Prepare release v3.0.0-beta2

Moves HTTP/3 outside the experimental section
Merge current v2.9 into master
2025-09-17 21:44:29 +03:00 · 2022-12-07 17:26:04 +01:00 · 2022-12-07 17:02:05 +01:00 · 2022-12-07 15:55:46 +01:00 · 2022-12-07 15:14:05 +01:00 · 2022-12-07 11:34:06 +01:00
529 changed files with 18314 additions and 11142 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -2,16 +2,16 @@
 PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
- for Traefik v1: use branch v1.7
 - for Traefik v2: use branch v2.9
+- for Traefik v3: use branch master

 Bug fixes:
- for Traefik v1: use branch v1.7
 - for Traefik v2: use branch v2.9
+- for Traefik v3: use branch master

 Enhancements:
- for Traefik v1: we only accept bug fixes
- for Traefik v2: use branch master
+- for Traefik v2: we only accept bug fixes
+- for Traefik v3: use branch master

 HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/

--- a/.golangci.yml
+++ b/.golangci.yml
@@ -134,14 +134,6 @@ issues:
  exclude:
    - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
    - "should have a package comment, unless it's in another file for this package"
-    - 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
-    - 'SA1019: cfg.SSLRedirect is deprecated'
-    - 'SA1019: cfg.SSLTemporaryRedirect is deprecated'
-    - 'SA1019: cfg.SSLHost is deprecated'
-    - 'SA1019: cfg.SSLForceHost is deprecated'
-    - 'SA1019: cfg.FeaturePolicy is deprecated'
-    - 'SA1019: c.Providers.ConsulCatalog.Namespace is deprecated'
-    - 'SA1019: c.Providers.Consul.Namespace is deprecated'
  exclude-rules:
    - path: '(.+)_test.go'
      linters:
@@ -162,7 +154,7 @@ issues:
      text: "Function 'buildConstructor' has too many statements"
      linters:
        - funlen
-    - path: pkg/tracing/haystack/logger.go
+    - path: pkg/logs/haystack.go
      linters:
        - goprintffuncname
    - path: pkg/tracing/tracing.go
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -64,7 +64,7 @@ blocks:
        - name: GH_VERSION
          value: 1.12.1
        - name: CODENAME
-          value: "banon"
+          value: "beaufort"
        - name: IN_DOCKER
          value: ""
      prologue:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,95 @@
-## [v2.9.3](https://github.com/traefik/traefik/tree/v2.9.3) (2022-10-27)
-[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.3)
+## [v3.0.0-beta2](https://github.com/traefik/traefik/tree/v3.0.0-beta2) (2022-12-07)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-beta1...v3.0.0-beta2)
+
+**Enhancements:**
+- **[http3]** Moves HTTP/3 outside the experimental section ([#9570](https://github.com/traefik/traefik/pull/9570) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[logs]** Change traefik cmd error log to error level ([#9569](https://github.com/traefik/traefik/pull/9569) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Rework Host and HostRegexp matchers ([#9559](https://github.com/traefik/traefik/pull/9559) by [tomMoulard](https://github.com/tomMoulard))
+
+**Misc:**
+- Merge current v2.9 into master ([#9586](https://github.com/traefik/traefik/pull/9586) by [tomMoulard](https://github.com/tomMoulard))
+
+## [v2.9.6](https://github.com/traefik/traefik/tree/v2.9.6) (2022-12-07)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.5...v2.9.6)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.9.1 ([#9550](https://github.com/traefik/traefik/pull/9550) by [ldez](https://github.com/ldez))
+- **[k8s/crd]** Support of allowEmptyServices in TraefikService ([#9424](https://github.com/traefik/traefik/pull/9424) by [jeromeguiard](https://github.com/jeromeguiard))
+- **[logs]** Remove logs of the request ([#9574](https://github.com/traefik/traefik/pull/9574) by [ldez](https://github.com/ldez))
+- **[plugins]** Increase the timeout on plugin download ([#9529](https://github.com/traefik/traefik/pull/9529) by [ldez](https://github.com/ldez))
+- **[server]** Update golang.org/x/net ([#9582](https://github.com/traefik/traefik/pull/9582) by [ldez](https://github.com/ldez))
+- **[tls]** Handle broken TLS conf better ([#9572](https://github.com/traefik/traefik/pull/9572) by [mpl](https://github.com/mpl))
+- **[tracing]** Update DataDog tracing dependency to v1.43.1 ([#9526](https://github.com/traefik/traefik/pull/9526) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Add missing serialNumber passTLSClientCert option to middleware panel ([#9539](https://github.com/traefik/traefik/pull/9539) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[docker]** Add networking example ([#9542](https://github.com/traefik/traefik/pull/9542) by [Janik-Haag](https://github.com/Janik-Haag))
+- **[hub]** Add information about the Hub Agent ([#9560](https://github.com/traefik/traefik/pull/9560) by [nmengin](https://github.com/nmengin))
+- **[k8s/helm]** Update Helm installation section ([#9564](https://github.com/traefik/traefik/pull/9564) by [mloiseleur](https://github.com/mloiseleur))
+- **[middleware]** Clarify PathPrefix matcher greediness ([#9519](https://github.com/traefik/traefik/pull/9519) by [mpl](https://github.com/mpl))
+
+## [v3.0.0-beta1](https://github.com/traefik/traefik/tree/v3.0.0-beta1) (2022-12-05)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v3.0.0-beta1)
+
+**Enhancements:**
+- **[ecs]** Add option to keep only healthy ECS tasks ([#8027](https://github.com/traefik/traefik/pull/8027) by [Michampt](https://github.com/Michampt))
+- **[healthcheck]** Support gRPC healthcheck ([#8583](https://github.com/traefik/traefik/pull/8583) by [jjacque](https://github.com/jjacque))
+- **[healthcheck]** Add a status option to the service health check ([#9463](https://github.com/traefik/traefik/pull/9463) by [guoard](https://github.com/guoard))
+- **[http]** Support custom headers when fetching configuration through HTTP ([#9421](https://github.com/traefik/traefik/pull/9421) by [kevinpollet](https://github.com/kevinpollet))
+- **[logs,performance]** New logger for the Traefik logs ([#9515](https://github.com/traefik/traefik/pull/9515) by [ldez](https://github.com/ldez))
+- **[logs,plugins]** Retry on plugin API calls ([#9530](https://github.com/traefik/traefik/pull/9530) by [ldez](https://github.com/ldez))
+- **[logs,provider]** Improve provider logs ([#9562](https://github.com/traefik/traefik/pull/9562) by [ldez](https://github.com/ldez))
+- **[logs]** Improve test logger assertions ([#9533](https://github.com/traefik/traefik/pull/9533) by [ldez](https://github.com/ldez))
+- **[metrics]** Support gRPC and gRPC-Web protocol in metrics ([#9483](https://github.com/traefik/traefik/pull/9483) by [longit644](https://github.com/longit644))
+- **[middleware,accesslogs]** Log TLS client subject ([#9285](https://github.com/traefik/traefik/pull/9285) by [xmessi](https://github.com/xmessi))
+- **[middleware,metrics,tracing]** Add OpenTelemetry tracing and metrics support ([#8999](https://github.com/traefik/traefik/pull/8999) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Disable Content-Type auto-detection by default ([#9546](https://github.com/traefik/traefik/pull/9546) by [sdelicata](https://github.com/sdelicata))
+- **[middleware]** Add gRPC-Web middleware ([#9451](https://github.com/traefik/traefik/pull/9451) by [juliens](https://github.com/juliens))
+- **[middleware]** Add support for Brotli ([#9387](https://github.com/traefik/traefik/pull/9387) by [glinton](https://github.com/glinton))
+- **[middleware]** Renaming IPWhiteList to IPAllowList  ([#9457](https://github.com/traefik/traefik/pull/9457) by [wxmbugu](https://github.com/wxmbugu))
+- **[nomad]** Support multiple namespaces in the Nomad Provider ([#9332](https://github.com/traefik/traefik/pull/9332) by [0teh](https://github.com/0teh))
+- **[rules]** Update routing syntax ([#9531](https://github.com/traefik/traefik/pull/9531) by [skwair](https://github.com/skwair))
+- **[server]** Rework servers load-balancer to use the WRR ([#9431](https://github.com/traefik/traefik/pull/9431) by [juliens](https://github.com/juliens))
+- **[server]** Allow default entrypoints definition ([#9100](https://github.com/traefik/traefik/pull/9100) by [jilleJr](https://github.com/jilleJr))
+- **[tls,service]** Support SPIFFE mTLS between Traefik and Backend servers ([#9394](https://github.com/traefik/traefik/pull/9394) by [jlevesy](https://github.com/jlevesy))
+- **[tls]** Add Tailscale certificate resolver ([#9237](https://github.com/traefik/traefik/pull/9237) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls]** Support SNI routing with Postgres STARTTLS connections ([#9377](https://github.com/traefik/traefik/pull/9377) by [rtribotte](https://github.com/rtribotte))
+- Remove deprecated options ([#9527](https://github.com/traefik/traefik/pull/9527) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[logs]** Fix log level ([#9545](https://github.com/traefik/traefik/pull/9545) by [ldez](https://github.com/ldez))
+- **[metrics]** Fix ServerUp metric ([#9534](https://github.com/traefik/traefik/pull/9534) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls,service]** Enforce default servers transport SPIFFE config ([#9444](https://github.com/traefik/traefik/pull/9444) by [jlevesy](https://github.com/jlevesy))
+
+**Documentation:**
+- **[metrics]** Update and publish official Grafana Dashboard ([#9493](https://github.com/traefik/traefik/pull/9493) by [mloiseleur](https://github.com/mloiseleur))
+
+**Misc:**
+- Merge branch v2.9 into master ([#9554](https://github.com/traefik/traefik/pull/9554) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9536](https://github.com/traefik/traefik/pull/9536) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9532](https://github.com/traefik/traefik/pull/9532) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9482](https://github.com/traefik/traefik/pull/9482) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9464](https://github.com/traefik/traefik/pull/9464) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9449](https://github.com/traefik/traefik/pull/9449) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9419](https://github.com/traefik/traefik/pull/9419) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9351](https://github.com/traefik/traefik/pull/9351) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.9.5](https://github.com/traefik/traefik/tree/v2.9.5) (2022-11-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.4...v2.9.5)
+
+**Bug fixes:**
+- **[logs,middleware]** Create a new capture instance for each incoming request ([#9510](https://github.com/traefik/traefik/pull/9510) by [sdelicata](https://github.com/sdelicata))
+
+**Documentation:**
+- **[k8s/helm]** Update helm repository ([#9506](https://github.com/traefik/traefik/pull/9506) by [charlie-haley](https://github.com/charlie-haley))
+- Enhance wording of building-testing page ([#9509](https://github.com/traefik/traefik/pull/9509) by [svx](https://github.com/svx))
+- Add link descriptions and update wording ([#9507](https://github.com/traefik/traefik/pull/9507) by [svx](https://github.com/svx))
+- Removes the experimental tag on the Traefik Hub header ([#9498](https://github.com/traefik/traefik/pull/9498) by [tfny](https://github.com/tfny))
+
+## [v2.9.4](https://github.com/traefik/traefik/tree/v2.9.4) (2022-10-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.4)

