS network interface detection logic ([#10550](https://github.com/traefik/traefik/pull/10550) by [amaxine](https://github.com/amaxine))
+- **[logs,tls]** Fix log when default TLSStore and TLSOptions are defined multiple times ([#10499](https://github.com/traefik/traefik/pull/10499) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Allow empty replacement with ReplacePathRegex middleware ([#10538](https://github.com/traefik/traefik/pull/10538) by [rtribotte](https://github.com/rtribotte))
+- **[plugins]** Update Yaegi to v0.16.1 ([#10565](https://github.com/traefik/traefik/pull/10565) by [ldez](https://github.com/ldez))
+- **[provider,rules]** Don&#39;t allow routers higher than internal ones ([#10428](https://github.com/traefik/traefik/pull/10428) by [ldez](https://github.com/ldez))
+- **[rules]** Reserve priority range for internal routers ([#10541](https://github.com/traefik/traefik/pull/10541) by [youkoulayley](https://github.com/youkoulayley))
+- **[server,tcp]** Introduce Lingering Timeout ([#10569](https://github.com/traefik/traefik/pull/10569) by [rtribotte](https://github.com/rtribotte))
+- **[tcp]** Enforce failure for TCP HostSNI with hostname ([#10540](https://github.com/traefik/traefik/pull/10540) by [youkoulayley](https://github.com/youkoulayley))
+- **[tracing]** Bump Elastic APM to v2.4.8 ([#10512](https://github.com/traefik/traefik/pull/10512) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Fix dashboard exposition through a router ([#10518](https://github.com/traefik/traefik/pull/10518) by [mmatur](https://github.com/mmatur))
+- **[webui]** Display IPAllowlist middleware configuration in dashboard ([#10459](https://github.com/traefik/traefik/pull/10459) by [youkoulayley](https://github.com/youkoulayley))
+- **[webui]** Make text more readable in dark mode ([#10473](https://github.com/traefik/traefik/pull/10473) by [hood](https://github.com/hood))
+- **[webui]** Migrate to Quasar 2.x and Vue.js 3.x ([#10416](https://github.com/traefik/traefik/pull/10416) by [andsarr](https://github.com/andsarr))
+- **[webui]** Add a horizontal scroll for the mobile view ([#10480](https://github.com/traefik/traefik/pull/10480) by [framebassman](https://github.com/framebassman))
+
+**Documentation:**
+- **[acme]** Update gandiv5 env variable in providers table ([#10506](https://github.com/traefik/traefik/pull/10506) by [dominiwe](https://github.com/dominiwe))
+- **[acme]** Fix multiple dns provider documentation ([#10496](https://github.com/traefik/traefik/pull/10496) by [mmatur](https://github.com/mmatur))
+- **[docker]** Fix paragraph in entrypoints and Docker docs ([#10491](https://github.com/traefik/traefik/pull/10491) by [luigir-it](https://github.com/luigir-it))
+- **[k8s]** Improve middleware example ([#10532](https://github.com/traefik/traefik/pull/10532) by [mloiseleur](https://github.com/mloiseleur))
+- **[metrics]** Fix host header mention in prometheus metrics doc ([#10502](https://github.com/traefik/traefik/pull/10502) by [MorphBonehunter](https://github.com/MorphBonehunter))
+- **[metrics]** Fix typo in statsd metrics docs ([#10437](https://github.com/traefik/traefik/pull/10437) by [xpac1985](https://github.com/xpac1985))
+- **[middleware]** Improve excludedIPs example with IPWhiteList and IPAllowList middleware ([#10554](https://github.com/traefik/traefik/pull/10554) by [mloiseleur](https://github.com/mloiseleur))
+- **[nomad]** Improve documentation about Nomad ACL minimum rights ([#10482](https://github.com/traefik/traefik/pull/10482) by [Thadir](https://github.com/Thadir))
+- **[server]** Add specification for TCP TLS routers in documentation ([#10510](https://github.com/traefik/traefik/pull/10510) by [shivanipawar00](https://github.com/shivanipawar00))
+- **[tls]** Fix default value for peerCertURI option ([#10470](https://github.com/traefik/traefik/pull/10470) by [marcmognol](https://github.com/marcmognol))
+- Update releases page ([#10449](https://github.com/traefik/traefik/pull/10449) by [ldez](https://github.com/ldez))
+- Update releases page ([#10443](https://github.com/traefik/traefik/pull/10443) by [ldez](https://github.com/ldez))
+- Add youkoulayley to maintainers ([#10517](https://github.com/traefik/traefik/pull/10517) by [emilevauge](https://github.com/emilevauge))
+- Add sdelicata to maintainers ([#10515](https://github.com/traefik/traefik/pull/10515) by [emilevauge](https://github.com/emilevauge))
+
+**Misc:**
+- **[webui]** Modify the Hub Button ([#10583](https://github.com/traefik/traefik/pull/10583) by [mdeliatf](https://github.com/mdeliatf))
+
+## [v2.11.0](https://github.com/traefik/traefik/tree/v2.11.0) (2024-02-12)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.0-rc1...v2.11.0)
+
+**Enhancements:**
+- **[middleware]** Deprecate IPWhiteList middleware in favor of IPAllowList ([#10249](https://github.com/traefik/traefik/pull/10249) by [lbenguigui](https://github.com/lbenguigui))
+- **[redis]** Add Redis Sentinel support ([#10245](https://github.com/traefik/traefik/pull/10245) by [youkoulayley](https://github.com/youkoulayley))
+- **[server]** Add KeepAliveMaxTime and KeepAliveMaxRequests features to entrypoints ([#10247](https://github.com/traefik/traefik/pull/10247) by [juliens](https://github.com/juliens))
+- **[sticky-session]** Hash WRR sticky cookies ([#10243](https://github.com/traefik/traefik/pull/10243) by [youkoulayley](https://github.com/youkoulayley))
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.15.0 ([#10392](https://github.com/traefik/traefik/pull/10392) by [ldez](https://github.com/ldez))
+- **[authentication]** Fix NTLM and Kerberos ([#10405](https://github.com/traefik/traefik/pull/10405) by [juliens](https://github.com/juliens))
+- **[file]** Fix file watcher ([#10420](https://github.com/traefik/traefik/pull/10420) by [juliens](https://github.com/juliens))
+- **[file]** Update github.com/fsnotify/fsnotify to v1.7.0 ([#10313](https://github.com/traefik/traefik/pull/10313) by [ldez](https://github.com/ldez))
+- **[http3]** Update quic-go to v0.40.1 ([#10296](https://github.com/traefik/traefik/pull/10296) by [ldez](https://github.com/ldez))
+- **[middleware,tcp]** Add missing TCP IPAllowList middleware constructor ([#10331](https://github.com/traefik/traefik/pull/10331) by [youkoulayley](https://github.com/youkoulayley))
+- **[nomad]** Update the Nomad API dependency to v1.7.2 ([#10327](https://github.com/traefik/traefik/pull/10327) by [jrasell](https://github.com/jrasell))
+- **[server]** Fix ReadHeaderTimeout for PROXY protocol ([#10320](https://github.com/traefik/traefik/pull/10320) by [juliens](https://github.com/juliens))
+- **[webui]** Fixes the Header Button ([#10395](https://github.com/traefik/traefik/pull/10395) by [mdeliatf](https://github.com/mdeliatf))
+- **[webui]** Fix URL encode resource&#39;s id before calling API endpoints ([#10292](https://github.com/traefik/traefik/pull/10292) by [andsarr](https://github.com/andsarr))
+
+**Documentation:**
+- **[acme]** Fix TLS challenge explanation ([#10293](https://github.com/traefik/traefik/pull/10293) by [cavokz](https://github.com/cavokz))
+- **[docker]** Update wording of compose example ([#10276](https://github.com/traefik/traefik/pull/10276) by [svx](https://github.com/svx))
+- **[docker,acme]** Fix typo ([#10294](https://github.com/traefik/traefik/pull/10294) by [youpsla](https://github.com/youpsla))
+- **[ecs]** Mention ECS as supported backend ([#10393](https://github.com/traefik/traefik/pull/10393) by [aleyrizvi](https://github.com/aleyrizvi))
+- **[k8s/crd]** Adjust deprecation notice for Kubernetes CRD provider ([#10317](https://github.com/traefik/traefik/pull/10317) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Update the documentation for RateLimit to provide a better example ([#10298](https://github.com/traefik/traefik/pull/10298) by [rmburton](https://github.com/rmburton))
+- **[server]** Fix the keepAlive options for the CLI examples ([#10398](https://github.com/traefik/traefik/pull/10398) by [immanuelfodor](https://github.com/immanuelfodor))
+- Prepare release v2.11.0-rc2 ([#10384](https://github.com/traefik/traefik/pull/10384) by [rtribotte](https://github.com/rtribotte))
+- Improve Concepts documentation page ([#10315](https://github.com/traefik/traefik/pull/10315) by [oliver-dvorski](https://github.com/oliver-dvorski))
+- Prepare release v2.11.0-rc1 ([#10326](https://github.com/traefik/traefik/pull/10326) by [mmatur](https://github.com/mmatur))
+- Fix description for anonymous usage statistics references ([#10287](https://github.com/traefik/traefik/pull/10287) by [ariyonaty](https://github.com/ariyonaty))
+- Documentation enhancements ([#10261](https://github.com/traefik/traefik/pull/10261) by [svx](https://github.com/svx))
+
+## [v2.11.0-rc2](https://github.com/traefik/traefik/tree/v2.11.0-rc2) (2024-01-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.0-rc1...v2.11.0-rc2)
+
+**Bug fixes:**
+- **[middleware,tcp]** Add missing TCP IPAllowList middleware constructor ([#10331](https://github.com/traefik/traefik/pull/10331) by [youkoulayley](https://github.com/youkoulayley))
+- **[nomad]** Update the Nomad API dependency to v1.7.2 ([#10327](https://github.com/traefik/traefik/pull/10327) by [jrasell](https://github.com/jrasell))
+
+**Documentation:**
+- Improve Concepts documentation page ([#10315](https://github.com/traefik/traefik/pull/10315) by [oliver-dvorski](https://github.com/oliver-dvorski))
+
+## [v2.11.0-rc1](https://github.com/traefik/traefik/tree/v2.11.0-rc1) (2024-01-02)
+[All Commits](https://github.com/traefik/traefik/compare/0a7964300166d167f68d5502bc245b3b9c8842b4...v2.11.0-rc1)
+
+**Enhancements:**
+- **[middleware]** Deprecate IPWhiteList middleware in favor of IPAllowList ([#10249](https://github.com/traefik/traefik/pull/10249) by [lbenguigui](https://github.com/lbenguigui))
+- **[redis]** Add Redis Sentinel support ([#10245](https://github.com/traefik/traefik/pull/10245) by [youkoulayley](https://github.com/youkoulayley))
+- **[server]** Add KeepAliveMaxTime and KeepAliveMaxRequests features to entrypoints ([#10247](https://github.com/traefik/traefik/pull/10247) by [juliens](https://github.com/juliens))
+- **[sticky-session]** Hash WRR sticky cookies ([#10243](https://github.com/traefik/traefik/pull/10243) by [youkoulayley](https://github.com/youkoulayley))
+
+**Bug fixes:**
+- **[file]** Update github.com/fsnotify/fsnotify to v1.7.0 ([#10313](https://github.com/traefik/traefik/pull/10313) by [ldez](https://github.com/ldez))
+- **[http3]** Update quic-go to v0.40.1 ([#10296](https://github.com/traefik/traefik/pull/10296) by [ldez](https://github.com/ldez))
+- **[server]** Fix ReadHeaderTimeout for PROXY protocol ([#10320](https://github.com/traefik/traefik/pull/10320) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- **[acme]** Fix TLS challenge explanation ([#10293](https://github.com/traefik/traefik/pull/10293) by [cavokz](https://github.com/cavokz))
+- **[docker,acme]** Fix typo ([#10294](https://github.com/traefik/traefik/pull/10294) by [youpsla](https://github.com/youpsla))
+- **[docker]** Update wording of compose example ([#10276](https://github.com/traefik/traefik/pull/10276) by [svx](https://github.com/svx))
+- **[k8s/crd]** Adjust deprecation notice for Kubernetes CRD provider ([#10317](https://github.com/traefik/traefik/pull/10317) by [rtribotte](https://github.com/rtribotte))
+- Fix description for anonymous usage statistics references ([#10287](https://github.com/traefik/traefik/pull/10287) by [ariyonaty](https://github.com/ariyonaty))
+- Documentation enhancements ([#10261](https://github.com/traefik/traefik/pull/10261) by [svx](https://github.com/svx))
+
+## [v2.10.7](https://github.com/traefik/traefik/tree/v2.10.7) (2023-12-06)
+[All Commits](https://github.com/traefik/traefik/compare/v2.10.6...v2.10.7)
+
+**Bug fixes:**
+- **[logs]** Fixed datadog logs json format issue ([#10233](https://github.com/traefik/traefik/pull/10233) by [sssash18](https://github.com/sssash18))
+
+## [v2.10.6](https://github.com/traefik/traefik/tree/v2.10.6) (2023-11-28)
+[All Commits](https://github.com/traefik/traefik/compare/v2.10.5...v2.10.6)
+
+**Bug fixes:**
+- **[acme]** Remove backoff for http challenge ([#10224](https://github.com/traefik/traefik/pull/10224) by [youkoulayley](https://github.com/youkoulayley))
+- **[consul,consulcatalog]** Update github.com/hashicorp/consul/api ([#10220](https://github.com/traefik/traefik/pull/10220) by [kevinpollet](https://github.com/kevinpollet))
+- **[http3]** Update quic-go to v0.39.1 ([#10171](https://github.com/traefik/traefik/pull/10171) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Fix stripPrefix middleware is not applied to retried attempts ([#10255](https://github.com/traefik/traefik/pull/10255) by [niki-timofe](https://github.com/niki-timofe))
+- **[provider]** Refuse recursive requests ([#10242](https://github.com/traefik/traefik/pull/10242) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Deny request with fragment in URL path ([#10229](https://github.com/traefik/traefik/pull/10229) by [lbenguigui](https://github.com/lbenguigui))
+- **[tracing]** Remove deprecated code usage for datadog tracer ([#10196](https://github.com/traefik/traefik/pull/10196) by [mmatur](https://github.com/mmatur))
+
+**Documentation:**
+- **[governance]** Update the review process and maintainers team documentation ([#10230](https://github.com/traefik/traefik/pull/10230) by [geraldcroes](https://github.com/geraldcroes))
+- **[governance]** Guidelines Update ([#10197](https://github.com/traefik/traefik/pull/10197) by [geraldcroes](https://github.com/geraldcroes))
+- **[metrics]** Add a mention for the host header in metrics headers labels doc ([#10172](https://github.com/traefik/traefik/pull/10172) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Rephrase BasicAuth and DigestAuth docs ([#10226](https://github.com/traefik/traefik/pull/10226) by [sssash18](https://github.com/sssash18))
+- **[middleware]** Improve ErrorPages examples ([#10209](https://github.com/traefik/traefik/pull/10209) by [arendhummeling](https://github.com/arendhummeling))
+- Add @lbenguigui to maintainers ([#10222](https://github.com/traefik/traefik/pull/10222) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.10.5](https://github.com/traefik/traefik/tree/v2.10.5) (2023-10-11)
+[All Commits](https://github.com/traefik/traefik/compare/v2.10.4...v2.10.5)
+
+**Bug fixes:**
+- **[accesslogs]** Move origin fields capture to service level ([#10126](https://github.com/traefik/traefik/pull/10126) by [rtribotte](https://github.com/rtribotte))
+- **[accesslogs]** Fix preflight response status in access logs ([#10142](https://github.com/traefik/traefik/pull/10142) by [rtribotte](https://github.com/rtribotte))
+- **[acme]** Update go-acme/lego to v4.14.0 ([#10087](https://github.com/traefik/traefik/pull/10087) by [ldez](https://github.com/ldez))
+- **[acme]** Update go-acme/lego to v4.13.3 ([#10077](https://github.com/traefik/traefik/pull/10077) by [ldez](https://github.com/ldez))
+- **[http3]** Update quic-go to v0.37.5 ([#10083](https://github.com/traefik/traefik/pull/10083) by [ldez](https://github.com/ldez))
+- **[http3]** Update quic-go to v0.39.0 ([#10137](https://github.com/traefik/traefik/pull/10137) by [ldez](https://github.com/ldez))
+- **[http3]** Update quic-go to v0.37.6 ([#10085](https://github.com/traefik/traefik/pull/10085) by [ldez](https://github.com/ldez))
+- **[http3]** Update quic-go to v0.38.0 ([#10086](https://github.com/traefik/traefik/pull/10086) by [ldez](https://github.com/ldez))
+- **[http3]** Update quic-go to v0.38.1 ([#10090](https://github.com/traefik/traefik/pull/10090) by [ldez](https://github.com/ldez))
+- **[kv]** Ignore ErrKeyNotFound error for the KV provider ([#10082](https://github.com/traefik/traefik/pull/10082) by [sunyakun](https://github.com/sunyakun))
+- **[middleware,authentication]** Adjust forward auth to avoid connection leak ([#10096](https://github.com/traefik/traefik/pull/10096) by [wdhongtw](https://github.com/wdhongtw))
+- **[middleware,server]** Improve CNAME flattening to avoid unnecessary error logging ([#10128](https://github.com/traefik/traefik/pull/10128) by [niallnsec](https://github.com/niallnsec))
+- **[middleware]** Allow X-Forwarded-For delete operation ([#10132](https://github.com/traefik/traefik/pull/10132) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Update x/net and grpc/grpc-go ([#10161](https://github.com/traefik/traefik/pull/10161) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Add missing accessControlAllowOriginListRegex to middleware view ([#10157](https://github.com/traefik/traefik/pull/10157) by [DBendit](https://github.com/DBendit))
+- Fix false positive in url anonymization ([#10138](https://github.com/traefik/traefik/pull/10138) by [jspdown](https://github.com/jspdown))
+
+**Documentation:**
+- **[acme]** Change Arvancloud URL ([#10115](https://github.com/traefik/traefik/pull/10115) by [sajjadjafaribojd](https://github.com/sajjadjafaribojd))
+- **[acme]** Correct minor typo in crd-acme docs ([#10067](https://github.com/traefik/traefik/pull/10067) by [ayyron-lmao](https://github.com/ayyron-lmao))
+- **[healthcheck]** Remove healthcheck interval configuration warning ([#10068](https://github.com/traefik/traefik/pull/10068) by [rtribotte](https://github.com/rtribotte))
+- **[kv,redis]** Docs describe the missing db parameter in redis provider ([#10052](https://github.com/traefik/traefik/pull/10052) by [tokers](https://github.com/tokers))
+- **[middleware]** Doc fix accessControlAllowHeaders examples ([#10121](https://github.com/traefik/traefik/pull/10121) by [ebuildy](https://github.com/ebuildy))
+- Updates business callout in the documentation ([#10122](https://github.com/traefik/traefik/pull/10122) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
+## [v2.10.4](https://github.com/traefik/traefik/tree/v2.10.4) (2023-07-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.10.3...v2.10.4)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.13.2 ([#10036](https://github.com/traefik/traefik/pull/10036) by [ldez](https://github.com/ldez))
+- **[acme]** Update go-acme/lego to v4.13.0 ([#10029](https://github.com/traefik/traefik/pull/10029) by [ldez](https://github.com/ldez))
+- **[k8s/ingress,k8s]** fix: avoid panic on resource backends ([#10023](https://github.com/traefik/traefik/pull/10023) by [ldez](https://github.com/ldez))
+- **[middleware,tracing,plugins]** fix: traceability of the middleware plugins ([#10028](https://github.com/traefik/traefik/pull/10028) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Update maintainers guidelines ([#9981](https://github.com/traefik/traefik/pull/9981) by [geraldcroes](https://github.com/geraldcroes))
+- Update release documentation ([#9975](https://github.com/traefik/traefik/pull/9975) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- **[webui]** Updates the Hub tooltip content using a web component and adds an option to disable Hub button ([#10008](https://github.com/traefik/traefik/pull/10008) by [mdeliatf](https://github.com/mdeliatf))
+
+## [v2.10.3](https://github.com/traefik/traefik/tree/v2.10.3) (2023-06-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.10.2...v2.10.3)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.12.2 ([#9935](https://github.com/traefik/traefik/pull/9971) by [ldez](https://github.com/ldez))
+
+## [v2.10.2](https://github.com/traefik/traefik/tree/v2.10.2) (2023-06-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.10.1...v2.10.2)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.12.1 ([#9935](https://github.com/traefik/traefik/pull/9935) by [ldez](https://github.com/ldez))
+- **[acme]** Update go-acme/lego to v4.12.0 ([#9918](https://github.com/traefik/traefik/pull/9918) by [ldez](https://github.com/ldez))
+- **[acme]** Update go-acme/lego to v4.11.0 ([#9883](https://github.com/traefik/traefik/pull/9883) by [ldez](https://github.com/ldez))
+- **[acme]** Do not check for wildcard domains for non DNS challenge ([#9881](https://github.com/traefik/traefik/pull/9881) by [erkexzcx](https://github.com/erkexzcx))
+- **[k8s/crd]** Fix multiple subsets endpoint ([#9914](https://github.com/traefik/traefik/pull/9914) by [joaosilva15](https://github.com/joaosilva15))
+- **[k8s/ingress,k8s/crd,k8s,hub]** Clean code related to Hub ([#9894](https://github.com/traefik/traefik/pull/9894) by [ldez](https://github.com/ldez))
+- **[metrics]** Enable Prometheus provider cleanup when only the router&#39;s metrics level is activated ([#9887](https://github.com/traefik/traefik/pull/9887) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Encode query semicolons ([#9943](https://github.com/traefik/traefik/pull/9943) by [LandryBe](https://github.com/LandryBe))
+- **[middleware]** Missing trailer with custom errors middleware ([#9942](https://github.com/traefik/traefik/pull/9942) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Support informational headers in middlewares redefining the response writer. ([#9938](https://github.com/traefik/traefik/pull/9938) by [rtribotte](https://github.com/rtribotte))
+- **[plugins]** Improve error messages related to plugins ([#9924](https://github.com/traefik/traefik/pull/9924) by [ldez](https://github.com/ldez))
+- **[tracing]** Update DataDog tracing dependency to v1.50.1 ([#9953](https://github.com/traefik/traefik/pull/9953) by [der-eismann](https://github.com/der-eismann))
+
+**Documentation:**
+- **[accesslogs]** Fix over-indented yaml configuration of access logs ([#9930](https://github.com/traefik/traefik/pull/9930) by [ufUNnxagpM](https://github.com/ufUNnxagpM))
+- **[tls]** Add FAQ documentation about TLS certificates ([#9868](https://github.com/traefik/traefik/pull/9868) by [rtribotte](https://github.com/rtribotte))
+- Fix typo ([#9966](https://github.com/traefik/traefik/pull/9966) by [green1052](https://github.com/green1052))
+- Add business callouts ([#9940](https://github.com/traefik/traefik/pull/9940) by [tomatokoolaid](https://github.com/tomatokoolaid))
+- Add logo for GitHub dark mode ([#9890](https://github.com/traefik/traefik/pull/9890) by [ldez](https://github.com/ldez))
+
+## [v2.10.1](https://github.com/traefik/traefik/tree/v2.10.1) (2023-04-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.10.0...v2.10.1)
+
+**Bug fixes:**
+- **[middleware,oxy]** Update vulcand/oxy to be5cf38 ([#9874](https://github.com/traefik/traefik/pull/9874) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- Fix v2.10 migration guide ([#9863](https://github.com/traefik/traefik/pull/9863) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.10.0](https://github.com/traefik/traefik/tree/v2.10.0) (2023-04-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v2.10.0)
+
+**Enhancements:**
+- **[docker]** Expose ContainerName in Docker provider ([#9770](https://github.com/traefik/traefik/pull/9770) by [quinot](https://github.com/quinot))
+- **[hub]** Remove hub configuration out of experimental ([#9792](https://github.com/traefik/traefik/pull/9792) by [mpl](https://github.com/mpl))
+- **[k8s/crd]** Introduce traefik.io API Group CRDs ([#9765](https://github.com/traefik/traefik/pull/9765) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress,k8s/crd,k8s]** Native Kubernetes service load-balancing ([#9740](https://github.com/traefik/traefik/pull/9740) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,metrics]** Add prometheus metric requests_total with headers ([#9783](https://github.com/traefik/traefik/pull/9783) by [rtribotte](https://github.com/rtribotte))
+- **[nomad]** Support multiple namespaces in the Nomad Provider ([#9794](https://github.com/traefik/traefik/pull/9794) by [rtribotte](https://github.com/rtribotte))
+- **[tracing]** Add support to send DataDog traces via Unix Socket ([#9714](https://github.com/traefik/traefik/pull/9714) by [der-eismann](https://github.com/der-eismann))
+- **[webui]** Modify the Hub Button ([#9851](https://github.com/traefik/traefik/pull/9851) by [mdeliatf](https://github.com/mdeliatf))
+- **[webui]** Display period setting of the RateLimit middleware in the webui ([#9822](https://github.com/traefik/traefik/pull/9822) by [smatyas](https://github.com/smatyas))
+
+**Bug fixes:**
+- **[docker]** Only warn about missing docker network when network_mode is not host or container ([#9799](https://github.com/traefik/traefik/pull/9799) by [sentriz](https://github.com/sentriz))
+- **[k8s/ingress,k8s]** Bump k8s.io/client-go from v0.22.1 to v0.26.3 ([#9808](https://github.com/traefik/traefik/pull/9808) by [ldez](https://github.com/ldez))
+- **[plugins]** Improve DeepCopy of PluginConf ([#9846](https://github.com/traefik/traefik/pull/9846) by [ldez](https://github.com/ldez))
+- **[plugins]** Update Yaegi to v0.15.1 ([#9815](https://github.com/traefik/traefik/pull/9815) by [ldez](https://github.com/ldez))
+- **[server]** Update vulcand/oxy to 03de175b3822 ([#9849](https://github.com/traefik/traefik/pull/9849) by [longit644](https://github.com/longit644))
+
+**Documentation:**
+- Prepare release v2.10.0-rc1 ([#9802](https://github.com/traefik/traefik/pull/9802) by [ldez](https://github.com/ldez))
+- Fix order of log levels ([#9791](https://github.com/traefik/traefik/pull/9791) by [svx](https://github.com/svx))
+- **[docker]** Update wording - add link descriptions ([#9816](https://github.com/traefik/traefik/pull/9816) by [svx](https://github.com/svx))
+- **[middleware]** Add accessControlAllowHeaders example ([#9810](https://github.com/traefik/traefik/pull/9810) by [yingshaoxo](https://github.com/yingshaoxo))
+- **[tls]** More details on Kubernetes options for mTLS ([#9835](https://github.com/traefik/traefik/pull/9835) by [mloiseleur](https://github.com/mloiseleur))
+- Prepare release v2.10.0-rc2 ([#9830](https://github.com/traefik/traefik/pull/9830) by [mpl](https://github.com/mpl))
+- Update Call To Actions ([#9824](https://github.com/traefik/traefik/pull/9824) by [svx](https://github.com/svx))
+- Improve concepts page ([#9813](https://github.com/traefik/traefik/pull/9813) by [svx](https://github.com/svx))
+- Update wording ([#9811](https://github.com/traefik/traefik/pull/9811) by [svx](https://github.com/svx))
+
+**Misc:**
+- Merge branch v2.9 into v2.10 ([#9798](https://github.com/traefik/traefik/pull/9798) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into v2.10 ([#9829](https://github.com/traefik/traefik/pull/9829) by [mpl](https://github.com/mpl))
+
+## [v2.10.0-rc2](https://github.com/traefik/traefik/tree/v2.10.0-rc2) (2023-04-07)
+[All Commits](https://github.com/traefik/traefik/compare/v2.10.0-rc1...v2.10.0-rc2)
+
+**Enhancements:**
+- **[webui]** Display period setting of the RateLimit middleware in the webui ([#9822](https://github.com/traefik/traefik/pull/9822) by [smatyas](https://github.com/smatyas))
+
+**Bug fixes:**
+- **[docker]** Only warn about missing docker network when network_mode is not host or container ([#9799](https://github.com/traefik/traefik/pull/9799) by [sentriz](https://github.com/sentriz))
+- **[k8s/ingress,k8s]** chore: bump k8s.io/client-go from v0.22.1 to v0.26.3 ([#9808](https://github.com/traefik/traefik/pull/9808) by [ldez](https://github.com/ldez))
+- **[plugins]** Update Yaegi to v0.15.1 ([#9815](https://github.com/traefik/traefik/pull/9815) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[docker]** Update wording - add link descriptions ([#9816](https://github.com/traefik/traefik/pull/9816) by [svx](https://github.com/svx))
+- **[middleware]** Add accessControlAllowHeaders example ([#9810](https://github.com/traefik/traefik/pull/9810) by [yingshaoxo](https://github.com/yingshaoxo))
+- Update Call To Actions ([#9824](https://github.com/traefik/traefik/pull/9824) by [svx](https://github.com/svx))
+- Improve concepts page ([#9813](https://github.com/traefik/traefik/pull/9813) by [svx](https://github.com/svx))
+- Update wording ([#9811](https://github.com/traefik/traefik/pull/9811) by [svx](https://github.com/svx))
+
+## [v2.9.10](https://github.com/traefik/traefik/tree/v2.9.10) (2023-04-06)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.9...v2.9.10)
+
+## [v2.10.0-rc1](https://github.com/traefik/traefik/tree/v2.10.0-rc1) (2023-03-22)
+[All Commits](https://github.com/traefik/traefik/compare/b3f162a8a61d89beaa9edc8adc12cc4cb3e1de0f...v2.10.0-rc1)
+
+**Enhancements:**
+- **[docker]** Expose ContainerName in Docker provider ([#9770](https://github.com/traefik/traefik/pull/9770) by [quinot](https://github.com/quinot))
+- **[hub]** hub: get out of experimental. ([#9792](https://github.com/traefik/traefik/pull/9792) by [mpl](https://github.com/mpl))
+- **[k8s/crd]** Introduce traefik.io API Group CRDs ([#9765](https://github.com/traefik/traefik/pull/9765) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress,k8s/crd,k8s]** Native Kubernetes service load-balancing ([#9740](https://github.com/traefik/traefik/pull/9740) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,metrics]** Add prometheus metric requests_total with headers ([#9783](https://github.com/traefik/traefik/pull/9783) by [rtribotte](https://github.com/rtribotte))
+- **[nomad]** Support multiple namespaces in the Nomad Provider ([#9794](https://github.com/traefik/traefik/pull/9794) by [rtribotte](https://github.com/rtribotte))
+- **[tracing]** Add support to send DataDog traces via Unix Socket ([#9714](https://github.com/traefik/traefik/pull/9714) by [der-eismann](https://github.com/der-eismann))
+
+**Documentation:**
+- docs: update order of log levels ([#9791](https://github.com/traefik/traefik/pull/9791) by [svx](https://github.com/svx))
+
+**Misc:**
+- Merge current v2.9 into v2.10 ([#9798](https://github.com/traefik/traefik/pull/9798) by [ldez](https://github.com/ldez))
+
+## [v2.9.9](https://github.com/traefik/traefik/tree/v2.9.9) (2023-03-21)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.8...v2.9.9)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.10.2 ([#9749](https://github.com/traefik/traefik/pull/9749) by [ldez](https://github.com/ldez))
+- **[http3]** Update quic-go to v0.33.0 ([#9737](https://github.com/traefik/traefik/pull/9737) by [ldez](https://github.com/ldez))
+- **[metrics]** Include user-defined default cert for traefik_tls_certs_not_after metric ([#9742](https://github.com/traefik/traefik/pull/9742) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Update vulcand/oxy to a0e9f7ff1040 ([#9750](https://github.com/traefik/traefik/pull/9750) by [ldez](https://github.com/ldez))
+- **[nomad]** Fix default configuration settings for Nomad Provider ([#9758](https://github.com/traefik/traefik/pull/9758) by [aofei](https://github.com/aofei))
+- **[nomad]** Fix Nomad client TLS defaults ([#9795](https://github.com/traefik/traefik/pull/9795) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Remove User-Agent header removal from ReverseProxy director func ([#9752](https://github.com/traefik/traefik/pull/9752) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[middleware]** Clarify ratelimit middleware ([#9777](https://github.com/traefik/traefik/pull/9777) by [mpl](https://github.com/mpl))
+- **[tcp]** Correcting variable name &#39;server address&#39; in TCP Router ([#9743](https://github.com/traefik/traefik/pull/9743) by [ralphg6](https://github.com/ralphg6))
+
+## [v2.9.8](https://github.com/traefik/traefik/tree/v2.9.8) (2023-02-15)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.7...v2.9.8)
+
+**Bug fixes:**
+- **[server]** Update golang.org/x/net to v0.7.0 ([#9716](https://github.com/traefik/traefik/pull/9716) by [ldez](https://github.com/ldez))
+
+## [v2.9.7](https://github.com/traefik/traefik/tree/v2.9.7) (2023-02-14)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.6...v2.9.7)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.10.0 ([#9705](https://github.com/traefik/traefik/pull/9705) by [ldez](https://github.com/ldez))
+- **[ecs]** Prevent panicking when a container has no network interfaces ([#9661](https://github.com/traefik/traefik/pull/9661) by [rtribotte](https://github.com/rtribotte))
+- **[file]** Make file provider more resilient wrt first configuration ([#9595](https://github.com/traefik/traefik/pull/9595) by [mpl](https://github.com/mpl))
+- **[logs]** Differentiate UDP stream and TCP connection in logs ([#9687](https://github.com/traefik/traefik/pull/9687) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Prevent from no rate limiting when average is zero ([#9621](https://github.com/traefik/traefik/pull/9621) by [witalisoft](https://github.com/witalisoft))
+- **[middleware]** Prevents superfluous WriteHeader call in the error middleware ([#9620](https://github.com/traefik/traefik/pull/9620) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Sanitize X-Forwarded-Proto header in RedirectScheme middleware ([#9598](https://github.com/traefik/traefik/pull/9598) by [ldez](https://github.com/ldez))
+- **[plugins]** Update paerser to v0.2.0 ([#9671](https://github.com/traefik/traefik/pull/9671) by [ldez](https://github.com/ldez))
+- **[plugins]** Update Yaegi to v0.15.0 ([#9700](https://github.com/traefik/traefik/pull/9700) by [ldez](https://github.com/ldez))
+- **[tls,http3]** Bump quic-go to 89769f409f ([#9685](https://github.com/traefik/traefik/pull/9685) by [mpl](https://github.com/mpl))
+- **[tls,tcp]** Adds the support for IPv6 in the TCP HostSNI matcher ([#9692](https://github.com/traefik/traefik/pull/9692) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[acme]** Add CNAME support and gotchas ([#9698](https://github.com/traefik/traefik/pull/9698) by [mpl](https://github.com/mpl))
+- **[acme]** Further Let&#39;s Encrypt ratelimit warnings ([#9627](https://github.com/traefik/traefik/pull/9627) by [hcooper](https://github.com/hcooper))
+- **[k8s]** Add info admonition about routing to k8 services ([#9645](https://github.com/traefik/traefik/pull/9645) by [svx](https://github.com/svx))
+- **[k8s]** Improve TLSStore CRD documentation ([#9579](https://github.com/traefik/traefik/pull/9579) by [mloiseleur](https://github.com/mloiseleur))
+- **[middleware]** doc: add note about remoteaddr strategy ([#9701](https://github.com/traefik/traefik/pull/9701) by [mpl](https://github.com/mpl))
+- Update copyright to match new standard ([#9651](https://github.com/traefik/traefik/pull/9651) by [paulocfjunior](https://github.com/paulocfjunior))
+- Update copyright for 2023 ([#9631](https://github.com/traefik/traefik/pull/9631) by [kevinpollet](https://github.com/kevinpollet))
+- Update submitting pull requests to include language about drafts ([#9609](https://github.com/traefik/traefik/pull/9609) by [tfny](https://github.com/tfny))
+
+## [v2.9.6](https://github.com/traefik/traefik/tree/v2.9.6) (2022-12-07)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.5...v2.9.6)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.9.1 ([#9550](https://github.com/traefik/traefik/pull/9550) by [ldez](https://github.com/ldez))
+- **[k8s/crd]** Support of allowEmptyServices in TraefikService ([#9424](https://github.com/traefik/traefik/pull/9424) by [jeromeguiard](https://github.com/jeromeguiard))
+- **[logs]** Remove logs of the request ([#9574](https://github.com/traefik/traefik/pull/9574) by [ldez](https://github.com/ldez))
+- **[plugins]** Increase the timeout on plugin download ([#9529](https://github.com/traefik/traefik/pull/9529) by [ldez](https://github.com/ldez))
+- **[server]** Update golang.org/x/net ([#9582](https://github.com/traefik/traefik/pull/9582) by [ldez](https://github.com/ldez))
+- **[tls]** Handle broken TLS conf better ([#9572](https://github.com/traefik/traefik/pull/9572) by [mpl](https://github.com/mpl))
+- **[tracing]** Update DataDog tracing dependency to v1.43.1 ([#9526](https://github.com/traefik/traefik/pull/9526) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Add missing serialNumber passTLSClientCert option to middleware panel ([#9539](https://github.com/traefik/traefik/pull/9539) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[docker]** Add networking example ([#9542](https://github.com/traefik/traefik/pull/9542) by [Janik-Haag](https://github.com/Janik-Haag))
+- **[hub]** Add information about the Hub Agent ([#9560](https://github.com/traefik/traefik/pull/9560) by [nmengin](https://github.com/nmengin))
+- **[k8s/helm]** Update Helm installation section ([#9564](https://github.com/traefik/traefik/pull/9564) by [mloiseleur](https://github.com/mloiseleur))
+- **[middleware]** Clarify PathPrefix matcher greediness ([#9519](https://github.com/traefik/traefik/pull/9519) by [mpl](https://github.com/mpl))
+
+## [v2.9.5](https://github.com/traefik/traefik/tree/v2.9.5) (2022-11-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.4...v2.9.5)
+
+**Bug fixes:**
+- **[logs,middleware]** Create a new capture instance for each incoming request ([#9510](https://github.com/traefik/traefik/pull/9510) by [sdelicata](https://github.com/sdelicata))
+
+**Documentation:**
+- **[k8s/helm]** Update helm repository ([#9506](https://github.com/traefik/traefik/pull/9506) by [charlie-haley](https://github.com/charlie-haley))
+- Enhance wording of building-testing page ([#9509](https://github.com/traefik/traefik/pull/9509) by [svx](https://github.com/svx))
+- Add link descriptions and update wording ([#9507](https://github.com/traefik/traefik/pull/9507) by [svx](https://github.com/svx))
+- Removes the experimental tag on the Traefik Hub header ([#9498](https://github.com/traefik/traefik/pull/9498) by [tfny](https://github.com/tfny))
+
+## [v2.9.4](https://github.com/traefik/traefik/tree/v2.9.4) (2022-10-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.4)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.9.0 ([#9413](https://github.com/traefik/traefik/pull/9413) by [tony-defa](https://github.com/tony-defa))
+- **[kv,redis]** Fix Redis configuration type ([#9435](https://github.com/traefik/traefik/pull/9435) by [ldez](https://github.com/ldez))
+- **[logs,middleware,metrics]** Handle capture on redefined http.responseWriters ([#9440](https://github.com/traefik/traefik/pull/9440) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,k8s]** Remove raw cert escape in PassTLSClientCert middleware ([#9412](https://github.com/traefik/traefik/pull/9412) by [rtribotte](https://github.com/rtribotte))
+- **[plugins]** Update Yaegi to v0.14.3 ([#9468](https://github.com/traefik/traefik/pull/9468) by [ldez](https://github.com/ldez))
+- Remove side effect on default transport tests ([#9460](https://github.com/traefik/traefik/pull/9460) by [sdelicata](https://github.com/sdelicata))
+
+**Documentation:**
+- **[k8s]** Fix links to gateway API guides ([#9445](https://github.com/traefik/traefik/pull/9445) by [kevinpollet](https://github.com/kevinpollet))
+- Simplify dashboard rule example ([#9454](https://github.com/traefik/traefik/pull/9454) by [sosoba](https://github.com/sosoba))
+- Add v2.9 to release page ([#9438](https://github.com/traefik/traefik/pull/9438) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.9.3](https://github.com/traefik/traefik/tree/v2.9.3) (2022-10-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.3)
+
+Release canceled.
+
+## [v2.9.2](https://github.com/traefik/traefik/tree/v2.9.2) (2022-10-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.2)
+
+Release canceled.
+
+## [v2.9.1](https://github.com/traefik/traefik/tree/v2.9.1) (2022-10-03)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v2.9.1)
+
+**Enhancements:**
+- **[acme,tls]** ACME Default Certificate ([#9189](https://github.com/traefik/traefik/pull/9189) by [rtribotte](https://github.com/rtribotte))
+- **[consul,etcd,zk,kv,redis]** Update valkeyrie to v1.0.0 ([#9316](https://github.com/traefik/traefik/pull/9316) by [ldez](https://github.com/ldez))
+- **[consulcatalog,nomad]** Support Nomad canary deployment ([#9216](https://github.com/traefik/traefik/pull/9216) by [rtribotte](https://github.com/rtribotte))
+- **[consulcatalog]** Move consulcatalog provider to only use health apis ([#9140](https://github.com/traefik/traefik/pull/9140) by [kevinpollet](https://github.com/kevinpollet))
+- **[docker]** Add support for reaching containers using host networking on Podman ([#9190](https://github.com/traefik/traefik/pull/9190) by [freundTech](https://github.com/freundTech))
+- **[docker]** Use IPv6 address ([#9183](https://github.com/traefik/traefik/pull/9183) by [tomMoulard](https://github.com/tomMoulard))
+- **[docker]** Add allowEmptyServices for Docker provider ([#8690](https://github.com/traefik/traefik/pull/8690) by [jvasseur](https://github.com/jvasseur))
+- **[ecs]**  Add support for ECS Anywhere ([#9324](https://github.com/traefik/traefik/pull/9324) by [tuxpower](https://github.com/tuxpower))
+- **[healthcheck]** Add a method option to the service Health Check ([#9165](https://github.com/traefik/traefik/pull/9165) by [ddtmachado](https://github.com/ddtmachado))
+- **[http3]** Upgrade quic-go to v0.28.0 ([#9187](https://github.com/traefik/traefik/pull/9187) by [tomMoulard](https://github.com/tomMoulard))
+- **[http]** Start polling HTTP provider at the beginning ([#9116](https://github.com/traefik/traefik/pull/9116) by [moutoum](https://github.com/moutoum))
+- **[k8s/crd,plugins]** Load plugin configuration field value from Kubernetes Secret ([#9103](https://github.com/traefik/traefik/pull/9103) by [rtribotte](https://github.com/rtribotte))
+- **[logs,tcp]** Quiet down TCP RST packet error on read operation ([#9007](https://github.com/traefik/traefik/pull/9007) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Add traffic size metrics ([#9208](https://github.com/traefik/traefik/pull/9208) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware,pilot]** Remove Pilot support ([#9330](https://github.com/traefik/traefik/pull/9330) by [ldez](https://github.com/ldez))
+- **[rules,tcp]** Support ALPN for TCP + TLS routers ([#8913](https://github.com/traefik/traefik/pull/8913) by [sh7dm](https://github.com/sh7dm))
+- **[tcp,service,udp]** Make the loadbalancers servers order random ([#9037](https://github.com/traefik/traefik/pull/9037) by [qmloong](https://github.com/qmloong))
+- **[tls]** Change default TLS options for more security ([#8951](https://github.com/traefik/traefik/pull/8951) by [ddtmachado](https://github.com/ddtmachado))
+- **[tracing]** Add Datadog GlobalTags support ([#9266](https://github.com/traefik/traefik/pull/9266) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[acme]** Fix ACME panic ([#9365](https://github.com/traefik/traefik/pull/9365) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[metrics]** Rework metrics overview page ([#9366](https://github.com/traefik/traefik/pull/9366) by [ddtmachado](https://github.com/ddtmachado))
+
+**Misc:**
+- Merge current v2.8 into v2.9 ([#9400](https://github.com/traefik/traefik/pull/9400) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9371](https://github.com/traefik/traefik/pull/9371) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9367](https://github.com/traefik/traefik/pull/9367) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9350](https://github.com/traefik/traefik/pull/9350) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9343](https://github.com/traefik/traefik/pull/9343) by [kevinpollet](https://github.com/kevinpollet))
+- Merge v2.8.5 into master ([#9329](https://github.com/traefik/traefik/pull/9329) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.8 into master ([#9291](https://github.com/traefik/traefik/pull/9291) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.8 into master ([#9265](https://github.com/traefik/traefik/pull/9265) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9209](https://github.com/traefik/traefik/pull/9209) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9146](https://github.com/traefik/traefik/pull/9146) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9135](https://github.com/traefik/traefik/pull/9135) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.9.0](https://github.com/traefik/traefik/tree/v2.9.0) (2022-10-03)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v2.9.0)
+
+Release canceled.
+
+## [v2.9.0-rc5](https://github.com/traefik/traefik/tree/v2.9.0-rc5) (2022-09-30)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc4...v2.9.0-rc5)
+
+**Misc:**
+- Merge current v2.8 into v2.9 ([#9400](https://github.com/traefik/traefik/pull/9400) by [ldez](https://github.com/ldez))
+
+## [v2.8.8](https://github.com/traefik/traefik/tree/v2.8.8) (2022-09-30)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.7...v2.8.8)
+
+**Bug fixes:**
+- **[server]** Update golang.org/x/net to latest version ([#9398](https://github.com/traefik/traefik/pull/9398) by [tspearconquest](https://github.com/tspearconquest))
+
+**Documentation:**
+- **[docker]** Fix watch option description for Docker provider ([#9391](https://github.com/traefik/traefik/pull/9391) by [bhuisgen](https://github.com/bhuisgen))
+- **[ecs]** Fix autoDiscoverClusters option documentation for ECS provider ([#9392](https://github.com/traefik/traefik/pull/9392) by [johnpekcan](https://github.com/johnpekcan))
+- **[k8s]** Improve documentation for publishedService and IP options ([#9380](https://github.com/traefik/traefik/pull/9380) by [samip5](https://github.com/samip5))
+
+## [v2.9.0-rc4](https://github.com/traefik/traefik/tree/v2.9.0-rc4) (2022-09-23)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc3...v2.9.0-rc4)
+
+**Bug fixes:**
+- **[acme]** Fix ACME panic ([#9365](https://github.com/traefik/traefik/pull/9365) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[metrics]** Rework metrics overview page ([#9366](https://github.com/traefik/traefik/pull/9366) by [ddtmachado](https://github.com/ddtmachado))
+
+**Misc:**
+- Merge current v2.8 into v2.9 ([#9371](https://github.com/traefik/traefik/pull/9371) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9367](https://github.com/traefik/traefik/pull/9367) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9350](https://github.com/traefik/traefik/pull/9350) by [ldez](https://github.com/ldez))
+
+## [v2.8.7](https://github.com/traefik/traefik/tree/v2.8.7) (2022-09-23)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.5...v2.8.7)
+
+**Bug fixes:**
+- **[consulcatalog]** Fix UDP loadbalancer tags not being used with Consul Catalog ([#9357](https://github.com/traefik/traefik/pull/9357) by [t3hchipmunk](https://github.com/t3hchipmunk))
+- **[docker,rancher,ecs,provider]** Simplify AddServer algorithm ([#9358](https://github.com/traefik/traefik/pull/9358) by [ldez](https://github.com/ldez))
+- **[plugins]** Allow empty plugin configuration ([#9338](https://github.com/traefik/traefik/pull/9338) by [ldez](https://github.com/ldez))
+- **[rules]** Fix query parameter matching with equal ([#9369](https://github.com/traefik/traefik/pull/9369) by [ldez](https://github.com/ldez))
+- **[server]** Optimize websocket headers handling ([#9360](https://github.com/traefik/traefik/pull/9360) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- **[ecs]** Add documentation for ECS constraints option ([#9354](https://github.com/traefik/traefik/pull/9354) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/gatewayapi]** Fix link to RouteNamespaces ([#9349](https://github.com/traefik/traefik/pull/9349) by [ldez](https://github.com/ldez))
+- Add documentation for json schema usage to validate config in the FAQ ([#9340](https://github.com/traefik/traefik/pull/9340) by [rtribotte](https://github.com/rtribotte))
+- Add a note on case insensitive regex matching ([#9322](https://github.com/traefik/traefik/pull/9322) by [NEwa-05](https://github.com/NEwa-05))
+
+## [v2.8.6](https://github.com/traefik/traefik/tree/v2.8.6) (2022-09-23)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.5...v2.8.6)
+
+Release canceled.
+
+## [v2.9.0-rc3](https://github.com/traefik/traefik/tree/v2.9.0-rc3) (2022-09-16)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc2...v2.9.0-rc3)
+
+**Misc:**
+- Merge current v2.8 into v2.9 ([#9343](https://github.com/traefik/traefik/pull/9343) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.9.0-rc1](https://github.com/traefik/traefik/tree/v2.9.0-rc2) (2022-09-14)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.0-rc1...v2.9.0-rc2)
+
+**Enhancements:**
+- **[acme,tls]** ACME Default Certificate ([#9189](https://github.com/traefik/traefik/pull/9189) by [rtribotte](https://github.com/rtribotte))
+- **[consul,etcd,zk,kv,redis]** Update valkeyrie to v1.0.0 ([#9316](https://github.com/traefik/traefik/pull/9316) by [ldez](https://github.com/ldez))
+- **[consulcatalog,nomad]** Support Nomad canary deployment ([#9216](https://github.com/traefik/traefik/pull/9216) by [rtribotte](https://github.com/rtribotte))
+- **[consulcatalog]** Move consulcatalog provider to only use health apis ([#9140](https://github.com/traefik/traefik/pull/9140) by [kevinpollet](https://github.com/kevinpollet))
+- **[docker]** Add support for reaching containers using host networking on Podman ([#9190](https://github.com/traefik/traefik/pull/9190) by [freundTech](https://github.com/freundTech))
+- **[docker]** Use IPv6 address ([#9183](https://github.com/traefik/traefik/pull/9183) by [tomMoulard](https://github.com/tomMoulard))
+- **[docker]** Add allowEmptyServices for Docker provider ([#8690](https://github.com/traefik/traefik/pull/8690) by [jvasseur](https://github.com/jvasseur))
+- **[ecs]**  Add support for ECS Anywhere ([#9324](https://github.com/traefik/traefik/pull/9324) by [tuxpower](https://github.com/tuxpower))
+- **[healthcheck]** Add a method option to the service Health Check ([#9165](https://github.com/traefik/traefik/pull/9165) by [ddtmachado](https://github.com/ddtmachado))
+- **[http3]** Upgrade quic-go to v0.28.0 ([#9187](https://github.com/traefik/traefik/pull/9187) by [tomMoulard](https://github.com/tomMoulard))
+- **[http]** Start polling HTTP provider at the beginning ([#9116](https://github.com/traefik/traefik/pull/9116) by [moutoum](https://github.com/moutoum))
+- **[k8s/crd,plugins]** Load plugin configuration field value from Kubernetes Secret ([#9103](https://github.com/traefik/traefik/pull/9103) by [rtribotte](https://github.com/rtribotte))
+- **[logs,tcp]** Quiet down TCP RST packet error on read operation ([#9007](https://github.com/traefik/traefik/pull/9007) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Add traffic size metrics ([#9208](https://github.com/traefik/traefik/pull/9208) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware,pilot]** Remove Pilot support ([#9330](https://github.com/traefik/traefik/pull/9330) by [ldez](https://github.com/ldez))
+- **[rules,tcp]** Support ALPN for TCP + TLS routers ([#8913](https://github.com/traefik/traefik/pull/8913) by [sh7dm](https://github.com/sh7dm))
+- **[tcp,service,udp]** Make the loadbalancers servers order random ([#9037](https://github.com/traefik/traefik/pull/9037) by [qmloong](https://github.com/qmloong))
+- **[tls]** Change default TLS options for more security ([#8951](https://github.com/traefik/traefik/pull/8951) by [ddtmachado](https://github.com/ddtmachado))
+- **[tracing]** Add Datadog GlobalTags support ([#9266](https://github.com/traefik/traefik/pull/9266) by [sdelicata](https://github.com/sdelicata))
+
+**Misc:**
+- Merge v2.8.5 into master ([#9329](https://github.com/traefik/traefik/pull/9329) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.8 into master ([#9291](https://github.com/traefik/traefik/pull/9291) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.8 into master ([#9265](https://github.com/traefik/traefik/pull/9265) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9209](https://github.com/traefik/traefik/pull/9209) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9146](https://github.com/traefik/traefik/pull/9146) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9135](https://github.com/traefik/traefik/pull/9135) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.9.0-rc1](https://github.com/traefik/traefik/tree/v2.9.0-rc1) (2022-09-14)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.0-rc1...v2.9.0-rc1)
+
+Release canceled.
+
+## [v2.8.5](https://github.com/traefik/traefik/tree/v2.8.5) (2022-09-13)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.4...v2.8.5)
+
+**Bug fixes:**
+- **[plugins]** Update Yaegi to v0.14.2 ([#9327](https://github.com/traefik/traefik/pull/9327) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Fix IPv6 addr with square brackets ([#9313](https://github.com/traefik/traefik/pull/9313) by [moonlightwatch](https://github.com/moonlightwatch))
+- **[webui,api]** Display default TLS options in the dashboard ([#9312](https://github.com/traefik/traefik/pull/9312) by [skwair](https://github.com/skwair))
+
+**Documentation:**
+- **[docker]** Add healthcheck timeout seconds to value ([#9306](https://github.com/traefik/traefik/pull/9306) by [fty4](https://github.com/fty4))
+- Update deprecation notes about Pilot ([#9314](https://github.com/traefik/traefik/pull/9314) by [nmengin](https://github.com/nmengin))
+- Added resources for businesses ([#9268](https://github.com/traefik/traefik/pull/9268) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
+## [v2.8.4](https://github.com/traefik/traefik/tree/v2.8.4) (2022-09-02)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.3...v2.8.4)
+
+**Bug fixes:**
+- **[docker,docker/swarm]** Fix Docker provider mem leak on operation retries ([#9288](https://github.com/traefik/traefik/pull/9288) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Fix retry middleware on panic ([#9284](https://github.com/traefik/traefik/pull/9284) by [ldez](https://github.com/ldez))
+- **[plugins]** Allow Traefik starting even if plugin service is unavailable ([#9287](https://github.com/traefik/traefik/pull/9287) by [ldez](https://github.com/ldez))
+- chore: update paerser to v0.1.9 ([#9270](https://github.com/traefik/traefik/pull/9270) by [tomMoulard](https://github.com/tomMoulard))
+
+**Documentation:**
+- **[acme]** Fix infoblox acme provider documentation ([#9277](https://github.com/traefik/traefik/pull/9277) by [ldez](https://github.com/ldez))
+- **[k8s/crd]** Fix serversTransport CRD documentation ([#9283](https://github.com/traefik/traefik/pull/9283) by [cuishuang](https://github.com/cuishuang))
+- **[k8s/crd]** Fix k8s for example for rootCAs serversTransport ([#9274](https://github.com/traefik/traefik/pull/9274) by [ben-krieger](https://github.com/ben-krieger))
+- **[k8s]** Add missing networking apiGroup in Kubernetes RBACs examples and references ([#9295](https://github.com/traefik/traefik/pull/9295) by [fibsifan](https://github.com/fibsifan))
+- Update deprecation notes about Pilot ([#9300](https://github.com/traefik/traefik/pull/9300) by [nmengin](https://github.com/nmengin))
+
+## [v2.8.3](https://github.com/traefik/traefik/tree/v2.8.3) (2022-08-12)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.2...v2.8.3)
+
+**Bug fixes:**
+- **[file]** Update paerser to v0.1.8 ([#9258](https://github.com/traefik/traefik/pull/9258) by [ldez](https://github.com/ldez))
+- **[marathon]** Add missing context in backoff for Marathon ([#9246](https://github.com/traefik/traefik/pull/9246) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.8.2](https://github.com/traefik/traefik/tree/v2.8.2) (2022-08-11)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.1...v2.8.2)
+
+**Bug fixes:**
+- **[k8s/ingress,k8s]** Place namespace before name in router key for Ingress ([#9221](https://github.com/traefik/traefik/pull/9221) by [longshine](https://github.com/longshine))
+- **[kv]** Update valkeyrie to a9a70ee ([#9243](https://github.com/traefik/traefik/pull/9243) by [kevinpollet](https://github.com/kevinpollet))
+- **[logs,middleware,tracing]** Remove request dump from IPWhitelist debug log and tracing message ([#9244](https://github.com/traefik/traefik/pull/9244) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Control allocation and copy of labelNamesValues type ([#9241](https://github.com/traefik/traefik/pull/9241) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Fix service up gauge for Prometheus metrics ([#9197](https://github.com/traefik/traefik/pull/9197) by [juliens](https://github.com/juliens))
+- **[plugins]** Bump paerser to v0.1.6 ([#9224](https://github.com/traefik/traefik/pull/9224) by [ldez](https://github.com/ldez))
+- **[yaml]** Add missing inline tag for YAML serialization ([#9182](https://github.com/traefik/traefik/pull/9182) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[k8s]** Fix wording of default behavior for namespaces option ([#9222](https://github.com/traefik/traefik/pull/9222) by [markormesher](https://github.com/markormesher))
+- **[k8s]** Add getting started guide for Kubernetes ([#9163](https://github.com/traefik/traefik/pull/9163) by [moutoum](https://github.com/moutoum))
+- **[plugins]** Remove Traefik Pilot and add a Traefik Plugins Catalog page ([#9171](https://github.com/traefik/traefik/pull/9171) by [sdelicata](https://github.com/sdelicata))
+- Update Thank You page with proper branding and grammar fixes ([#9203](https://github.com/traefik/traefik/pull/9203) by [tfny](https://github.com/tfny))
+- Update CONTRIBUTING.md to contain all information in one place ([#9192](https://github.com/traefik/traefik/pull/9192) by [tfny](https://github.com/tfny))
+- Update the PR guidelines in Contributing docs ([#9179](https://github.com/traefik/traefik/pull/9179) by [tfny](https://github.com/tfny))
+
 ## [v2.8.1](https://github.com/traefik/traefik/tree/v2.8.1) (2022-07-11)
 [All Commits](https://github.com/traefik/traefik/compare/v2.8.0...v2.8.1)