 **Bug fixes:**
 - **[acme]** Update go-acme/lego to v4.9.0 ([#9413](https://github.com/traefik/traefik/pull/9413) by [tony-defa](https://github.com/tony-defa))
@@ -14,6 +104,11 @@
 - Simplify dashboard rule example ([#9454](https://github.com/traefik/traefik/pull/9454) by [sosoba](https://github.com/sosoba))
 - Add v2.9 to release page ([#9438](https://github.com/traefik/traefik/pull/9438) by [kevinpollet](https://github.com/kevinpollet))

+## [v2.9.3](https://github.com/traefik/traefik/tree/v2.9.3) (2022-10-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.3)
+
+Release canceled.
+
 ## [v2.9.2](https://github.com/traefik/traefik/tree/v2.9.2) (2022-10-27)
 [All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.2)

--- a/2
+++ b/2
@@ -189,7 +189,7 @@ generate-genconf:
 .PHONY: release-packages
 release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish -p 4 --timeout="90m"
 	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
 - Circuit breakers, retry
 - See the magic through its clean web UI
- Websocket, HTTP/2, GRPC ready
+- Websocket, HTTP/2, gRPC ready
 - Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
 - Keeps access logs (JSON, CLF)
 - Fast
--- a/cmd/traefik/logger.go
+++ b/cmd/traefik/logger.go
@@ -0,0 +1,89 @@
+package main
+
+import (
+	"io"
+	stdlog "log"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/natefinch/lumberjack"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/sirupsen/logrus"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/logs"
+)
+
+func init() {
+	// hide the first logs before the setup of the logger.
+	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
+}
+
+func setupLogger(staticConfiguration *static.Configuration) {
+	// configure log format
+	w := getLogWriter(staticConfiguration)
+
+	// configure log level
+	logLevel := getLogLevel(staticConfiguration)
+
+	// create logger
+	logCtx := zerolog.New(w).With().Timestamp()
+	if logLevel <= zerolog.DebugLevel {
+		logCtx = logCtx.Caller()
+	}
+
+	log.Logger = logCtx.Logger().Level(logLevel)
+	zerolog.DefaultContextLogger = &log.Logger
+	zerolog.SetGlobalLevel(logLevel)
+
+	// Global logrus replacement (related to lib like go-rancher-metadata, docker, etc.)
+	logrus.StandardLogger().Out = logs.NoLevel(log.Logger, zerolog.DebugLevel)
+
+	// configure default standard log.
+	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
+	stdlog.SetOutput(logs.NoLevel(log.Logger, zerolog.DebugLevel))
+}
+
+func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
+	var w io.Writer = os.Stderr
+
+	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
+		_, _ = os.Create(staticConfiguration.Log.FilePath)
+		w = &lumberjack.Logger{
+			Filename:   staticConfiguration.Log.FilePath,
+			MaxSize:    staticConfiguration.Log.MaxSize,
+			MaxBackups: staticConfiguration.Log.MaxBackups,
+			MaxAge:     staticConfiguration.Log.MaxAge,
+			Compress:   true,
+		}
+	}
+
+	if staticConfiguration.Log == nil || staticConfiguration.Log.Format != "json" {
+		w = zerolog.ConsoleWriter{
+			Out:        w,
+			TimeFormat: time.RFC3339,
+			NoColor:    staticConfiguration.Log != nil && (staticConfiguration.Log.NoColor || len(staticConfiguration.Log.FilePath) > 0),
+		}
+	}
+
+	return w
+}
+
+func getLogLevel(staticConfiguration *static.Configuration) zerolog.Level {
+	levelStr := "error"
+	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
+		levelStr = strings.ToLower(staticConfiguration.Log.Level)
+	}
+
+	logLevel, err := zerolog.ParseLevel(strings.ToLower(levelStr))
+	if err != nil {
+		log.Error().Err(err).
+			Str("logLevel", levelStr).
+			Msg("Unspecified or invalid log level, setting the level to default (ERROR)...")
+
+		logLevel = zerolog.ErrorLevel
+	}
+
+	return logLevel
+}
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -9,7 +9,6 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
-	"path/filepath"
 	"sort"
 	"strings"
 	"syscall"
@@ -18,7 +17,9 @@ import (
 	"github.com/coreos/go-systemd/daemon"
 	"github.com/go-acme/lego/v4/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
+	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
+	"github.com/spiffe/go-spiffe/v2/workloadapi"
 	"github.com/traefik/paerser/cli"
 	"github.com/traefik/traefik/v2/cmd"
 	"github.com/traefik/traefik/v2/cmd/healthcheck"
@@ -28,12 +29,13 @@ import (
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
 	"github.com/traefik/traefik/v2/pkg/config/runtime"
 	"github.com/traefik/traefik/v2/pkg/config/static"
-	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/logs"
 	"github.com/traefik/traefik/v2/pkg/metrics"
 	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
 	"github.com/traefik/traefik/v2/pkg/provider/acme"
 	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
 	"github.com/traefik/traefik/v2/pkg/provider/hub"
+	"github.com/traefik/traefik/v2/pkg/provider/tailscale"
 	"github.com/traefik/traefik/v2/pkg/provider/traefik"
 	"github.com/traefik/traefik/v2/pkg/safe"
 	"github.com/traefik/traefik/v2/pkg/server"
@@ -44,7 +46,6 @@ import (
 	"github.com/traefik/traefik/v2/pkg/tracing/jaeger"
 	"github.com/traefik/traefik/v2/pkg/types"
 	"github.com/traefik/traefik/v2/pkg/version"
-	"github.com/vulcand/oxy/roundrobin"
 )

 func main() {
@@ -78,7 +79,7 @@ Complete documentation is available at https://traefik.io`,

 	err = cli.Execute(cmdTraefik)
 	if err != nil {
-		stdlog.Println(err)
+		log.Error().Err(err).Msg("Command error")
 		logrus.Exit(1)
 	}

@@ -86,27 +87,24 @@ Complete documentation is available at https://traefik.io`,
 }

 func runCmd(staticConfiguration *static.Configuration) error {
-	configureLogging(staticConfiguration)
+	setupLogger(staticConfiguration)

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment

-	if err := roundrobin.SetDefaultWeight(0); err != nil {
-		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
-	}
-
 	staticConfiguration.SetEffectiveConfiguration()
 	if err := staticConfiguration.ValidateConfiguration(); err != nil {
 		return err
 	}

-	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
+	log.Info().Str("version", version.Version).
+		Msgf("Traefik version %s built on %s", version.Version, version.BuildDate)

 	jsonConf, err := json.Marshal(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not marshal static configuration: %v", err)
-		log.WithoutContext().Debugf("Static configuration loaded [struct] %#v", staticConfiguration)
+		log.Error().Err(err).Msg("Could not marshal static configuration")
+		log.Debug().Interface("staticConfiguration", staticConfiguration).Msg("Static configuration loaded [struct]")
 	} else {
-		log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf))
+		log.Debug().RawJSON("staticConfiguration", jsonConf).Msg("Static configuration loaded [json]")
 	}

 	if staticConfiguration.Global.CheckNewVersion {
@@ -131,16 +129,16 @@ func runCmd(staticConfiguration *static.Configuration) error {

 	sent, err := daemon.SdNotify(false, "READY=1")
 	if !sent && err != nil {
-		log.WithoutContext().Errorf("Failed to notify: %v", err)
+		log.Error().Err(err).Msg("Failed to notify")
 	}

 	t, err := daemon.SdWatchdogEnabled(false)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not enable Watchdog: %v", err)
+		log.Error().Err(err).Msg("Could not enable Watchdog")
 	} else if t != 0 {
 		// Send a ping each half time given
 		t /= 2
-		log.WithoutContext().Infof("Watchdog activated with timer duration %s", t)
+		log.Info().Msgf("Watchdog activated with timer duration %s", t)
 		safe.Go(func() {
 			tick := time.Tick(t)
 			for range tick {
@@ -151,17 +149,17 @@ func runCmd(staticConfiguration *static.Configuration) error {

 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
 					if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
-						log.WithoutContext().Error("Fail to tick watchdog")
+						log.Error().Msg("Fail to tick watchdog")
 					}
 				} else {
-					log.WithoutContext().Error(errHealthCheck)
+					log.Error().Err(errHealthCheck).Send()
 				}
 			}
 		})
 	}

 	svr.Wait()
-	log.WithoutContext().Info("Shutting down")
+	log.Info().Msg("Shutting down")
 	return nil
 }

@@ -190,6 +188,10 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)

+	// Tailscale
+
+	tsProviders := initTailscaleProviders(staticConfiguration, &providerAggregator)
+
 	// Entrypoints

 	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
@@ -202,15 +204,11 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}

-	if staticConfiguration.Pilot != nil {
-		log.WithoutContext().Warn("Traefik Pilot has been removed.")
-	}
-
 	// Plugins

 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().WithError(err).Error("Plugins are disabled because an error has occurred.")
+		log.Error().Err(err).Msg("Plugins are disabled because an error has occurred.")
 	}

 	// Providers plugins
@@ -251,7 +249,26 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	// Service manager factory

-	roundTripperManager := service.NewRoundTripperManager()
+	var spiffeX509Source *workloadapi.X509Source
+	if staticConfiguration.Spiffe != nil && staticConfiguration.Spiffe.WorkloadAPIAddr != "" {
+		log.Info().Str("workloadAPIAddr", staticConfiguration.Spiffe.WorkloadAPIAddr).
+			Msg("Waiting on SPIFFE SVID delivery")
+
+		spiffeX509Source, err = workloadapi.NewX509Source(
+			ctx,
+			workloadapi.WithClientOptions(
+				workloadapi.WithAddr(
+					staticConfiguration.Spiffe.WorkloadAPIAddr,
+				),
+			),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("unable to create SPIFFE x509 source: %w", err)
+		}
+		log.Info().Msg("Successfully obtained SPIFFE SVID.")
+	}
+
+	roundTripperManager := service.NewRoundTripperManager(spiffeX509Source)
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
 	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)

@@ -311,13 +328,22 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// TLS challenge
 	watcher.AddListener(tlsChallengeProvider.ListenConfiguration)

-	// ACME
+	// Certificate Resolvers
+
 	resolverNames := map[string]struct{}{}
+
+	// ACME
 	for _, p := range acmeProviders {
 		resolverNames[p.ResolverName] = struct{}{}
 		watcher.AddListener(p.ListenConfiguration)
 	}

+	// Tailscale
+	for _, p := range tsProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		watcher.AddListener(p.HandleConfigUpdate)
+	}
+
 	// Certificate resolver logs
 	watcher.AddListener(func(config dynamic.Configuration) {
 		for rtName, rt := range config.HTTP.Routers {
@@ -329,7 +355,8 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 				// "traefik-hub" is an allowed certificate resolver name in a Traefik Hub Experimental feature context.
 				// It is used to activate its own certificate resolution, even though it is not a "classical" traefik certificate resolver.
 				(staticConfiguration.Hub == nil || rt.TLS.CertResolver != "traefik-hub") {
-				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+				log.Error().Err(err).Str(logs.RouterName, rtName).Str("certificateResolver", rt.TLS.CertResolver).
+					Msg("Router uses a non-existent certificate resolver")
 			}
 		}
 	})
@@ -350,8 +377,24 @@ func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvid

 func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
 	var defaultEntryPoints []string
+
+	// Determines if at least one EntryPoint is configured to be used by default.
+	var hasDefinedDefaults bool
+	for _, ep := range staticConfiguration.EntryPoints {
+		if ep.AsDefault {
+			hasDefinedDefaults = true
+			break
+		}
+	}
+
 	for name, cfg := range staticConfiguration.EntryPoints {
-		// Traefik Hub entryPoint should not be part of the set of default entryPoints.
+		// By default all entrypoints are considered.
+		// If at least one is flagged, then only flagged entrypoints are included.
+		if hasDefinedDefaults && !cfg.AsDefault {
+			continue
+		}
+
+		// Traefik Hub entryPoint should not be used as a default entryPoint.
 		if hub.APIEntrypoint == name || hub.TunnelEntrypoint == name {
 			continue
 		}
@@ -359,7 +402,7 @@ func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string
 		protocol, err := cfg.GetProtocol()
 		if err != nil {
 			// Should never happen because Traefik should not start if protocol is invalid.
-			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+			log.Error().Err(err).Msg("Invalid protocol")
 		}

 		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
@@ -382,7 +425,7 @@ func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP serv
 	}
 }

-// initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
+// initACMEProvider creates and registers acme.Provider instances corresponding to the configured ACME certificate resolvers.
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}

@@ -405,7 +448,7 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 		}

 		if err := providerAggregator.AddProvider(p); err != nil {
-			log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
+			log.Error().Err(err).Str("resolver", name).Msg("The ACME resolve is skipped from the resolvers list")
 			continue
 		}

@@ -419,6 +462,27 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 	return resolvers
 }

+// initTailscaleProviders creates and registers tailscale.Provider instances corresponding to the configured Tailscale certificate resolvers.
+func initTailscaleProviders(cfg *static.Configuration, providerAggregator *aggregator.ProviderAggregator) []*tailscale.Provider {
+	var providers []*tailscale.Provider
+	for name, resolver := range cfg.CertificatesResolvers {
+		if resolver.Tailscale == nil {
+			continue
+		}
+
+		tsProvider := &tailscale.Provider{ResolverName: name}
+
+		if err := providerAggregator.AddProvider(tsProvider); err != nil {
+			log.Error().Err(err).Str(logs.ProviderName, name).Msg("Unable to create Tailscale provider")
+			continue
+		}
+
+		providers = append(providers, tsProvider)
+	}
+
+	return providers
+}
+
 func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
 		return nil
@@ -427,42 +491,70 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	var registries []metrics.Registry

 	if metricsConfig.Prometheus != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
-		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
+		logger := log.With().Str(logs.MetricsProviderName, "prometheus").Logger()
+
+		prometheusRegister := metrics.RegisterPrometheus(logger.WithContext(context.Background()), metricsConfig.Prometheus)
 		if prometheusRegister != nil {
 			registries = append(registries, prometheusRegister)
-			log.FromContext(ctx).Debug("Configured Prometheus metrics")
+			logger.Debug().Msg("Configured Prometheus metrics")
 		}
 	}

 	if metricsConfig.Datadog != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
-		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
-		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
-			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
+		logger := log.With().Str(logs.MetricsProviderName, "datadog").Logger()
+
+		registries = append(registries, metrics.RegisterDatadog(logger.WithContext(context.Background()), metricsConfig.Datadog))
+		logger.Debug().
+			Str("address", metricsConfig.Datadog.Address).
+			Str("pushInterval", metricsConfig.Datadog.PushInterval.String()).
+			Msgf("Configured Datadog metrics")
 	}

 	if metricsConfig.StatsD != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
-		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
-		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
-			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
+		logger := log.With().Str(logs.MetricsProviderName, "statsd").Logger()
+
+		registries = append(registries, metrics.RegisterStatsd(logger.WithContext(context.Background()), metricsConfig.StatsD))
+		logger.Debug().
+			Str("address", metricsConfig.StatsD.Address).
+			Str("pushInterval", metricsConfig.StatsD.PushInterval.String()).
+			Msg("Configured StatsD metrics")
 	}

 	if metricsConfig.InfluxDB != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
-		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
-		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
-			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
+		logger := log.With().Str(logs.MetricsProviderName, "influxdb").Logger()
+
+		registries = append(registries, metrics.RegisterInfluxDB(logger.WithContext(context.Background()), metricsConfig.InfluxDB))
+		logger.Debug().
+			Str("address", metricsConfig.InfluxDB.Address).
+			Str("pushInterval", metricsConfig.InfluxDB.PushInterval.String()).
+			Msg("Configured InfluxDB metrics")
 	}

 	if metricsConfig.InfluxDB2 != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb2"))
-		influxDB2Register := metrics.RegisterInfluxDB2(ctx, metricsConfig.InfluxDB2)
+		logger := log.With().Str(logs.MetricsProviderName, "influxdb2").Logger()
+
+		influxDB2Register := metrics.RegisterInfluxDB2(logger.WithContext(context.Background()), metricsConfig.InfluxDB2)
 		if influxDB2Register != nil {
 			registries = append(registries, influxDB2Register)
-			log.FromContext(ctx).Debugf("Configured InfluxDB v2 metrics: pushing to %s (%s org/%s bucket) once every %s",
-				metricsConfig.InfluxDB2.Address, metricsConfig.InfluxDB2.Org, metricsConfig.InfluxDB2.Bucket, metricsConfig.InfluxDB2.PushInterval)
+			logger.Debug().
+				Str("address", metricsConfig.InfluxDB2.Address).
+				Str("bucket", metricsConfig.InfluxDB2.Bucket).
+				Str("organization", metricsConfig.InfluxDB2.Org).
+				Str("pushInterval", metricsConfig.InfluxDB2.PushInterval.String()).
+				Msg("Configured InfluxDB v2 metrics")
+		}
+	}
+
+	if metricsConfig.OpenTelemetry != nil {
+		logger := log.With().Str(logs.MetricsProviderName, "openTelemetry").Logger()
+
+		openTelemetryRegistry := metrics.RegisterOpenTelemetry(logger.WithContext(context.Background()), metricsConfig.OpenTelemetry)
+		if openTelemetryRegistry != nil {
+			registries = append(registries, openTelemetryRegistry)
+			logger.Debug().
+				Str("address", metricsConfig.OpenTelemetry.Address).
+				Str("pushInterval", metricsConfig.OpenTelemetry.PushInterval.String()).
+				Msg("Configured OpenTelemetry metrics")
 		}
 	}