@@ -247,7 +1169,7 @@ Release canceled.
 - **[webui]** Add a link to service on router detail view ([#8821](https://github.com/traefik/traefik/pull/8821) by [Tchoupinax](https://github.com/Tchoupinax))

 **Documentation:**
-  Add a Feature Deprecation page ([#8868](https://github.com/traefik/traefik/pull/8868) by [ddtmachado](https://github.com/ddtmachado))
+- Add a Feature Deprecation page ([#8868](https://github.com/traefik/traefik/pull/8868) by [ddtmachado](https://github.com/ddtmachado))

 **Misc:**
 - Merge current v2.6 into master ([#8877](https://github.com/traefik/traefik/pull/8877) by [rtribotte](https://github.com/rtribotte))
@@ -615,7 +1537,6 @@ Release canceled.
 - Merge current v2.4 into master ([#7748](https://github.com/traefik/traefik/pull/7748) by [kevinpollet](https://github.com/kevinpollet))
 - Merge current v2.4 into master ([#7728](https://github.com/traefik/traefik/pull/7728) by [mmatur](https://github.com/mmatur))

-
 ## [v2.4.14](https://github.com/traefik/traefik/tree/v2.4.14) (2021-08-16)
 [All Commits](https://github.com/traefik/traefik/compare/v2.4.13...v2.4.14)

@@ -3431,7 +4352,6 @@ Same changelog as v2.0.3.
 ## [v1.7.0-rc2](https://github.com/traefik/traefik/tree/v1.7.0-rc2) (2018-07-17)
 [All Commits](https://github.com/traefik/traefik/compare/v1.7.0-rc1...v1.7.0-rc2)

-
 **Bug fixes:**
 - **[acme,provider]** Create init method on provider interface ([#3580](https://github.com/traefik/traefik/pull/3580) by [Juliens](https://github.com/Juliens))
 - **[acme]** Serve TLS-Challenge certificate in first ([#3605](https://github.com/traefik/traefik/pull/3605) by [nmengin](https://github.com/nmengin))
@@ -4441,7 +5361,7 @@ Same changelog as v2.0.3.
 - **[acme]** Dumpcerts.sh: fixed sed, extracted domain keys ([#2161](https://github.com/traefik/traefik/pull/2161) by [sjawhar](https://github.com/sjawhar))
 - Merge current v1.4 into master  ([#2469](https://github.com/traefik/traefik/pull/2469) by [ldez](https://github.com/ldez))
 - Revert &#34;Merge v1.4.2 into master&#34; ([#2414](https://github.com/traefik/traefik/pull/2414) by [ldez](https://github.com/ldez))
-  Merge v1.4.3 into master ([#2406](https://github.com/traefik/traefik/pull/2406) by [ldez](https://github.com/ldez))
+- Merge v1.4.3 into master ([#2406](https://github.com/traefik/traefik/pull/2406) by [ldez](https://github.com/ldez))
 - Merge v1.4.2 into master ([#2358](https://github.com/traefik/traefik/pull/2358) by [ldez](https://github.com/ldez))
 - Merge v1.4.3 into master ([#2415](https://github.com/traefik/traefik/pull/2415) by [ldez](https://github.com/ldez))
 - Merge v1.4.1 into master  ([#2318](https://github.com/traefik/traefik/pull/2318) by [ldez](https://github.com/ldez))
@@ -5790,7 +6710,7 @@ Same changelog as v2.0.3.
 - Fix k8s watch [\#573](https://github.com/traefik/traefik/pull/573) ([errm](https://github.com/errm))
 - Add requirements.txt for netlify [\#567](https://github.com/traefik/traefik/pull/567) ([emilevauge](https://github.com/emilevauge))
 - Merge v1.0.1 master [\#565](https://github.com/traefik/traefik/pull/565) ([emilevauge](https://github.com/emilevauge))
-  Move webui to FountainJS with Webpack [\#558](https://github.com/traefik/traefik/pull/558) ([micaelmbagira](https://github.com/micaelmbagira))
+- Move webui to FountainJS with Webpack [\#558](https://github.com/traefik/traefik/pull/558) ([micaelmbagira](https://github.com/micaelmbagira))
 - Add global InsecureSkipVerify option to disable certificate checking [\#557](https://github.com/traefik/traefik/pull/557) ([stuart-c](https://github.com/stuart-c))
 - Move version.go in its own package… [\#553](https://github.com/traefik/traefik/pull/553) ([vdemeester](https://github.com/vdemeester))
 - Upgrade libkermit and dependencies [\#552](https://github.com/traefik/traefik/pull/552) ([vdemeester](https://github.com/vdemeester))
@@ -6013,7 +6933,7 @@ Same changelog as v2.0.3.
 - Fix k8s watch [\#573](https://github.com/traefik/traefik/pull/573) ([errm](https://github.com/errm))
 - Add requirements.txt for netlify [\#567](https://github.com/traefik/traefik/pull/567) ([emilevauge](https://github.com/emilevauge))
 - Merge v1.0.1 master [\#565](https://github.com/traefik/traefik/pull/565) ([emilevauge](https://github.com/emilevauge))
-  Move webui to FountainJS with Webpack [\#558](https://github.com/traefik/traefik/pull/558) ([micaelmbagira](https://github.com/micaelmbagira))
+- Move webui to FountainJS with Webpack [\#558](https://github.com/traefik/traefik/pull/558) ([micaelmbagira](https://github.com/micaelmbagira))
 - Add global InsecureSkipVerify option to disable certificate checking [\#557](https://github.com/traefik/traefik/pull/557) ([stuart-c](https://github.com/stuart-c))
 - Move version.go in its own package… [\#553](https://github.com/traefik/traefik/pull/553) ([vdemeester](https://github.com/vdemeester))
 - Upgrade libkermit and dependencies [\#552](https://github.com/traefik/traefik/pull/552) ([vdemeester](https://github.com/vdemeester))
@@ -6174,7 +7094,3 @@ Same changelog as v2.0.3.
 - Fix travis tag check [\#422](https://github.com/traefik/traefik/pull/422) ([emilevauge](https://github.com/emilevauge))
 - log info about TOML configuration file using [\#420](https://github.com/traefik/traefik/pull/420) ([cocap10](https://github.com/cocap10))
 - Doc about skipping some integration tests with '-check.f ConsulCatalogSuite' [\#418](https://github.com/traefik/traefik/pull/418) ([samber](https://github.com/samber))
-
-
-
-\* *This Change Log was automatically generated by [gcg](https://github.com/ldez/gcg)*
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -30,23 +30,35 @@ Project maintainers have the right and responsibility to remove, edit, or reject

 ## Scope

-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or our community. 
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or our community.

-Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. 
+Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
 Representation of a project may be further defined and clarified by project maintainers.

 ## Enforcement

 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@traefik.io

-All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. 
+All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances.

-The project team is obligated to maintain confidentiality with regard to the reporter of an incident. 
+The project team is obligated to maintain confidentiality with regard to the reporter of an incident.

 Further details of specific enforcement policies may be posted separately.

 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

+When an inappropriate behavior is reported, maintainers will discuss on the Maintainer's Discord before marking the message as "abuse". 
+This conversation beforehand avoids one-sided decisions.
+
+The first message will be edited and marked as abuse.
+The second edited message and marked as abuse results in a 7-day ban.
+The third edited message and marked as abuse results in a permanent ban.
+
+The content of edited messages is:
+`Dear user, we want traefik to provide a welcoming and respectful environment. Your [comment/issue/PR] has been reported and marked as abuse according to our [Code of Conduct](./CODE_OF_CONDUCT.md). Thank you.`
+
+The [report must be resolved](https://docs.github.com/en/communities/moderating-comments-and-conversations/managing-reported-content-in-your-organizations-repository#resolving-a-report) accordingly.
+
 ## Attribution

 This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,8 +2,10 @@

 Here are some guidelines that should help to start contributing to the project.