@@ -490,7 +582,7 @@ func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {

 	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
 	if err != nil {
-		log.WithoutContext().Warnf("Unable to create access logger: %v", err)
+		log.Warn().Err(err).Msg("Unable to create access logger")
 		return nil
 	}

@@ -510,7 +602,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	if conf.Zipkin != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Zipkin backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Zipkin backend.")
 		} else {
 			backend = conf.Zipkin
 		}
@@ -518,7 +610,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	if conf.Datadog != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Datadog backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Datadog backend.")
 		} else {
 			backend = conf.Datadog
 		}
@@ -526,7 +618,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	if conf.Instana != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Instana backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Instana backend.")
 		} else {
 			backend = conf.Instana
 		}
@@ -534,7 +626,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	if conf.Haystack != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Haystack backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Haystack backend.")
 		} else {
 			backend = conf.Haystack
 		}
@@ -542,14 +634,22 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	if conf.Elastic != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Elastic backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Elastic backend.")
 		} else {
 			backend = conf.Elastic
 		}
 	}

+	if conf.OpenTelemetry != nil {
+		if backend != nil {
+			log.Error().Msg("Tracing backends are all mutually exclusive: cannot create OpenTelemetry backend.")
+		} else {
+			backend = conf.OpenTelemetry
+		}
+	}
+
 	if backend == nil {
-		log.WithoutContext().Debug("Could not initialize tracing, using Jaeger by default")
+		log.Debug().Msg("Could not initialize tracing, using Jaeger by default")
 		defaultBackend := &jaeger.Config{}
 		defaultBackend.SetDefaults()
 		backend = defaultBackend
@@ -557,65 +657,12 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	tracer, err := tracing.NewTracing(conf.ServiceName, conf.SpanNameLimit, backend)
 	if err != nil {
-		log.WithoutContext().Warnf("Unable to create tracer: %v", err)
+		log.Warn().Err(err).Msg("Unable to create tracer")
 		return nil
 	}
 	return tracer
 }

-func configureLogging(staticConfiguration *static.Configuration) {
-	// configure default log flags
-	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
-
-	// configure log level
-	// an explicitly defined log level always has precedence. if none is
-	// given and debug mode is disabled, the default is ERROR, and DEBUG
-	// otherwise.
-	levelStr := "error"
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
-		levelStr = strings.ToLower(staticConfiguration.Log.Level)
-	}
-
-	level, err := logrus.ParseLevel(levelStr)
-	if err != nil {
-		log.WithoutContext().Errorf("Error getting level: %v", err)
-	}
-	log.SetLevel(level)
-
-	var logFile string
-	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
-		logFile = staticConfiguration.Log.FilePath
-	}
-
-	// configure log format
-	var formatter logrus.Formatter
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Format == "json" {
-		formatter = &logrus.JSONFormatter{}
-	} else {
-		disableColors := len(logFile) > 0
-		formatter = &logrus.TextFormatter{DisableColors: disableColors, FullTimestamp: true, DisableSorting: true}
-	}
-	log.SetFormatter(formatter)
-
-	if len(logFile) > 0 {
-		dir := filepath.Dir(logFile)
-
-		if err := os.MkdirAll(dir, 0o755); err != nil {
-			log.WithoutContext().Errorf("Failed to create log path %s: %s", dir, err)
-		}
-
-		err = log.OpenFile(logFile)
-		logrus.RegisterExitHandler(func() {
-			if err := log.CloseFile(); err != nil {
-				log.WithoutContext().Errorf("Error while closing log: %v", err)
-			}
-		})
-		if err != nil {
-			log.WithoutContext().Errorf("Error while opening log file %s: %v", logFile, err)
-		}
-	}
-}
-
 func checkNewVersion() {
 	ticker := time.Tick(24 * time.Hour)
 	safe.Go(func() {
@@ -626,16 +673,16 @@ func checkNewVersion() {
 }

 func stats(staticConfiguration *static.Configuration) {
-	logger := log.WithoutContext()
+	logger := log.Info()

 	if staticConfiguration.Global.SendAnonymousUsage {
-		logger.Info(`Stats collection is enabled.`)
-		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
-		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
+		logger.Msg(`Stats collection is enabled.`)
+		logger.Msg(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
+		logger.Msg(`Help us improve Traefik by leaving this feature on :)`)
+		logger.Msg(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
-		logger.Info(`
+		logger.Msg(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
 More details on: https://doc.traefik.io/traefik/contributing/data-collection/
@@ -648,7 +695,7 @@ func collect(staticConfiguration *static.Configuration) {
 	safe.Go(func() {
 		for time.Sleep(10 * time.Minute); ; <-ticker {
 			if err := collector.Collect(staticConfiguration); err != nil {
-				log.WithoutContext().Debug(err)
+				log.Debug().Err(err).Send()
 			}
 		}
 	})
--- a/cmd/traefik/traefik_test.go
+++ b/cmd/traefik/traefik_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/go-kit/kit/metrics"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )

 // FooCert is a PEM-encoded TLS cert.
@@ -114,3 +115,79 @@ func TestAppendCertMetric(t *testing.T) {
 		})
 	}
 }
+
+func TestGetDefaultsEntrypoints(t *testing.T) {
+	testCases := []struct {
+		desc        string
+		entrypoints static.EntryPoints
+		expected    []string
+	}{
+		{
+			desc: "Skips special names",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"traefik": {
+					Address: ":8080",
+				},
+				"traefikhub-api": {
+					Address: ":9900",
+				},
+				"traefikhub-tunl": {
+					Address: ":9901",
+				},
+			},
+			expected: []string{"web"},
+		},
+		{
+			desc: "Two EntryPoints not attachable",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address: ":443",
+				},
+			},
+			expected: []string{"web", "websecure"},
+		},
+		{
+			desc: "Two EntryPoints only one attachable",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address:   ":443",
+					AsDefault: true,
+				},
+			},
+			expected: []string{"websecure"},
+		},
+		{
+			desc: "Two attachable EntryPoints",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address:   ":80",
+					AsDefault: true,
+				},
+				"websecure": {
+					Address:   ":443",
+					AsDefault: true,
+				},
+			},
+			expected: []string{"web", "websecure"},
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			actual := getDefaultsEntrypoints(&static.Configuration{
+				EntryPoints: test.entrypoints,
+			})
+
+			assert.ElementsMatch(t, test.expected, actual)
+		})
+	}
+}
--- a/contrib/grafana/traefik-kubernetes.json
+++ b/contrib/grafana/traefik-kubernetes.json
--- a/contrib/grafana/traefik.json
+++ b/contrib/grafana/traefik.json
--- a/docs/content/assets/img/middleware/ipwhitelist.png
+++ b/docs/content/assets/img/middleware/ipwhitelist.png
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -8,17 +8,22 @@ description: "Compile and test your own Traefik Proxy! Learn how to build your o
 Compile and Test Your Own Traefik!
 {: .subtitle }

-So you want to build your own Traefik binary from the sources?
+You want to build your own Traefik binary from the sources?
 Let's see how.

 ## Building

-You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build Traefik.
+You need either [Docker](https://github.com/docker/docker "Link to website of Docker") and `make` (Method 1), or [Go](https://go.dev/ "Link to website of Go") (Method 2) in order to build Traefik.
 For changes to its dependencies, the `dep` dependency management tool is required.

 ### Method 1: Using `Docker` and `Makefile`

 Run make with the `binary` target.
+
+```bash
+make binary
+```
+
 This will create binaries for the Linux platform in the `dist` folder.

 In case when you run build on CI, you may probably want to run docker in non-interactive mode. To achieve that define `DOCKER_NON_INTERACTIVE=true` environment variable.
@@ -160,7 +165,7 @@ TESTFLAGS="-check.f MyTestSuite.My" make test-integration
 TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
 ```

-More: https://labix.org/gocheck
+Check [gocheck](https://labix.org/gocheck "Link to website of gocheck") for more information.

 ### Method 2: `go`

--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -15,10 +15,14 @@ Let's see how.

 ### General

-This [documentation](https://doc.traefik.io/traefik/) is built with [mkdocs](https://mkdocs.org/).
+This [documentation](https://doc.traefik.io/traefik/ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to website of MkDocs").

 ### Method 1: `Docker` and `make`

+Please make sure you have the following requirements installed:
+
+- [Docker](https://www.docker.com/ "Link to website of Docker")
+
 You can build the documentation and test it locally (with live reloading), using the `docs-serve` target:

 ```bash
@@ -43,9 +47,12 @@ $ make docs-build
 ...
 ```

-### Method 2: `mkdocs`
+### Method 2: `MkDocs`

-First, make sure you have `python` and `pip` installed.
+Please make sure you have the following requirements installed:
+
+- [Python](https://www.python.org/ "Link to website of Python")
+- [pip](https://pypi.org/project/pip/ "Link to the website of pip on PyPI")

 ```bash
 $ python --version
@@ -54,7 +61,7 @@ $ pip --version
 pip 1.5.2
 ```

-Then, install mkdocs with `pip`.
+Then, install MkDocs with `pip`.

 ```bash
 pip install --user -r requirements.txt
@@ -87,7 +94,7 @@ Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/bas

 !!! note "Clean & Verify"

-    If you've made changes to the documentation, it's safter to clean it before verifying it.
+    If you've made changes to the documentation, it's safer to clean it before verifying it.

    ```bash
    $ make docs
--- a/docs/content/deprecation/features.md
+++ b/docs/content/deprecation/features.md
@@ -2,27 +2,4 @@

 This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.

-| Feature                                                     | Deprecated | End of Support | Removal |
-|-------------------------------------------------------------|------------|----------------|---------|
-| [Pilot](#pilot)                                             | 2.7        | 2.8            | 2.9     |
-| [Consul Enterprise Namespace](#consul-enterprise-namespace) | 2.8        | N/A            | 3.0     |
-| [TLS 1.0 and 1.1 Support](#tls-10-and-11)                   | N/A        | 2.8            | N/A     |
-
-## Impact
-
-### Pilot
-
-Metrics will continue to function normally up to 2.8, when they will be disabled.  
-In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
-
-Starting on 2.7 the pilot token will not be a requirement anymore for plugins.  
-Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from Pilot.
-
-### Consul Enterprise Namespace
-
-Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
-please use the `namespaces` options instead.  
-
-### TLS 1.0 and 1.1
-
-Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.  
+There is no feature deprecation in Traefik v3 for now.
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -79,7 +79,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:v2.9 --help
+# ex: docker run traefik:v3.0 --help
 ```

 All available arguments can also be found [here](../reference/static-configuration/cli.md).
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -21,7 +21,7 @@ Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and

 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.9
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.0
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.9`
+    ex: `traefik:v3.0`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

@@ -44,13 +44,13 @@ Traefik can be installed in Kubernetes using the Helm chart from <https://github

 Ensure that the following requirements are met:

-* Kubernetes 1.14+
-* Helm version 3.x is [installed](https://helm.sh/docs/intro/install/)
+* Kubernetes 1.16+
+* Helm version 3.9+ is [installed](https://helm.sh/docs/intro/install/)

-Add Traefik's chart repository to Helm:
+Add Traefik Labs chart repository to Helm:

 ```bash
-helm repo add traefik https://helm.traefik.io/traefik
+helm repo add traefik https://traefik.github.io/charts
 ```

 You can update the chart repository by running:
@@ -68,6 +68,9 @@ helm install traefik traefik/traefik
 !!! tip "Helm Features"

    All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
+
+    Examples are provided [here](https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md). 
+
    For instance, installing the chart in a dedicated namespace:

    ```bash tab="Install in a Dedicated Namespace"
@@ -83,8 +86,7 @@ helm install traefik traefik/traefik
    as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
    {: #helm-custom-values }

-    The values are not (yet) documented, but are self-explanatory:
-    you can look at the [default `values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
+    All parameters are documented in the default [`values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml).

    You can also set Traefik command line flags using `additionalArguments`.
    Example of installation with logging set to `DEBUG`:
--- a/docs/content/getting-started/quick-start-with-kubernetes.md
+++ b/docs/content/getting-started/quick-start-with-kubernetes.md
@@ -130,7 +130,7 @@ spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
-          image: traefik:v2.9
+          image: traefik:v3.0
          args:
            - --api.insecure
            - --providers.kubernetesingress
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -20,7 +20,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v2 Traefik docker image
-    image: traefik:v2.9
+    image: traefik:v3.0
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
@@ -50,7 +50,12 @@ Now that we have a Traefik instance up and running, we will deploy new services.
 Edit your `docker-compose.yml` file and add the following at the end of your file.

 ```yaml
-# ...
+version: '3'
+
+services:
+
+  ...
+
  whoami:
    # A container that exposes an API to show its IP address
    image: traefik/whoami
--- a/docs/content/https/spiffe.md
+++ b/docs/content/https/spiffe.md
@@ -0,0 +1,54 @@
+---
+title: "Traefik SPIFFE Documentation"
+description: "Learn how to configure Traefik to use SPIFFE. Read the technical documentation."
+---
+
+# SPIFFE
+
+Secure the backend connection with SPIFFE.
+{: .subtitle }
+
+[SPIFFE](https://spiffe.io/docs/latest/spiffe-about/overview/) (Secure Production Identity Framework For Everyone), 
+provides a secure identity in the form of a specially crafted X.509 certificate, 
+to every workload in an environment.
+
+Traefik is able to connect to the Workload API to obtain an x509-SVID used to secure the connection with SPIFFE enabled backends.
+
+## Configuration
+
+### General
+
+Enabling SPIFFE is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+It can be defined by using a file (YAML or TOML) or CLI arguments.
+
+### Workload API
+
+The `workloadAPIAddr` configuration defines the address of the SPIFFE [Workload API](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-workload-api).
+
+!!! info "Enabling SPIFFE in ServersTransports"
+
+    Enabling SPIFFE does not imply that backend connections are going to use it automatically.
+    Each [ServersTransport](../routing/services/index.md#serverstransport_1) that is meant to be secured with SPIFFE must [explicitly](../routing/services/index.md#spiffe) enable it.
+
+!!! warning "SPIFFE can cause Traefik to stall"
+	When using SPIFFE,
+	Traefik will wait for the first SVID to be delivered before starting.
+	If Traefik is hanging when waiting on SPIFFE SVID delivery,
+	please double check that it is correctly registered as workload in your SPIFFE infrastructure.
+
+```yaml tab="File (YAML)"
+## Static configuration
+spiffe:
+    workloadAPIAddr: localhost
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[spiffe]
+    workloadAPIAddr: localhost
+```
+
+```bash tab="CLI"
+## Static configuration
+--spiffe.workloadAPIAddr=localhost
+```
--- a/docs/content/https/tailscale.md
+++ b/docs/content/https/tailscale.md
@@ -0,0 +1,237 @@
+---
+title: "Traefik Tailscale Documentation"
+description: "Learn how to configure Traefik Proxy to resolve TLS certificates for your Tailscale services. Read the technical documentation."
+---
+
+# Tailscale
+
+Provision TLS certificates for your internal Tailscale services.
+{: .subtitle }
+
+To protect a service with TLS, a certificate from a public Certificate Authority is needed.
+In addition to its vpn role, Tailscale can also [provide certificates](https://tailscale.com/kb/1153/enabling-https/) for the machines in your Tailscale network.
+
+## Certificate resolvers
+
+To obtain a TLS certificate from the Tailscale daemon,
+a Tailscale certificate resolver needs to be configured as below.
+
+!!! info "Referencing a certificate resolver"
+
+    Defining a certificate resolver does not imply that routers are going to use it automatically.
+    Each router or entrypoint that is meant to use the resolver must explicitly [reference](../routing/routers/index.md#certresolver) it.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+    myresolver:
+        tailscale: {}
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.tailscale]
+```
+
+```bash tab="CLI"
+--certificatesresolvers.myresolver.tailscale=true
+```
+
+## Domain Definition
+
+A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:
+
+- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
+  then the certificate resolver derives this router domain name from the `main` option of `tls.domains`.
+
+- Otherwise, the certificate resolver derives the domain name from any `Host()` or `HostSNI()` matchers
+  in the [router's rule](../routing/routers/index.md#rule).
+
+!!! info "Tailscale Domain Format"
+
+    The domain is only taken into account if it is a Tailscale-specific one,
+    i.e. of the form `machine-name.domains-alias.ts.net`.
+
+## Configuration Example
+
+!!! example "Enabling Tailscale certificate resolution"
+
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+
+      websecure:
+        address: ":443"
+
+    certificatesResolvers:
+      myresolver:
+        tailscale: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+
+    [certificatesResolvers.myresolver.tailscale]
+    ```
+
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
+    # ...
+    --certificatesresolvers.myresolver.tailscale=true
+    ```
+
+!!! example "Domain from Router's Rule Example"
+
+    ```yaml tab="Docker"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="Docker (Swarm)"
+    ## Dynamic configuration
+    deploy:
+      labels:
+        - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+        - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: blogtls
+    spec:
+      entryPoints:
+        - websecure
+      routes:
+        - match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+          kind: Rule
+          services:
+            - name: blog
+              port: 8080
+      tls:
+        certResolver: myresolver
+    ```
+
+    ```json tab="Marathon"
+    labels: {
+      "traefik.http.routers.blog.rule": "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)",
+      "traefik.http.routers.blog.tls.certresolver": "myresolver",
+    }
+    ```
+
+    ```yaml tab="Rancher"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        blog:
+          rule: "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
+          tls:
+            certResolver: myresolver
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.blog]
+      rule = "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
+      [http.routers.blog.tls]
+        certResolver = "myresolver"
+    ```
+
+!!! example "Domain from Router's tls.domain Example"
+
+    ```yaml tab="Docker"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+      - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="Docker (Swarm)"
+    ## Dynamic configuration
+    deploy:
+      labels:
+        - traefik.http.routers.blog.rule=Path(`/metrics`)
+        - traefik.http.routers.blog.tls.certresolver=myresolver
+        - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: blogtls
+    spec:
+      entryPoints:
+        - websecure
+      routes:
+        - match: Path(`/metrics`)
+          kind: Rule
+          services:
+            - name: blog
+              port: 8080
+      tls:
+        certResolver: myresolver
+        domains:
+          - main: monitoring.yak-bebop.ts.net
+    ```
+
+    ```json tab="Marathon"
+    labels: {
+      "traefik.http.routers.blog.rule": "Path(`/metrics`)",
+      "traefik.http.routers.blog.tls.certresolver": "myresolver",
+      "traefik.http.routers.blog.tls.domains[0].main": "monitoring.yak-bebop.ts.net",
+    }
+    ```
+
+    ```yaml tab="Rancher"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+      - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        blog:
+          rule: "Path(`/metrics`)"
+          tls:
+            certResolver: myresolver
+            domains:
+              - main: "monitoring.yak-bebop.ts.net"
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.blog]
+        rule = "Path(`/metrics`)"
+        [http.routers.blog.tls]
+          certResolver = "myresolver"
+          [[http.routers.blog.tls.domains]]
+            main = "monitoring.yak-bebop.ts.net"
+    ```
+
+## Automatic Renewals
+
+Traefik automatically tracks the expiry date of each Tailscale certificate it fetches,
+and starts to renew a certificate 14 days before its expiry to match Tailscale daemon renew policy.
--- a/docs/content/middlewares/http/chain.md
+++ b/docs/content/middlewares/http/chain.md
@@ -15,7 +15,7 @@ It makes reusing the same groups easier.