- [Submitting pull Requests](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md)
+- [Submitting pull Requests](https://doc.traefik.io/traefik/contributing/submitting-pull-requests/)
 - [Submitting issues](https://doc.traefik.io/traefik/contributing/submitting-issues/)
- [Submitting security issues](docs/content/contributing/submitting-security-issues.md)
+- [Submitting security issues](https://doc.traefik.io/traefik/contributing/submitting-security-issues/)
+- [Advocating for Traefik](https://doc.traefik.io/traefik/contributing/advocating/)
+- [Triage Process](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md)

 If you are willing to become a maintainer of the project, please take a look at the [maintainers guidelines](docs/content/contributing/maintainers-guidelines.md).
--- a/12
+++ b/12
@@ -1,6 +1,12 @@
-FROM scratch
-COPY script/ca-certificates.crt /etc/ssl/certs/
-COPY dist/traefik /
+# syntax=docker/dockerfile:1.2
+FROM alpine:3.22
+
+RUN apk add --no-cache --no-progress ca-certificates tzdata
+
+ARG TARGETPLATFORM
+COPY ./dist/$TARGETPLATFORM/traefik /
+
 EXPOSE 80
 VOLUME ["/tmp"]
+
 ENTRYPOINT ["/traefik"]
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS; 2020-2022 Traefik Labs
+Copyright (c) 2016-2020 Containous SAS; 2020-2025 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/229
+++ b/229
@@ -1,125 +1,112 @@
 SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/')

-TAG_NAME := $(shell git tag -l --contains HEAD)
+TAG_NAME := $(shell git describe --abbrev=0 --tags --exact-match)
 SHA := $(shell git rev-parse HEAD)
 VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
 VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))

-GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
-TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
+BIN_NAME := traefik
+CODENAME ?= cheddar

-REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
-TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")
+DATE := $(shell date -u '+%Y-%m-%d_%I:%M:%S%p')

-INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)",-v "/var/run/docker.sock:/var/run/docker.sock")
-DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
+# Default build target
+GOOS := $(shell go env GOOS)
+GOARCH := $(shell go env GOARCH)
+GOGC ?=

-TRAEFIK_ENVS := \
-	-e OS_ARCH_ARG \
-	-e OS_PLATFORM_ARG \
-	-e TESTFLAGS \
-	-e VERBOSE \
-	-e VERSION \
-	-e CODENAME \
-	-e TESTDIRS \
-	-e CI \
-	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.
+LINT_EXECUTABLES = misspell shellcheck

-TRAEFIK_MOUNT := -v "$(CURDIR)/dist:/go/src/github.com/traefik/traefik/dist"
-DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
-DOCKER_NON_INTERACTIVE ?= false
-DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
-DOCKER_RUN_TRAEFIK_TEST := docker run --add-host=host.docker.internal:127.0.0.1 --rm --name=traefik --network traefik-test-network -v $(PWD):$(PWD) -w $(PWD) $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
-DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)
-
-IN_DOCKER ?= true
+DOCKER_BUILD_PLATFORMS ?= linux/amd64,linux/arm64

 .PHONY: default
-default: binary
+#? default: Run `make generate` and `make binary`
+default: generate binary

-## Create the "dist" directory
+#? dist: Create the "dist" directory
 dist:
 	mkdir -p dist

-## Build Dev Docker image
-.PHONY: build-dev-image
-build-dev-image: dist
-ifneq ("$(IN_DOCKER)", "")
-	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" --build-arg HOST_PWD="$(PWD)" -f build.Dockerfile .
-endif
-
-## Build Dev Docker image without cache
-.PHONY: build-dev-image-no-cache
-build-dev-image-no-cache: dist
-ifneq ("$(IN_DOCKER)", "")
-	docker build $(DOCKER_BUILD_ARGS) --no-cache -t "$(TRAEFIK_DEV_IMAGE)" --build-arg HOST_PWD="$(PWD)" -f build.Dockerfile .
-endif
-
-## Build WebUI Docker image
 .PHONY: build-webui-image
+#? build-webui-image: Build WebUI Docker image
 build-webui-image:
 	docker build -t traefik-webui -f webui/Dockerfile webui

-## Clean WebUI static generated assets
 .PHONY: clean-webui
+#? clean-webui: Clean WebUI static generated assets
 clean-webui:
 	rm -r webui/static
 	mkdir -p webui/static
 	printf 'For more information see `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md

-## Generate WebUI
 webui/static/index.html:
 	$(MAKE) build-webui-image
 	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui npm run build:nc
 	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static

 .PHONY: generate-webui
+#? generate-webui: Generate WebUI
 generate-webui: webui/static/index.html

-## Build the binary
+.PHONY: generate
+#? generate: Generate code (Dynamic and Static configuration documentation reference files)
+generate:
+	go generate
+
 .PHONY: binary
-binary: generate-webui build-dev-image
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
+#? binary: Build the binary
+binary: generate-webui dist
+	@echo SHA: $(VERSION) $(CODENAME) $(DATE)
+	CGO_ENABLED=0 GOGC=${GOGC} GOOS=${GOOS} GOARCH=${GOARCH} go build ${FLAGS[*]} -ldflags "-s -w \
+    -X github.com/traefik/traefik/v2/pkg/version.Version=$(VERSION) \
+    -X github.com/traefik/traefik/v2/pkg/version.Codename=$(CODENAME) \
+    -X github.com/traefik/traefik/v2/pkg/version.BuildDate=$(DATE)" \
+    -installsuffix nocgo -o "./dist/${GOOS}/${GOARCH}/$(BIN_NAME)" ./cmd/traefik

-## Build the linux binary locally
-.PHONY: binary-debug
-binary-debug: generate-webui
-	GOOS=linux ./script/make.sh binary
+binary-linux-arm64: export GOOS := linux
+binary-linux-arm64: export GOARCH := arm64
+binary-linux-arm64:
+	@$(MAKE) binary
+
+binary-linux-amd64: export GOOS := linux
+binary-linux-amd64: export GOARCH := amd64
+binary-linux-amd64:
+	@$(MAKE) binary
+
+binary-windows-amd64: export GOOS := windows
+binary-windows-amd64: export GOARCH := amd64
+binary-windows-amd64: export BIN_NAME := traefik.exe
+binary-windows-amd64:
+	@$(MAKE) binary

-## Build the binary for the standard platforms (linux, darwin, windows)
 .PHONY: crossbinary-default
-crossbinary-default: generate-webui build-dev-image
-	$(DOCKER_RUN_TRAEFIK_NOTTY) ./script/make.sh generate crossbinary-default
+#? crossbinary-default: Build the binary for the standard platforms (linux, darwin, windows)
+crossbinary-default: generate generate-webui
+	$(CURDIR)/script/crossbinary-default.sh

-## Build the binary for the standard platforms (linux, darwin, windows) in parallel
-.PHONY: crossbinary-default-parallel
-crossbinary-default-parallel:
-	$(MAKE) generate-webui
-	$(MAKE) build-dev-image crossbinary-default
-
-## Run the unit and integration tests
 .PHONY: test
-test: build-dev-image
-	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
-	trap 'docker network rm traefik-test-network' EXIT; \
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate test-unit binary test-integration
+#? test: Run the unit and integration tests
+test: test-ui-unit test-unit test-integration

-## Run the unit tests
 .PHONY: test-unit
-test-unit: build-dev-image
-	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
-	trap 'docker network rm traefik-test-network' EXIT; \
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate test-unit
+#? test-unit: Run the unit tests
+test-unit:
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test -cover "-coverprofile=cover.out" -v $(TESTFLAGS) ./pkg/... ./cmd/...

-## Run the integration tests
 .PHONY: test-integration
-test-integration: build-dev-image
-	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
-	trap 'docker network rm traefik-test-network' EXIT; \
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate binary test-integration
+#? test-integration: Run the integration tests
+test-integration:
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -test.timeout=20m -failfast -v $(TESTFLAGS)
+
+.PHONY: test-ui-unit
+#? test-ui-unit: Run the unit tests for the webui
+test-ui-unit:
+	$(MAKE) build-webui-image
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui yarn --cwd webui install
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui yarn --cwd webui test:unit:ci

-## Pull all images for integration tests
 .PHONY: pull-images
+#? pull-images: Pull all Docker images to avoid timeout during integration tests
 pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml \
 		| awk '{print $$2}' \
@@ -127,84 +114,76 @@ pull-images:
 		| uniq \
 		| xargs -P 6 -n 1 docker pull

-## Validate code and docs
+.PHONY: lint
+#? lint: Run golangci-lint
+lint:
+	golangci-lint run
+
 .PHONY: validate-files
-validate-files: build-dev-image
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
-	bash $(CURDIR)/script/validate-shell-script.sh
+#? validate-files: Validate code and docs
+validate-files:
+	$(foreach exec,$(LINT_EXECUTABLES),\
+            $(if $(shell which $(exec)),,$(error "No $(exec) in PATH")))
+	$(CURDIR)/script/validate-vendor.sh
+	$(CURDIR)/script/validate-misspell.sh
+	$(CURDIR)/script/validate-shell-script.sh

-## Validate code, docs, and vendor
 .PHONY: validate
-validate: build-dev-image
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
-	bash $(CURDIR)/script/validate-shell-script.sh
+#? validate: Validate code, docs, and vendor
+validate: lint validate-files
+
+# Target for building images for multiple architectures.
+.PHONY: multi-arch-image-%
+multi-arch-image-%: binary-linux-amd64 binary-linux-arm64
+	docker buildx build $(DOCKER_BUILDX_ARGS) -t traefik/traefik:$* --platform=$(DOCKER_BUILD_PLATFORMS) -f Dockerfile .
+

-## Clean up static directory and build a Docker Traefik image
 .PHONY: build-image
-build-image: clean-webui binary
-	docker build -t $(TRAEFIK_IMAGE) .
+#? build-image: Clean up static directory and build a Docker Traefik image
+build-image: export DOCKER_BUILDX_ARGS := --load
+build-image: export DOCKER_BUILD_PLATFORMS := linux/$(GOARCH)
+build-image: clean-webui
+	@$(MAKE) multi-arch-image-latest

-## Build a Docker Traefik image without re-building the webui
 .PHONY: build-image-dirty
-build-image-dirty: binary
-	docker build -t $(TRAEFIK_IMAGE) .
+#? build-image-dirty: Build a Docker Traefik image without re-building the webui when it's already built
+build-image-dirty: export DOCKER_BUILDX_ARGS := --load
+build-image-dirty: export DOCKER_BUILD_PLATFORMS := linux/$(GOARCH)
+build-image-dirty:
+	@$(MAKE) multi-arch-image-latest

-## Locally build traefik for linux, then shove it an alpine image, with basic tools.
-.PHONY: build-image-debug
-build-image-debug: binary-debug
-	docker build -t $(TRAEFIK_IMAGE) -f debug.Dockerfile .
-
-## Start a shell inside the build env
-.PHONY: shell
-shell: build-dev-image
-	$(DOCKER_RUN_TRAEFIK) /bin/bash
-
-## Build documentation site
 .PHONY: docs
+#? docs: Build documentation site
 docs:
 	make -C ./docs docs

-## Serve the documentation site locally
 .PHONY: docs-serve
+#? docs-serve: Serve the documentation site locally
 docs-serve:
 	make -C ./docs docs-serve

-## Pull image for doc building
 .PHONY: docs-pull-images
+#? docs-pull-images: Pull image for doc building
 docs-pull-images:
 	make -C ./docs docs-pull-images

-## Generate CRD clientset and CRD manifests
 .PHONY: generate-crd
+#? generate-crd: Generate CRD clientset and CRD manifests
 generate-crd:
 	@$(CURDIR)/script/code-gen.sh

-## Generate code from dynamic configuration https://github.com/traefik/genconf
 .PHONY: generate-genconf
+#? generate-genconf: Generate code from dynamic configuration github.com/traefik/genconf
 generate-genconf:
 	go run ./cmd/internal/gen/

-## Create packages for the release
-.PHONY: release-packages
-release-packages: generate-webui build-dev-image
-	rm -rf dist
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
-		--exclude-vcs \
-		--exclude .idea \
-		--exclude .travis \
-		--exclude .semaphoreci \
-		--exclude .github \
-		--exclude dist .
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/
-
-## Format the Code
 .PHONY: fmt
+#? fmt: Format the Code
 fmt:
 	gofmt -s -l -w $(SRCS)

-.PHONY: run-dev
-run-dev:
-	go generate
-	GO111MODULE=on go build ./cmd/traefik
-	./traefik
+.PHONY: help
+#? help: Get more info on make commands
+help: Makefile
+	@echo " Choose a command run in traefik:"
+	@sed -n 's/^#?//p' $< | column -t -s ':' |  sort | sed -e 's/^/ /'
--- a/README.md
+++ b/README.md
@@ -1,16 +1,18 @@

 <p align="center">
-<img src="docs/content/assets/img/traefik.logo.png" alt="Traefik" title="Traefik" />
+    <picture>
+      <source media="(prefers-color-scheme: dark)" srcset="docs/content/assets/img/traefik.logo-dark.png">
+      <source media="(prefers-color-scheme: light)" srcset="docs/content/assets/img/traefik.logo.png">
+      <img alt="Traefik" title="Traefik" src="docs/content/assets/img/traefik.logo.png">
+    </picture>
 </p>

-[![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
 [![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)

-
 Traefik (pronounced _traffic_) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
 Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
 Pointing Traefik at your orchestrator should be the _only_ configuration step you need.
@@ -58,20 +60,20 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
 - Circuit breakers, retry
 - See the magic through its clean web UI
- Websocket, HTTP/2, GRPC ready
+- WebSocket, HTTP/2, GRPC ready
 - Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
 - Keeps access logs (JSON, CLF)
 - Fast
 - Exposes a Rest API
 - Packaged as a single binary file (made with :heart: with go) and available as an [official](https://hub.docker.com/r/_/traefik/) docker image

-
 ## Supported Backends

 - [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
 - [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
 - [Marathon](https://doc.traefik.io/traefik/providers/marathon/)
 - [Rancher](https://doc.traefik.io/traefik/providers/rancher/) (Metadata)
+- [ECS](https://doc.traefik.io/traefik/providers/ecs/)
 - [File](https://doc.traefik.io/traefik/providers/file/)

 ## Quickstart
@@ -88,11 +90,10 @@ You can access the simple HTML frontend of Traefik.

 You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).

-A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
-
 ## Support

 To get community support, you can:
+
 - join the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)

 If you need commercial support, please contact [Traefik.io](https://traefik.io) by mail: <mailto:support@traefik.io>.
@@ -124,9 +125,8 @@ You can find high level and deep dive videos on [videos.traefik.io](https://vide
 ## Maintainers

 We are strongly promoting a philosophy of openness and sharing, and firmly standing against the elitist closed approach. Being part of the core team should be accessible to anyone who is motivated and want to be part of that journey!
-This [document](docs/content/contributing/maintainers-guidelines.md) describes how to be part of the core team as well as various responsibilities and guidelines for Traefik maintainers.
-You can also find more information on our process to review pull requests and manage issues [in this document](docs/content/contributing/maintainers.md).
-
+This [document](docs/content/contributing/maintainers-guidelines.md) describes how to be part of the [maintainers' team](docs/content/contributing/maintainers.md) as well as various responsibilities and guidelines for Traefik maintainers.
+You can also find more information on our process to review pull requests and manage issues [in this document](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md).

 ## Contributing

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,8 +1,7 @@
 # Security Policy

-We strongly advise you to register your Traefik instances to [Pilot](https://pilot.traefik.io) to be notified of security advisories that apply to your Traefik version.
-You can also join our security mailing list to be aware of the latest announcements from our security team.
-You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+You can join our security mailing list to be aware of the latest announcements from our security team.
+You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).

 Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).

@@ -17,7 +16,7 @@ Each version is supported until the next one is released (e.g. 1.1.x will be sup
 We use [Semantic Versioning](https://semver.org/).

 | Version   | Supported          |
-| --------- | ------------------ |
+|-----------|--------------------|
 | `2.2.x`   | :white_check_mark: |
 | `< 2.2.x` | :x:                |
 | `1.7.x`   | :white_check_mark: |
@@ -26,4 +25,6 @@ We use [Semantic Versioning](https://semver.org/).
 ## Reporting a Vulnerability

 We want to keep Traefik safe for everyone.
-If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).
+If you've discovered a security vulnerability in Traefik,
+we appreciate your help in disclosing it to us in a responsible manner,
+by creating a [security advisory](https://github.com/traefik/traefik/security/advisories).
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,37 +0,0 @@
-FROM golang:1.17-alpine
-
-RUN apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
-    && update-ca-certificates \
-    && rm -rf /var/cache/apk/*
-
-# Which docker version to test on
-ARG DOCKER_VERSION=18.09.7
-
-# Download docker
-RUN mkdir -p /usr/local/bin \
-    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
-    | tar -xzC /usr/local/bin --transform 's#^.+/##x'
-
-# Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $GOPATH/bin v1.46.2
-
-# Download misspell binary to bin folder in $GOPATH
-RUN curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
-
-# Download goreleaser binary to bin folder in $GOPATH
-RUN curl -sfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | sh
-
-WORKDIR /go/src/github.com/traefik/traefik
-
-# Because of CVE-2022-24765 (https://github.blog/2022-04-12-git-security-vulnerability-announced/),
-# we configure git to allow the Traefik codebase path on the Host for docker in docker usages.
-ARG HOST_PWD=""
-
-RUN git config --global --add safe.directory "${HOST_PWD}"
-
-# Download go modules
-COPY go.mod .
-COPY go.sum .
-RUN GO111MODULE=on GOPROXY=https://proxy.golang.org go mod download
-
-COPY . /go/src/github.com/traefik/traefik
--- a/cmd/healthcheck/healthcheck.go
+++ b/cmd/healthcheck/healthcheck.go
@@ -64,7 +64,7 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 	client := &http.Client{Timeout: 5 * time.Second}
 	protocol := "http"

-	// FIXME Handle TLS on ping etc...
+	// TODO Handle TLS on ping etc...
 	// if pingEntryPoint.TLS != nil {
 	// 	protocol = "https"
 	// 	tr := &http.Transport{
--- a/cmd/internal/gen/centrifuge.go
+++ b/cmd/internal/gen/centrifuge.go
@@ -13,6 +13,7 @@ import (
 	"path"
 	"path/filepath"
 	"reflect"
+	"slices"
 	"sort"
 	"strings"

@@ -72,22 +73,16 @@ func NewCentrifuge(rootPkg string) (*Centrifuge, error) {

 // Run runs the code extraction and the code generation.
 func (c Centrifuge) Run(dest string, pkgName string) error {
-	files, err := c.run(c.pkg.Scope(), c.rootPkg, pkgName)
-	if err != nil {
-		return err
-	}
+	files := c.run(c.pkg.Scope(), c.rootPkg, pkgName)

-	err = fileWriter{baseDir: dest}.Write(files)
+	err := fileWriter{baseDir: dest}.Write(files)
 	if err != nil {
 		return err
 	}

 	for _, p := range c.pkg.Imports() {
-		if contains(c.IncludedImports, p.Path()) {
-			fls, err := c.run(p.Scope(), p.Path(), p.Name())
-			if err != nil {
-				return err
-			}
+		if slices.Contains(c.IncludedImports, p.Path()) {
+			fls := c.run(p.Scope(), p.Path(), p.Name())

 			err = fileWriter{baseDir: filepath.Join(dest, p.Name())}.Write(fls)
 			if err != nil {
@@ -99,11 +94,11 @@ func (c Centrifuge) Run(dest string, pkgName string) error {
 	return err
 }

-func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) (map[string]*File, error) {
+func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) map[string]*File {
 	files := map[string]*File{}

 	for _, name := range sc.Names() {
-		if contains(c.ExcludedTypes, name) {
+		if slices.Contains(c.ExcludedTypes, name) {
 			continue
 		}

@@ -113,7 +108,7 @@ func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) (map[st
 		}

 		filename := filepath.Base(c.fileSet.File(o.Pos()).Name())
-		if contains(c.ExcludedFiles, path.Join(rootPkg, filename)) {
+		if slices.Contains(c.ExcludedFiles, path.Join(rootPkg, filename)) {
 			continue
 		}

@@ -158,14 +153,14 @@ func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) (map[st
 		}
 	}

-	return files, nil
+	return files
 }

 func (c Centrifuge) writeStruct(name string, obj *types.Struct, rootPkg string, elt *File) string {
 	b := strings.Builder{}
 	b.WriteString(fmt.Sprintf("type %s struct {\n", name))

-	for i := 0; i < obj.NumFields(); i++ {
+	for i := range obj.NumFields() {
 		field := obj.Field(i)

 		if !field.Exported() {
@@ -243,16 +238,6 @@ func extractPackage(t types.Type) string {
 	}
 }

-func contains(values []string, value string) bool {
-	for _, val := range values {
-		if val == value {
-			return true
-		}
-	}
-
-	return false
-}
-
 type fileWriter struct {
 	baseDir string
 }
--- a/cmd/traefik/plugins.go
+++ b/cmd/traefik/plugins.go
@@ -30,18 +30,17 @@ func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]p
 	if hasPlugins(staticCfg) {
 		opts := plugins.ClientOptions{
 			Output: outputDir,
-			Token:  getPilotToken(staticCfg),
 		}

 		var err error
 		client, err = plugins.NewClient(opts)
 		if err != nil {
-			return nil, nil, nil, err
+			return nil, nil, nil, fmt.Errorf("unable to create plugins client: %w", err)
 		}

 		err = plugins.SetupRemotePlugins(client, staticCfg.Experimental.Plugins)
 		if err != nil {
-			return nil, nil, nil, err
+			return nil, nil, nil, fmt.Errorf("unable to set up plugins environment: %w", err)
 		}

 		plgs = staticCfg.Experimental.Plugins
@@ -75,18 +74,6 @@ func checkUniquePluginNames(e *static.Experimental) error {
 	return nil
 }

-func isPilotEnabled(staticCfg *static.Configuration) bool {
-	return staticCfg.Pilot != nil && staticCfg.Pilot.Token != ""
-}
-
-func getPilotToken(staticCfg *static.Configuration) string {
-	if staticCfg.Pilot == nil {
-		return ""
-	}
-
-	return staticCfg.Pilot.Token
-}
-
 func hasPlugins(staticCfg *static.Configuration) bool {
 	return staticCfg.Experimental != nil && len(staticCfg.Experimental.Plugins) > 0
 }
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"crypto/x509"
-	"encoding/json"
 	"fmt"
 	stdlog "log"
 	"net/http"
@@ -15,7 +14,7 @@ import (
 	"syscall"
 	"time"

-	"github.com/coreos/go-systemd/daemon"
+	"github.com/coreos/go-systemd/v22/daemon"
 	"github.com/go-acme/lego/v4/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
 	"github.com/sirupsen/logrus"
@@ -31,19 +30,20 @@ import (
 	"github.com/traefik/traefik/v2/pkg/log"
 	"github.com/traefik/traefik/v2/pkg/metrics"
 	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
-	"github.com/traefik/traefik/v2/pkg/pilot"
 	"github.com/traefik/traefik/v2/pkg/provider/acme"
 	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
-	"github.com/traefik/traefik/v2/pkg/provider/hub"
 	"github.com/traefik/traefik/v2/pkg/provider/traefik"
+	"github.com/traefik/traefik/v2/pkg/redactor"
 	"github.com/traefik/traefik/v2/pkg/safe"
 	"github.com/traefik/traefik/v2/pkg/server"
 	"github.com/traefik/traefik/v2/pkg/server/middleware"
 	"github.com/traefik/traefik/v2/pkg/server/service"
 	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/tracing"
+	"github.com/traefik/traefik/v2/pkg/tracing/jaeger"
 	"github.com/traefik/traefik/v2/pkg/types"
 	"github.com/traefik/traefik/v2/pkg/version"
-	"github.com/vulcand/oxy/roundrobin"
+	"github.com/vulcand/oxy/v2/roundrobin"
 )

 func main() {
@@ -100,12 +100,11 @@ func runCmd(staticConfiguration *static.Configuration) error {

 	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)

-	jsonConf, err := json.Marshal(staticConfiguration)
+	redactedStaticConfiguration, err := redactor.RemoveCredentials(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not marshal static configuration: %v", err)
-		log.WithoutContext().Debugf("Static configuration loaded [struct] %#v", staticConfiguration)
+		log.WithoutContext().Errorf("Could not redact static configuration: %v", err)
 	} else {
-		log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf))
+		log.WithoutContext().Debugf("Static configuration loaded %s", redactedStaticConfiguration)
 	}

 	if staticConfiguration.Global.CheckNewVersion {
@@ -187,7 +186,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}

-	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)
+	acmeProviders := initACMEProvider(staticConfiguration, providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider, routinesPool)

 	// Entrypoints

@@ -201,34 +200,28 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}

-	// Pilot
-
-	var aviator *pilot.Pilot
-	var pilotRegistry *metrics.PilotRegistry
-	if isPilotEnabled(staticConfiguration) {
-		pilotRegistry = metrics.RegisterPilot()
-
-		aviator = pilot.New(staticConfiguration.Pilot.Token, pilotRegistry, routinesPool)
-
-		routinesPool.GoCtx(func(ctx context.Context) {
-			aviator.Tick(ctx)
-		})
+	if staticConfiguration.Pilot != nil {
+		log.WithoutContext().Warn("Traefik Pilot has been removed.")
 	}

-	if staticConfiguration.Pilot != nil {
-		log.WithoutContext().Warn("Traefik Pilot is deprecated and will be removed soon. Please check our Blog for migration instructions later this year.")
+	if staticConfiguration.API != nil {
+		version.DisableDashboardAd = staticConfiguration.API.DisableDashboardAd
 	}

 	// Plugins

 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
 	if err != nil {
-		return nil, err
+		log.WithoutContext().WithError(err).Error("Plugins are disabled because an error has occurred.")
 	}

 	// Providers plugins

 	for name, conf := range staticConfiguration.Providers.Plugin {
+		if pluginBuilder == nil {
+			break
+		}
+
 		p, err := pluginBuilder.BuildProvider(name, conf)
 		if err != nil {
 			return nil, fmt.Errorf("plugin: failed to build provider: %w", err)
@@ -240,25 +233,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		}
 	}

-	// Traefik Hub
-
-	if staticConfiguration.Hub != nil {
-		if err = providerAggregator.AddProvider(staticConfiguration.Hub); err != nil {
-			return nil, fmt.Errorf("adding Traefik Hub provider: %w", err)
-		}
-
-		// API is mandatory for Traefik Hub to access the dynamic configuration.
-		if staticConfiguration.API == nil {
-			staticConfiguration.API = &static.API{}
-		}
-	}
-
 	// Metrics

 	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
-	if pilotRegistry != nil {
-		metricRegistries = append(metricRegistries, pilotRegistry)
-	}
 	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)

 	// Service manager factory
@@ -270,7 +247,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// Router factory

 	accessLog := setupAccessLog(staticConfiguration.AccessLog)
-	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
+	tracer := setupTracing(staticConfiguration.Tracing)
+
+	chainBuilder := middleware.NewChainBuilder(metricsRegistry, accessLog, tracer)
 	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry)

 	// Watcher
@@ -288,7 +267,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)

 		gauge := metricsRegistry.TLSCertsNotAfterTimestampGauge()
-		for _, certificate := range tlsManager.GetCertificates() {
+		for _, certificate := range tlsManager.GetServerCertificates() {
 			appendCertMetric(gauge, certificate)
 		}
 	})
@@ -305,10 +284,10 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	})

 	// Switch router
-	watcher.AddListener(switchRouter(routerFactory, serverEntryPointsTCP, serverEntryPointsUDP, aviator))
+	watcher.AddListener(switchRouter(routerFactory, serverEntryPointsTCP, serverEntryPointsUDP))

 	// Metrics
-	if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
+	if metricsRegistry.IsEpEnabled() || metricsRegistry.IsRouterEnabled() || metricsRegistry.IsSvcEnabled() {
 		var eps []string
 		for key := range serverEntryPointsTCP {
 			eps = append(eps, key)
@@ -335,11 +314,8 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 				continue
 			}

-			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok &&
-				// "traefik-hub" is an allowed certificate resolver name in a Traefik Hub Experimental feature context.
-				// It is used to activate its own certificate resolution, even though it is not a "classical" traefik certificate resolver.
-				(staticConfiguration.Hub == nil || rt.TLS.CertResolver != "traefik-hub") {
-				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
+				log.WithoutContext().Errorf("Router %s uses a nonexistent resolver: %s", rtName, rt.TLS.CertResolver)
 			}
 		}
 	})
@@ -361,11 +337,6 @@ func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvid
 func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
 	var defaultEntryPoints []string
 	for name, cfg := range staticConfiguration.EntryPoints {
-		// Traefik Hub entryPoint should not be part of the set of default entryPoints.
-		if hub.APIEntrypoint == name || hub.TunnelEntrypoint == name {
-			continue
-		}
-
 		protocol, err := cfg.GetProtocol()
 		if err != nil {
 			// Should never happen because Traefik should not start if protocol is invalid.
@@ -381,23 +352,19 @@ func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string
 	return defaultEntryPoints
 }

-func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints, aviator *pilot.Pilot) func(conf dynamic.Configuration) {
+func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints) func(conf dynamic.Configuration) {
 	return func(conf dynamic.Configuration) {
 		rtConf := runtime.NewConfig(conf)

 		routers, udpRouters := routerFactory.CreateRouters(rtConf)

-		if aviator != nil {
-			aviator.SetDynamicConfiguration(conf)
-		}
-
 		serverEntryPointsTCP.Switch(routers)
 		serverEntryPointsUDP.Switch(udpRouters)
 	}
 }

 // initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
-func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
+func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider, routinesPool *safe.Pool) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}

 	var resolvers []*acme.Provider
@@ -407,7 +374,7 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 		}

 		if localStores[resolver.ACME.Storage] == nil {
-			localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
+			localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage, routinesPool)
 		}

 		p := &acme.Provider{
@@ -504,13 +471,79 @@ func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {

 	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
 	if err != nil {
-		log.WithoutContext().Warnf("Unable to create access logger : %v", err)
+		log.WithoutContext().Warnf("Unable to create access logger: %v", err)
 		return nil
 	}

 	return accessLoggerMiddleware
 }

+func setupTracing(conf *static.Tracing) *tracing.Tracing {
+	if conf == nil {
+		return nil
+	}
+
+	var backend tracing.Backend
+
+	if conf.Jaeger != nil {
+		backend = conf.Jaeger
+	}
+
+	if conf.Zipkin != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Zipkin backend.")
+		} else {
+			backend = conf.Zipkin
+		}
+	}
+
+	if conf.Datadog != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Datadog backend.")
+		} else {
+			backend = conf.Datadog
+		}
+	}
+
+	if conf.Instana != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Instana backend.")
+		} else {
+			backend = conf.Instana
+		}
+	}
+
+	if conf.Haystack != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Haystack backend.")
+		} else {
+			backend = conf.Haystack
+		}
+	}
+
+	if conf.Elastic != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Elastic backend.")
+		} else {
+			backend = conf.Elastic
+		}
+	}
+
+	if backend == nil {
+		log.WithoutContext().Debug("Could not initialize tracing, using Jaeger by default")
+		defaultBackend := &jaeger.Config{}
+		defaultBackend.SetDefaults()
+		backend = defaultBackend
+	}
+
+	tracer, err := tracing.NewTracing(conf.ServiceName, conf.SpanNameLimit, backend)
+	if err != nil {
+		log.WithoutContext().Warnf("Unable to create tracer: %v", err)
+		return nil
+	}
+	return tracer
+}
+
 func configureLogging(staticConfiguration *static.Configuration) {
 	// configure default log flags
 	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
--- a/cmd/traefik/traefik_test.go
+++ b/cmd/traefik/traefik_test.go
@@ -94,7 +94,6 @@ func TestAppendCertMetric(t *testing.T) {
 	}

 	for _, test := range testCases {
-		test := test
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

--- a/debug.Dockerfile
+++ b/debug.Dockerfile
@@ -1,10 +0,0 @@
-FROM alpine:3.14
-# Feel free to add below any helpful dependency for debugging.
-# iproute2 is for ss.
-RUN apk --no-cache --no-progress add bash curl ca-certificates tzdata lsof iproute2 \
-    && update-ca-certificates \
-    && rm -rf /var/cache/apk/*
-COPY dist/traefik /
-EXPOSE 80
-VOLUME ["/tmp"]
-ENTRYPOINT ["/traefik"]
--- a/docs/check.Dockerfile
+++ b/docs/check.Dockerfile
@@ -1,20 +1,19 @@
-FROM alpine:3.14 as alpine
+FROM alpine:3.22

 RUN apk --no-cache --no-progress add \
    build-base \
+    gcompat \
    libcurl \
    libxml2-dev \
    libxslt-dev \
    ruby \
    ruby-bigdecimal \
    ruby-dev \
-    ruby-etc \
    ruby-ffi \
-    ruby-json \
    zlib-dev

-RUN gem install nokogiri --version 1.13.3 --no-document -- --use-system-libraries
-RUN gem install html-proofer --version 3.19.3 --no-document -- --use-system-libraries
+RUN gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
+RUN gem install html-proofer --version 5.0.10 --no-document -- --use-system-libraries

 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \
@@ -22,12 +21,9 @@ RUN apk --no-cache --no-progress add \
    nodejs \
    npm

-# To handle 'not get uid/gid'
-RUN npm config set unsafe-perm true
-
 RUN npm install --global \
-    markdownlint@0.22.0 \
-    markdownlint-cli@0.26.0
+    markdownlint@0.29.0 \
+    markdownlint-cli@0.35.0

 # Finally the shell tools we need for later
 # tini helps to terminate properly all the parallelized tasks when sending CTRL-C
--- a/docs/content/assets/img/traefik.logo-dark.png
+++ b/docs/content/assets/img/traefik.logo-dark.png
--- a/docs/content/contributing/advocating.md
+++ b/docs/content/contributing/advocating.md
@@ -1,15 +1,15 @@
 ---
 title: "Traefik Advocation Documentation"
-description: "There are many ways to contribute to Traefik Proxy. If you're talking about Traefik, let us know and we'll promote your enthusiasm!"
+description: "There are many ways to contribute to Traefik Proxy. Let us know if you’re talking about Traefik, and we'll promote your enthusiasm!"
 ---

 # Advocating

-Spread the Love & Tell Us about It
+Spread the Love & Tell Us About It
 {: .subtitle }

-Traefik Proxy was started by the community for the community.
-You can contribute to the Traefik community in three main ways: 
+Traefik Proxy was started by the community and for the community.
+You can contribute to the Traefik community in three main ways:

 **Spread the word!** Guides, videos, blog posts, how-to articles, and showing off your network design all help spread the word about Traefik Proxy
 and teach others in the community how to best implement it.
@@ -28,4 +28,4 @@ Luckily, as an open source community, our users can help by [building awesome fe
 We are a big community, so we do need to prioritize a bit.
 That is why we use the tag `contributor/wanted` to let you know which pull requests will make it to the front of the queue for design support and review.
 Feel free to grab one of these and run with it.
-Top contributors get unique swag to celebrate. 
+Top contributors get unique swag to celebrate.
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -8,67 +8,18 @@ description: "Compile and test your own Traefik Proxy! Learn how to build your o
 Compile and Test Your Own Traefik!
 {: .subtitle }

-So you want to build your own Traefik binary from the sources?
+You want to build your own Traefik binary from the sources?
 Let's see how.

 ## Building

-You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build Traefik.
-For changes to its dependencies, the `dep` dependency management tool is required.
-
-### Method 1: Using `Docker` and `Makefile`
-
-Run make with the `binary` target.
-This will create binaries for the Linux platform in the `dist` folder.
-
-In case when you run build on CI, you may probably want to run docker in non-interactive mode. To achieve that define `DOCKER_NON_INTERACTIVE=true` environment variable.
-
-```bash
-$ make binary
-docker build -t traefik-webui -f webui/Dockerfile webui
-Sending build context to Docker daemon  2.686MB
-Step 1/11 : FROM node:8.15.0
- ---> 1f6c34f7921c
-[...]
-Successfully built ce4ff439c06a
-Successfully tagged traefik-webui:latest
-[...]
-docker build  -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
-Sending build context to Docker daemon    279MB
-Step 1/10 : FROM golang:1.16-alpine
- ---> f4bfb3d22bda
-[...]
-Successfully built 5c3c1a911277
-Successfully tagged traefik-dev:4475--feature-documentation
-docker run  -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock" -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -e VERBOSE -e VERSION -e CODENAME -e TESTDIRS -e CI -e CONTAINER=DOCKER		 -v "/home/ldez/sources/go/src/github.com/traefik/traefik/"dist":/go/src/github.com/traefik/traefik/"dist"" "traefik-dev:4475--feature-documentation" ./script/make.sh generate binary
---> Making bundle: generate (in .)
-removed 'autogen/genstatic/gen.go'
-
---> Making bundle: binary (in .)
-
-$ ls dist/
-traefik*
-```
-
-The following targets can be executed outside Docker by setting the variable `IN_DOCKER` to an empty string (although be aware that some of the tests might fail in that context):
-
- `test-unit`
- `test-integration`
- `validate`
- `binary` (the webUI is still generated by using Docker)
-
-ex:
-
-```bash
-IN_DOCKER= make test-unit
-```
-
-### Method 2: Using `go`
-
-Requirements:
-
- `go` v1.16+
- environment variable `GO111MODULE=on`
+You need:
+    - [Docker](https://github.com/docker/docker "Link to website of Docker") 
+    - `make`
+    - [Go](https://go.dev/ "Link to website of Go")
+    - [misspell](https://github.com/golangci/misspell)
+    - [shellcheck](https://github.com/koalaman/shellcheck)
+    - [Tailscale](https://tailscale.com/) if you are using Docker Desktop 

 !!! tip "Source Directory"

@@ -101,43 +52,34 @@ Requirements:
    ## ... and the list goes on
    ```

-#### Build Traefik
+### Build Traefik

 Once you've set up your go environment and cloned the source repository, you can build Traefik.

 ```bash
-# Generate UI static files
-make clean-webui generate-webui
+$ make binary
+SHA: 8fddfe118288bb5280eb5e77fa952f52def360b4 cheddar 2024-01-11_03:14:57PM
+CGO_ENABLED=0 GOGC=off GOOS=darwin GOARCH=arm64 go build  -ldflags "-s -w \
+    -X github.com/traefik/traefik/v2/pkg/version.Version=8fddfe118288bb5280eb5e77fa952f52def360b4 \
+    -X github.com/traefik/traefik/v2/pkg/version.Codename=cheddar \
+    -X github.com/traefik/traefik/v2/pkg/version.BuildDate=2024-01-11_03:14:57PM" \
+    -installsuffix nocgo -o "./dist/darwin/arm64/traefik" ./cmd/traefik

-# required to merge non-code components into the final binary,
-# such as the web dashboard/UI
-go generate
+$ ls dist/
+traefik*
 ```

-```bash
-# Standard go build
-go build ./cmd/traefik
-```
-
-You will find the Traefik executable (`traefik`) in the `~/go/src/github.com/traefik/traefik` directory.
+You will find the Traefik executable (`traefik`) in the `./dist` directory.

 ## Testing

-### Method 1: `Docker` and `make`
-
 Run unit tests using the `test-unit` target.
 Run integration tests using the `test-integration` target.
 Run all tests (unit and integration) using the `test` target.

 ```bash
 $ make test-unit
-docker build -t "traefik-dev:your-feature-branch" -f build.Dockerfile .
-# […]
-docker run --rm -it -e OS_ARCH_ARG -e OS_PLATFORM_ARG -e TESTFLAGS -v "/home/user/go/src/github/traefik/traefik/dist:/go/src/github.com/traefik/traefik/dist" "traefik-dev:your-feature-branch" ./script/make.sh generate test-unit
---> Making bundle: generate (in .)
-removed 'gen.go'
-
---> Making bundle: test-unit (in .)
+GOOS=darwin GOARCH=arm64 go test -cover "-coverprofile=cover.out" -v ./pkg/... ./cmd/...
 + go test -cover -coverprofile=cover.out .
 ok      github.com/traefik/traefik   0.005s  coverage: 4.1% of statements

@@ -146,28 +88,30 @@ Test success

 For development purposes, you can specify which tests to run by using (only works the `test-integration` target):

+??? note "Configuring Tailscale for Docker Desktop user"
+
+    Create `tailscale.secret` file in `integration` directory.
+    
+    This file needs to contain a [Tailscale auth key](https://tailscale.com/kb/1085/auth-keys) 
+    (an ephemeral, but reusable, one is recommended).
+
+    Add this section to your tailscale ACLs to auto-approve the routes for the
+    containers in the docker subnet:
+
+    ```json 
+        "autoApprovers": {
+          // Allow myself to automatically
+          // advertize routes for docker networks
+          "routes": {
+            "172.31.42.0/24": ["your_tailscale_identity"],
+          },
+        },
+    ```
+    
 ```bash
 # Run every tests in the MyTest suite
-TESTFLAGS="-check.f MyTestSuite" make test-integration
+TESTFLAGS="-test.run TestAccessLogSuite" make test-integration

 # Run the test "MyTest" in the MyTest suite
-TESTFLAGS="-check.f MyTestSuite.MyTest" make test-integration
-
-# Run every tests starting with "My", in the MyTest suite
-TESTFLAGS="-check.f MyTestSuite.My" make test-integration
-
-# Run every tests ending with "Test", in the MyTest suite
-TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
+TESTFLAGS="-test.run TestAccessLogSuite -testify.m ^TestAccessLog$" make test-integration
 ```
-
-More: https://labix.org/gocheck
-
-### Method 2: `go`
-
-Unit tests can be run from the cloned directory using `$ go test ./...` which should return `ok`, similar to:
-
-```test
-ok      _/home/user/go/src/github/traefik/traefik    0.004s
-```
-
-Integration tests must be run from the `integration/` directory and require the `-integration` switch: `$ cd integration && go test -integration ./...`.
--- a/docs/content/contributing/data-collection.md
+++ b/docs/content/contributing/data-collection.md
@@ -10,8 +10,8 @@ Understanding How Traefik is Being Used

 ## Configuration Example

-Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.  
-For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us so we can benefit from your experience and use cases.
+Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.
+For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us, so we can benefit from your experience and use cases.

 !!! example "Enabling Data Collection"

@@ -34,9 +34,7 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to

 ## Collected Data

-This feature comes from the public proposal [here](https://github.com/traefik/traefik/issues/2369).
-
-This feature is activated when using Traefik Pilot to better understand the community's need, and also to get information about plug-ins popularity.
+This feature comes from this [public proposal](https://github.com/traefik/traefik/issues/2369).

 In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
 Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
@@ -47,7 +45,7 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col

 - the Traefik version number
 - a hash of the configuration
- an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).
+- an **anonymized version** of the static configuration (token, username, password, URL, IP, domain, email, etc., are removed).

 !!! info

@@ -101,4 +99,4 @@ providers:

 If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)

-By default we anonymize all configuration fields, except fields tagged with `export=true`.
+By default, we anonymize all configuration fields, except fields tagged with `export=true`.
--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -15,10 +15,14 @@ Let's see how.

 ### General

-This [documentation](https://doc.traefik.io/traefik/) is built with [mkdocs](https://mkdocs.org/).
+This [documentation](https://doc.traefik.io/traefik/ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").

 ### Method 1: `Docker` and `make`

+Please make sure you have the following requirements installed:
+
+- [Docker](https://www.docker.com/ "Link to the website of Docker")
+
 You can build the documentation and test it locally (with live reloading), using the `docs-serve` target:

 ```bash
@@ -43,9 +47,12 @@ $ make docs-build
 ...
 ```

-### Method 2: `mkdocs`
+### Method 2: `MkDocs`

-First, make sure you have `python` and `pip` installed.
+Please make sure you have the following requirements installed:
+
+- [Python](https://www.python.org/ "Link to the website of Python")
+- [pip](https://pypi.org/project/pip/ "Link to the website of pip on PyPI")

 ```bash
 $ python --version
@@ -54,7 +61,7 @@ $ pip --version
 pip 1.5.2
 ```

-Then, install mkdocs with `pip`.
+Then, install MkDocs with `pip`.

 ```bash
 pip install --user -r requirements.txt
@@ -87,7 +94,7 @@ Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/bas

 !!! note "Clean & Verify"

-    If you've made changes to the documentation, it's safter to clean it before verifying it.
+    If you've made changes to the documentation, it's safer to clean it before verifying it.

    ```bash
    $ make docs
--- a/docs/content/contributing/maintainers-guidelines.md
+++ b/docs/content/contributing/maintainers-guidelines.md
@@ -7,89 +7,75 @@ description: "Interested in contributing more to the community and becoming a Tr

 ![Maintainer's Guidelines](../assets/img/maintainers-guidelines.png)

-Note: the document is a work in progress.
-
 Welcome to the Traefik Community.
-This document describes how to be part of the core team
-as well as various responsibilities
-and guidelines for Traefik maintainers.
+
 We are strongly promoting a philosophy of openness and sharing,
 and firmly standing against the elitist closed approach.
 Being part of the core team should be accessible to anyone motivated
 and wants to be part of that journey!

-## Onboarding Process
+## Becoming a Maintainer

-If you consider joining our community please drop us a line using Twitter or leave a note in the issue.
-We will schedule a quick call to meet you and learn more about your motivation.
-During the call, the team will discuss the process of becoming a maintainer.
-We will be happy to answer any questions and explain all your doubts.
+Before a contributor becomes a maintainer, they should meet the following requirements:

-## Maintainer's Requirements
+- The contributor enabled [2FA](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) on their GitHub account

-Note: you do not have to meet all the listed requirements,
-but must have achieved several.
+- The contributor showed a consistent pattern of helpful, non-threatening, and friendly behavior towards other community members in the past.
+
+- The contributor has read and accepted the maintainer's guidelines.
+
+The contributor should also meet one or several of the following requirements:

- Enabled [2FA](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) on your GitHub account
 - The contributor has opened and successfully run medium to large PR’s in the past 6 months.
+
 - The contributor has participated in multiple code reviews of other PR’s,
  including those of other maintainers and contributors.
- The contributor showed a consistent pattern of helpful, non-threatening, and friendly behavior towards other community members in the past.
+
 - The contributor is active on Traefik Community forums
-  or other technical forums/boards such as K8S slack, Reddit, StackOverflow, hacker news.
- Have read and accepted the contributor guidelines.
+  or other technical forums/boards, such as K8S Slack, Reddit, StackOverflow, and Hacker News.
+
+Any existing active maintainer can create an issue to discuss promoting a contributor to maintainer. 
+Other maintainers can vote on the issue, and if the quorum is reached, the contributor is promoted to maintainer.
+If the quorum is not reached within one month after the issue is created, it is closed.

 ## Maintainer's Responsibilities and Privileges

-There are lots of areas where you can contribute to the project,
-but we can suggest you start with activities such as:
+As a maintainer, you are granted a vote for the following:

- PR reviewing.
-    - According to our guidelines we require you have at least 3 reviewers,
-      thus you can review a PR and leave the relevant comment if it is necessary.
- Participating in a daily [issue triage](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md).
-    - The process helps to understand and prioritize the reported issue according to its importance and severity.
-      This is crucial to learn how our users implement Traefik.
-      Each of the issues that are labeled as bug/possible bug/confirmed requires a reproducible use case. 
-      You can help in creating a reproducible use case if it has not been added to the issue
-      or use the sample code provided by the reporter.
-      Typically, a simple docker compose should be enough to reproduce the issue.
- Code contribution.
- Documentation contribution.
-    - Technical documentation is one of the most important components of the product.
-      The ability to set up a testing environment in a few minutes,
-      using the official documentation,
-      is a game changer.
- You will be listed on our Maintainers GitHub page
-  as well as on our website in the section [maintainers](maintainers.md).
- We will be promoting you on social channels (mostly on Twitter).
+- [PR review](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md).

-## Governance
+- [Design review](https://github.com/traefik/contributors-guide/blob/master/proposals.md).

- Roadmap meetings on a regular basis where all maintainers are welcome.
+- [Proposals](https://github.com/traefik/contributors-guide/blob/master/proposals.md).
+
+Maintainers are also added to the maintainer's Discord server where happens the [issue triage](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md)
+and appear on the [Maintainers](maintainers.md) page.
+
+As a maintainer, you should: 
+
+- Prioritize PR reviews, design reviews, and issue triage above any other task. 
+
+Making sure contributors and community members are listened to and have an impact on the project is essential to keeping the project active and develop a thriving community.
+
+- Prioritize helping contributors reaching the expecting quality level over rewriting contributions.
+
+Any triage activity on issues and PRs (e.g. labels, marking messages as off-topic, refusing, marking duplicates) should result from a collective decision to ensure knowledge is shared among maintainers.

 ## Communicating

- All of our maintainers are added to Slack #traefik-maintainers channel that belongs to Traefik labs workspace.
-  Having the team in one place helps us to communicate effectively. 
-  You can reach Traefik core developers directly,
-  which offers the possibility to discuss issues, pull requests, enhancements more efficiently
+- All of our maintainers are added to the Traefik Maintainers Discord server that belongs to Traefik labs.
+  Having the team in one place helps us to communicate effectively.
+  Maintainers can discuss issues, pull requests, enhancements more efficiently
  and get the feedback almost immediately.
  Fewer blockers mean more fun and engaging work.

- On a daily basis, we publish a report that includes all the activities performed during the day.
-  You are updated in regard to the workload that has been processed including:
-  working on the new features and enhancements,
-  activities related to the reported issues and PR’s,
-  other important project-related announcements.
+- Every decision made on the discord server among maintainers is documented so it's visible to the rest of the community.

- At 5:00 PM CET every day we review all the created issues that have been reported,
-  assign them the appropriate *[labels](maintainers.md#labels)*
-  and prioritize them based on the severity of the problem.
-  The process is called *[issue triaging](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md)*.
-  Each of the maintainers is welcome to join the meeting.
-  For that purpose, we use a dedicated Discord server
-  where you are invited once you have become the official maintainer.
+- Maintainers express their opinions on issues and reviews. 
+  It is fine to have different point of views. 
+  We encourage active and open conversations which goals are to improve Traefik.
+
+- When discussing issues and proposals, maintainers should share as much information as possible to help solve the issue.

 ## Maintainers Activity

@@ -97,38 +83,45 @@ In order to keep the core team efficient and dynamic,
 maintainers' activity and involvement will be reviewed on a regular basis.

 - Has the maintainer engaged with the team and the community by meeting two or more of these benchmarks in the past six months?
+
    - Has the maintainer participated in at least two or three maintainer meetings?
+
    - Substantial review of at least one or two PRs from either contributors or maintainers.
+
    - Opened at least one or two bug fixes or feature request PRs
      that were eventually merged (or on a trajectory for merge).
+
    - Substantial participation in the Help Wanted program (answered questions, helped identify issues, applied guidelines from the Help Wanted guide to open issues).
+
    - Substantial participation with the community in general.

 - Has the maintainer shown a consistent pattern of helpful,
  non-threatening,
  and friendly behavior towards other people on the maintainer team and with our community?

-## Additional Comments for (not only) Maintainers
+## Additional Comments for Maintainers (that should apply to any contributor)

- Be able to put yourself in users’ shoes.
- Be open-minded and respectful with other maintainers and other community members.
- Keep the communication public - 
+- Be respectful with other maintainers and other community members.
+
+- Be open minded when participating in conversations: try to put yourself in others’ shoes.
+
+- Keep the communication public -
  if anyone tries to communicate with you directly,
-  ask him politely to move the conversation to a public communication channel.
+  ask politely to move the conversation to a public communication channel.
+
 - Stay away from defensive comments.
+
 - Please try to express your thoughts clearly enough
  and note that some of us are not native English speakers.
  Try to rephrase your sentences, avoiding mental shortcuts;
-  none of us is able to predict your thoughts.
- There are a lot of use cases of using Traefik
-  and even more issues that are difficult to reproduce.
-  If the issue can’t be replicated due to a lack of reproducible case (a simple docker compose should be enough) - 
-  set your time limits while working on the issue
-  and express clearly that you were not able to replicate it.
-  You can come back later to that case.
+  none of us is able to predict anyone's thoughts.
+
 - Be proactive.
+
 - Emoji are fine,
  but if you express yourself clearly enough they are not necessary.
  They will not replace good communication.
- Embrace mentorship.
- Keep in mind that we all have the same intent to improve the project.
+
+- Embrace mentorship: help others grow and match the quality level we strive for.
+
+- Keep in mind that we all have the same goal: improve the project.
--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -5,18 +5,12 @@ description: "Traefik Proxy is an open source software with a thriving community

 # Maintainers

-## The Team
+## Active Maintainers

 * Emile Vauge [@emilevauge](https://github.com/emilevauge)
-* Vincent Demeester [@vdemeester](https://github.com/vdemeester)
-* Ed Robinson [@errm](https://github.com/errm)
-* Daniel Tomcej [@dtomcej](https://github.com/dtomcej)
 * Manuel Zapf [@SantoDE](https://github.com/SantoDE)
-* Timo Reimann [@timoreimann](https://github.com/timoreimann)
-* Ludovic Fernandez [@ldez](https://github.com/ldez)
 * Julien Salleyron [@juliens](https://github.com/juliens)
 * Nicolas Mengin [@nmengin](https://github.com/nmengin)
-* Marco Jantke [@mjantke](https://github.com/mjeri)
 * Michaël Matur [@mmatur](https://github.com/mmatur)
 * Gérald Croës [@geraldcroes](https://github.com/geraldcroes)
 * Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou)
@@ -25,109 +19,21 @@ description: "Traefik Proxy is an open source software with a thriving community
 * Kevin Pollet [@kevinpollet](https://github.com/kevinpollet)
 * Harold Ozouf [@jspdown](https://github.com/jspdown)
 * Tom Moulard [@tommoulard](https://github.com/tommoulard)
+* Landry Benguigui [@lbenguigui](https://github.com/lbenguigui)
+* Simon Delicata [@sdelicata](https://github.com/sdelicata)
+* Baptiste Mayelle [@youkoulayley](https://github.com/youkoulayley)
+
+## Past Maintainers
+
+People who have had an incredibly positive impact on the project, and are now focusing on other projects.
+
+* Vincent Demeester [@vdemeester](https://github.com/vdemeester)
+* Ed Robinson [@errm](https://github.com/errm)
+* Daniel Tomcej [@dtomcej](https://github.com/dtomcej)
+* Timo Reimann [@timoreimann](https://github.com/timoreimann)
+* Marco Jantke [@mjantke](https://github.com/mjeri)
+* Ludovic Fernandez [@ldez](https://github.com/ldez)

 ## Maintainer's Guidelines

-Please read the [maintainer's guidelines](maintainers-guidelines.md)
-
-## Issue Triage
-
-Issues and PRs are triaged daily and the process for triaging may be found under [triaging issues](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in our [contributors guide repository](https://github.com/traefik/contributors-guide).
-
-## PR Review Process
-
-The process for reviewing PRs may be found under [review guidelines](https://github.com/traefik/contributors-guide/blob/master/review_guidelines.md) in our contributors guide repository.
-
-## Labels
-
-A maintainer that looks at an issue/PR must define its `kind/*`, `area/*`, and `status/*`.
-
-### Status - Workflow
-
-The `status/*` labels represent the desired state in the workflow.
-
-* `status/0-needs-triage`: all the new issues and PRs have this status. _[bot only]_
-* `status/1-needs-design-review`: needs a design review. **(only for PR)**
-* `status/2-needs-review`: needs a code/documentation review. **(only for PR)**
-* `status/3-needs-merge`: ready to merge. **(only for PR)**
-* `status/4-merge-in-progress`: merge is in progress. _[bot only]_
-
-### Contributor
-
-* `contributor/need-more-information`: we need more information from the contributor in order to analyze a problem.
-* `contributor/waiting-for-feedback`: we need the contributor to give us feedback.
-* `contributor/waiting-for-corrections`: we need the contributor to take actions in order to move forward with a PR. **(only for PR)** _[bot, humans]_
-* `contributor/needs-resolve-conflicts`: use it only when there is some conflicts (and an automatic rebase is not possible). **(only for PR)** _[bot, humans]_
-
-### Kind
-
-* `kind/enhancement`: a new or improved feature.
-* `kind/question`: a question. **(only for issue)**
-* `kind/proposal`: a proposal that needs to be discussed.
-    * _Proposal issues_ are design proposals
-    * _Proposal PRs_ are technical prototypes that need to be refined with multiple contributors.
-
-* `kind/bug/possible`: a possible bug that needs analysis before it is confirmed or fixed. **(only for issues)**
-* `kind/bug/confirmed`: a confirmed bug (reproducible). **(only for issues)**
-* `kind/bug/fix`: a bug fix. **(only for PR)**
-
-### Resolution
-
-* `resolution/duplicate`: a duplicate issue/PR.
-* `resolution/declined`: declined (Rule #1 of open-source: no is temporary, yes is forever).
-* `WIP`: Work In Progress. **(only for PR)**
-
-### Platform
-
-* `platform/windows`: Windows related.
-
-### Area
-
-* `area/acme`: ACME related.
-* `area/api`: Traefik API related.
-* `area/authentication`: Authentication related.
-* `area/cluster`: Traefik clustering related.
-* `area/documentation`: Documentation related.
-* `area/infrastructure`: CI or Traefik building scripts related.
-* `area/healthcheck`: Health-check related.
-* `area/logs`: Logs related.
-* `area/middleware`: Middleware related.
-* `area/middleware/metrics`: Metrics related. (Prometheus, StatsD, ...)
-* `area/middleware/tracing`: Tracing related. (Jaeger, Zipkin, ...)
-* `area/oxy`: Oxy related.
-* `area/provider`: related to all providers.
-* `area/provider/boltdb`: Boltd DB related.
-* `area/provider/consul`: Consul related.
-* `area/provider/docker`: Docker and Swarm related.
-* `area/provider/ecs`: ECS related.
-* `area/provider/etcd`: Etcd related.
-* `area/provider/eureka`: Eureka related.
-* `area/provider/file`: file provider related.
-* `area/provider/k8s`: Kubernetes related.
-* `area/provider/kv`: KV related.
-* `area/provider/marathon`: Marathon related.
-* `area/provider/mesos`: Mesos related.
-* `area/provider/rancher`: Rancher related.
-* `area/provider/servicefabric`: Azure service fabric related.
-* `area/provider/zk`: Zoo Keeper related.
-* `area/rules`: Rules related.
-* `area/server`: Server related.
-* `area/sticky-session`: Sticky session related.
-* `area/tls`: TLS related.
-* `area/websocket`: WebSocket related.
-* `area/webui`: Web UI related.
-
-### Issues Priority
-
-* `priority/P0`: needs hot fix.
-* `priority/P1`: need to be fixed in next release.
-* `priority/P2`: need to be fixed in the future.
-* `priority/P3`: maybe.
-
-### PR Size
-
-Automatically set by a bot.
-
-* `size/S`: small PR.
-* `size/M`: medium PR.
-* `size/L`: Large PR.
+Please read the [maintainer's guidelines](maintainers-guidelines.md).
--- a/docs/content/contributing/submitting-issues.md
+++ b/docs/content/contributing/submitting-issues.md
@@ -9,10 +9,10 @@ Help Us Help You!
 {: .subtitle }

 Issues are perfect for requesting a feature/enhancement or reporting a suspected bug.
-We use the [GitHub issue tracker](https://github.com/traefik/traefik/issues) to keep track of issues in Traefik. 
+We use the [GitHub issue tracker](https://github.com/traefik/traefik/issues) to keep track of issues in Traefik.

-The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting).
-To help us (and other community members) quickly and easily understand what you need,
+The process of sorting and checking the issues is a daunting task, and requires a lot of work.
+To help maintainers (and other community members) quickly and effortlessly understand what you need,
 be sure to follow the guidelines below.

 !!! important "Getting Help Vs Reporting an Issue"
@@ -33,16 +33,17 @@ Examples:

 ## Feature Request

-Traefik is an open source project and aims to be the best edge router possible. 
+Traefik is an open source project and aims to be the best edge router possible.

 Remember when asking for new features that these must be useful to the majority (and not only useful in edge case scenarios, or hack-like setups).
 Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE/feature-request.yml) as much as possible.

 Do your best to explain what you're looking for, and why it would improve Traefik for everyone.
 Be detailed and share the use-case(s) to allow us to see the value of your feature request as quickly as possible.
-Features with a lot of positive interaction (claps, +1s, conversation about how this would impact them) indicate higher community interest and help us to prioritize.  

-If you are interested in creating a PR for your feature request, let us know in the the issue so we can work with you.  
+Features with a lot of positive interaction (claps, +1s, conversation about how this would impact them) indicate higher community interest and help us to prioritize.
+
+If you are interested in creating a PR for your feature request, let us know in the issue, so we can work with you.
 It can take a lot of work to make sure a PR can integrate with our existing code and planning with the team ahead of time can make sure that your PR can be accepted and merged quickly.

 ## Issues or Possible Bug Reports
@@ -50,13 +51,13 @@ It can take a lot of work to make sure a PR can integrate with our existing code
 Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE/bug_report.yml) as much as possible.

 Explain the conditions in which you encountered the issue; what is your context?
-Share any logs you may have and make sure to share the steps it takes to reproduce your issue or bug. 
+Share any logs you may have, and make sure to share the steps it takes to reproduce your issue or bug.

 Remain as clear and concise as possible.

-Take time to polish the format of your message so we'll enjoy reading it and working on it. 
+Take time to polish the format of your message, so we'll enjoy reading it and working on it.
 Help your readers focus on what matters and help them understand the structure of your message (see the [GitHub Markdown Syntax](https://docs.github.com/en/get-started/writing-on-github)).

 ## International English

-Every maintainer / Traefik user is not a native English speaker, so if you feel sometimes that some messages sound rude, remember that it probably is a language barrier problem from someone willing to help you.
+Every maintainer / Traefik user is not a native English speaker, so if you sometimes feel that some messages sound rude, remember that it probably is a language barrier problem from someone willing to help you.
--- a/docs/content/contributing/submitting-pull-requests.md
+++ b/docs/content/contributing/submitting-pull-requests.md
@@ -3,12 +3,228 @@ title: "Traefik Pull Requests Documentation"
 description: "Looking to contribute to Traefik Proxy? This guide will show you the guidelines for submitting a PR in our contributors guide repository."
 ---

-# Submitting Pull Requests
+# Before You Submit a Pull Request

-A Quick Guide for Efficient Contributions
-{: .subtitle }
+This guide is for contributors who already have a pull request to submit.
+If you are looking for information on setting up your developer environment
+and creating code to contribute to Traefik Proxy or related projects,
+see the [development guide](https://docs.traefik.io/contributing/building-testing/).

-So you've decided to improve Traefik? 
-Thank You! 
+Looking for a way to contribute to Traefik Proxy?
+Check out this list of [Priority Issues](https://github.com/traefik/traefik/labels/contributor%2Fwanted),
+the [Good First Issue](https://github.com/traefik/traefik/labels/contributor%2Fgood-first-issue) list,
+or the list of [confirmed bugs](https://github.com/traefik/traefik/labels/kind%2Fbug%2Fconfirmed) waiting to be remedied.

-Please review the [guidelines on creating PRs](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md) for Traefik in our [contributors guide repository](https://github.com/traefik/contributors-guide).
+## How We Prioritize
+
+We wish we could review every pull request right away, but because it's a time-consuming operation, it's not always possible.
+
+The PRs we are able to handle the fastest are:
+
+* Documentation updates.
+* Bug fixes.
+* Enhancements and Features with a `contributor/wanted` tag.
+
+PRs that take more time to address include:
+
+* Enhancements or Features without the `contributor/wanted` tag.
+
+If you have an idea for an enhancement or feature that you would like to build,
+[create an issue](https://github.com/traefik/traefik/issues/new/choose) for it first
+and tell us you are interested in writing the PR.
+If an issue already exists, definitely comment on it to tell us you are interested in creating a PR.
+
+This will allow us to communicate directly and let you know if it is something we would accept.
+
+It also allows us to make sure you have all the information you need during the design phase
+so that it can be reviewed and merged quickly.
+
+Read more about the [Triage process](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in the docs.
+
+## The Pull Request Submit Process
+
+Merging a PR requires the following steps to be completed before it is merged automatically.
+
+* Make sure your pull request adheres to our best practices. These include:
+    * [Following project conventions](https://github.com/traefik/traefik/blob/master/docs/content/contributing/maintainers-guidelines.md); including using the PR Template.
+    * Make small pull requests.
+    * Solve only one problem at a time.
+    * Comment thoroughly.
+    * Do not open the PR from an organization repository.
+    * Keep "allows edit from maintainer" checked.
+    * Use semantic line breaks for documentation.
+    * Ensure your PR is not a draft. We do not review drafts, but do answer questions and confer with developers on them as needed.
+    * Ensure that the dependencies in the `go.mod` file reference a tag. If referencing a tag is not possible, add a comment explaining why.
+* Pass the validation check.
+* Pass all tests.
+* Receive 2 approving reviews from maintainers.
+
+## Pull Request Review Cycle
+
+Learn about our [Triage Process](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md),
+in short, it looks like this:
+
+* We triage every new PR or comment before entering it into the review process.
+    * We ensure that all prerequisites for review have been met.
+    * We check to make sure the use case meets our needs.
+    * We assign reviewers.
+* Design Review.
+    * This takes longer than other parts of the process.
+    * We review that there are no obvious conflicts with our codebase.
+* Code Review.
+    * We review the code in-depth and run tests.
+    * We may ask for changes here.
+    * During code review, we ask that you be reasonably responsive,
+      if a PR languishes in code review it is at risk of rejection,
+      or we may take ownership of the PR and the contributor will become a co-author.
+* Merge.
+    * Success!
+
+!!! note
+
+    Occasionally, we may freeze our codebase when working towards a specific feature or goal that could impact other development.
+    During this time, your pull request could remain unmerged while the release work is completed.
+
+## Run Local Verifications
+
+You must run these local verifications before you submit your pull request to predict the pass or failure of continuous integration.
+Your PR will not be reviewed until these are green on the CI.
+
+* `make generate`
+* `make validate`
+* `make pull-images`
+* `make test`
+
+## The Testing and Merge Workflow
+
+Pull Requests are managed by the bot [Myrmica Lobicornis](https://github.com/traefik/lobicornis).
+This bot is responsible for verifying GitHub Checks (CI, Tests, etc), mergability, and minimum reviews.
+In addition, it rebases or merges with the base PR branch if needed.
+It performs several other housekeeping items
+and you can read more about those on the [README](https://github.com/traefik/lobicornis) for Lobicornis.
+
+The maintainer giving the final LGTM must add the `status/3-needs-merge` label to trigger the merge bot.
+
+By default, a squash-rebase merge will be carried out.
+
+The status `status/4-merge-in-progress` is only used by the bot.
+
+If the bot is not able to perform the merge, the label `bot/need-human-merge` is added.
+In such a situation, solve the conflicts/CI/... and then remove the label `bot/need-human-merge`.
+
+To prevent the bot from automatically merging a PR, add the label `bot/no-merge`.
+
+The label `bot/light-review` decreases the number of required LGTM from 2 to 1.
+
+This label can be used when:
+
+* Updating a dependency.
+* Merging branches back into the next version branch.
+* Submitting minor documentation changes.
+* Submitting changelog PRs.
+
+## Why Was My Pull Request Closed?
+
+Traefik Proxy is made by the community for the community,
+as such the goal is to engage the community to make Traefik the best reverse proxy available.
+Part of this goal is maintaining a lean codebase and ensuring code velocity.
+Unfortunately, this means that sometimes we will not be able to merge a pull request.
+
+Because we respect the work you did, you will always be told why we are closing your pull request.
+If you do not agree with our decision, do not worry; closed pull requests are effortless to recreate,
+and little work is lost by closing a pull request that subsequently needs to be reopened.
+
+Your pull request might be closed if:
+
+* Your PR's design conflicts with our existing codebase in such a way that merging is not an option
+  and the work needed to make your pull request usable is too high.
+    * To prevent this, make sure you created an issue first
+      and think about including Traefik Proxy maintainers in your design phase to minimize conflicts.
+* Your PR is for an enhancement or feature that we will not use.
+    * Please remember to create an issue for any pull request **before** you create a PR
+      to ensure that your goal is something we can merge and that you have any design insight you might need from the team.
+* Your PR has been waiting for feedback from the contributor for over 90 days.
+
+## Why is My Pull Request Not Getting Reviewed
+
+A few factors affect how long your pull request might wait for review.
+
+We must prioritize which PRs we focus on.
+Our first priority is PRs we have identified as having high community engagement and broad applicability.
+We put our top priorities on our roadmap, and you can identify them by the `contributor/wanted` tag.
+These PRs will enter our review process the fastest.
+
+Our second priority is bug fixes.
+Especially for bugs that have already been tagged with `bug/confirmed`.
+These reviews enter the process quickly.
+
+If your PR does not meet the criteria above,
+it will take longer for us to review, as any PRs that do meet the criteria above will be prioritized.
+
+Additionally, during the last few weeks of a milestone, we stop reviewing PRs to reduce churn and stabilize.
+We will resume after the release.
+
+The second major reason that we deprioritize your PR is that you are not following best practices.
+
+The most common failures to follow best practices are:
+
+* You did not create an issue for the PR you wish to make.
+  If you do not create an issue before submitting your PR,
+  we will not be able to answer any design questions and let you know how likely your PR is to be merged.
+* You created pull requests that are too large to review.
+    * Break your pull requests up.
+      If you can extract whole ideas from your pull request and send those as pull requests of their own,
+      you should do that instead.
+      It is better to have many pull requests addressing one thing than one pull request addressing many things.
+    * Traefik Proxy is a fast-moving codebase — lock in your changes ASAP with your small pull request,
+      and make merges be someone else's problem.
+      We want every pull request to be useful on its own,
+      so use your best judgment on what should be a pull request vs. a commit.
+* You did not comment well.
+    * Comment everything.
+
+Please remember that we are working internationally, cross-culturally, and with different use-cases.
+Your reviewer will not intuitively understand the problem the same way you do or solve it the same way you would.
+This is why every change you make must be explained, and your strategy for coding must also be explained.
+
+* Your tests were inadequate or absent.
+    * If you do not know how to test your PR, please ask!
+      We will be happy to help you or suggest appropriate test cases.
+
+If you have already followed the best practices and your PR still has not received a response,
+here are some things you can do to move the process along:
+
+* If you have fixed all the issues from a review,
+  remember to re-request a review (using the designated button) to let your reviewer know that you are ready.
+  You can choose to comment with the changes you made.
+* Kindly comment on the pull request. Doing so will automatically give your PR visibility during the triage process.
+
+For more information on best practices, try these links:
+
+* [How to Write a Git Commit Message - Chris Beams](https://chris.beams.io/posts/git-commit/)
+* [Distributed Git - Contributing to a Project (Commit Guidelines)](https://git-scm.com/book/en/v2/Distributed-Git-Contributing-to-a-Project)
+* [What’s with the 50/72 rule? - Preslav Rachev](https://preslav.me/2015/02/21/what-s-with-the-50-72-rule/)
+* [A Note About Git Commit Messages - Tim Pope](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)
+
+## It's OK to Push Back
+
+Sometimes reviewers make mistakes.
+It is OK to push back on changes your reviewer requested.
+If you have a good reason for doing something a certain way, you are absolutely allowed to debate the merits of a requested change.
+Both the reviewer and reviewee should strive to discuss these issues in a polite and respectful manner.
+
+You might be overruled, but you might also prevail.
+We are pretty reasonable people.
+
+Another phenomenon of open-source projects (where anyone can comment on any issue) is the dog-pile -
+your pull request gets so many comments from so many people it becomes hard to follow.
+In this situation, you can ask the primary reviewer (assignee) whether they want you to fork a new pull request
+to clear out all the comments.
+You do not have to fix every issue raised by every person who feels like commenting,
+but you should answer reasonable comments with an explanation.
+
+## Common Sense and Courtesy
+
+No document can take the place of common sense and good taste.
+Use your best judgment, while you put a bit of thought into how your work can be made easier to review.
+If you do these things, your pull requests will get merged with less friction.
--- a/docs/content/contributing/submitting-security-issues.md
+++ b/docs/content/contributing/submitting-security-issues.md
@@ -8,14 +8,16 @@ description: "Security is a key part of Traefik Proxy. Read the technical docume
 ## Security Advisories

 We strongly advise you to join our mailing list to be aware of the latest announcements from our security team.
-You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).