 ## Configuration Example

-Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.
+Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.

 ```yaml tab="Docker"
 labels:
@@ -25,7 +25,7 @@ labels:
  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

@@ -80,7 +80,7 @@ kind: Middleware
 metadata:
  name: known-ips
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
    - 192.168.1.7
    - 127.0.0.1/32
@@ -93,7 +93,7 @@ spec:
 - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
 - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
 - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

@@ -105,7 +105,7 @@ spec:
  "traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
  "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
  "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
-  "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
+  "traefik.http.middlewares.known-ips.ipallowlist.sourceRange": "192.168.1.7,127.0.0.1/32",
  "traefik.http.services.service1.loadbalancer.server.port": "80"
 }
 ```
@@ -118,7 +118,7 @@ labels:
  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

@@ -150,7 +150,7 @@ http:
        scheme: https

    known-ips:
-      ipWhiteList:
+      ipAllowList:
        sourceRange:
          - "192.168.1.7"
          - "127.0.0.1/32"
@@ -180,7 +180,7 @@ http:
  [http.middlewares.https-only.redirectScheme]
    scheme = "https"

-  [http.middlewares.known-ips.ipWhiteList]
+  [http.middlewares.known-ips.ipAllowList]
    sourceRange = ["192.168.1.7", "127.0.0.1/32"]

 [http.services]
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -5,23 +5,24 @@ description: "Traefik Proxy's HTTP middleware lets you compress responses before

 # Compress

-Compress Responses before Sending them to the Client
+Compress Allows Compressing Responses before Sending them to the Client
 {: .subtitle }

 ![Compress](../../assets/img/middleware/compress.png)

-The Compress middleware uses gzip compression.
+The Compress middleware supports gzip and Brotli compression.
+The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.

 ## Configuration Examples

 ```yaml tab="Docker"
-# Enable gzip compression
+# Enable compression
 labels:
  - "traefik.http.middlewares.test-compress.compress=true"
 ```

 ```yaml tab="Kubernetes"
-# Enable gzip compression
+# Enable compression
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
@@ -31,7 +32,7 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Enable gzip compression
+# Enable compression
 - "traefik.http.middlewares.test-compress.compress=true"
 ```

@@ -42,13 +43,13 @@ spec:
 ```

 ```yaml tab="Rancher"
-# Enable gzip compression
+# Enable compression
 labels:
  - "traefik.http.middlewares.test-compress.compress=true"
 ```

 ```yaml tab="File (YAML)"
-# Enable gzip compression
+# Enable compression
 http:
  middlewares:
    test-compress:
@@ -56,7 +57,7 @@ http:
 ```

 ```toml tab="File (TOML)"
-# Enable gzip compression
+# Enable compression
 [http.middlewares]
  [http.middlewares.test-compress.compress]
 ```
@@ -65,23 +66,34 @@ http:

    Responses are compressed when the following criteria are all met:

-    * The response body is larger than the configured minimum amount of bytes (default is `1024`).
-    * The `Accept-Encoding` request header contains `gzip`.
+    * The `Accept-Encoding` request header contains `gzip`, `*`, and/or `br` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
+    If the `Accept-Encoding` request header is absent, it is meant as br compression is requested.
+    If it is present, but its value is the empty string, then compression is disabled.
    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
-
-    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
-    It will also set the `Content-Type` header according to the detected MIME type.
+    * The response`Content-Type` header is not one among the [excludedContentTypes options](#excludedcontenttypes).
+    * The response body is larger than the [configured minimum amount of bytes](#minresponsebodybytes) (default is `1024`).

 ## Configuration Options

 ### `excludedContentTypes`

+_Optional, Default=""_ 
+
 `excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.

 The responses with content types defined in `excludedContentTypes` are not compressed.

 Content types are compared in a case-insensitive, whitespace-ignored manner.

+!!! info "In the case of gzip"
+
+    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+    It will also set the `Content-Type` header according to the detected MIME type.
+
+!!! info "gRPC"
+
+    Note that `application/grpc` is never compressed.
+
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
@@ -130,9 +142,9 @@ http:

 ### `minResponseBodyBytes`

-`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
+_Optional, Default=1024_

-The default value is `1024`, which should be a reasonable value for most cases.
+`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.

 Responses smaller than the specified values will not be compressed.

--- a/docs/content/middlewares/http/contenttype.md
+++ b/docs/content/middlewares/http/contenttype.md
@@ -1,6 +1,6 @@
 ---
 title: "Traefik ContentType Documentation"
-description: "Traefik Proxy's HTTP middleware can automatically specify the content-type header if it has not been defined by the backend. Read the technical documentation."
+description: "Traefik Proxy's HTTP middleware automatically sets the `Content-Type` header value when it is not set by the backend. Read the technical documentation."
 ---

 # ContentType
@@ -8,84 +8,59 @@ description: "Traefik Proxy's HTTP middleware can automatically specify the cont
 Handling Content-Type auto-detection
 {: .subtitle }

-The Content-Type middleware - or rather its `autoDetect` option -
-specifies whether to let the `Content-Type` header,
-if it has not been defined by the backend,
-be automatically set to a value derived from the contents of the response.
-
-As a proxy, the default behavior should be to leave the header alone,
-regardless of what the backend did with it.
-However, the historic default was to always auto-detect and set the header if it was not already defined,
-and altering this behavior would be a breaking change which would impact many users.
-
-This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+The Content-Type middleware sets the `Content-Type` header value to the media type detected from the response content,
+when it is not set by the backend.

 !!! info

-    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
-    is still to automatically set the `Content-Type` header.
-    Therefore, given the default value of the `autoDetect` option (false),
-    simply enabling this middleware for a router switches the router's behavior.
-
    The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
    Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).

 ## Configuration Examples

 ```yaml tab="Docker"
-# Disable auto-detection
+# Enable auto-detection
 labels:
-  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+  - "traefik.http.middlewares.autodetect.contenttype=true"
 ```

 ```yaml tab="Kubernetes"
-# Disable auto-detection
+# Enable auto-detection
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: autodetect
 spec:
-  contentType:
-    autoDetect: false
+  contentType: {}
 ```

 ```yaml tab="Consul Catalog"
-# Disable auto-detection
- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+# Enable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype=true"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
+  "traefik.http.middlewares.autodetect.contenttype": "true"
 }
 ```

 ```yaml tab="Rancher"
-# Disable auto-detection
+# Enable auto-detection
 labels:
-  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+  - "traefik.http.middlewares.autodetect.contenttype=true"
 ```

 ```yaml tab="File (YAML)"
-# Disable auto-detection
+# Enable auto-detection
 http:
  middlewares:
    autodetect:
-      contentType:
-        autoDetect: false
+      contentType: {}
 ```

 ```toml tab="File (TOML)"
-# Disable auto-detection
+# Enable auto-detection
 [http.middlewares]
  [http.middlewares.autodetect.contentType]
-     autoDetect=false
-```
-
-## Configuration Options
-
-### `autoDetect`
-
-`autoDetect` specifies whether to let the `Content-Type` header,
-if it has not been set by the backend,
-be automatically set to a value derived from the contents of the response.
+```
--- a/docs/content/middlewares/http/grpcweb.md
+++ b/docs/content/middlewares/http/grpcweb.md
@@ -0,0 +1,77 @@
+---
+title: "Traefik GrpcWeb Documentation"
+description: "In Traefik Proxy's HTTP middleware, GrpcWeb converts a gRPC Web requests to HTTP/2 gRPC requests. Read the technical documentation."
+---
+
+# GrpcWeb
+
+Converting gRPC Web requests to HTTP/2 gRPC requests.
+{: .subtitle }
+
+The GrpcWeb middleware converts gRPC Web requests to HTTP/2 gRPC requests before forwarding them to the backends.
+
+!!! tip
+
+    Please note, that Traefik needs to communicate using gRPC with the backends (h2c or HTTP/2 over TLS).
+    Check out the [gRPC](../../user-guides/grpc.md) user guide for more details.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-grpcweb.grpcweb.allowOrigins=*"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-grpcweb
+spec:
+  grpcWeb:
+    allowOrigins:
+      - "*"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-grpcweb.grpcWeb.allowOrigins=*"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-grpcweb.grpcweb.alloworigins": "*"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-grpcweb.grpcweb.alloworigins=*"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-grpcweb:
+      grpcWeb:
+        allowOrigins:
+          - "*"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-grpcweb.grpcWeb]
+    allowOrigins = ["*"]
+```
+
+## Configuration Options
+
+### `allowOrigins`
+
+The `allowOrigins` contains the list of allowed origins.
+A wildcard origin `*` can also be configured to match all requests.
+
+More information including how to use the settings can be found at:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@@ -364,43 +364,11 @@ The `allowedHosts` option lists fully qualified domain names that are allowed.