 ## CVE

-Reported vulnerabilities can be found on 
+Reported vulnerabilities can be found on
 [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).

 ## Report a Vulnerability

 We want to keep Traefik safe for everyone.
-If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).
+If you've discovered a security vulnerability in Traefik,
+we appreciate your help in disclosing it to us in a responsible manner,
+by creating a [security advisory](https://github.com/traefik/traefik/security/advisories).
--- a/docs/content/contributing/thank-you.md
+++ b/docs/content/contributing/thank-you.md
@@ -8,25 +8,25 @@ description: "Thank you to all those who have contributed! Traefik Proxy is an o
 _You_ Made It
 {: .subtitle}

-Traefik truly is an [open-source project](https://github.com/traefik/traefik/),
-and wouldn't have become what it is today without the help of our [many contributors](https://github.com/traefik/traefik/graphs/contributors) (at the time of writing this),
-not accounting for people having helped with issues, tests, comments, articles, ... or just enjoying it and letting others know.
+Traefik Proxy truly is an [open-source project](https://github.com/traefik/traefik/),
+and wouldn't have become what it is today without the help of our [many contributors](https://github.com/traefik/traefik/graphs/contributors),
+not accounting for people having helped with issues, tests, comments, articles, ... or just enjoy using Traefik Proxy and share with others.

-So once again, thank you for your invaluable help on making Traefik such a good product.
+So once again, thank you for your invaluable help in making Traefik such a good product!

 !!! question "Where to Go Next?"
    If you want to:

-    - Propose and idea, request a feature a report a bug,
-      read the page [Submitting Issues](./submitting-issues.md).
+    - Propose an idea, request a feature, or report a bug, 
+      then read [Submitting Issues](./submitting-issues.md).
    - Discover how to make an efficient contribution,
-      read the page [Submitting Pull Requests](./submitting-pull-requests.md).
+      then read [Submitting Pull Requests](./submitting-pull-requests.md).
    - Learn how to build and test Traefik,
-      the page [Building and Testing](./building-testing.md) is for you.
+      then the page [Building and Testing](./building-testing.md) is for you.
    - Contribute to the documentation,
-      read the related page [Documentation](./documentation.md).
+      then read the page about [Documentation](./documentation.md).
    - Understand how do we learn about Traefik usage,
      read the [Data Collection](./data-collection.md) page.
    - Spread the love about Traefik, please check the [Advocating](./advocating.md) page.
    - Learn about who are the maintainers and how they work on the project,
-      read the [Maintainers](./maintainers.md) page.
+      read the [Maintainers](./maintainers.md) and [Maintainer Guidelines](./maintainers-guidelines.md) pages.
--- a/docs/content/deprecation/features.md
+++ b/docs/content/deprecation/features.md
@@ -2,25 +2,43 @@

 This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.

-| Feature                                                       | Deprecated | End of Support | Removal |
-|---------------------------------------------------------------|------------|----------------|---------|
-| [Pilot Dashboard (Metrics)](#pilot-dashboard-metrics)         | 2.7        | 2.8            | 3.0     |
-| [Pilot Plugins](#pilot-plugins)                               | 2.7        | 2.8            | 3.0     |
-| [Consul Enterprise Namespace](#consul-enterprise-namespace)   | 2.8        | N/A            | 3.0     |
+| Feature                                                                                                     | Deprecated | End of Support | Removal |
+|-------------------------------------------------------------------------------------------------------------|------------|----------------|---------|
+| [Pilot](#pilot)                                                                                             | 2.7        | 2.8            | 2.9     |
+| [Consul Enterprise Namespace](#consul-enterprise-namespace)                                                 | 2.8        | N/A            | 3.0     |
+| [TLS 1.0 and 1.1 Support](#tls-10-and-11)                                                                   | N/A        | 2.8            | N/A     |
+| [Nomad Namespace](#nomad-namespace)                                                                         | 2.10       | N/A            | 3.0     |
+| [Kubernetes CRDs API Group `traefik.containo.us`](#kubernetes-crd-provider-api-group-traefikcontainous)     | 2.10       | N/A            | 3.0     |
+| [Kubernetes CRDs API Version `traefik.io/v1alpha1`](#kubernetes-crd-provider-api-version-traefikiov1alpha1) | 3.0        | N/A            | 4.0     |

 ## Impact

-### Pilot Dashboard (Metrics)
+### Pilot

 Metrics will continue to function normally up to 2.8, when they will be disabled.  
 In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.

-### Pilot Plugins 
-
-Starting on 2.7 the pilot token will not be a requirement anymore.  
-At 2.9, a new plugin catalog home should be available, decoupled from pilot.
+Starting on 2.7 the pilot token will not be a requirement anymore for plugins.  
+Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from Pilot.

 ### Consul Enterprise Namespace

 Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
 please use the `namespaces` options instead.  
+
+### TLS 1.0 and 1.1
+
+Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.  
+
+### Nomad Namespace
+
+Starting on 2.10 the `namespace` option of the Nomad provider is deprecated,
+please use the `namespaces` options instead.
+
+### Kubernetes CRD Provider API Group `traefik.containo.us`
+
+In v2.10, the Kubernetes CRD provider API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
+
+### Kubernetes CRD Provider API Version `traefik.io/v1alpha1`
+
+The Kubernetes CRD provider API Version `traefik.io/v1alpha1` will subsequently be deprecated in Traefik v3. The next version will be `traefik.io/v1`.
--- a/docs/content/deprecation/releases.md
+++ b/docs/content/deprecation/releases.md
@@ -4,27 +4,37 @@

 Below is a non-exhaustive list of versions and their maintenance status:

-| Version | Release Date | Active Support     | Security Support | 
-|---------|--------------|--------------------|------------------|
-| 2.8     | Jun 29, 2022 |      Yes           |       Yes        |
-| 2.7     | May 24, 2022 | Ended Jun 29, 2022 |       No         |
-| 2.6     | Jan 24, 2022 | Ended May 24, 2022 |       No         |
-| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 |       No         |
-| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 |       No         |
-| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 |       No         |
-| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 |       No         |
-| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 |       No         |
-| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 |       No         |
-| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 |  Contact Support |
+| Version | Release Date | Active Support     | Security Support  |
+|---------|--------------|--------------------|-------------------|
+| 3.5     | Jul 23, 2025 | Yes                | Yes               |
+| 3.4     | May 05, 2025 | Ended Jul 23, 2025 | No                |
+| 3.3     | Jan 06, 2025 | Ended May 05, 2025 | No                |
+| 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 | No                |
+| 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 | No                |
+| 3.0     | Apr 29, 2024 | Ended Jul 15, 2024 | No                |
+| 2.11    | Feb 12, 2024 | Ended Apr 29, 2025 | Ends Feb 01, 2026 |
+| 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 | No                |
+| 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 | No                |
+| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No                |
+| 2.7     | May 24, 2022 | Ended Jun 29, 2022 | No                |
+| 2.6     | Jan 24, 2022 | Ended May 24, 2022 | No                |
+| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 | No                |
+| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 | No                |
+| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 | No                |
+| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 | No                |
+| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 | No                |
+| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 | No                |
+| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 | No                |

 ??? example "Active Support / Security Support"

-    **Active support**: receives any bug fixes.
-    **Security support**: receives only critical bug and security fixes.
+    - **Active support**: Receives any bug fixes.
+
+    - **Security support**: Receives only critical bug and security fixes.

 This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.

-Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v1 to v2 migration guide](../migration/v1-to-v2.md).
+Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v2 to v3 migration guide](../migration/v2-to-v3.md).

 !!! important "All target dates for end of support or feature removal announcements may be subject to change."

--- a/docs/content/getting-started/concepts.md
+++ b/docs/content/getting-started/concepts.md
@@ -1,19 +1,34 @@
 ---
-title: "Traefik Concepts Documentation"
-description: "Get started with Traefik Proxy. Read the technical documentation for an introduction into the key concepts behind our open source edge router."
+title: Concepts
+description: Traefik - base concepts and main features
 ---

 # Concepts

-Everything You Need to Know
-{: .subtitle }
+This page explains the base concepts of Traefik.
+
+---
+
+## Introduction
+
+Traefik is based on the concept of EntryPoints, Routers, Middlewares and Services.
+
+The main features include dynamic configuration, automatic service discovery, and support for multiple backends and protocols.
+
+1. [EntryPoints](../routing/entrypoints.md "Link to docs about EntryPoints"): EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for TCP or UDP.
+
+2. [Routers](../routing/routers/index.md "Link to docs about routers"): A router is in charge of connecting incoming requests to the services that can handle them.
+
+3. [Middlewares](../middlewares/overview.md "Link to docs about middlewares"): Attached to the routers, middlewares can modify the requests or responses before they are sent to your service
+
+4. [Services](../routing/services/index.md "Link to docs about services"): Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.

 ## Edge Router

-Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request:
-it knows all the logic and every rule that determine which services handle which requests (based on the [path](../routing/routers/index.md#rule), the [host](../routing/routers/index.md#rule), [headers](../routing/routers/index.md#rule), [and so on](../routing/routers/index.md#rule) ...).
+Traefik is an *Edge Router*; this means that it's the door to your platform, and that it intercepts and routes every incoming request:
+it knows all the logic and every [rule](../routing/routers/index.md#rule "Link to docs about routing rules") that determine which services handle which requests (based on the *path*, the *host*, *headers*, etc.).

-![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png)
+![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png "Picture explaining the infrastructure")

 ## Auto Service Discovery

@@ -21,21 +36,25 @@ Where traditionally edge routers (or reverse proxies) need a configuration file

 Deploying your services, you attach information that tells Traefik the characteristics of the requests the services can handle.

-![Decentralized Configuration](../assets/img/traefik-concepts-2.png)
+![Decentralized Configuration](../assets/img/traefik-concepts-2.png "Picture about Decentralized Configuration")

-It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
+This means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
 Similarly, when a service is removed from the infrastructure, the corresponding route is deleted accordingly.

 You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.

 !!! info "Many different rules"

-    In the example above, we used the request [path](../routing/routers/index.md#rule) to determine which service was in charge, but of course you can use many other different [rules](../routing/routers/index.md#rule).
+    In the example above, we used the request [path rule](../routing/routers/index.md#rule "Link to docs about routing rules") to determine which service was in charge.
+    Certainly, you can use many other different [rules](../routing/routers/index.md#rule "Link to docs about routing rules").

 !!! info "Updating the requests"

-    In the [middleware](../middlewares/overview.md) section, you can learn about how to update the requests before forwarding them to the services.
+    In the [middleware](../middlewares/overview.md "Link to middleware documentation") section, you can learn about how to update the requests before forwarding them to the services.

 !!! question "How does Traefik discover the services?"

-    Traefik is able to use your cluster API to discover the services and read the attached information. In Traefik, these connectors are called [providers](../providers/overview.md) because they _provide_ the configuration to Traefik. To learn more about them, read the [provider overview](../providers/overview.md) section.
+    Traefik is able to use your cluster API to discover the services and read the attached information.
+    In Traefik, these connectors are called [providers](../providers/overview.md "Link to overview about Traefik providers") because they *provide* the configuration to Traefik.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -79,14 +79,14 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:v2.8 --help
+# ex: docker run traefik:v2.11 --help
 ```

-All available arguments can also be found [here](../reference/static-configuration/cli.md).
+Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.

 ### Environment Variables

-All available environment variables can be found [here](../reference/static-configuration/env.md)
+All available environment variables can be found in the [static configuration environment overview](../reference/static-configuration/env.md).

 ## Available Configuration Options

@@ -94,17 +94,4 @@ All the configuration options are documented in their related section.

 You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.

-!!! question "Using Traefik for Business Applications?"
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -29,7 +29,7 @@ Not to mention that dynamic configuration changes potentially make that kind of
 Therefore, in this dynamic context,
 the static configuration of an `entryPoint` does not give any hint whatsoever about how the traffic going through that `entryPoint` is going to be routed.
 Or whether it's even going to be routed at all,
-i.e. whether there is a Router matching the kind of traffic going through it.
+that is whether there is a Router matching the kind of traffic going through it.

 ### `404 Not found`

@@ -71,7 +71,7 @@ Traefik returns a `502` response code when an error happens while contacting the

 ### `503 Service Unavailable`

-Traefik returns a `503` response code when a Router has been matched
+Traefik returns a `503` response code when a Router has been matched,
 but there are no servers ready to handle the request.

 This situation is encountered when a service has been explicitly configured without servers,
@@ -84,7 +84,7 @@ Sometimes, the `404` response code doesn't play well with other parties or servi
 In these situations, you may want Traefik to always reply with a `503` response code,
 instead of a `404` response code.

-To achieve this behavior, a simple catchall router,
+To achieve this behavior, a catchall router,
 with the lowest possible priority and routing to a service without servers,
 can handle all the requests when no other router has been matched.

@@ -93,7 +93,7 @@ The example below is a file provider only version (`yaml`) of what this configur
 ```yaml tab="Static configuration"
 # traefik.yml

-entrypoints:
+entryPoints:
  web:
    address: :80

@@ -130,7 +130,7 @@ http:
    the principle of the above example above (a catchall router) still stands,
    but the `unavailable` service should be adapted to fit such a need.

-## Why Is My TLS Certificate Not Reloaded When Its Contents Change? 
+## Why Is My TLS Certificate Not Reloaded When Its Contents Change?

 With the file provider,
 a configuration update is only triggered when one of the [watched](../providers/file.md#provider-configuration) configuration files is modified.
@@ -157,3 +157,99 @@ By default, the following headers are automatically added when proxying requests

 For more details,
 please check out the [forwarded header](../routing/entrypoints.md#forwarded-headers) documentation.
+
+## How Traefik is Storing and Serving TLS Certificates?
+
+### Storing TLS Certificates
+
+[TLS](../https/tls.md "Link to Traefik TLS docs") certificates are either provided directly by the [dynamic configuration](./configuration-overview.md#the-dynamic-configuration "Link to dynamic configuration overview") from [providers](../https/tls.md#user-defined "Link to the TLS configuration"),
+or by [ACME resolvers](../https/acme.md#providers "Link to ACME resolvers"), which act themselves as providers internally.
+
+For each TLS certificate, Traefik produces an identifier used as a key to store it.
+This identifier is constructed as the alphabetically ordered concatenation of the SANs `DNSNames` and `IPAddresses` of the TLScertificate.
+
+#### Examples:
+
+| X509v3 Subject Alternative Name         | TLS Certificate Identifier  |
+|-----------------------------------------|-----------------------------|
+| `DNS:example.com, IP Address:127.0.0.1` | `127.0.0.1,example.com`     |
+| `DNS:example.com, DNS:*.example.com`    | `*.example.com,example.com` |
+
+The identifier is used to store TLS certificates in order to be later used to handle TLS connections.
+This operation happens each time there are configuration changes.
+
+If multiple TLS certificates are provided with the same SANs definition (same identifier), only the one processed first is kept.
+Because the dynamic configuration is aggregated from all providers,
+when processing it to gather TLS certificates,
+there is no guarantee of the order in which they would be processed.
+This means that along with configurations applied, it is possible that the TLS certificate retained for a given identifier differs.
+
+### Serving TLS Certificates
+
+For each incoming connection, Traefik is serving the "best" matching TLS certificate for the provided server name.
+
+The TLS certificate selection process narrows down the list of TLS certificates matching the server name,
+and then selects the last TLS certificate in this list after having ordered it by the identifier alphabetically.
+
+#### Examples:
+
+| Selected TLS Certificates Identifiers               | Sorted TLS Certificates Identifiers                 | Served Certificate Identifier |
+|-----------------------------------------------------|-----------------------------------------------------|-------------------------------|
+| `127.0.0.1,example.com`,`*.example.com,example.com` | `*.example.com,example.com`,`127.0.0.1,example.com` | `127.0.0.1,example.com`       |
+| `*.example.com,example.com`,`example.com`           | `*.example.com,example.com`,`example.com`           | `example.com`                 |
+
+### Caching TLS Certificates
+
+While Traefik is serving the best matching TLS certificate for each incoming connection,
+the selection process cost for each incoming connection is avoided thanks to a cache mechanism.
+
+Once a TLS certificate has been selected as the "best" TLS certificate for a server name,
+it is cached for an hour, avoiding the selection process for further connections.
+
+Nonetheless, when a new configuration is applied, the cache is reset.
+
+## What does the "field not found" error mean?
+
+```shell
+error: field not found, node: -badField-
+```
+
+The "field not found" error occurs, when an unknown property is encountered in the dynamic or static configuration.
+
+One way to check whether a configuration file is well-formed, is to validate it with:
+
+- [JSON Schema of the static configuration](https://json.schemastore.org/traefik-v2.json)
+- [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json)
+
+## Why are some resources (routers, middlewares, services...) not created/applied?
+
+As a common tip, if a resource is dropped/not created by Traefik after the dynamic configuration was evaluated,
+one should look for an error in the logs.
+
+If found, the error confirms that something went wrong while creating the resource,
+and the message should help in figuring out the mistake(s) in the configuration, and how to fix it.
+
+When using the file provider,
+one way to check if the dynamic configuration is well-formed is to validate it with the [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json).
+
+## Why does Let's Encrypt wildcard certificate renewal/generation with DNS challenge fail?
+
+If you're trying to renew wildcard certificates, with DNS challenge,
+and you're getting errors such as:
+
+```txt
+msg="Error renewing certificate from LE: {example.com [*.example.com]}"
+providerName=letsencrypt.acme error="error: one or more domains had a problem:
+[example.com] acme: error presenting token: gandiv5: unexpected authZone example.com. for fqdn example.com."
+```
+
+then it could be due to `CNAME` support.
+
+In which case, you should make sure your infrastructure is properly set up for a
+`DNS` challenge that does not rely on `CNAME`, and you should try disabling `CNAME` support with:
+
+```shell
+LEGO_DISABLE_CNAME_SUPPORT=true
+```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:

 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:

-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.8/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.8/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.11/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.11/traefik.sample.toml)

-```bash
+```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.8
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.11
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,28 +29,23 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.8`
+    ex: `traefik:v2.11`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

 ## Use the Helm Chart

-!!! warning
-
-    The Traefik Chart from
-    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://doc.traefik.io/traefik/v1.7).
-
 Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/traefik/traefik-helm-chart>.

 Ensure that the following requirements are met:

-* Kubernetes 1.14+
-* Helm version 3.x is [installed](https://helm.sh/docs/intro/install/)
+* Kubernetes 1.16+
+* Helm version 3.9+ is [installed](https://helm.sh/docs/intro/install/)

-Add Traefik's chart repository to Helm:
+Add Traefik Labs chart repository to Helm:

 ```bash
-helm repo add traefik https://helm.traefik.io/traefik
+helm repo add traefik https://traefik.github.io/charts
 ```

 You can update the chart repository by running:
@@ -59,7 +54,7 @@ You can update the chart repository by running:
 helm repo update
 ```

-And install it with the `helm` command line:
+And install it with the Helm command line:

 ```bash
 helm install traefik traefik/traefik
@@ -68,6 +63,9 @@ helm install traefik traefik/traefik
 !!! tip "Helm Features"

    All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
+
+    Examples are provided [here](https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md).
+
    For instance, installing the chart in a dedicated namespace:

    ```bash tab="Install in a Dedicated Namespace"
@@ -83,8 +81,7 @@ helm install traefik traefik/traefik
    as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
    {: #helm-custom-values }

-    The values are not (yet) documented, but are self-explanatory:
-    you can look at the [default `values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
+    All parameters are documented in the default [`values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml).

    You can also set Traefik command line flags using `additionalArguments`.
    Example of installation with logging set to `DEBUG`:
@@ -102,38 +99,6 @@ helm install traefik traefik/traefik
      - "--log.level=DEBUG"
    ```

-### Exposing the Traefik dashboard
-
-This HelmChart does not expose the Traefik dashboard by default, for security concerns.
-Thus, there are multiple ways to expose the dashboard.
-For instance, the dashboard access could be achieved through a port-forward:
-
-```shell
-kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
-```
-
-It can then be reached at: `http://127.0.0.1:9000/dashboard/`
-
-Another way would be to apply your own configuration, for instance,
-by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`):
-
-```yaml
-# dashboard.yaml
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: dashboard
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
-      kind: Rule
-      services:
-        - name: api@internal
-          kind: TraefikService
-```
-
 ## Use the Binary Distribution

 Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page.
@@ -179,17 +144,4 @@ And run it:

 All the details are available in the [Contributing Guide](../contributing/building-testing.md)

-!!! question "Using Traefik for Business Applications?"
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/quick-start-with-kubernetes.md
+++ b/docs/content/getting-started/quick-start-with-kubernetes.md
@@ -0,0 +1,337 @@
+---
+title: "Traefik Getting Started With Kubernetes"
+description: "Get started with Traefik Proxy and Kubernetes."
+---
+
+# Quick Start
+
+A Use Case of Traefik Proxy and Kubernetes
+{: .subtitle }
+
+This guide is an introduction to using Traefik Proxy in a Kubernetes environment.  
+The objective is to learn how to run an application behind a Traefik reverse proxy in Kubernetes.  
+It presents and explains the basic blocks required to start with Traefik such as Ingress Controller, Ingresses, Deployments, static, and dynamic configuration.
+
+## Permissions and Accesses
+
+Traefik uses the Kubernetes API to discover running services.
+
+To use the Kubernetes API, Traefik needs some permissions.
+This [permission mechanism](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) is based on roles defined by the cluster administrator.  
+The role is then bound to an account used by an application, in this case, Traefik Proxy.
+
+The first step is to create the role.
+The [`ClusterRole`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole) resource enumerates the resources and actions available for the role.
+In a file called `00-role.yml`, put the following `ClusterRole`:
+
+```yaml tab="00-role.yml"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-role
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.io
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - middlewaretcps
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+      - serverstransports
+    verbs:
+      - get
+      - list
+      - watch
+```
+
+!!! info "You can find the reference for this file [there](../../reference/dynamic-configuration/kubernetes-crd/#rbac)."
+
+The next step is to create a dedicated service account for Traefik.
+In a file called `00-account.yml`, put the following [`ServiceAccount`](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/service-account-v1/#ServiceAccount) resource:
+
+```yaml tab="00-account.yml"
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik-account
+```
+
+And then, bind the role on the account to apply the permissions and rules on the latter. In a file called `01-role-binding.yml`, put the
+following [`ClusterRoleBinding`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/#ClusterRoleBinding) resource:
+
+```yaml tab="01-role-binding.yml"
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-role-binding
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-role
+subjects:
+  - kind: ServiceAccount
+    name: traefik-account
+    namespace: default # This tutorial uses the "default" K8s namespace.
+```
+
+!!! info "`roleRef` is the Kubernetes reference to the role created in `00-role.yml`."
+
+!!! info "`subjects` is the list of accounts reference."
+
+    In this guide, it only contains the account created in `00-account.yml`
+
+## Deployment and Exposition
+
+!!! info "This section can be managed with the help of the [Traefik Helm chart](../install-traefik/#use-the-helm-chart)."
+
+The [ingress controller](https://traefik.io/glossary/kubernetes-ingress-and-ingress-controller-101/#what-is-a-kubernetes-ingress-controller)
+is a software that runs in the same way as any other application on a cluster.  
+To start Traefik on the Kubernetes cluster,
+a [`Deployment`](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/) resource must exist to describe how to configure
+and scale containers horizontally to support larger workloads.
+
+Start by creating a file called `02-traefik.yml` and paste the following `Deployment` resource:
+
+```yaml tab="02-traefik.yml"
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: traefik-deployment
+  labels:
+    app: traefik
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik
+  template:
+    metadata:
+      labels:
+        app: traefik
+    spec:
+      serviceAccountName: traefik-account
+      containers:
+        - name: traefik
+          image: traefik:v2.11
+          args:
+            - --api.insecure
+            - --providers.kubernetesingress
+          ports:
+            - name: web
+              containerPort: 80
+            - name: dashboard
+              containerPort: 8080
+```
+
+The deployment contains an important attribute for customizing Traefik: `args`.  
+These arguments are the static configuration for Traefik.  
+From here, it is possible to enable the dashboard,
+configure entry points,
+select dynamic configuration providers,
+and [more](../reference/static-configuration/cli.md).
+
+In this deployment,
+the static configuration enables the Traefik dashboard,
+and uses Kubernetes native Ingress resources as router definitions to route incoming requests.
+
+!!! info "When there is no entry point in the static configuration"
+
+    Traefik creates a default one called `web` using the port `80` routing HTTP requests.
+
+!!! info "When enabling the [`api.insecure`](../../operations/api/#insecure) mode, Traefik exposes the dashboard on the port `8080`."
+
+A deployment manages scaling and then can create lots of containers, called [Pods](https://kubernetes.io/docs/concepts/workloads/pods/).
+Each Pod is configured following the `spec` field in the deployment.  
+Given that, a Deployment can run multiple Traefik Proxy Pods,
+a piece is required to forward the traffic to any of the instance:
+namely a [`Service`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#Service).  
+Create a file called `02-traefik-services.yml` and insert the two `Service` resources:
+
+```yaml tab="02-traefik-services.yml"
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-dashboard-service
+
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 8080
+      targetPort: dashboard
+  selector:
+    app: traefik
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-web-service
+
+spec:
+  type: LoadBalancer
+  ports:
+    - targetPort: web
+      port: 80
+  selector:
+    app: traefik
+```
+
+!!! warning "It is possible to expose a service in different ways."
+
+    Depending on your working environment and use case, the `spec.type` might change.  
+    It is strongly recommended to understand the available [service types](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) before proceeding to the next step.
+
+It is now time to apply those files on your cluster to start Traefik.
+
+```shell
+kubectl apply -f 00-role.yml \
+              -f 00-account.yml \
+              -f 01-role-binding.yml \
+              -f 02-traefik.yml \
+              -f 02-traefik-services.yml
+```
+
+## Proxying applications
+
+The only part still missing is the business application behind the reverse proxy.  
+For this guide, we use the example application [traefik/whoami](https://github.com/traefik/whoami),
+but the principles are applicable to any other application.
+
+The `whoami` application is an HTTP server running on port 80 which answers host-related information to the incoming requests.  
+As usual, start by creating a file called `03-whoami.yml` and paste the following `Deployment` resource:
+
+```yaml tab="03-whoami.yml"
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+        - name: whoami
+          image: traefik/whoami
+          ports:
+            - name: web
+              containerPort: 80
+```
+
+And continue by creating the following `Service` resource in a file called `03-whoami-services.yml`:
+
+```yaml tab="03-whoami-services.yml"
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+
+spec:
+  ports:
+    - name: web
+      port: 80
+      targetPort: web
+      
+  selector:
+    app: whoami
+```
+
+Thanks to the Kubernetes API,
+Traefik is notified when an Ingress resource is created, updated, or deleted.  
+This makes the process dynamic.  
+The ingresses are, in a way, the [dynamic configuration](../../providers/kubernetes-ingress/) for Traefik.
+
+!!! tip
+
+    Find more information on [ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/),
+    and [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the official Kubernetes documentation.
+
+Create a file called `04-whoami-ingress.yml` and insert the `Ingress` resource:
+
+```yaml tab="04-whoami-ingress.yml"
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: whoami-ingress
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: whoami
+            port:
+              name: web
+```
+
+This `Ingress` configures Traefik to redirect any incoming requests starting with `/` to the `whoami:80` service.
+
+At this point, all the configurations are ready.
+It is time to apply those new files:
+
+```shell
+kubectl apply -f 03-whoami.yml \
+              -f 03-whoami-services.yml \
+              -f 04-whoami-ingress.yml
+```
+
+Now you should be able to access the `whoami` application and the Traefik dashboard.
+Load the dashboard on a web browser: [`http://localhost:8080`](http://localhost:8080).
+
+And now access the `whoami` application:
+
+```shell
+curl -v http://localhost/
+```
+
+!!! question "Going further"
+
+    - [Filter the ingresses](../providers/kubernetes-ingress.md#ingressclass) to use with [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)
+    - Use [IngressRoute CRD](../providers/kubernetes-crd.md)
+    - Protect [ingresses with TLS](../routing/providers/kubernetes-ingress.md#enabling-tls-via-annotations)
+    
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -1,11 +1,11 @@
 ---
 title: "Traefik Getting Started Quickly"
-description: "Looking to get started with Traefik Proxy quickly? Read the technical documentation to learn a simple use case that leverages Docker."
+description: "Get started with Traefik Proxy and Docker."
 ---

 # Quick Start

-A Simple Use Case Using Docker
+A Use Case Using Docker
 {: .subtitle }

 ![quickstart-diagram](../assets/img/quickstart-diagram.png)
@@ -20,7 +20,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v2 Traefik docker image
-    image: traefik:v2.8
+    image: traefik:v2.11
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
@@ -38,19 +38,24 @@ services:
 Start your `reverse-proxy` with the following command:

 ```shell
-docker-compose up -d reverse-proxy
+docker compose up -d reverse-proxy
 ```

-You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).
+You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (you'll go back there once you have launched a service in step 2).

 ## Traefik Detects New Services and Creates the Route for You

-Now that we have a Traefik instance up and running, we will deploy new services.
+Now that you have a Traefik instance up and running, you will deploy new services.

 Edit your `docker-compose.yml` file and add the following at the end of your file.

 ```yaml
-# ...
+version: '3'
+
+services:
+
+  ...
+
  whoami:
    # A container that exposes an API to show its IP address
    image: traefik/whoami
@@ -58,17 +63,17 @@ Edit your `docker-compose.yml` file and add the following at the end of your fil
      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
 ```

-The above defines `whoami`: a simple web service that outputs information about the machine it is deployed on (its IP address, host, and so on).
+The above defines `whoami`: a web service that outputs information about the machine it is deployed on (its IP address, host, and others).

 Start the `whoami` service with the following command:

 ```shell
-docker-compose up -d whoami
+docker compose up -d whoami
 ```

 Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new container and updated its own configuration.

-When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_  (Here, we're using curl)
+When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_  (Here, you're using curl)

 ```shell
 curl -H Host:whoami.docker.localhost http://127.0.0.1
@@ -87,7 +92,7 @@ IP: 172.27.0.3
 Run more instances of your `whoami` service with the following command:

 ```shell
-docker-compose up -d --scale whoami=2
+docker compose up -d --scale whoami=2
 ```

 Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new instance of the container.
@@ -98,7 +103,7 @@ Finally, see that Traefik load-balances between the two instances of your servic
 curl -H Host:whoami.docker.localhost http://127.0.0.1
 ```

-The output will show alternatively one of the followings:
+The output will show alternatively one of the following:

 ```yaml
 Hostname: a656c8ddca6c
@@ -114,19 +119,6 @@ IP: 172.27.0.4

 !!! question "Where to Go Next?"

-    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/) and let Traefik work for you!
+    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the user guides](../../user-guides/docker-compose/basic-example/ "Link to the user guides") and [the documentation](/ "Link to the docs landing page") and let Traefik work for you!

-!!! question "Using Traefik for Business Applications?"
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
+{!traefik-for-business-applications.md!}
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -11,7 +11,11 @@ Automatic HTTPS
 You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.

 !!! warning "Let's Encrypt and Rate Limiting"
-    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
+    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and cannot be overridden.
+    
+    When running Traefik in a container this file should be persisted across restarts. 
+    If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
+    To configure where certificates are stored, please take a look at the [storage](#storage) configuration.

    Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
    when experimenting to avoid hitting this limit too fast.
@@ -112,8 +116,8 @@ Please check the [configuration examples below](#configuration-examples) for mor
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
    # ...
    --certificatesresolvers.myresolver.acme.email=your-email@example.com
    --certificatesresolvers.myresolver.acme.storage=acme.json
@@ -237,8 +241,8 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
    # ...
    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
    ```
@@ -279,8 +283,25 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
    # ...
    ```

-    !!! important
-        A `provider` is mandatory.
+!!! warning "`CNAME` support"
+
+    `CNAME` are supported (and sometimes even [encouraged](https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname)),
+    but there are a few cases where they can be [problematic](../../getting-started/faq/#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).
+
+    If needed, `CNAME` support can be disabled with the following environment variable:
+
+    ```bash
+    LEGO_DISABLE_CNAME_SUPPORT=true
+    ```
+
+!!! warning "Multiple DNS Challenge provider"
+    
+    Multiple DNS challenge provider are not supported with Traefik, but you can use `CNAME` to handle that.
+    For example, if you have `example.org` (account foo) and `example.com` (account bar) you can create a CNAME on `example.org` called `_acme-challenge.example.org` pointing to `challenge.example.com`.
+    This way, you can obtain certificates for `example.org` with the `bar` account.
+
+!!! important
+    A `provider` is mandatory.

 #### `providers`

@@ -293,112 +314,167 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used

 For complete details, refer to your provider's _Additional configuration_ link.

-| Provider Name                                                                                      | Provider Code  | Environment Variables                                                                                                                       |                                                                             |
-|----------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
-| [ACME DNS](https://github.com/joohoi/acme-dns)                                                     | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
-| [Alibaba Cloud](https://www.alibabacloud.com)                                                      | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
-| [all-inkl](https://all-inkl.com)                                                                   | `allinkl`      | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)      |
-| [ArvanCloud](https://www.arvancloud.com/en)                                                        | `arvancloud`   | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)   |
-| [Auroradns](https://www.pcextreme.com/dns-health-checks)                                           | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
-| [Autodns](https://www.internetx.com/domains/autodns/)                                              | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
-| [Azure](https://azure.microsoft.com/services/dns/)                                                 | `azure`        | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)        |
-| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)                                         | `bindman`      | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)      |
-| [Blue Cat](https://www.bluecatnetworks.com/)                                                       | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
-| [Checkdomain](https://www.checkdomain.de/)                                                         | `checkdomain`  | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
-| [CloudDNS](https://vshosting.eu/)                                                                  | `clouddns`     | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)     |
-| [Cloudflare](https://www.cloudflare.com)                                                           | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
-| [ClouDNS](https://www.cloudns.net/)                                                                | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
-| [CloudXNS](https://www.cloudxns.net)                                                               | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
-| [ConoHa](https://www.conoha.jp)                                                                    | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
-| [Constellix](https://constellix.com)                                                               | `constellix`   | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)   |
-| [deSEC](https://desec.io)                                                                          | `desec`        | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)        |
-| [DigitalOcean](https://www.digitalocean.com)                                                       | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
-| [DNS Made Easy](https://dnsmadeeasy.com)                                                           | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
-| [DNSimple](https://dnsimple.com)                                                                   | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
-| [DNSPod](https://www.dnspod.com/)                                                                  | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)       |
-| [Domain Offensive (do.de)](https://www.do.de/)                                                     | `dode`         | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)         |
-| [Domeneshop](https://domene.shop)                                                                  | `domeneshop`   | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)   |
-| [DreamHost](https://www.dreamhost.com/)                                                            | `dreamhost`    | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)    |
-| [Duck DNS](https://www.duckdns.org/)                                                               | `duckdns`      | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)      |
-| [Dyn](https://dyn.com)                                                                             | `dyn`          | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)          |
-| [Dynu](https://www.dynu.com)                                                                       | `dynu`         | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)         |
-| [EasyDNS](https://easydns.com/)                                                                    | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)      |
-| [EdgeDNS](https://www.akamai.com/)                                                                 | `edgedns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
-| [Epik](https://www.epik.com)                                                                       | `epik`         | `EPIK_SIGNATURE`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/epik)         |
-| [Exoscale](https://www.exoscale.com)                                                               | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)     |
-| [Fast DNS](https://www.akamai.com/)                                                                | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
-| [Freemyip.com](https://freemyip.com)                                                               | `freemyip`     | `FREEMYIP_TOKEN`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip)     |
-| [G-Core Lab](https://gcorelabs.com/dns/)                                                           | `gcore`        | `GCORE_PERMANENT_API_TOKEN`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/gcore)        |
-| [Gandi v5](https://doc.livedns.gandi.net)                                                          | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)      |
-| [Gandi](https://www.gandi.net)                                                                     | `gandi`        | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)        |
-| [Glesys](https://glesys.com/)                                                                      | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)       |
-| [GoDaddy](https://godaddy.com/)                                                                    | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)      |
-| [Google Cloud DNS](https://cloud.google.com/dns/docs/)                                             | `gcloud`       | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)       |
-| [Hetzner](https://hetzner.com)                                                                     | `hetzner`      | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)      |
-| [hosting.de](https://www.hosting.de)                                                               | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
-| [Hosttech](https://www.hosttech.eu)                                                                | `hosttech`     | `HOSTTECH_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)     |
-| [Hurricane Electric](https://dns.he.net)                                                           | `hurricane`    | `HURRICANE_TOKENS` [^6]                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)    |
-| [HyperOne](https://www.hyperone.com)                                                               | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
-| [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)                                                | `ibmcloud`     | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)     |
-| [IIJ DNS Platform Service](https://www.iij.ad.jp)                                                  | `iijdpf`       | `IIJ_DPF_API_TOKEN` , `IIJ_DPF_DPM_SERVICE_CODE`                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/iijdpf)       |
-| [IIJ](https://www.iij.ad.jp/)                                                                      | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
-| [Infoblox](https://www.infoblox.com/)                                                              | `infoblox`     | `INFOBLOX_USER`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)     |
-| [Infomaniak](https://www.infomaniak.com)                                                           | `infomaniak`   | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)   |
-| [Internet.bs](https://internetbs.net)                                                              | `internetbs`   | `INTERNET_BS_API_KEY`, `INTERNET_BS_PASSWORD`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/internetbs)   |
-| [INWX](https://www.inwx.de/en)                                                                     | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
-| [ionos](https://ionos.com/)                                                                        | `ionos`        | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)        |
-| [iwantmyname](https://iwantmyname.com)                                                             | `iwantmyname`  | `IWANTMYNAME_USERNAME` , `IWANTMYNAME_PASSWORD`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/iwantmyname)  |
-| [Joker.com](https://joker.com)                                                                     | `joker`        | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
-| [Lightsail](https://aws.amazon.com/lightsail/)                                                     | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
-| [Linode v4](https://www.linode.com)                                                                | `linode`       | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
-| [Liquid Web](https://www.liquidweb.com/)                                                           | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
-| [Loopia](https://loopia.com/)                                                                      | `loopia`       | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)       |
-| [LuaDNS](https://luadns.com)                                                                       | `luadns`       | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)       |
-| [MyDNS.jp](https://www.mydns.jp/)                                                                  | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
-| [Mythic Beasts](https://www.mythic-beasts.com)                                                     | `mythicbeasts` | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts) |
-| [name.com](https://www.name.com/)                                                                  | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
-| [Namecheap](https://www.namecheap.com)                                                             | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
-| [Namesilo](https://www.namesilo.com/)                                                              | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)     |
-| [Netcup](https://www.netcup.eu/)                                                                   | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
-| [Netlify](https://www.netlify.com)                                                                 | `netlify`      | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)      |
-| [Nicmanager](https://www.nicmanager.com)                                                           | `nicmanager`   | `NICMANAGER_API_EMAIL`, `NICMANAGER_API_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/nicmanager)   |
-| [NIFCloud](https://cloud.nifty.com/service/dns.htm)                                                | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
-| [Njalla](https://njal.la)                                                                          | `njalla`       | `NJALLA_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)       |
-| [NS1](https://ns1.com/)                                                                            | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
-| [Open Telekom Cloud](https://cloud.telekom.de)                                                     | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
-| [Openstack Designate](https://docs.openstack.org/designate)                                        | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)    |
-| [Oracle Cloud](https://cloud.oracle.com/home)                                                      | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)  |
-| [OVH](https://www.ovh.com)                                                                         | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
-| [Porkbun](https://porkbun.com/)                                                                    | `porkbun`      | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)      |
-| [PowerDNS](https://www.powerdns.com)                                                               | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)         |
-| [Rackspace](https://www.rackspace.com/cloud/dns)                                                   | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)    |
-| [reg.ru](https://www.reg.ru)                                                                       | `regru`        | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)        |
-| [RFC2136](https://tools.ietf.org/html/rfc2136)                                                     | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)      |
-| [RimuHosting](https://rimuhosting.com)                                                             | `rimuhosting`  | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)  |
-| [Route 53](https://aws.amazon.com/route53/)                                                        | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
-| [Sakura Cloud](https://cloud.sakura.ad.jp/)                                                        | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)  |
-| [Scaleway](https://www.scaleway.com)                                                               | `scaleway`     | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)     |
-| [Selectel](https://selectel.ru/en/)                                                                | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
-| [Servercow](https://servercow.de)                                                                  | `servercow`    | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)    |
-| [Simply.com](https://www.simply.com/en/domains/)                                                   | `simply`       | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/simply)       |
-| [Sonic](https://www.sonic.com/)                                                                    | `sonic`        | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)        |
-| [Stackpath](https://www.stackpath.com/)                                                            | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
-| [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)                                         | `tencentcloud` | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud) |
-| [TransIP](https://www.transip.nl/)                                                                 | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
-| [UKFast SafeDNS](https://www.ans.co.uk/cloud-and-infrastructure/dedicated-servers/dns-management/) | `safedns`      | `SAFEDNS_AUTH_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)      |
-| [VegaDNS](https://github.com/shupp/VegaDNS-API)                                                    | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
-| [Vercel](https://vercel.com)                                                                       | `vercel`       | `VERCEL_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vercel)       |
-| [Versio](https://www.versio.nl/domeinnamen)                                                        | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
-| [VinylDNS](https://www.vinyldns.io)                                                                | `vinyldns`     | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)     |
-| [Vscale](https://vscale.io/)                                                                       | `vscale`       | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)       |
-| [VULTR](https://www.vultr.com)                                                                     | `vultr`        | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)        |
-| [WEDOS](https://www.wedos.com)                                                                     | `wedos`        | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)        |
-| [Yandex](https://yandex.com)                                                                       | `yandex`       | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)       |
-| [Zone.ee](https://www.zone.ee)                                                                     | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
-| [Zonomi](https://zonomi.com)                                                                       | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |
-| External Program                                                                                   | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
-| HTTP request                                                                                       | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
-| manual                                                                                             | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
+| Provider Name                                                          | Provider Code      | Environment Variables                                                                                                                                                            |                                                                                 |
+|------------------------------------------------------------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
+| [ACME DNS](https://github.com/joohoi/acme-dns)                         | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`, `ACME_DNS_STORAGE_BASE_URL`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
+| [Active24](https://www.active24.cz)                                    | `active24`         | `ACTIVE24_API_KEY`, `ACTIVE24_SECRET`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/active24)         |
+| [Alibaba Cloud](https://www.alibabacloud.com)                          | `alidns`           | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)           |
+| [all-inkl](https://all-inkl.com)                                       | `allinkl`          | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)          |
+| [ArvanCloud](https://www.arvancloud.ir/en)                             | `arvancloud`       | `ARVANCLOUD_API_KEY`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)       |
+| [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
+| [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
+| [Axelname](https://axelname.ru)                                        | `axelname`         | `AXELNAME_NICKNAME`, `AXELNAME_TOKEN`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/axelname)         |
+| [Azion](https://www.azion.com/en/products/edge-dns/)                   | `azion`            | `AZION_PERSONAL_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/azion)            |
+| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | DEPRECATED use `azuredns` instead.                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [AzureDNS](https://azure.microsoft.com/services/dns/)                  | `azuredns`         | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns)         |
+| [Baidu Cloud](https://cloud.baidu.com)                                 | `baiducloud`       | `BAIDUCLOUD_ACCESS_KEY_ID`, `BAIDUCLOUD_SECRET_ACCESS_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/baiducloud)       |
+| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)             | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
+| [Blue Cat](https://www.bluecatnetworks.com/)                           | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
+| [BookMyName](https://www.bookmyname.com)                               | `bookmyname`       | `BOOKMYNAME_USERNAME`, `BOOKMYNAME_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/bookmyname)       |
+| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
+| [Bunny](https://bunny.net)                                             | `bunny`            | `BUNNY_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/bunny)            |
+| [Checkdomain](https://www.checkdomain.de/)                             | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
+| [Civo](https://www.civo.com/)                                          | `civo`             | `CIVO_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
+| [Cloud.ru](https://cloud.ru)                                           | `cloudru`          | `CLOUDRU_SERVICE_INSTANCE_ID`, `CLOUDRU_KEY_ID`, `CLOUDRU_SECRET`                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/cloudru)          |
+| [CloudDNS](https://vshosting.eu/)                                      | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
+| [Cloudflare](https://www.cloudflare.com)                               | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
+| [ClouDNS](https://www.cloudns.net/)                                    | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
+| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [ConoHa v3](https://www.conoha.jp/)                                    | `conohav3`         | `CONOHAV3_TENANT_ID`, `CONOHAV3_API_USER_ID`, `CONOHAV3_API_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conohav3)         |
+| [ConoHa](https://www.conoha.jp)                                        | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
+| [Constellix](https://constellix.com)                                   | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
+| [Core-Networks](https://www.core-networks.de)                          | `corenetworks`     | `CORENETWORKS_LOGIN`, `CORENETWORKS_PASSWORD`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/corenetworks)     |
+| [CPanel and WHM](https://cpanel.net/)                                  | `cpanel`           | `CPANEL_MODE`, `CPANEL_USERNAME`, `CPANEL_TOKEN`, `CPANEL_BASE_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cpanel)           |
+| [Derak Cloud](https://derak.cloud/)                                    | `derak`            | `DERAK_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/derak)            |
+| [deSEC](https://desec.io)                                              | `desec`            | `DESEC_TOKEN`                                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/desec)            |
+| [DigitalOcean](https://www.digitalocean.com)                           | `digitalocean`     | `DO_AUTH_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean)     |
+| [DirectAdmin](https://www.directadmin.com)                             | `directadmin`      | `DIRECTADMIN_API_URL` , `DIRECTADMIN_USERNAME`, `DIRECTADMIN_PASSWORD`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/directadmin)      |
+| [DNS Made Easy](https://dnsmadeeasy.com)                               | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
+| [dnsHome.de](https://www.dnshome.de)                                   | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
+| [DNSimple](https://dnsimple.com)                                       | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
+| [DNSPod](https://www.dnspod.com/) (DEPRECATED)                         | `dnspod`           | DEPRECATED  use `tencentcloud` instead.                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
+| [Domain Offensive (do.de)](https://www.do.de/)                         | `dode`             | `DODE_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
+| [Domeneshop](https://domene.shop)                                      | `domeneshop`       | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)       |
+| [DreamHost](https://www.dreamhost.com/)                                | `dreamhost`        | `DREAMHOST_API_KEY`                                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)        |
+| [Duck DNS](https://www.duckdns.org/)                                   | `duckdns`          | `DUCKDNS_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)          |
+| [Dyn](https://dyn.com)                                                 | `dyn`              | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)              |
+| [DynDnsFree.de](https://www.dyndnsfree.de)                             | `dyndnsfree`       | `DYNDNSFREE_USERNAME`, `DYNDNSFREE_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dyndnsfree)       |
+| [Dynu](https://www.dynu.com)                                           | `dynu`             | `DYNU_API_KEY`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)             |
+| [EasyDNS](https://easydns.com/)                                        | `easydns`          | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)          |
+| [EdgeDNS](https://www.akamai.com/)                                     | `edgedns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
+| [Efficient IP](https://efficientip.com)                                | `efficientip`      | `EFFICIENTIP_USERNAME`, `EFFICIENTIP_PASSWORD`, `EFFICIENTIP_HOSTNAME`, `EFFICIENTIP_DNS_NAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/efficientip)      |
+| [Epik](https://www.epik.com)                                           | `epik`             | `EPIK_SIGNATURE`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/epik)             |
+| [Exoscale](https://www.exoscale.com)                                   | `exoscale`         | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)         |
+| [F5 XC](https://www.f5.com/products/distributed-cloud-services)        | `f5xc`             | `F5XC_API_TOKEN`, `F5XC_TENANT_NAME`, `F5XC_GROUP_NAME`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/f5xc)             |
+| [Fast DNS](https://www.akamai.com/)                                    | `fastdns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
+| [Freemyip.com](https://freemyip.com)                                   | `freemyip`         | `FREEMYIP_TOKEN`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip)         |
+| [G-Core](https://gcore.com/dns/)                                       | `gcore`            | `GCORE_PERMANENT_API_TOKEN`                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcore)            |
+| [Gandi v5](https://doc.livedns.gandi.net)                              | `gandiv5`          | `GANDIV5_PERSONAL_ACCESS_TOKEN`                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)          |
+| [Gandi](https://www.gandi.net)                                         | `gandi`            | `GANDI_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)            |
+| [Glesys](https://glesys.com/)                                          | `glesys`           | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)           |
+| [GoDaddy](https://www.godaddy.com)                                     | `godaddy`          | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)          |
+| [Google Cloud DNS](https://cloud.google.com/dns/docs/)                 | `gcloud`           | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)           |
+| [Google Domains](https://domains.google) (DEPRECATED)                  | `googledomains`    | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
+| [Hetzner](https://hetzner.com)                                         | `hetzner`          | `HETZNER_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
+| [hosting.de](https://www.hosting.de)                                   | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
+| [Hosttech](https://www.hosttech.eu)                                    | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
+| [http.net](https://www.http.net/)                                      | `httpnet`          | `HTTPNET_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/httpnet)          |
+| [Huawei Cloud](https://huaweicloud.com)                                | `huaweicloud`      | `HUAWEICLOUD_ACCESS_KEY_ID`, `HUAWEICLOUD_SECRET_ACCESS_KEY`, `HUAWEICLOUD_REGION`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/huaweicloud)      |
+| [Hurricane Electric](https://dns.he.net)                               | `hurricane`        | `HURRICANE_TOKENS` [^6]                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)        |
+| [HyperOne](https://www.hyperone.com)                                   | `hyperone`         | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)         |
+| [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)                    | `ibmcloud`         | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)         |
+| [IIJ DNS Platform Service](https://www.iij.ad.jp)                      | `iijdpf`           | `IIJ_DPF_API_TOKEN` , `IIJ_DPF_DPM_SERVICE_CODE`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/iijdpf)           |
+| [IIJ](https://www.iij.ad.jp/)                                          | `iij`              | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/iij)              |
+| [Infoblox](https://www.infoblox.com/)                                  | `infoblox`         | `INFOBLOX_USERNAME`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)         |
+| [Infomaniak](https://www.infomaniak.com)                               | `infomaniak`       | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)       |
+| [Internet.bs](https://internetbs.net)                                  | `internetbs`       | `INTERNET_BS_API_KEY`, `INTERNET_BS_PASSWORD`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/internetbs)       |
+| [INWX](https://www.inwx.de/en)                                         | `inwx`             | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)             |
+| [ionos](https://ionos.com/)                                            | `ionos`            | `IONOS_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)            |
+| [IPv64](https://ipv64.net)                                             | `ipv64`            | `IPV64_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/ipv64)            |
+| [iwantmyname](https://iwantmyname.com)                                 | `iwantmyname`      | `IWANTMYNAME_USERNAME` , `IWANTMYNAME_PASSWORD`                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/iwantmyname)      |
+| [Joker.com](https://joker.com)                                         | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
+| [Liara](https://liara.ir)                                              | `liara`            | `LIARA_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/liara)            |
+| [Lightsail](https://aws.amazon.com/lightsail/)                         | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
+| [Lima-City](https://www.lima-city.de)                                  | `limacity`         | `LIMACITY_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/limacity)         |
+| [Linode v4](https://www.linode.com)                                    | `linode`           | `LINODE_TOKEN`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/linode)           |
+| [Liquid Web](https://www.liquidweb.com/)                               | `liquidweb`        | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)        |
+| [Loopia](https://loopia.com/)                                          | `loopia`           | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)           |
+| [LuaDNS](https://luadns.com)                                           | `luadns`           | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)           |
+| [Mail-in-a-Box](https://mailinabox.email)                              | `mailinabox`       | `MAILINABOX_EMAIL`, `MAILINABOX_PASSWORD`, `MAILINABOX_BASE_URL`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/mailinabox)       |
+| [ManageEngine CloudDNS](https://clouddns.manageengine.com)             | `manageengine`     | `MANAGEENGINE_CLIENT_ID`, `MANAGEENGINE_CLIENT_SECRET`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/manageengine)     |
+| [Metaname](https://metaname.net)                                       | `metaname`         | `METANAME_ACCOUNT_REFERENCE`, `METANAME_API_KEY`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/metaname)         |
+| [Metaregistrar](https://metaregistrar.com)                             | `metaregistrar`    | `METAREGISTRAR_API_TOKEN`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/metaregistrar)    |
+| [mijn.host](https://mijn.host/)                                        | `mijnhost`         | `MIJNHOST_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/mijnhost)         |
+| [Mittwald](https://www.mittwald.de)                                    | `mittwald`         | `MITTWALD_TOKEN`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/mittwald)         |
+| [myaddr.{tools,dev,io}](https://myaddr.tools/)                         | `myaddr`           | `MYADDR_PRIVATE_KEYS_MAPPING`                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/myaddr)           |
+| [MyDNS.jp](https://www.mydns.jp/)                                      | `mydnsjp`          | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)          |
+| [Mythic Beasts](https://www.mythic-beasts.com)                         | `mythicbeasts`     | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts)     |
+| [name.com](https://www.name.com/)                                      | `namedotcom`       | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)       |
+| [Namecheap](https://www.namecheap.com)                                 | `namecheap`        | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)        |
+| [Namesilo](https://www.namesilo.com/)                                  | `namesilo`         | `NAMESILO_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)         |
+| [NearlyFreeSpeech.NET](https://www.nearlyfreespeech.net/)              | `nearlyfreespeech` | `NEARLYFREESPEECH_API_KEY`, `NEARLYFREESPEECH_LOGIN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/nearlyfreespeech) |
+| [Netcup](https://www.netcup.eu/)                                       | `netcup`           | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)           |
+| [Netlify](https://www.netlify.com)                                     | `netlify`          | `NETLIFY_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)          |
+| [Nicmanager](https://www.nicmanager.com)                               | `nicmanager`       | `NICMANAGER_API_EMAIL`, `NICMANAGER_API_PASSWORD`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/nicmanager)       |
+| [NIFCloud](https://cloud.nifty.com/service/dns.htm)                    | `nifcloud`         | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)         |
+| [Njalla](https://njal.la)                                              | `njalla`           | `NJALLA_TOKEN`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)           |
+| [Nodion](https://www.nodion.com)                                       | `nodion`           | `NODION_API_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/nodion)           |
+| [NS1](https://ns1.com/)                                                | `ns1`              | `NS1_API_KEY`                                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)              |
+| [Open Telekom Cloud](https://cloud.telekom.de)                         | `otc`              | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/otc)              |
+| [Openstack Designate](https://docs.openstack.org/designate)            | `designate`        | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/designate)        |
+| [Oracle Cloud](https://cloud.oracle.com/home)                          | `oraclecloud`      | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID`                                      | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)      |
+| [OVH](https://www.ovh.com)                                             | `ovh`              | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`, `OVH_CLIENT_ID`, `OVH_CLIENT_SECRET`                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)              |
+| [Plesk](https://www.plesk.com)                                         | `plesk`            | `PLESK_SERVER_BASE_URL`, `PLESK_USERNAME`, `PLESK_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/plesk)            |
+| [Porkbun](https://porkbun.com/)                                        | `porkbun`          | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)          |
+| [PowerDNS](https://www.powerdns.com)                                   | `pdns`             | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)             |
+| [Rackspace](https://www.rackspace.com/cloud/dns)                       | `rackspace`        | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)        |
+| [Rainyun/雨云](https://www.rainyun.com)                                  | `rainyun`          | `RAINYUN_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/rainyun)          |
+| [RcodeZero](https://www.rcodezero.at)                                  | `rcodezero`        | `RCODEZERO_API_TOKEN`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rcodezero)        |
+| [reg.ru](https://www.reg.ru)                                           | `regru`            | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/regru)            |
+| [Regfish](https://regfish.de)                                          | `regfish`          | `regfish`                                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/regfish)          |
+| [RFC2136](https://tools.ietf.org/html/rfc2136)                         | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
+| [RimuHosting](https://rimuhosting.com)                                 | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
+| [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
+| [RU Center](https://nic.ru/)                                           | `nicru`            | `NICRU_USER`, `NICRU_PASSWORD`, `NICRU_SERVICE_ID`, `NICRU_SECRET`, `NICRU_SERVICE_NAME`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/nicru)            |
+| [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
+| [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCW_API_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
+| [Selectel v2](https://selectel.ru/en/)                                 | `selectelv2`       | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2)       |
+| [Selectel](https://selectel.ru/en/)                                    | `selectel`         | `SELECTEL_API_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)         |
+| [SelfHost.(de/eu)](https://www.selfhost.de)                            | `selfhostde`       | `SELFHOSTDE_USERNAME`, `SELFHOSTDE_PASSWORD`, `SELFHOSTDE_RECORDS_MAPPING`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/selfhostde)       |
+| [Servercow](https://servercow.de)                                      | `servercow`        | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)        |
+| [Shellrent](https://www.shellrent.com)                                 | `shellrent`        | `SHELLRENT_USERNAME`, `SHELLRENT_TOKEN`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/shellrent)        |
+| [Simply.com](https://www.simply.com/en/domains/)                       | `simply`           | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/simply)           |
+| [Sonic](https://www.sonic.com/)                                        | `sonic`            | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)            |
+| [Spaceship](https://spaceship.com)                                     | `spaceship`        | `SPACESHIP_API_KEY`, `SPACESHIP_API_SECRET`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/spaceship)        |
+| [Stackpath](https://www.stackpath.com/)                                | `stackpath`        | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)        |
+| [Technitium](https://technitium.com)                                   | `technitium`       | `TECHNITIUM_SERVER_BASE_URL`, `TECHNITIUM_API_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/technitium)       |
+| [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)             | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
+| [Timeweb Cloud](https://timeweb.cloud)                                 | `timewebcloud`     | `TIMEWEBCLOUD_AUTH_TOKEN`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/timewebcloud)     |
+| [TransIP](https://www.transip.nl/)                                     | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
+| [UKFast SafeDNS](https://docs.ukfast.co.uk/domains/safedns/index.html) | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
+| [Ultradns](https://neustarsecurityservices.com/dns-services)           | `ultradns`         | `ULTRADNS_USERNAME`, `ULTRADNS_PASSWORD`                                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ultradns)         |
+| [Variomedia](https://www.variomedia.de/)                               | `variomedia`       | `VARIOMEDIA_API_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/variomedia)       |
+| [VegaDNS](https://github.com/shupp/VegaDNS-API)                        | `vegadns`          | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)          |
+| [Vercel](https://vercel.com)                                           | `vercel`           | `VERCEL_API_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vercel)           |
+| [Versio](https://www.versio.nl/domeinnamen)                            | `versio`           | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/versio)           |
+| [VinylDNS](https://www.vinyldns.io)                                    | `vinyldns`         | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)         |
+| [VK Cloud](https://mcs.mail.ru/)                                       | `vkcloud`          | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME`                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud)          |
+| [Volcano Engine](https://www.volcengine.com)                           | `volcengine`       | `VOLC_ACCESSKEY`, `VOLC_SECRETKEY`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/volcengine)       |
+| [Vscale](https://vscale.io/)                                           | `vscale`           | `VSCALE_API_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)           |
+| [VULTR](https://www.vultr.com)                                         | `vultr`            | `VULTR_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)            |
+| [Webnames](https://www.webnames.ru/)                                   | `webnames`         | `WEBNAMES_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/webnames)         |
+| [Websupport](https://websupport.sk)                                    | `websupport`       | `WEBSUPPORT_API_KEY`, `WEBSUPPORT_SECRET`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/websupport)       |
+| [WEDOS](https://www.wedos.com)                                         | `wedos`            | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)            |
+| [West.cn/西部数码](https://www.west.cn)                                    | `westcn`           | `WESTCN_USERNAME`, `WESTCN_PASSWORD`                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/westcn)           |
+| [Yandex 360](https://360.yandex.ru)                                    | `yandex360`        | `YANDEX360_OAUTH_TOKEN`, `YANDEX360_ORG_ID`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/yandex360)        |
+| [Yandex Cloud](https://cloud.yandex.com/en/)                           | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
+| [Yandex](https://yandex.com)                                           | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
+| [Zone.ee](https://www.zone.ee)                                         | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
+| [ZoneEdit](https://www.zoneedit.com)                                   | `zoneedit`         | `ZONEEDIT_USER`, `ZONEEDIT_AUTH_TOKEN`                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/zoneedit)         |
+| [Zonomi](https://zonomi.com)                                           | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
+| External Program                                                       | `exec`             | `EXEC_PATH`                                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/exec)             |
+| HTTP request                                                           | `httpreq`          | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)          |
+| manual                                                                 | `manual`           | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                                                          |                                                                                 |

 [^1]: More information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/).
 [^2]: [Providing credentials to your application](https://cloud.google.com/docs/authentication/production).
@@ -407,11 +483,6 @@ For complete details, refer to your provider's _Additional configuration_ link.
 [^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
 [^6]: As explained in the [LEGO hurricane configuration](https://go-acme.github.io/lego/dns/hurricane/#credentials), each domain or wildcard (record name) needs a token. So each update of record name must be followed by an update of the `HURRICANE_TOKENS` variable, and a restart of Traefik.

-!!! info "`delayBeforeCheck`"
-    By default, the `provider` verifies the TXT record _before_ letting ACME verify.
-    You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
-    This option is useful when internal networks block external DNS queries.
-
 #### `resolvers`

 Use custom DNS servers to resolve the FQDN authority.
@@ -441,6 +512,66 @@ certificatesResolvers:
 --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```

+#### `delayBeforeCheck`
+
+By default, the `provider` verifies the TXT record _before_ letting ACME verify.
+
+You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
+
+This option is useful when internal networks block external DNS queries.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        delayBeforeCheck: 2s
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    delayBeforeCheck = "2s"
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=2s
+```
+
+#### `disablePropagationCheck`
+
+**Not recommended**
+
+Disable the TXT records propagation checks before notifying ACME that the DNS challenge is ready. 
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        disablePropagationCheck: true
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    disablePropagationCheck = true
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.disablePropagationCheck=true
+```
+
 #### Wildcard Domains

 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
@@ -557,9 +688,21 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik

 _Optional, Default=2160_

-The `certificatesDuration` option defines the certificates' duration in hours.
+`certificatesDuration` is used to calculate two durations:
+
+- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
+- `Renew Interval`: the interval between renew attempts.
+
 It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.

+| Certificate Duration | Renew Period      | Renew Interval          |
+|----------------------|-------------------|-------------------------|
+| >= 1 year            | 4 months          | 1 week                  |
+| >= 90 days           | 30 days           | 1 day                   |
+| >= 7 days            | 1 day             | 1 hour                  |
+| >= 24 hours          | 6 hours           | 10 min                  |
+| < 24 hours           | 20 min            | 1 min                   |
+
 !!! warning "Traefik cannot manage certificates with a duration lower than 1 hour."

 ```yaml tab="File (YAML)"
@@ -584,19 +727,6 @@ certificatesResolvers:
 # ...
 ```

-`certificatesDuration` is used to calculate two durations:
-
- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
- `Renew Interval`: the interval between renew attempts.
-
-| Certificate Duration | Renew Period      | Renew Interval          |
-|----------------------|-------------------|-------------------------|
-| >= 1 year            | 4 months          | 1 week                  |
-| >= 90 days           | 30 days           | 1 day                   |
-| >= 7 days            | 1 day             | 1 hour                  |
-| >= 24 hours          | 6 hours           | 10 min                  |
-| < 24 hours           | 20 min            | 1 min                   |
-
 ### `preferredChain`

 _Optional, Default=""_
@@ -661,23 +791,10 @@ certificatesResolvers:
 If Let's Encrypt is not reachable, the following certificates will apply:

  1. Previously generated ACME certificates (before downtime)
-  1. Expired ACME certificates
-  1. Provided certificates
+  2. Expired ACME certificates
+  3. Provided certificates

 !!! important
    For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
-    
-!!! question "Using Traefik for Business Applications?"

-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
+{!traefik-for-business-applications.md!}
--- a/docs/content/https/include-acme-multiple-domains-example.md
+++ b/docs/content/https/include-acme-multiple-domains-example.md
@@ -5,7 +5,7 @@ labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver
-  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].main=example.com
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```

@@ -17,12 +17,12 @@ deploy:
    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
    - traefik.http.routers.blog.tls=true
    - traefik.http.routers.blog.tls.certresolver=myresolver
-    - traefik.http.routers.blog.tls.domains[0].main=example.org
+    - traefik.http.routers.blog.tls.domains[0].main=example.com
    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: blogtls
@@ -38,7 +38,7 @@ spec:
  tls:
    certResolver: myresolver
    domains:
-    - main: example.org
+    - main: example.com
      sans:
      - '*.example.org'
 ```
@@ -49,7 +49,7 @@ labels: {
  "traefik.http.routers.blog.tls": "true",
  "traefik.http.routers.blog.tls.certresolver": "myresolver",
  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
-  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
+  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.org",
  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
 }
 ```
@@ -60,7 +60,7 @@ labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver
-  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].main=example.com
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```

@@ -73,7 +73,7 @@ http:
      tls:
        certResolver: myresolver
        domains:
-          - main: "example.org"
+          - main: "example.com"
            sans:
              - "*.example.org"
 ```
@@ -86,6 +86,6 @@ http:
    [http.routers.blog.tls]
      certResolver = "myresolver" # From static configuration
      [[http.routers.blog.tls.domains]]
-        main = "example.org"
+        main = "example.com"
        sans = ["*.example.org"]
 ```
--- a/docs/content/https/include-acme-multiple-domains-from-rule-example.md
+++ b/docs/content/https/include-acme-multiple-domains-from-rule-example.md
@@ -18,7 +18,7 @@ deploy:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: blogtls
--- a/docs/content/https/include-acme-single-domain-example.md
+++ b/docs/content/https/include-acme-single-domain-example.md
@@ -18,7 +18,7 @@ deploy:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: blogtls
--- a/docs/content/https/overview.md
+++ b/docs/content/https/overview.md
@@ -19,3 +19,5 @@ The next sections of this documentation explain how to configure the TLS connect
 That is to say, how to obtain [TLS certificates](./tls.md#certificates-definition):
 either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
 And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -134,7 +134,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSStore
 metadata:
  name: default
@@ -157,7 +157,75 @@ data:
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
 ```

-If no default certificate is provided, Traefik generates and uses a self-signed certificate.
+If no `defaultCertificate` is provided, Traefik will use the generated one.
+
+### ACME Default Certificate
+
+You can configure Traefik to use an ACME provider (like Let's Encrypt) to generate the default certificate.
+The configuration to resolve the default certificate should be defined in a TLS store:
+
+!!! important "Precedence with the `defaultGeneratedCert` option"
+
+    The `defaultGeneratedCert` definition takes precedence over the ACME default certificate configuration.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  stores:
+    default:
+      defaultGeneratedCert:
+        resolver: myresolver
+        domain:
+          main: example.org
+          sans:
+            - foo.example.org
+            - bar.example.org
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.stores]
+  [tls.stores.default.defaultGeneratedCert]
+    resolver = "myresolver"
+    [tls.stores.default.defaultGeneratedCert.domain]
+      main = "example.org"
+      sans = ["foo.example.org", "bar.example.org"]
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  defaultGeneratedCert:
+    resolver: myresolver
+    domain:
+      main: example.org
+      sans:
+        - foo.example.org
+        - bar.example.org
+```
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
+  - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org"
+  - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.tls.stores.default.defaultgeneratedcert.resolver": "myresolver",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.main": "example.org",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.sans": "foo.example.org, bar.example.org",
+}
+```

 ## TLS Options

@@ -174,7 +242,7 @@ The TLS options allow one to configure some parameters of the TLS connection.

 !!! important "TLSOption in Kubernetes"

-    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../../routing/providers/kubernetes-crd/#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
    if not explicitly overwritten, should apply to all ingresses.  
    To achieve that, you'll have to create a TLSOption resource with the name `default`.
    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
@@ -209,7 +277,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -219,7 +287,7 @@ spec:
  minVersion: VersionTLS12

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: mintls13
@@ -260,7 +328,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -270,7 +338,7 @@ spec:
  maxVersion: VersionTLS13

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: maxtls12
@@ -305,7 +373,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -324,11 +392,11 @@ spec:

 ### Curve Preferences

-This option allows to set the preferred elliptic curves in a specific order.
+This option allows to set the enabled elliptic curves for key exchange.

 The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used.