 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.

-### `sslRedirect`
-
-!!! warning
-
-    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-The `sslRedirect` only allow HTTPS requests when set to `true`.
-
-### `sslTemporaryRedirect`
-
-!!! warning
-
-    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
-
-### `sslHost`
-
-!!! warning
-
-    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.
-
 ### `sslProxyHeaders`

 The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
 It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).

-### `sslForceHost`
-
-!!! warning
-
-    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.
-
 ### `stsSeconds`

 The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
@@ -452,14 +420,6 @@ The `publicKey` implements HPKP to prevent MITM attacks with forged certificates

 The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.

-### `featurePolicy`
-
-!!! warning
-
-    Deprecated in favor of `permissionsPolicy`
-
-The `featurePolicy` allows sites to control browser features.
-
 ### `permissionsPolicy`

 The `permissionsPolicy` allows sites to control browser features.
--- a/docs/content/middlewares/http/ipallowlist.md
+++ b/docs/content/middlewares/http/ipallowlist.md
@@ -1,32 +1,30 @@
 ---
-title: "Traefik HTTP Middlewares IPWhiteList"
-description: "Learn how to use IPWhiteList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+title: "Traefik HTTP Middlewares IPAllowList"
+description: "Learn how to use IPAllowList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
 ---

-# IPWhiteList
+# IPAllowList

 Limiting Clients to Specific IPs
 {: .subtitle }

-![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)
-
-IPWhitelist accepts / refuses requests based on the client IP.
+IPAllowList accepts / refuses requests based on the client IP.

 ## Configuration Examples

 ```yaml tab="Docker"
 # Accepts request from defined IP
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -34,27 +32,27 @@ spec:

 ```yaml tab="Consul Catalog"
 # Accepts request from defined IP
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
 }
 ```

 ```yaml tab="Rancher"
 # Accepts request from defined IP
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
@@ -63,7 +61,7 @@ http:
 ```toml tab="File (TOML)"
 # Accepts request from defined IP
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
+  [http.middlewares.test-ipallowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
 ```

@@ -86,7 +84,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th

 !!! example "Examples of Depth & X-Forwarded-For"

-    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).

    | `X-Forwarded-For`                       | `depth` | clientIP     |
    |-----------------------------------------|---------|--------------|
@@ -95,20 +93,20 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |

 ```yaml tab="Docker"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```

 ```yaml tab="Kubernetes"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -117,31 +115,31 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
 }
 ```

 ```yaml tab="Rancher"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```

 ```yaml tab="File (YAML)"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 http:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
@@ -150,11 +148,11 @@ http:
 ```

 ```toml tab="File (TOML)"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
+  [http.middlewares.test-ipallowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
      depth = 2
 ```

@@ -177,7 +175,7 @@ http:
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
-    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+    - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
@@ -185,9 +183,9 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    ipStrategy:
      excludedIPs:
        - 127.0.0.1/32
@@ -196,27 +194,27 @@ spec:

 ```yaml tab="Consul Catalog"
 # Exclude from `X-Forwarded-For`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
 }
 ```

 ```yaml tab="Rancher"
 # Exclude from `X-Forwarded-For`
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        ipStrategy:
          excludedIPs:
            - "127.0.0.1/32"
@@ -226,7 +224,7 @@ http:
 ```toml tab="File (TOML)"
 # Exclude from `X-Forwarded-For`
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
-    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+  [http.middlewares.test-ipallowlist.ipAllowList]
+    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -142,7 +142,7 @@ http:
 | [Errors](errorpages.md)                   | Defines custom error pages                        | Request Lifecycle           |
 | [ForwardAuth](forwardauth.md)             | Delegates Authentication                          | Security, Authentication    |
 | [Headers](headers.md)                     | Adds / Updates headers                            | Security                    |
-| [IPWhiteList](ipwhitelist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
+| [IPAllowList](ipallowlist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
 | [InFlightReq](inflightreq.md)             | Limits the number of simultaneous connections     | Security, Request lifecycle |
 | [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header              | Security                    |
 | [RateLimit](ratelimit.md)                 | Limits the call frequency                         | Security, Request lifecycle |
--- a/docs/content/middlewares/http/stripprefix.md
+++ b/docs/content/middlewares/http/stripprefix.md
@@ -88,85 +88,3 @@ For instance, `/products` also matches `/products/shoes` and `/products/shirts`.

 If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
 Using the previous example, the backend should return `/products/shoes/image.png` (and not `/image.png`, which Traefik would likely not be able to associate with the same backend).
-
-### `forceSlash`
-
-_Optional, Default=true_
-
-The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
-
-This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
-
-It is recommended to explicitly set `forceSlash` to `false`.
-
-??? info "Behavior examples"
-
-    - `forceSlash=true`
-
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | `/`    |
-    | `/foo`     | `/foo`          | `/`    |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | `/`    |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-
-    - `forceSlash=false`
-
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | empty  |
-    | `/foo`     | `/foo`          | empty  |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | empty  |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-
-```yaml tab="Docker"
-labels:
-  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: example
-spec:
-  stripPrefix:
-    prefixes:
-      - "/foobar"
-    forceSlash: false
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
-  "traefik.http.middlewares.example.stripprefix.forceSlash": "false"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    example:
-      stripPrefix:
-        prefixes:
-          - "/foobar"
-        forceSlash: false
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.example.stripPrefix]
-    prefixes = ["/foobar"]
-    forceSlash = false
-```
--- a/docs/content/middlewares/tcp/ipallowlist.md
+++ b/docs/content/middlewares/tcp/ipallowlist.md
@@ -1,30 +1,30 @@
 ---
-title: "Traefik TCP Middlewares IPWhiteList"
-description: "Learn how to use IPWhiteList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+title: "Traefik TCP Middlewares IPAllowList"
+description: "Learn how to use IPAllowList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
 ---

-# IPWhiteList
+# IPAllowList

 Limiting Clients to Specific IPs
 {: .subtitle }

-IPWhitelist accepts / refuses connections based on the client IP.
+IPAllowList accepts / refuses connections based on the client IP.

 ## Configuration Examples

 ```yaml tab="Docker"
 # Accepts connections from defined IP
 labels:
-  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: MiddlewareTCP
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -32,25 +32,25 @@ spec:

 ```yaml tab="Consul Catalog"
 # Accepts request from defined IP
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
+  "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
 }
 ```