-See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
+See [CurvePreferences](https://godoc.org/crypto/tls#Config.CurvePreferences) and [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.

 ```yaml tab="File (YAML)"
 # Dynamic configuration
@@ -350,7 +418,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -386,7 +454,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -396,39 +464,6 @@ spec:
  sniStrict: true
 ```

-### Prefer Server Cipher Suites
-
-This option allows the server to choose its most preferred cipher suite instead of the client's.
-Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
-  options:
-    default:
-      preferServerCipherSuites: true
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    preferServerCipherSuites = true
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
-kind: TLSOption
-metadata:
-  name: default
-  namespace: default
-
-spec:
-  preferServerCipherSuites: true
-```
-
 ### ALPN Protocols

 _Optional, Default="h2, http/1.1, acme-tls/1"_
@@ -458,7 +493,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -474,15 +509,17 @@ spec:

 Traefik supports mutual authentication, through the `clientAuth` section.

-For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `clientAuth.caFiles`.
+For authentication policies that require verification of the client certificate, the certificate authority for the certificates should be set in `clientAuth.caFiles`.
+
+In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) for more details.

 The `clientAuth.clientAuthType` option governs the behaviour as follows:

 - `NoClientCert`: disregards any client certificate.
 - `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles`.
- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles`. Otherwise proceeds without any certificate.
- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`.
+- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`.
+- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`. Otherwise proceeds without any certificate.
+- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`.

 ```yaml tab="File (YAML)"
 # Dynamic configuration
@@ -510,7 +547,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -523,3 +560,5 @@ spec:
      - secretCA
    clientAuthType: RequireAndVerifyClientCert
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/includes/.markdownlint.json
+++ b/docs/content/includes/.markdownlint.json
@@ -0,0 +1,4 @@
+{
+  "extends": "../../.markdownlint.json",
+  "MD041": false
+}
--- a/docs/content/includes/traefik-for-business-applications.md
+++ b/docs/content/includes/traefik-for-business-applications.md
@@ -0,0 +1,10 @@
+---
+
+!!! question "Using Traefik OSS in Production?"
+
+    If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.
+
+    - [Watch our API Gateway Demo Video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc)
+    - [Request 24/7/365 OSS Support](https://info.traefik.io/request-commercial-support?cta=doc)
+
+    Adding API Gateway capabilities to Traefik OSS is fast and seamless. There's no rip and replace and all configurations remain intact. See it in action via [this short video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc).
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -7,27 +7,27 @@ description: "Traefik Proxy, an open source Edge Router, auto-discovers configur

 ![Architecture](assets/img/traefik-architecture.png)

-Traefik is an [open-source](https://github.com/traefik/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
-It receives requests on behalf of your system and finds out which components are responsible for handling them. 
+Traefik is an [open-source](https://github.com/traefik/traefik) *Application Proxy* that makes publishing your services a fun and easy experience. 
+It receives requests on behalf of your system and identifies which components are responsible for handling them, and routes them securely. 

 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
 The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. 

-Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
+Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, Mesos, Marathon, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
 
 With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
-With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.   
+With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.

-Developing Traefik, our main goal is to make it simple to use, and we're sure you'll enjoy it.
+And if your needs change, you can add API gateway and API management capabilities seamlessly to your existing Traefik deployments. It takes less than a minute, there’s no rip-and-replace, and all your configurations are preserved. See this in action in [our API gateway demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=docs).
+
+Developing Traefik, our main goal is to make it effortless to use, and we're sure you'll enjoy it.

 -- The Traefik Maintainer Team 

 !!! info

-    Join our user friendly and active [Community Forum](https://community.traefik.io) to discuss, learn, and connect with the traefik community.
-    
-    Using Traefik for commercial applications?
-    Consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/) of Traefik as your [Kubernetes Ingress](https://traefik.io/solutions/kubernetes-ingress/), 
-    your [Docker Swarm Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/), 
-    or your [API gateway](https://traefik.io/solutions/api-gateway/). 
-    Get started with a [free 30-day trial](https://info.traefik.io/get-traefik-enterprise-free-for-30-days).
+    Have a question? Join our [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the Traefik community.
+
+    Using Traefik OSS in Production? Consider our enterprise-grade [API Gateway](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc) or our [24/7/365 OSS Support](https://info.traefik.io/request-commercial-support?cta=doc).
+
+    Explore our API Gateway upgrade via [this short demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc).
--- a/docs/content/middlewares/http/addprefix.md
+++ b/docs/content/middlewares/http/addprefix.md
@@ -22,7 +22,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Prefixing with /foo
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: add-foo
--- a/docs/content/middlewares/http/basicauth.md
+++ b/docs/content/middlewares/http/basicauth.md
@@ -10,7 +10,7 @@ Adding Basic Authentication

 ![BasicAuth](../../assets/img/middleware/basicauth.png)

-The BasicAuth middleware restricts access to your services to known users.
+The BasicAuth middleware grants access to services to authorized users only.

 ## Configuration Examples

@@ -21,14 +21,14 @@ The BasicAuth middleware restricts access to your services to known users.
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
 #
-# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
+# Also note that dollar signs should NOT be doubled when they are not being evaluated (e.g. Ansible docker_container module).
 labels:
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```

 ```yaml tab="Kubernetes"
 # Declaring the user list
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -114,7 +114,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Declaring the user list
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -207,7 +207,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -274,7 +274,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -322,7 +322,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: my-auth
@@ -367,7 +367,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -404,3 +404,4 @@ http:
  [http.middlewares.test-auth.basicAuth]
    removeHeader = true
 ```
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/buffering.md
+++ b/docs/content/middlewares/http/buffering.md
@@ -26,7 +26,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Sets the maximum request body to 2MB
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit
@@ -84,7 +84,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit
@@ -134,7 +134,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit
@@ -186,7 +186,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit
@@ -236,7 +236,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit
@@ -288,7 +288,7 @@ You can have the Buffering middleware replay the request using `retryExpression`
    ```

    ```yaml tab="Kubernetes"
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: limit
@@ -331,3 +331,7 @@ The retry expression is defined as a logical combination of the functions below
 - `Attempts()` number of attempts (the first one counts)
 - `ResponseCode()` response code of the service
 - `IsNetworkError()` whether the response code is related to networking error
+
+### Content-Length
+
+See [Best Practices: Content‑Length](../../security/content-length.md)
--- a/docs/content/middlewares/http/chain.md
+++ b/docs/content/middlewares/http/chain.md
@@ -30,7 +30,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: test
@@ -47,7 +47,7 @@ spec:
      middlewares:
        - name: secured
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: secured
@@ -58,7 +58,7 @@ spec:
    - name: known-ips
    - name: auth-users
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: auth-users
@@ -67,7 +67,7 @@ spec:
    users:
    - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: https-only
@@ -75,7 +75,7 @@ spec:
  redirectScheme:
    scheme: https
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: known-ips
--- a/docs/content/middlewares/http/circuitbreaker.md
+++ b/docs/content/middlewares/http/circuitbreaker.md
@@ -38,7 +38,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Latency Check
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: latency-check
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -22,7 +22,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Enable gzip compression
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-compress
@@ -88,7 +88,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-compress
@@ -142,7 +142,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-compress
--- a/docs/content/middlewares/http/contenttype.md
+++ b/docs/content/middlewares/http/contenttype.md
@@ -40,7 +40,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Disable auto-detection
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: autodetect
--- a/docs/content/middlewares/http/digestauth.md
+++ b/docs/content/middlewares/http/digestauth.md
@@ -10,7 +10,7 @@ Adding Digest Authentication

 ![BasicAuth](../../assets/img/middleware/digestauth.png)

-The DigestAuth middleware restricts access to your services to known users.
+The DigestAuth middleware grants access to services to authorized users only.

 ## Configuration Examples

@@ -22,7 +22,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Declaring the user list
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -90,7 +90,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -161,7 +161,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -228,7 +228,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -276,7 +276,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: my-auth
@@ -326,7 +326,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
--- a/docs/content/middlewares/http/errorpages.md
+++ b/docs/content/middlewares/http/errorpages.md
@@ -21,20 +21,23 @@ The Errors middleware returns a custom page in lieu of the default, according to
 ```yaml tab="Docker"
 # Dynamic Custom Error Page for 5XX Status Code
 labels:
-  - "traefik.http.middlewares.test-errors.errors.status=500-599"
+  - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
  - "traefik.http.middlewares.test-errors.errors.service=serviceError"
  - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-errors
 spec:
  errors:
    status:
-      - "500-599"
+      - "500"
+      - "501"
+      - "503"
+      - "505-599"
    query: /{status}.html
    service:
      name: whoami
@@ -42,36 +45,39 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Dynamic Custom Error Page for 5XX Status Code
- "traefik.http.middlewares.test-errors.errors.status=500-599"
+# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
+- "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
 - "traefik.http.middlewares.test-errors.errors.service=serviceError"
 - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-errors.errors.status": "500-599",
+  "traefik.http.middlewares.test-errors.errors.status": "500,501,503,505-599",
  "traefik.http.middlewares.test-errors.errors.service": "serviceError",
  "traefik.http.middlewares.test-errors.errors.query": "/{status}.html"
 }
 ```

 ```yaml tab="Rancher"
-# Dynamic Custom Error Page for 5XX Status Code
+# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
 labels:
-  - "traefik.http.middlewares.test-errors.errors.status=500-599"
+  - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
  - "traefik.http.middlewares.test-errors.errors.service=serviceError"
  - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
 ```

 ```yaml tab="File (YAML)"
-# Custom Error Page for 5XX
+# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
 http:
  middlewares:
    test-errors:
      errors:
        status:
-          - "500-599"
+          - "500"
+          - "501"
+          - "503"
+          - "505-599"
        service: serviceError
        query: "/{status}.html"

@@ -80,10 +86,10 @@ http:
 ```

 ```toml tab="File (TOML)"
-# Custom Error Page for 5XX
+# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
 [http.middlewares]
  [http.middlewares.test-errors.errors]
-    status = ["500-599"]
+    status = ["500","501","503","505-599"]
    service = "serviceError"
    query = "/{status}.html"

@@ -101,14 +107,16 @@ http:

 The `status` option defines which status or range of statuses should result in an error page.

-The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
+The status code ranges are inclusive (`505-599` will trigger with every code between `505` and `599`, `505` and `599` included).

 !!! note ""

    You can define either a status code as a number (`500`),
    as multiple comma-separated numbers (`500,502`),
-    as ranges by separating two codes with a dash (`500-599`),
-    or a combination of the two (`404,418,500-599`).
+    as ranges by separating two codes with a dash (`505-599`),
+    or a combination of the two (`404,418,505-599`).
+    The comma-separated syntax is only available for label-based providers.
+    The examples above demonstrate which syntax is appropriate for each provider.

 ### `service`

--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -24,7 +24,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Forward authentication to example.com
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -90,7 +90,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -138,7 +138,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -190,7 +190,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -248,7 +248,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -307,7 +307,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -371,7 +371,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -440,7 +440,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -518,7 +518,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -594,7 +594,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -637,3 +637,4 @@ http:
    [http.middlewares.test-auth.forwardAuth.tls]
      insecureSkipVerify: true
 ```
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@@ -27,7 +27,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-header
@@ -90,7 +90,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-header
@@ -158,7 +158,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-header
@@ -207,18 +207,21 @@ http:
 CORS (Cross-Origin Resource Sharing) headers can be added and configured in a manner similar to the custom headers above.
 This functionality allows for more advanced security features to quickly be set.
 If CORS headers are set, then the middleware does not pass preflight requests to any service,
-instead the response will be generated and sent back to the client directly.
+instead the response will be generated and sent back to the client directly.  
+Please note that the example below is by no means authoritative or exhaustive,
+and should not be used as is for production.

 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-header
@@ -228,6 +231,8 @@ spec:
      - "GET"
      - "OPTIONS"
      - "PUT"
+    accessControlAllowHeaders:
+      - "*"
    accessControlAllowOriginList:
      - "https://foo.bar.org"
      - "https://example.org"
@@ -237,6 +242,7 @@ spec:

 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+- "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
 - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
 - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
 - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
@@ -245,6 +251,7 @@ spec:
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
+  "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*",
  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
  "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
  "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
@@ -254,6 +261,7 @@ spec:
 ```yaml tab="Rancher"
 labels:
  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
@@ -268,6 +276,7 @@ http:
          - GET
          - OPTIONS
          - PUT
+        accessControlAllowHeaders: "*"
        accessControlAllowOriginList:
          - https://foo.bar.org
          - https://example.org
@@ -278,7 +287,8 @@ http:
 ```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.testHeader.headers]
-    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
+    accessControlAllowMethods = ["GET", "OPTIONS", "PUT"]
+    accessControlAllowHeaders = [ "*" ]
    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
    accessControlMaxAge = 100
    addVaryHeader = true
@@ -469,3 +479,5 @@ The `permissionsPolicy` allows sites to control browser features.
 Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options.
 Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
 If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/inflightreq.md
+++ b/docs/content/middlewares/http/inflightreq.md
@@ -20,7 +20,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -75,7 +75,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -127,6 +127,8 @@ If none are set, the default is to use the `requestHost`.

 The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.

+!!! important "As a middleware, InFlightReq happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through the middleware. Therefore, during InFlightReq, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be used and/or relied upon."
+
 ##### `ipStrategy.depth`

 The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
@@ -150,7 +152,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -215,7 +217,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -272,7 +274,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -323,7 +325,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -333,7 +335,7 @@ spec:
      requestHost: true
 ```

-```yaml tab="Cosul Catalog"
+```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```

--- a/docs/content/middlewares/http/ipallowlist.md
+++ b/docs/content/middlewares/http/ipallowlist.md
@@ -0,0 +1,246 @@
+---
+title: "Traefik HTTP Middlewares IPAllowList"
+description: "Learn how to use IPAllowList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+---
+
+# IPAllowList
+
+Limiting Clients to Specific IPs
+{: .subtitle }
+
+IPAllowList limits allowed requests based on the client IP.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+# Accepts request from defined IP
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipallowlist
+spec:
+  ipAllowList:
+    sourceRange:
+      - 127.0.0.1/32
+      - 192.168.1.7
+```
+
+```yaml tab="Consul Catalog"
+# Accepts request from defined IP
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Accepts request from defined IP
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
+```yaml tab="File (YAML)"
+# Accepts request from defined IP
+http:
+  middlewares:
+    test-ipallowlist:
+      ipAllowList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.1.7"
+```
+
+```toml tab="File (TOML)"
+# Accepts request from defined IP
+[http.middlewares]
+  [http.middlewares.test-ipallowlist.ipAllowList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+```
+
+## Configuration Options
+
+### `sourceRange`
+
+_Required_
+
+The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
+
+### `ipStrategy`
+
+The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.  
+If no strategy is set, the default behavior is to match `sourceRange` against the Remote address found in the request.
+
+!!! important "As a middleware, whitelisting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through whitelisting. Therefore, during whitelisting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be matched against `sourceRange`."
+
+#### `ipStrategy.depth`
+
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
+
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
+- `depth` is ignored if its value is less than or equal to 0.
+
+!!! example "Examples of Depth & X-Forwarded-For"
+
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
+
+    | `X-Forwarded-For`                       | `depth` | clientIP     |
+    |-----------------------------------------|---------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+
+```yaml tab="Docker"
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
+```
+
+```yaml tab="Kubernetes"
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipallowlist
+spec:
+  ipAllowList:
+    sourceRange:
+      - 127.0.0.1/32
+      - 192.168.1.7
+    ipStrategy:
+      depth: 2
+```
+
+```yaml tab="Consul Catalog"
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
+```
+
+```yaml tab="File (YAML)"
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
+http:
+  middlewares:
+    test-ipallowlist:
+      ipAllowList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.1.7"
+        ipStrategy:
+          depth: 2
+```
+
+```toml tab="File (TOML)"
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
+[http.middlewares]
+  [http.middlewares.test-ipallowlist.ipAllowList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
+      depth = 2
+```
+
+#### `ipStrategy.excludedIPs`
+
+`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
+
+!!! important "If `depth` is specified, `excludedIPs` is ignored."
+
+!!! example "Example of ExcludedIPs & X-Forwarded-For"
+
+    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
+    |-----------------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+
+```yaml tab="Docker"
+# Exclude from `X-Forwarded-For`
+labels:
+    - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+    - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```yaml tab="Kubernetes"
+# Exclude from `X-Forwarded-For`
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipallowlist
+spec:
+  ipAllowList:
+    sourceRange:
+      - 127.0.0.1/32
+      - 192.168.1.0/24
+    ipStrategy:
+      excludedIPs:
+        - 127.0.0.1/32
+        - 192.168.1.7
+```
+
+```yaml tab="Consul Catalog"
+# Exclude from `X-Forwarded-For`
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Exclude from `X-Forwarded-For`
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
+```yaml tab="File (YAML)"
+# Exclude from `X-Forwarded-For`
+http:
+  middlewares:
+    test-ipallowlist:
+      ipAllowList:
+        sourceRange:
+         - 127.0.0.1/32
+         - 192.168.1.0/24
+        ipStrategy:
+          excludedIPs:
+            - 127.0.0.1/32
+            - 192.168.1.7
+```
+
+```toml tab="File (TOML)"
+# Exclude from `X-Forwarded-For`
+[http.middlewares]
+  [http.middlewares.test-ipallowlist.ipAllowList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.0/24"]
+    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
--- a/docs/content/middlewares/http/ipwhitelist.md
+++ b/docs/content/middlewares/http/ipwhitelist.md
@@ -8,9 +8,13 @@ description: "Learn how to use IPWhiteList in HTTP middleware for limiting clien
 Limiting Clients to Specific IPs
 {: .subtitle }

-![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)
+![IPWhiteList](../../assets/img/middleware/ipwhitelist.png)

-IPWhitelist accepts / refuses requests based on the client IP.
+IPWhiteList limits allowed requests based on the client IP.
+
+!!! warning
+
+    This middleware is deprecated, please use the [IPAllowList](./ipallowlist.md) middleware instead.

 ## Configuration Examples

@@ -21,7 +25,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ipwhitelist
@@ -71,11 +75,16 @@ http:

 ### `sourceRange`

+_Required_
+
 The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).

 ### `ipStrategy`

-The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.  
+If no strategy is set, the default behavior is to match `sourceRange` against the Remote address found in the request.
+
+!!! important "As a middleware, whitelisting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through whitelisting. Therefore, during whitelisting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be matched against `sourceRange`."

 #### `ipStrategy.depth`

@@ -103,7 +112,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ipwhitelist
@@ -177,18 +186,22 @@ http:
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
+    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
 # Exclude from `X-Forwarded-For`
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ipwhitelist
 spec:
  ipWhiteList:
    ipStrategy:
+      sourceRange:
+        - 127.0.0.1/32
+        - 192.168.1.0/24
      excludedIPs:
        - 127.0.0.1/32
        - 192.168.1.7
@@ -196,11 +209,13 @@ spec:

 ```yaml tab="Consul Catalog"
 # Exclude from `X-Forwarded-For`
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```json tab="Marathon"
 "labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
 }
 ```
@@ -208,6 +223,7 @@ spec:
 ```yaml tab="Rancher"
 # Exclude from `X-Forwarded-For`
 labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

@@ -217,16 +233,20 @@ http:
  middlewares:
    test-ipwhitelist:
      ipWhiteList:
+        sourceRange:
+          - 127.0.0.1/32
+          - 192.168.1.0/24
        ipStrategy:
          excludedIPs:
-            - "127.0.0.1/32"
-            - "192.168.1.7"
+            - 127.0.0.1/32
+            - 192.168.1.7
 ```

 ```toml tab="File (TOML)"
 # Exclude from `X-Forwarded-For`
 [http.middlewares]
  [http.middlewares.test-ipwhitelist.ipWhiteList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.0/24"]
    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -24,14 +24,14 @@ whoami:
    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```

-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 # As a Kubernetes Traefik IngressRoute
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: middlewares.traefik.containo.us
+  name: middlewares.traefik.io
 spec:
-  group: traefik.containo.us
+  group: traefik.io
  version: v1alpha1
  names:
    kind: Middleware
@@ -40,7 +40,7 @@ spec:
  scope: Namespaced

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: stripprefix
@@ -50,7 +50,7 @@ spec:
      - /stripit

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: ingressroute
@@ -156,4 +156,6 @@ http:

 ## Community Middlewares

-Please take a look at the community-contributed plugins in the [plugin catalog](https://pilot.traefik.io/plugins).
+Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/passtlsclientcert.md
+++ b/docs/content/middlewares/http/passtlsclientcert.md
@@ -16,16 +16,16 @@ PassTLSClientCert adds the selected data from the passed client TLS certificate

 ## Configuration Examples

-Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.

 ```yaml tab="Docker"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-passtlsclientcert
@@ -35,7 +35,7 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header
 - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```

@@ -46,13 +46,13 @@ spec:
 ```

 ```yaml tab="Rancher"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```

 ```yaml tab="File (YAML)"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 http:
  middlewares:
    test-passtlsclientcert:
@@ -61,13 +61,13 @@ http:
 ```

 ```toml tab="File (TOML)"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 [http.middlewares]
  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
    pem = true
 ```

-??? example "Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
+??? example "Pass the pem in the `X-Forwarded-Tls-Client-Cert` header"

    ```yaml tab="Docker"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
@@ -95,7 +95,7 @@ http:

    ```yaml tab="Kubernetes"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: test-passtlsclientcert
@@ -254,12 +254,12 @@ http:

 PassTLSClientCert can add two headers to the request:

- `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
+- `X-Forwarded-Tls-Client-Cert` that contains the pem.
 - `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.

 !!! info

-    * Each header value is a string that has been escaped in order to be a valid URL query.
+    * `X-Forwarded-Tls-Client-Cert-Info` header value is a string that has been escaped in order to be a valid URL query.
    * These options only work accordingly to the [MutualTLS configuration](../../https/tls.md#client-authentication-mtls).
    That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.

@@ -371,7 +371,7 @@ The following example shows a complete certificate and explains each of the midd

 ### `pem`

-The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escaped certificate.
+The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the certificate.

 In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters:

--- a/docs/content/middlewares/http/ratelimit.md
+++ b/docs/content/middlewares/http/ratelimit.md
@@ -10,32 +10,34 @@ To Control the Number of Requests Going to a Service

 The RateLimit middleware ensures that services will receive a _fair_ amount of requests, and allows one to define what fair is.

+It is based on a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) implementation. In this analogy, the [average](#average) parameter (defined below) is the rate at which the bucket refills, and the [burst](#burst) is the size (volume) of the bucket.
+
 ## Configuration Example

 ```yaml tab="Docker"
 # Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 50 requests is allowed.
+# In addition, a burst of 200 requests is allowed.
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=200"
 ```

 ```yaml tab="Kubernetes"
 # Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 50 requests is allowed.
-apiVersion: traefik.containo.us/v1alpha1
+# In addition, a burst of 200 requests is allowed.
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
 spec:
  rateLimit:
    average: 100
-    burst: 50
+    burst: 200
 ```

 ```yaml tab="Consul Catalog"
 # Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 50 requests is allowed.
+# In addition, a burst of 200 requests is allowed.
 - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```
@@ -43,36 +45,36 @@ spec:
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
-  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "50"
+  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "200"
 }
 ```

 ```yaml tab="Rancher"
 # Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 50 requests is allowed.
+# In addition, a burst of 200 requests is allowed.
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=200"
 ```

 ```yaml tab="File (YAML)"
 # Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 50 requests is allowed.
+# In addition, a burst of 200 requests is allowed.
 http:
  middlewares:
    test-ratelimit:
      rateLimit:
        average: 100
-        burst: 50
+        burst: 200
 ```

 ```toml tab="File (TOML)"
 # Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 50 requests is allowed.
+# In addition, a burst of 200 requests is allowed.
 [http.middlewares]
  [http.middlewares.test-ratelimit.rateLimit]
    average = 100
-    burst = 50
+    burst = 200
 ```

 ## Configuration Options
@@ -94,7 +96,7 @@ labels:

 ```yaml tab="Kubernetes"
 # 100 reqs/s
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -154,7 +156,7 @@ labels:

 ```yaml tab="Kubernetes"
 # 6 reqs/minute
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -214,7 +216,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -262,6 +264,8 @@ If none are set, the default is to use the request's remote address field (as an

 The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.

+!!! important "As a middleware, rate-limiting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through rate-limiting. Therefore, during rate-limiting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be found and/or relied upon."
+
 ##### `ipStrategy.depth`

 The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
@@ -285,7 +289,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -377,7 +381,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -428,13 +432,15 @@ http:

 Name of the header used to group incoming requests.

+!!! important "If the header is not present, rate limiting will still be applied, but all requests without the specified header will be grouped together."
+
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -485,7 +491,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
--- a/docs/content/middlewares/http/redirectregex.md
+++ b/docs/content/middlewares/http/redirectregex.md
@@ -26,7 +26,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Redirect with domain replacement
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-redirectregex
@@ -99,3 +99,5 @@ The `replacement` option defines how to modify the URL to have the new target UR
 !!! warning

    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/redirectscheme.md
+++ b/docs/content/middlewares/http/redirectscheme.md
@@ -34,7 +34,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-redirectscheme
@@ -98,7 +98,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-redirectscheme
@@ -159,7 +159,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-redirectscheme
@@ -215,7 +215,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-redirectscheme
--- a/docs/content/middlewares/http/replacepath.md
+++ b/docs/content/middlewares/http/replacepath.md
@@ -24,7 +24,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Replace the path with /foo
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-replacepath
--- a/docs/content/middlewares/http/replacepathregex.md
+++ b/docs/content/middlewares/http/replacepathregex.md
@@ -25,7 +25,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Replace path with regex
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-replacepathregex
--- a/docs/content/middlewares/http/retry.md
+++ b/docs/content/middlewares/http/retry.md
@@ -12,8 +12,11 @@ Retrying until it Succeeds
 TODO: add schema
 -->

-The Retry middleware reissues requests a given number of times to a backend server if that server does not reply.
-As soon as the server answers, the middleware stops retrying, regardless of the response status.
+The Retry middleware reissues requests a given number of times when it cannot contact the backend service. 
+This applies at the transport level (TCP). 
+If the service does not respond to the initial connection attempt, the middleware retries.
+However, once the service responds, regardless of the HTTP status code, the middleware considers it operational and stops retrying.
+This means that the retry mechanism does not handle HTTP errors; it only retries when there is no response at the TCP level.
 The Retry middleware has an optional configuration to enable an exponential backoff.

 ## Configuration Examples
@@ -27,7 +30,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Retry 4 times with exponential backoff
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-retry
--- a/docs/content/middlewares/http/stripprefix.md
+++ b/docs/content/middlewares/http/stripprefix.md
@@ -24,7 +24,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Strip prefix /foobar and /fiibar
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-stripprefix
@@ -130,7 +130,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: example
@@ -170,3 +170,5 @@ http:
    prefixes = ["/foobar"]
    forceSlash = false
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/stripprefixregex.md
+++ b/docs/content/middlewares/http/stripprefixregex.md
@@ -18,7 +18,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-stripprefixregex
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -35,9 +35,9 @@ whoami:
    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```

-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: stripprefix
@@ -47,7 +47,7 @@ spec:
      - /stripit

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: ingressroute
@@ -129,3 +129,5 @@ http:
 A list of HTTP middlewares can be found [here](http/overview.md).

 A list of TCP middlewares can be found [here](tcp/overview.md).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/tcp/inflightconn.md
+++ b/docs/content/middlewares/tcp/inflightconn.md
@@ -13,7 +13,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: MiddlewareTCP
 metadata:
  name: test-inflightconn
--- a/docs/content/middlewares/tcp/ipallowlist.md
+++ b/docs/content/middlewares/tcp/ipallowlist.md
@@ -0,0 +1,60 @@
+---
+title: "Traefik TCP Middlewares IPAllowList"
+description: "Learn how to use IPAllowList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+---
+
+# IPAllowList
+
+Limiting Clients to Specific IPs
+{: .subtitle }
+
+IPAllowList limits allowed requests based on the client IP.
+
+## Configuration Examples
+
+```yaml tab="Docker & Swarm"
+# Accepts connections from defined IP
+labels:
+  - "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: test-ipallowlist
+spec:
+  ipAllowList:
+    sourceRange:
+      - 127.0.0.1/32
+      - 192.168.1.7
+```
+
+```yaml tab="Consul Catalog"
+# Accepts request from defined IP
+- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
+```toml tab="File (TOML)"
+# Accepts request from defined IP
+[tcp.middlewares]
+  [tcp.middlewares.test-ipallowlist.ipAllowList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+```
+
+```yaml tab="File (YAML)"
+# Accepts request from defined IP
+tcp:
+  middlewares:
+    test-ipallowlist:
+      ipAllowList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.1.7"
+```
+
+## Configuration Options
+
+### `sourceRange`
+
+The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
--- a/docs/content/middlewares/tcp/ipwhitelist.md
+++ b/docs/content/middlewares/tcp/ipwhitelist.md
@@ -8,7 +8,11 @@ description: "Learn how to use IPWhiteList in TCP middleware for limiting client
 Limiting Clients to Specific IPs
 {: .subtitle }

-IPWhitelist accepts / refuses connections based on the client IP.
+IPWhiteList accepts / refuses connections based on the client IP.
+
+!!! warning
+
+    This middleware is deprecated, please use the [IPAllowList](./ipallowlist.md) middleware instead.

 ## Configuration Examples

@@ -19,7 +23,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: MiddlewareTCP
 metadata:
  name: test-ipwhitelist
--- a/docs/content/middlewares/tcp/overview.md
+++ b/docs/content/middlewares/tcp/overview.md
@@ -24,14 +24,14 @@ whoami:
    - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
 ```

-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 # As a Kubernetes Traefik IngressRoute
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: middlewaretcps.traefik.containo.us
+  name: middlewaretcps.traefik.io
 spec:
-  group: traefik.containo.us
+  group: traefik.io
  version: v1alpha1
  names:
    kind: MiddlewareTCP
@@ -40,7 +40,7 @@ spec:
  scope: Namespaced

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: MiddlewareTCP
 metadata:
  name: foo-ip-whitelist
@@ -51,7 +51,7 @@ spec:
      - 192.168.1.7

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRouteTCP
 metadata:
  name: ingressroute
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -23,7 +23,7 @@ feature by feature, of how the configuration looked like in v1, and how it now l
    - convert `acme.json` file from v1 to v2 format.
    - migrate the static configuration contained in the file `traefik.toml` to a Traefik v2 file.

-## Frontends and Backends Are Dead... <br/>... Long Live Routers, Middlewares, and Services
+## Frontends and Backends Are Dead, Long Live Routers, Middlewares, and Services

 During the transition from v1 to v2, a number of internal pieces and components of Traefik were rewritten and reorganized.
 As such, the combination of core notions such as frontends and backends has been replaced with the combination of [routers](../routing/routers/index.md), [services](../routing/services/index.md), and [middlewares](../middlewares/overview.md).
@@ -44,7 +44,7 @@ Then any router can refer to an instance of the wanted middleware.
      - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
    ```

-    ```yaml tab="K8s Ingress"
+    ```yaml tab="Ingress"
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
@@ -107,10 +107,10 @@ Then any router can refer to an instance of the wanted middleware.
      - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
    ```

-    ```yaml tab="K8s IngressRoute"
+    ```yaml tab="IngressRoute"
    # The definitions below require the definitions for the Middleware and IngressRoute kinds.
-    # https://doc.traefik.io/traefik/v2.8/reference/dynamic-configuration/kubernetes-crd/#definitions
-    apiVersion: traefik.containo.us/v1alpha1
+    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
+    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: basicauth
@@ -123,7 +123,7 @@ Then any router can refer to an instance of the wanted middleware.
          - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0

    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: ingressroutebar
@@ -278,10 +278,10 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
        ]
    ```

-    ```yaml tab="K8s IngressRoute"
+    ```yaml tab="IngressRoute"
    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
-    # https://doc.traefik.io/traefik/v2.8/reference/dynamic-configuration/kubernetes-crd/#definitions
-    apiVersion: traefik.containo.us/v1alpha1
+    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
+    apiVersion: traefik.io/v1alpha1
    kind: TLSOption
    metadata:
      name: mytlsoption
@@ -297,7 +297,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
 	    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: ingressroutebar
@@ -354,7 +354,7 @@ To apply a redirection:
    ```

    ```bash tab="CLI"
-    --entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure
+    --entryPoints=Name:web Address::80 Redirect.EntryPoint:websecure
    --entryPoints='Name:websecure Address::443 TLS'
    ```

@@ -394,10 +394,10 @@ To apply a redirection:
    ```bash tab="CLI"
    ## static configuration

-    --entrypoints.web.address=:80
-    --entrypoints.web.http.redirections.entrypoint.to=websecure
-    --entrypoints.web.http.redirections.entrypoint.scheme=https
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.redirections.entrypoint.to=websecure
+    --entryPoints.web.http.redirections.entrypoint.scheme=https
+    --entryPoints.websecure.address=:443
    --providers.docker=true
    ```

@@ -442,8 +442,8 @@ To apply a redirection:
      traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
    ```

-    ```yaml tab="K8s IngressRoute"
-    apiVersion: traefik.containo.us/v1alpha1
+    ```yaml tab="IngressRoute"
+    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: http-redirect-ingressroute
@@ -461,7 +461,7 @@ To apply a redirection:
            - name: https-redirect

    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: https-ingressroute
@@ -478,7 +478,7 @@ To apply a redirection:
      tls: {}

    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: https-redirect
@@ -542,7 +542,7 @@ To apply a redirection:
 ## Strip and Rewrite Path Prefixes

 With the new core notions of v2 (introduced earlier in the section
-["Frontends and Backends Are Dead... Long Live Routers, Middlewares, and Services"](#frontends-and-backends-are-dead-long-live-routers-middlewares-and-services)),
+["Frontends and Backends Are Dead, Long Live Routers, Middlewares, and Services"](#frontends-and-backends-are-dead-long-live-routers-middlewares-and-services)),
 transforming the URL path prefix of incoming requests is configured with [middlewares](../middlewares/overview.md),
 after the routing step with [router rule `PathPrefix`](../routing/routers/index.md#rule).

@@ -561,7 +561,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
      - "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"
    ```

-    ```yaml tab="Kubernetes Ingress"
+    ```yaml tab="Ingress"
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
@@ -595,9 +595,9 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
      - "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
    ```

-    ```yaml tab="Kubernetes IngressRoute"
+    ```yaml tab="IngressRoute"
    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: http-redirect-ingressroute
@@ -614,7 +614,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
          middlewares:
            - name: admin-stripprefix
    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: admin-stripprefix
@@ -750,8 +750,8 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
    --certificatesresolvers.myresolver.acme.email=your-email@example.com
    --certificatesresolvers.myresolver.acme.storage=acme.json
    --certificatesresolvers.myresolver.acme.tlschallenge=true
@@ -1078,7 +1078,7 @@ To activate the dashboard, you can either:
      routers:
        api:
          rule: Host(`traefik.docker.localhost`)
-          entrypoints:
+          entryPoints:
            - websecure
          service: api@internal
          middlewares:
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -50,6 +50,7 @@ rules:
      - watch
  - apiGroups:
      - extensions
+      - networking.k8s.io
    resources:
      - ingresses
    verbs:
@@ -58,18 +59,24 @@ rules:
      - watch
  - apiGroups:
      - extensions
+      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
+      - traefik.io
      - traefik.containo.us
    resources:
      - middlewares
+      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
+      - ingressrouteudps
      - tlsoptions
+      - tlsstores
+      - serverstransports
    verbs:
      - get
      - list
@@ -147,6 +154,7 @@ rules:
      - watch
  - apiGroups:
      - extensions
+      - networking.k8s.io
    resources:
      - ingresses
    verbs:
@@ -155,6 +163,7 @@ rules:
      - watch
  - apiGroups:
      - extensions
+      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
@@ -163,17 +172,18 @@ rules:
      - traefik.containo.us
    resources:
      - middlewares
+      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
+      - serverstransports
    verbs:
      - get
      - list
      - watch
-
 ```

 After having both resources applied, Traefik will work properly.
@@ -419,7 +429,7 @@ For more advanced use cases, you can use either the [RedirectScheme middleware](

 Following up on the deprecation started [previously](#x509-commonname-deprecation),
 as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
-the legacy behavior related to the CommonName field can not be enabled at all anymore.
+the legacy behavior related to the CommonName field cannot be enabled at all anymore.

 ## v2.5.3 to v2.5.4

@@ -440,8 +450,8 @@ To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](.

 ### Kubernetes Gateway API Provider

-In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/getting-started/) of the specification and 
-[route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
+In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/) of the specification and 
+[route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
 Therefore, the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-gateway.md#definitions) definitions must be updated.

 ## v2.6.0 to v2.6.1
@@ -473,3 +483,234 @@ In `v2.8`, the `namespace` option of Consul and Consul Catalog providers is depr

 In `v2.8`, the `pilot.token` and `pilot.dashboard` options are deprecated.
 Please check our Blog for migration instructions later this year.
+
+## v2.8.2
+
+Since `v2.5.0`, the `PreferServerCipherSuites` is [deprecated and ignored](https://tip.golang.org/doc/go1.17#crypto/tls) by Go,
+in `v2.8.2` the `preferServerCipherSuites` option is also deprecated and ignored in Traefik.
+
+In `v2.8.2`, Traefik now reject certificates signed with the SHA-1 hash function. ([details](https://tip.golang.org/doc/go1.18#sha1))
+
+## v2.9
+
+### Traefik Pilot
+
+In `v2.9`, Traefik Pilot support has been removed.
+
+## v2.10
+
+### Nomad Namespace
+
+In `v2.10`, the `namespace` option of the Nomad provider is deprecated, please use the `namespaces` options instead.
+
+### Kubernetes CRDs
+
+In `v2.10`, the Kubernetes CRDs API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
+
+As the Kubernetes CRD provider still works with both API Versions (`traefik.io/v1alpha1` and `traefik.containo.us/v1alpha1`),
+it means that for the same kind, namespace and name, the provider will only keep the `traefik.io/v1alpha1` resource.
+
+In addition, the Kubernetes CRDs API Version `traefik.containo.us/v1alpha1` will not be supported in Traefik v3 itself.
+
+Please note that it is a requirement to update the CRDs and the RBAC in the cluster before upgrading Traefik.
+To do so, please apply the required [CRDs](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml) and [RBAC](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml) manifests for v2.10:
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+### Traefik Hub
+
+In `v2.10`, Traefik Hub configuration has been removed because Traefik Hub v2 doesn't require this configuration.
+
+## v2.11
+
+### IPWhiteList (HTTP)
+
+In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowList](../middlewares/http/ipallowlist.md) middleware instead.
+
+### IPWhiteList (TCP)
+
+In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowList](../middlewares/tcp/ipallowlist.md) middleware instead.
+
+### TLS CipherSuites
+
+> By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes.
+> This change can be reverted with the `tlsrsakex=1 GODEBUG` setting.
+> (https://go.dev/doc/go1.22#crypto/tls)
+
+The _RSA key exchange_ cipher suites are way less secure than the modern ECDHE cipher suites and exposes to potential vulnerabilities like [the Marvin Attack](https://people.redhat.com/~hkario/marvin).
+Decision has been made to support ECDHE cipher suites only by default.
+
+The following ciphers have been removed from the default list:
+
+- `TLS_RSA_WITH_AES_128_CBC_SHA`
+- `TLS_RSA_WITH_AES_256_CBC_SHA`
+- `TLS_RSA_WITH_AES_128_GCM_SHA256`
+- `TLS_RSA_WITH_AES_256_GCM_SHA384`
+
+To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.
+
+### Minimum TLS Version
+
+> By default, the minimum version offered by `crypto/tls` servers is now TLS 1.2 if not specified with config.MinimumVersion,
+> matching the behavior of crypto/tls clients.
+> This change can be reverted with the `tls10server=1 GODEBUG` setting.
+> (https://go.dev/doc/go1.22#crypto/tls)
+
+To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.
+
+## v2.11.1
+
+### Maximum Router Priority Value
+
+Before v2.11.1, the maximum user-defined router priority value is:
+
+- `MaxInt32` for 32-bit platforms,
+- `MaxInt64` for 64-bit platforms.
+
+Please check out the [go documentation](https://pkg.go.dev/math#pkg-constants) for more information.
+
+In v2.11.1, Traefik reserves a range of priorities for its internal routers and now, 
+the maximum user-defined router priority value is:
+
+- `(MaxInt32 - 1000)` for 32-bit platforms,
+- `(MaxInt64 - 1000)` for 64-bit platforms.
+
+### EntryPoint.Transport.RespondingTimeouts.<Timeout>
+
+Starting with `v2.11.1` the following timeout options are deprecated:
+
+- `<entryPoint>.transport.respondingTimeouts.readTimeout`
+- `<entryPoint>.transport.respondingTimeouts.writeTimeout`
+- `<entryPoint>.transport.respondingTimeouts.idleTimeout`
+
+They have been replaced by:
+
+- `<entryPoint>.transport.respondingTimeouts.http.readTimeout`
+- `<entryPoint>.transport.respondingTimeouts.http.writeTimeout`
+- `<entryPoint>.transport.respondingTimeouts.http.idleTimeout`
+
+### EntryPoint.Transport.RespondingTimeouts.TCP.LingeringTimeout
+
+Starting with `v2.11.1` a new `lingeringTimeout` entryPoints option has been introduced, with a default value of 2s.
+
+The lingering timeout defines the maximum duration between each TCP read operation on the connection.
+As a layer 4 timeout, it applies during HTTP handling but respects the configured HTTP server `readTimeout`.
+
+This change avoids Traefik instances with the default configuration hanging while waiting for bytes to be read on the connection.
+
+We suggest to adapt this value accordingly to your situation.
+The new default value is purposely narrowed and can close the connection too early.
+
+Increasing the `lingeringTimeout` value could be the solution notably if you are dealing with the following errors:
+
+- TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
+- HTTP: `'499 Client Closed Request' caused by: context canceled`
+- HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
+
+## v2.11.2
+
+### LingeringTimeout
+
+Starting with `v2.11.2` the `<entrypoint>.transport.respondingTimeouts.tcp.lingeringTimeout` introduced in `v2.11.1` has been removed.
+
+### RespondingTimeouts.TCP and RespondingTimeouts.HTTP
+
+Starting with `v2.11.2` the `respondingTimeouts.tcp` and `respondingTimeouts.http` sections introduced in `v2.11.1` have been removed.
+To configure the responding timeouts, please use the [`respondingTimeouts`](../routing/entrypoints.md#respondingtimeouts) section.  
+
+### EntryPoint.Transport.RespondingTimeouts.ReadTimeout
+
+Starting with `v2.11.2` the entryPoints [`readTimeout`](../routing/entrypoints.md#respondingtimeouts) option default value changed to 60 seconds.
+
+For HTTP, this option defines the maximum duration for reading the entire request, including the body.
+For TCP, this option defines the maximum duration for the first bytes to be read on the connection.
+
+The default value was previously set to zero, which means no timeout.
+
+This change has been done to avoid Traefik instances with the default configuration to be hanging forever while waiting for bytes to be read on the connection.
+
+Increasing the `readTimeout` value could be the solution notably if you are dealing with the following errors:
+
+- TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
+- HTTP: `'499 Client Closed Request' caused by: context canceled`
+- HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
+
+## v2.11.3
+
+### Connection headers
+
+In `v2.11.3`, the handling of the request Connection headers directives has changed to prevent any abuse.
+Before, Traefik removed any header listed in the Connection header just before forwarding the request to the backends.
+Now, Traefik removes the headers listed in the Connection header as soon as the request is handled.
+As a consequence, middlewares do not have access to those Connection headers,
+and a new option has been introduced to specify which ones could go through the middleware chain before being removed: `<entrypoint>.forwardedHeaders.connection`.
+
+Please check out the [entrypoint forwarded headers connection option configuration](../routing/entrypoints.md#forwarded-headers) documentation.
+
+## v2.11.14
+
+### X-Forwarded-Prefix
+
+In `v2.11.14`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
+Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
+
+## v2.11.24
+
+### Request Path Sanitization
+
+Since `v2.11.24`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
+Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
+
+If you want to disable this behavior, you can set the [`sanitizePath` option](../routing/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
+This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
+For example, as base64 uses the “/” character internally,
+if it's not url encoded,
+it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
+
+!!! warning "Security"
+
+    Setting the `sanitizePath` option to `false` is not safe.
+    Ensure every request is properly url encoded instead.
+
+## v2.11.25
+
+### Request Path Normalization
+
+Since `v2.11.25`, the request path is now normalized by decoding unreserved characters in the request path,
+and also uppercasing the percent-encoded characters.
+This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2),
+and [RFC 3986 case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1).
+
+The normalization happens before the request path is sanitized,
+and cannot be disabled.
+This notably helps with encoded dots characters (which are unreserved characters) to be sanitized properly.
+
+### Routing Path
+
+Since `v2.11.25`, the reserved characters [(as per RFC 3986)](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) are kept encoded in the request path when matching the router rules.
+Those characters, when decoded, change the meaning of the request path for routing purposes,
+and Traefik now keeps them encoded to avoid any ambiguity.
+
+### Request Path Matching Examples
+
+| Request Path      | Router Rule            | Traefik v2.11.24 | Traefik v2.11.25 |
+|-------------------|------------------------|------------------|------------------|
+| `/foo%2Fbar`      | PathPrefix(`/foo/bar`) | Match            | No match         |
+| `/foo/../bar`     | PathPrefix(`/foo`)     | No match         | No match         |
+| `/foo/../bar`     | PathPrefix(`/bar`)     | Match            | Match            |
+| `/foo/%2E%2E/bar` | PathPrefix(`/foo`)     | Match            | No match         |
+| `/foo/%2E%2E/bar` | PathPrefix(`/bar`)     | No match         | Match            |
+
+## v2.11.28
+
+### MultiPath TCP
+
+Since `v2.11.28`, the MultiPath TCP support introduced with `v2.11.26` has been removed.
+It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message:
+
+- `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported`
+
+However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -47,6 +47,8 @@ accessLog:

 ### `format`

+_Optional, Default="common"_
+
 By default, logs are written using the Common Log Format (CLF).
 To write logs in JSON, use `json` in the `format` option.
 If the given format is unsupported, the default (CLF) is used instead.
@@ -54,9 +56,23 @@ If the given format is unsupported, the default (CLF) is used instead.
 !!! info "Common Log Format"

    ```html
-    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
+    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
    ```

+```yaml tab="File (YAML)"
+accessLog:
+  format: "json"
+```
+
+```toml tab="File (TOML)"
+[accessLog]
+  format = "json"
+```
+
+```bash tab="CLI"
+--accesslog.format=json
+```
+
 ### `bufferingSize`

 To write the logs in an asynchronous fashion, specify a  `bufferingSize` option.
@@ -136,7 +152,8 @@ Each field can be set to:

 - `keep` to keep the value
 - `drop` to drop the value
- `redact` to replace the value with "redacted"
+
+Header fields may also optionally be set to `redact` to replace the value with "REDACTED".

 The `defaultMode` for `fields.names` is `keep`.

@@ -154,9 +171,9 @@ accessLog:
    headers:
      defaultMode: keep
      names:
-          User-Agent: redact
-          Authorization: drop
-          Content-Type: keep
+        User-Agent: redact
+        Authorization: drop
+        Content-Type: keep
 ```

 ```toml tab="File (TOML)"
@@ -218,10 +235,8 @@ accessLog:
    | `RequestContentSize`    | The number of bytes in the request entity (a.k.a. body) sent by the client.                                                                                         |
    | `OriginDuration`        | The time taken (in nanoseconds) by the origin server ('upstream') to return its response.                                                                           |
    | `OriginContentSize`     | The content length specified by the origin server, or 0 if unspecified.                                                                                             |
-    | `OriginStatus`          | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent.     |
-    | `OriginStatusLine`      | `OriginStatus` + Status code explanation                                                                                                                            |
+    | `OriginStatus`          | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent (0). |
    | `DownstreamStatus`      | The HTTP status code returned to the client.                                                                                                                        |
-    | `DownstreamStatusLine`  | `DownstreamStatus` + Status code explanation                                                                                                                        |
    | `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
    | `RequestCount`          | The number of requests received since the Traefik instance started.                                                                                                 |
    | `GzipRatio`             | The response body compression ratio achieved.                                                                                                                       |
@@ -254,7 +269,7 @@ version: "3.7"

 services:
  traefik:
-    image: traefik:v2.8
+    image: traefik:v2.11
    environment:
      - TZ=US/Alaska
    command:
@@ -265,3 +280,5 @@ services:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@@ -64,7 +64,9 @@ log:

 #### `level`

-By default, the `level` is set to `ERROR`. Alternative logging levels are `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`.
+By default, the `level` is set to `ERROR`.
+
+Alternative logging levels are `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, and `PANIC`.

 ```yaml tab="File (YAML)"
 log:
@@ -87,3 +89,5 @@ This allows the logs to be rotated and processed by an external program, such as

 !!! warning
    This does not work on Windows due to the lack of USR signals.
+    
+{!traefik-for-business-applications.md!}
--- a/docs/content/observability/metrics/overview.md
+++ b/docs/content/observability/metrics/overview.md
@@ -1,11 +1,11 @@
 ---
 title: "Traefik Metrics Overview"
-description: "Traefik Proxy supports four metrics backend systems: Datadog, InfluxDB, Prometheus, and StatsD. Read the full documentation to get started."
+description: "Traefik Proxy supports these metrics backend systems: Datadog, InfluxDB, Prometheus, and StatsD. Read the full documentation to get started."
 ---

 # Metrics

-Traefik supports 4 metrics backends:
+Traefik supports these metrics backends:

 - [Datadog](./datadog.md)
 - [InfluxDB](./influxdb.md)
@@ -15,426 +15,184 @@ Traefik supports 4 metrics backends:

 ## Global Metrics

-| Metric                                                                  | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
-|-------------------------------------------------------------------------|---------|----------------------|------------|--------|
-| [Configuration reloads](#configuration-reloads)                         | ✓       | ✓                    | ✓          | ✓      |
-| [Last Configuration Reload Success](#last-configuration-reload-success) | ✓       | ✓                    | ✓          | ✓      |
-| [TLS certificates expiration](#tls-certificates-expiration)             | ✓       | ✓                    | ✓          | ✓      |
+| Metric                                      | Type    | Description                                             |
+|---------------------------------------------|---------|---------------------------------------------------------|
+| Config reload total                         | Count   | The total count of configuration reloads.               |
+| Config reload last success                  | Gauge   | The timestamp of the last configuration reload success. |
+| TLS certificates not after                  | Gauge   | The expiration date of certificates.                    |

-### Configuration Reloads
-
-The total count of configuration reloads.
+```prom tab="Prometheus"
+traefik_config_reloads_total
+traefik_config_last_reload_success
+traefik_tls_certs_not_after
+```

 ```dd tab="Datadog"
 config.reload.total
+config.reload.lastSuccessTimestamp
+tls.certs.notAfterTimestamp
 ```

 ```influxdb tab="InfluxDB / InfluxDB2"
 traefik.config.reload.total
-```
-
-```prom tab="Prometheus"
-traefik_config_reloads_total
+traefik.config.reload.lastSuccessTimestamp
+traefik.tls.certs.notAfterTimestamp
 ```

 ```statsd tab="StatsD"
 # Default prefix: "traefik"
 {prefix}.config.reload.total
-```
-
-### Last Configuration Reload Success
-
-The timestamp of the last configuration reload success.
-
-```dd tab="Datadog"
-config.reload.lastSuccessTimestamp
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.config.reload.lastSuccessTimestamp
-```
-
-```prom tab="Prometheus"
-traefik_config_last_reload_success
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.config.reload.lastSuccessTimestamp
-```
-
-### TLS certificates expiration
-
-The expiration date of certificates.
-
-[Labels](#labels): `cn`, `sans`, `serial`.
-
-```dd tab="Datadog"
-tls.certs.notAfterTimestamp
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.tls.certs.notAfterTimestamp
-```
-
-```prom tab="Prometheus"
-traefik_tls_certs_not_after
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.tls.certs.notAfterTimestamp
 ```

 ## EntryPoint Metrics

-| Metric                                                    | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
-|-----------------------------------------------------------|---------|----------------------|------------|--------|
-| [HTTP Requests Count](#http-requests-count)               | ✓       | ✓                    | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count)             | ✓       | ✓                    | ✓          | ✓      |
-| [Request Duration Histogram](#request-duration-histogram) | ✓       | ✓                    | ✓          | ✓      |
-| [Open Connections Count](#open-connections-count)         | ✓       | ✓                    | ✓          | ✓      |
+| Metric                | Type      | [Labels](#labels)                          | Description                                                         |
+|-----------------------|-----------|--------------------------------------------|---------------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint.         |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `entrypoint`  | The total count of HTTPS requests received by an entrypoint.        |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint.             |
+| Open connections      | Count     | `method`, `protocol`, `entrypoint`         | The current count of open connections on an entrypoint.             |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |

-### HTTP Requests Count
-
-The total count of HTTP requests received by an entrypoint.
-
-[Labels](#labels): `code`, `method`, `protocol`, `entrypoint`.
+```prom tab="Prometheus"
+traefik_entrypoint_requests_total
+traefik_entrypoint_requests_tls_total
+traefik_entrypoint_request_duration_seconds
+traefik_entrypoint_open_connections
+traefik_entrypoint_requests_bytes_total
+traefik_entrypoint_responses_bytes_total
+```

 ```dd tab="Datadog"
 entrypoint.request.total
+entrypoint.request.tls.total
+entrypoint.request.duration
+entrypoint.connections.open
+entrypoint.requests.bytes.total
+entrypoint.responses.bytes.total
 ```

 ```influxdb tab="InfluxDB / InfluxDB2"
 traefik.entrypoint.requests.total
-```
-
-```prom tab="Prometheus"
-traefik_entrypoint_requests_total
+traefik.entrypoint.requests.tls.total
+traefik.entrypoint.request.duration
+traefik.entrypoint.connections.open
+traefik.entrypoint.requests.bytes.total
+traefik.entrypoint.responses.bytes.total
 ```

 ```statsd tab="StatsD"
 # Default prefix: "traefik"
 {prefix}.entrypoint.request.total
-```
-
-### HTTPS Requests Count
-
-The total count of HTTPS requests received by an entrypoint.
-
-[Labels](#labels): `tls_version`, `tls_cipher`, `entrypoint`.
-
-```dd tab="Datadog"
-entrypoint.request.tls.total
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.entrypoint.requests.tls.total
-```
-
-```prom tab="Prometheus"
-traefik_entrypoint_requests_tls_total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.entrypoint.request.tls.total
-```
-
-### Request Duration Histogram
-
-Request processing duration histogram on an entrypoint.
-
-[Labels](#labels): `code`, `method`, `protocol`, `entrypoint`.
-
-```dd tab="Datadog"
-entrypoint.request.duration
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.entrypoint.request.duration
-```
-
-```prom tab="Prometheus"
-traefik_entrypoint_request_duration_seconds
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.entrypoint.request.duration
-```
-
-### Open Connections Count
-
-The current count of open connections on an entrypoint.
-
-[Labels](#labels): `method`, `protocol`, `entrypoint`.
-
-```dd tab="Datadog"
-entrypoint.connections.open
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.entrypoint.connections.open
-```
-
-```prom tab="Prometheus"
-traefik_entrypoint_open_connections
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.entrypoint.connections.open
+{prefix}.entrypoint.requests.bytes.total
+{prefix}.entrypoint.responses.bytes.total
 ```

 ## Router Metrics

-| Metric                                                      | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
-|-------------------------------------------------------------|---------|----------------------|------------|--------|
-| [HTTP Requests Count](#http-requests-count_1)               | ✓       | ✓                    | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count_1)             | ✓       | ✓                    | ✓          | ✓      |
-| [Request Duration Histogram](#request-duration-histogram_1) | ✓       | ✓                    | ✓          | ✓      |
-| [Open Connections Count](#open-connections-count_1)         | ✓       | ✓                    | ✓          | ✓      |
+| Metric                | Type      | [Labels](#labels)                                 | Description                                                    |
+|-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router.          |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `router`, `service`  | The total count of HTTPS requests handled by a router.         |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router.             |
+| Open connections      | Count     | `method`, `protocol`, `router`, `service`         | The current count of open connections on a router.             |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |

-### HTTP Requests Count
-
-The total count of HTTP requests handled by a router.
-
-[Labels](#labels): `code`, `method`, `protocol`, `router`, `service`.
+```prom tab="Prometheus"
+traefik_router_requests_total
+traefik_router_requests_tls_total
+traefik_router_request_duration_seconds
+traefik_router_open_connections
+traefik_router_requests_bytes_total
+traefik_router_responses_bytes_total
+```

 ```dd tab="Datadog"
 router.request.total
+router.request.tls.total
+router.request.duration
+router.connections.open
+router.requests.bytes.total
+router.responses.bytes.total
 ```

 ```influxdb tab="InfluxDB / InfluxDB2"
 traefik.router.requests.total
-```
-
-```prom tab="Prometheus"
-traefik_router_requests_total
+traefik.router.requests.tls.total
+traefik.router.request.duration
+traefik.router.connections.open
+traefik.router.requests.bytes.total
+traefik.router.responses.bytes.total
 ```

 ```statsd tab="StatsD"
 # Default prefix: "traefik"
 {prefix}.router.request.total
-```
-
-### HTTPS Requests Count
-
-The total count of HTTPS requests handled by a router.
-
-[Labels](#labels): `tls_version`, `tls_cipher`, `router`, `service`.
-
-```dd tab="Datadog"
-router.request.tls.total
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.router.requests.tls.total
-```
-
-```prom tab="Prometheus"
-traefik_router_requests_tls_total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.router.request.tls.total
-```
-
-### Request Duration Histogram
-
-Request processing duration histogram on a router.
-
-[Labels](#labels): `code`, `method`, `protocol`, `router`, `service`.
-
-```dd tab="Datadog"
-router.request.duration
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.router.request.duration
-```
-
-```prom tab="Prometheus"
-traefik_router_request_duration_seconds
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.router.request.duration
-```
-
-### Open Connections Count
-
-The current count of open connections on a router.
-
-[Labels](#labels): `method`, `protocol`, `router`, `service`.
-
-```dd tab="Datadog"
-router.connections.open
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.router.connections.open
-```
-
-```prom tab="Prometheus"
-traefik_router_open_connections
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.router.connections.open
+{prefix}.router.requests.bytes.total
+{prefix}.router.responses.bytes.total
 ```

 ## Service Metrics

-| Metric                                                      | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
-|-------------------------------------------------------------|---------|----------------------|------------|--------|
-| [HTTP Requests Count](#http-requests-count_2)               | ✓       | ✓                    | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count_2)             | ✓       | ✓                    | ✓          | ✓      |
-| [Request Duration Histogram](#request-duration-histogram_2) | ✓       | ✓                    | ✓          | ✓      |
-| [Open Connections Count](#open-connections-count_2)         | ✓       | ✓                    | ✓          | ✓      |
-| [Requests Retries Count](#requests-retries-count)           | ✓       | ✓                    | ✓          | ✓      |
-| [Service Server UP](#service-server-up)                     | ✓       | ✓                    | ✓          | ✓      |
+| Metric                | Type      | Labels                                  | Description                                                 |
+|-----------------------|-----------|-----------------------------------------|-------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service.    |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `service`  | The total count of HTTPS requests processed on a service.   |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service.         |
+| Open connections      | Count     | `method`, `protocol`, `service`         | The current count of open connections on a service.         |
+| Server UP             | Gauge     | `service`, `url`                        | Current service's server status, 0 for a down or 1 for up.  |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |

-### HTTP Requests Count
-
-The total count of HTTP requests processed on a service.
-
-[Labels](#labels): `code`, `method`, `protocol`, `service`.
+```prom tab="Prometheus"
+traefik_service_requests_total
+traefik_service_requests_tls_total
+traefik_service_request_duration_seconds
+traefik_service_open_connections
+traefik_service_server_up
+traefik_service_requests_bytes_total
+traefik_service_responses_bytes_total
+```

 ```dd tab="Datadog"
 service.request.total
+router.service.tls.total
+service.request.duration
+service.connections.open
+service.server.up
+service.requests.bytes.total
+service.responses.bytes.total
 ```

 ```influxdb tab="InfluxDB / InfluxDB2"
 traefik.service.requests.total
-```
-
-```prom tab="Prometheus"
-traefik_service_requests_total
+traefik.service.requests.tls.total
+traefik.service.request.duration
+traefik.service.connections.open
+traefik.service.server.up
+traefik.service.requests.bytes.total
+traefik.service.responses.bytes.total
 ```

 ```statsd tab="StatsD"
 # Default prefix: "traefik"
 {prefix}.service.request.total
-```
-
-### HTTPS Requests Count
-
-The total count of HTTPS requests processed on a service.
-
-[Labels](#labels): `tls_version`, `tls_cipher`, `service`.
-
-```dd tab="Datadog"
-router.service.tls.total
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.service.requests.tls.total
-```
-
-```prom tab="Prometheus"
-traefik_service_requests_tls_total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.service.request.tls.total
-```
-
-### Request Duration Histogram
-
-Request processing duration histogram on a service.
-
-[Labels](#labels): `code`, `method`, `protocol`, `service`.
-
-```dd tab="Datadog"
-service.request.duration
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.service.request.duration
-```
-
-```prom tab="Prometheus"
-traefik_service_request_duration_seconds
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.service.request.duration
-```
-
-### Open Connections Count
-
-The current count of open connections on a service.
-
-[Labels](#labels): `method`, `protocol`, `service`.
-
-```dd tab="Datadog"
-service.connections.open
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.service.connections.open
-```
-
-```prom tab="Prometheus"
-traefik_service_open_connections
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.service.connections.open
-```
-
-### Requests Retries Count
-
-The count of requests retries on a service.
-
-[Labels](#labels): `service`.
-
-```dd tab="Datadog"
-service.retries.total
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.service.retries.total
-```
-
-```prom tab="Prometheus"
-traefik_service_retries_total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.service.retries.total
-```
-
-### Service Server UP
-
-Current service's server status, described by a gauge with a value of 0 for a down server or a value of 1 for an up server.
-
-[Labels](#labels): `service`, `url`.
-
-```dd tab="Datadog"
-service.server.up
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.service.server.up
-```
-
-```prom tab="Prometheus"
-traefik_service_server_up
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.service.server.up
+{prefix}.service.requests.bytes.total
+{prefix}.service.responses.bytes.total
 ```

 ## Labels
--- a/docs/content/observability/metrics/prometheus.md
+++ b/docs/content/observability/metrics/prometheus.md
@@ -165,3 +165,74 @@ metrics:
 ```bash tab="CLI"
 --metrics.prometheus.manualrouting=true
 ```
+
+#### `headerLabels`
+
+_Optional_
+
+Defines the extra labels for the `requests_total` metrics, and for each of them, the request header containing the value for this label.
+Please note that if the header is not present in the request it will be added nonetheless with an empty value.
+In addition, the label should be a valid label name for Prometheus metrics, 
+otherwise, the Prometheus metrics provider will fail to serve any Traefik-related metric.
+
+```yaml tab="File (YAML)"
+metrics:
+  prometheus:
+    headerLabels:
+      label: headerKey
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    [metrics.prometheus.headerLabels]
+      label = "headerKey"
+```
+
+```bash tab="CLI"
+--metrics.prometheus.headerlabels.label=headerKey
+```
+
+##### Example
+
+Here is an example of the entryPoint `requests_total` metric with an additional "useragent" label.
+
+When configuring the label in Static Configuration:
+
+```yaml tab="File (YAML)"
+metrics:
+  prometheus:
+    headerLabels:
+      useragent: User-Agent
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    [metrics.prometheus.headerLabels]
+      useragent = "User-Agent"
+```
+
+```bash tab="CLI"
+--metrics.prometheus.headerlabels.useragent=User-Agent
+```
+
+And performing a request with a custom User-Agent:
+
+```bash
+curl -H "User-Agent: foobar" http://localhost
+```
+
+The following metric is produced :
+
+```bash
+traefik_entrypoint_requests_total{code="200",entrypoint="web",method="GET",protocol="http",useragent="foobar"} 1
+```
+
+!!! info "`Host` header value"
+
+    The `Host` header is never present in the Header map of a request, as per go documentation says:
+    // For incoming requests, the Host header is promoted to the
+    // Request.Host field and removed from the Header map.
+
+    As a workaround, to obtain the Host of a request as a label, one should use instead the `X-Forwarded-Host` header.
--- a/docs/content/observability/metrics/statsd.md
+++ b/docs/content/observability/metrics/statsd.md
@@ -69,7 +69,7 @@ metrics:

 _Optional, Default=false_

-Enable metrics on entry points.
+Enable metrics on routers.

 ```yaml tab="File (YAML)"
 metrics:
--- a/docs/content/observability/tracing/datadog.md
+++ b/docs/content/observability/tracing/datadog.md
@@ -23,24 +23,46 @@ tracing:

 #### `localAgentHostPort`

-_Required, Default="127.0.0.1:8126"_
+_Optional, Default="localhost:8126"_

 Local Agent Host Port instructs the reporter to send spans to the Datadog Agent at this address (host:port).

 ```yaml tab="File (YAML)"
 tracing:
  datadog:
-    localAgentHostPort: 127.0.0.1:8126
+    localAgentHostPort: localhost:8126
 ```

 ```toml tab="File (TOML)"
 [tracing]
  [tracing.datadog]
-    localAgentHostPort = "127.0.0.1:8126"
+    localAgentHostPort = "localhost:8126"
 ```

 ```bash tab="CLI"
--tracing.datadog.localAgentHostPort=127.0.0.1:8126
+--tracing.datadog.localAgentHostPort=localhost:8126
+```
+
+#### `localAgentSocket`
+
+_Optional, Default=""_
+
+Local Agent Socket instructs the reporter to send spans to the Datadog Agent at this UNIX socket.
+
+```yaml tab="File (YAML)"
+tracing:
+  datadog:
+    localAgentSocket: /var/run/datadog/apm.socket
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.datadog]
+    localAgentSocket = "/var/run/datadog/apm.socket"
+```
+
+```bash tab="CLI"
+--tracing.datadog.localAgentSocket=/var/run/datadog/apm.socket
 ```

 #### `debug`
@@ -67,24 +89,53 @@ tracing:

 #### `globalTag`

+??? warning "Deprecated in favor of the [`globalTags`](#globaltags) option."
+
+    _Optional, Default=empty_
+    
+    Applies a shared key:value tag on all spans.
+    
+    ```yaml tab="File (YAML)"
+    tracing:
+      datadog:
+        globalTag: sample
+    ```
+    
+    ```toml tab="File (TOML)"
+    [tracing]
+      [tracing.datadog]
+        globalTag = "sample"
+    ```
+    
+    ```bash tab="CLI"
+    --tracing.datadog.globalTag=sample
+    ```
+
+#### `globalTags`
+
 _Optional, Default=empty_

-Applies a shared key:value tag on all spans.
+Applies a list of shared key:value tags on all spans.

 ```yaml tab="File (YAML)"
 tracing:
  datadog:
-    globalTag: sample
+    globalTags:
+      tag1: foo
+      tag2: bar
 ```

 ```toml tab="File (TOML)"
 [tracing]
  [tracing.datadog]
-    globalTag = "sample"
+    [tracing.datadog.globalTags]
+      tag1 = "foo"
+      tag2 = "bar"
 ```

 ```bash tab="CLI"
--tracing.datadog.globalTag=sample
+--tracing.datadog.globalTags.tag1=foo
+--tracing.datadog.globalTags.tag2=bar
 ```

 #### `prioritySampling`
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -16,13 +16,9 @@ including sensitive data.

 In production, it should be at least secured by authentication and authorizations.

-A good sane default (non exhaustive) set of recommendations
-would be to apply the following protection mechanisms:
-
-* At the transport level:
-  NOT publicly exposing the API's port,
-  keeping it restricted to internal networks
-  (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
+!!! info
+    It's recommended to NOT publicly exposing the API's port, keeping it restricted to internal networks
+    (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).

 ## Configuration

@@ -50,7 +46,7 @@ And then define a routing configuration on Traefik itself with the

 --8<-- "content/operations/include-api-examples.md"

-??? warning "The router's [rule](../../routing/routers#rule) must catch requests for the URI path `/api`"
+??? warning "The router's [rule](../../routing/routers/#rule) must catch requests for the URI path `/api`"
    Using an "Host" rule is recommended, by catching all the incoming traffic on this host domain to the API.
    However, you can also use "path prefix" rule or any combination or rules.

@@ -74,7 +70,7 @@ And then define a routing configuration on Traefik itself with the

 ### `insecure`

-Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`.
+Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`, on path `/api`.

 !!! info
    If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080.
@@ -140,6 +136,15 @@ api:

 All the following endpoints must be accessed with a `GET` HTTP request.

+!!! info "Pagination"
+
+    By default, up to 100 results are returned per page, and the next page can be checked using the `X-Next-Page` HTTP Header. 
+    To control pagination, use the `page` and `per_page` query parameters.
+
+    ```bash
+    curl https://traefik.example.com:8080/api/http/routers?page=2&per_page=20
+    ```
+
 | Path                           | Description                                                                                 |
 |--------------------------------|---------------------------------------------------------------------------------------------|
 | `/api/http/routers`            | Lists all the HTTP routers information.                                                     |
@@ -169,3 +174,5 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation.   |
 | `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.     |
 | `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.       |
+
+{!traefik-for-business-applications.md!}
--- a/Show More
+++ b/Show More