 ```yaml tab="Rancher"
 # Accepts request from defined IP
 labels:
-  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```toml tab="File (TOML)"
 # Accepts request from defined IP
 [tcp.middlewares]
-  [tcp.middlewares.test-ipwhitelist.ipWhiteList]
+  [tcp.middlewares.test-ipallowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
 ```

@@ -58,8 +58,8 @@ labels:
 # Accepts request from defined IP
 tcp:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
--- a/docs/content/middlewares/tcp/overview.md
+++ b/docs/content/middlewares/tcp/overview.md
@@ -18,10 +18,10 @@ whoami:
  #  A container that exposes an API to show its IP address
  image: traefik/whoami
  labels:
-    # Create a middleware named `foo-ip-whitelist`
-    - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-    # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
-    - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
+    # Create a middleware named `foo-ip-allowlist`
+    - "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+    # Apply the middleware named `foo-ip-allowlist` to the router named `router1`
+    - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
 ```

 ```yaml tab="Kubernetes IngressRoute"
@@ -43,9 +43,9 @@ spec:
 apiVersion: traefik.containo.us/v1alpha1
 kind: MiddlewareTCP
 metadata:
-  name: foo-ip-whitelist
+  name: foo-ip-allowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourcerange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -60,30 +60,30 @@ spec:
  routes:
    # more fields...
    middlewares:
-      - name: foo-ip-whitelist
+      - name: foo-ip-allowlist
 ```

 ```yaml tab="Consul Catalog"
-# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
+# Create a middleware named `foo-ip-allowlist`
+- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
+- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@consulcatalog"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
-  "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
+  "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7",
+  "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@marathon"
 }
 ```

 ```yaml tab="Rancher"
 # As a Rancher Label
 labels:
-  # Create a middleware named `foo-ip-whitelist`
-  - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
-  - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
+  # Create a middleware named `foo-ip-allowlist`
+  - "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  # Apply the middleware named `foo-ip-allowlist` to the router named `router1`
+  - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@rancher"
 ```

 ```toml tab="File (TOML)"
@@ -91,11 +91,11 @@ labels:
 [tcp.routers]
  [tcp.routers.router1]
    service = "myService"
-    middlewares = ["foo-ip-whitelist"]
+    middlewares = ["foo-ip-allowlist"]
    rule = "Host(`example.com`)"

 [tcp.middlewares]
-  [tcp.middlewares.foo-ip-whitelist.ipWhiteList]
+  [tcp.middlewares.foo-ip-allowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]

 [tcp.services]
@@ -114,12 +114,12 @@ tcp:
    router1:
      service: myService
      middlewares:
-        - "foo-ip-whitelist"
+        - "foo-ip-allowlist"
      rule: "Host(`example.com`)"

  middlewares:
-    foo-ip-whitelist:
-      ipWhiteList:
+    foo-ip-allowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
@@ -137,4 +137,4 @@ tcp:
 | Middleware                                | Purpose                                           | Area                        |
 |-------------------------------------------|---------------------------------------------------|-----------------------------|
 | [InFlightConn](inflightconn.md)           | Limits the number of simultaneous connections.    | Security, Request lifecycle |
-| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
+| [IPAllowList](ipallowlist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
--- a/docs/content/migration/v2-to-v3.md
+++ b/docs/content/migration/v2-to-v3.md
@@ -0,0 +1,57 @@
+---
+title: "Traefik V3 Migration Documentation"
+description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
+---
+
+# Migration Guide: From v2 to v3
+
+How to Migrate from Traefik v2 to Traefik v3.
+{: .subtitle }
+
+The version 3 of Traefik introduces a number of breaking changes,
+which require one to update their configuration when they migrate from v2 to v3.
+The goal of this page is to recapitulate all of these changes, and in particular to give examples,
+feature by feature, of how the configuration looked like in v2, and how it now looks like in v3.
+
+## IPWhiteList
+
+In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration. 
+
+## gRPC Metrics
+
+In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.  
+
+## Deprecated Options Removal
+
+- The `pilot` option has been removed from the static configuration.
+- The `tracing.datadog.globaltag` option has been removed.
+- The `namespace` option of Consul, Consul Catalog and Nomad providers has been removed.
+- The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Marathon, Consul Catalog, and Docker providers.
+- `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
+- The `forceSlash` option of the StripPrefix middleware has been removed.
+- the `preferServerCipherSuites` option has been removed.
+
+## Matchers
+
+In v3, the `Headers` and `HeadersRegexp` matchers have been renamed to `Header` and `HeaderRegexp` respectively.
+
+`QueryRegexp` has been introduced to match query values using a regular expression.
+
+`HeaderRegexp`, `HostRegexp`, `PathRegexp`, `QueryRegexp`, and `HostSNIRegexp` matchers now uses the [Go regexp syntax](https://golang.org/pkg/regexp/syntax/).
+
+All matchers now take a single value (except `Headers`, `HeaderRegexp`, `Query`, and `QueryRegexp` which take two)
+and should be explicitly combined using logical operators to mimic previous behavior.
+
+`Query` can take a single value to match is the query value that has no value (e.g. `/search?mobile`).
+
+`HostHeader` has been removed, use `Host` instead.
+
+## Content-Type Auto-Detection
+
+In v3, the `Content-Type` header is not auto-detected anymore when it is not set by the backend.
+One should use the `ContentType` middleware to enable the `Content-Type` header value auto-detection.
+
+## HTTP/3
+
+In v3, HTTP/3 is no longer an experimental feature.
+The `experimental.http3` option has been removed from the static configuration.
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -490,3 +490,9 @@ In `v2.8.2`, Traefik now reject certificates signed with the SHA-1 hash function
 ### Traefik Pilot

 In `v2.9`, Traefik Pilot support has been removed.
+
+## v2.10
+
+### Nomad Namespace
+
+In `v2.10`, the `namespace` option of the Nomad provider is deprecated, please use the `namespaces` options instead.
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -229,6 +229,7 @@ accessLog:
    | `RetryAttempts`         | The amount of attempts the request was retried.                                                                                                                     |
    | `TLSVersion`            | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS).                                                                                         |
    | `TLSCipher`             | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS)                                                           |
+    | `TLSClientSubject`      | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`)                                                               |

 ## Log Rotation

@@ -254,7 +255,7 @@ version: "3.7"

 services:
  traefik:
-    image: traefik:v2.9
+    image: traefik:v3.0
    environment:
      - TZ=US/Alaska
    command:
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@@ -64,7 +64,7 @@ log:

 #### `level`

-By default, the `level` is set to `ERROR`. Alternative logging levels are `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`.
+By default, the `level` is set to `ERROR`. Alternative logging levels are `TRACE`, `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`.

 ```yaml tab="File (YAML)"
 log:
@@ -80,10 +80,101 @@ log:
 --log.level=DEBUG
 ```

+#### `noColor`
+
+When using the 'common' format, disables the colorized output.
+
+```yaml tab="File (YAML)"
+log:
+  noColor: true
+```
+
+```toml tab="File (TOML)"
+[log]
+  noColor = true
+```
+
+```bash tab="CLI"
+--log.nocolor=true
+```
+
 ## Log Rotation

-Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
-This allows the logs to be rotated and processed by an external program, such as `logrotate`.
+The rotation of the log files can be configured with the following options.

-!!! warning
-    This does not work on Windows due to the lack of USR signals.
+### `maxSize`
+
+`maxSize` is the maximum size in megabytes of the log file before it gets rotated.
+It defaults to 100 megabytes.
+
+```yaml tab="File (YAML)"
+log:
+  maxSize: 1
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxSize = 1
+```
+
+```bash tab="CLI"
+--log.maxsize=1
+```
+
+### `maxBackups`
+
+`maxBackups` is the maximum number of old log files to retain.
+The default is to retain all old log files (though `maxAge` may still cause them to get deleted).
+
+```yaml tab="File (YAML)"
+log:
+  maxBackups: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxBackups = 3
+```
+
+```bash tab="CLI"
+--log.maxbackups=3
+```
+
+### `maxAge`
+
+`maxAge` is the maximum number of days to retain old log files based on the timestamp encoded in their filename.
+Note that a day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc.
+The default is not to remove old log files based on age.
+
+```yaml tab="File (YAML)"
+log:
+  maxAge: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxAge = 3
+```
+
+```bash tab="CLI"
+--log.maxage=3
+```
+
+### `compress`
+
+`compress` determines if the rotated log files should be compressed using gzip.
+The default is not to perform compression.
+
+```yaml tab="File (YAML)"
+log:
+  compress: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  compress = 3
+```
+
+```bash tab="CLI"
+--log.compress=3
+```
--- a/docs/content/observability/metrics/opentelemetry.md
+++ b/docs/content/observability/metrics/opentelemetry.md
@@ -0,0 +1,353 @@
+---
+title: "Traefik OpenTelemetry Documentation"
+description: "Traefik supports several metrics backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
+---
+
+# OpenTelemetry
+
+To enable the OpenTelemetry:
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry=true
+```
+
+!!! info "The OpenTelemetry exporter will export metrics to the collector by using HTTP by default, see the [gRPC Section](#grpc-configuration) to use gRPC."
+
+#### `address`
+
+_Required, Default="localhost:4318", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send metrics to.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    address: localhost:4318
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    address = "localhost:4318"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.address=localhost:4318
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addEntryPointsLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addEntryPointsLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addEntryPointsLabels=true
+```
+
+#### `addRoutersLabels`
+
+_Optional, Default=false_
+
+Enable metrics on routers.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addRoutersLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addRoutersLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addRoutersLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addServicesLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addServicesLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addServicesLabels=true
+```
+
+#### `explicitBoundaries`
+
+_Optional, Default=".005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10"_
+
+Explicit boundaries for Histogram data points.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    explicitBoundaries:
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    explicitBoundaries = [0.1,0.3,1.2,5.0]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.explicitBoundaries=0.1,0.3,1.2,5.0
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    headers:
+      foo: bar
+      baz: buz
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.headers.foo=bar --metrics.openTelemetry.headers.baz=buz
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    insecure: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    insecure = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.insecure=true
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+Interval at which metrics are sent to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    pushInterval: 10s
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    pushInterval = "10s"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.pushInterval=10s
+```
+
+#### `path`
+
+_Required, Default="/v1/traces"_
+
+Allows to override the default URL path used for sending metrics.
+This option has no effect when using gRPC transport.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    path: /foo/v1/traces
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    path = "/foo/v1/traces"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.path=/foo/v1/traces
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.cert=path/to/foo.cert
+--metrics.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.cert=path/to/foo.cert
+--metrics.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.insecureSkipVerify=true
+```
+
+#### gRPC configuration
+
+This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry.grpc]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.grpc=true
+```
--- a/docs/content/observability/metrics/overview.md
+++ b/docs/content/observability/metrics/overview.md
@@ -13,6 +13,8 @@ Traefik supports these metrics backends:
 - [Prometheus](./prometheus.md)
 - [StatsD](./statsd.md)

+Traefik Proxy hosts an official Grafana dashboard for both [on-premises](https://grafana.com/grafana/dashboards/17346) and [Kubernetes](https://grafana.com/grafana/dashboards/17347) deployments.
+
 ## Global Metrics

 | Metric                                      | Type    | Description                                             |
--- a/docs/content/observability/tracing/datadog.md
+++ b/docs/content/observability/tracing/datadog.md
@@ -65,30 +65,6 @@ tracing:
 --tracing.datadog.debug=true
 ```

-#### `globalTag`
-
-??? warning "Deprecated in favor of the [`globalTags`](#globaltags) option."
-
-    _Optional, Default=empty_
-    
-    Applies a shared key:value tag on all spans.
-    
-    ```yaml tab="File (YAML)"
-    tracing:
-      datadog:
-        globalTag: sample
-    ```
-    
-    ```toml tab="File (TOML)"
-    [tracing]
-      [tracing.datadog]
-        globalTag = "sample"
-    ```
-    
-    ```bash tab="CLI"
-    --tracing.datadog.globalTag=sample
-    ```
-
 #### `globalTags`

 _Optional, Default=empty_
--- a/docs/content/observability/tracing/opentelemetry.md
+++ b/docs/content/observability/tracing/opentelemetry.md
@@ -0,0 +1,246 @@
+---
+title: "Traefik OpenTelemetry Documentation"
+description: "Traefik supports several tracing backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
+---
+
+# OpenTelemetry
+
+To enable the OpenTelemetry tracer:
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry: {}
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry=true
+```
+
+!!! info "The OpenTelemetry trace reporter will export traces to the collector using HTTP by default, see the [gRPC Section](#grpc-configuration) to use gRPC."
+
+!!! info "Trace sampling"
+
+	By default, the OpenTelemetry trace reporter will sample 100% of traces.
+	See [OpenTelemetry's SDK configuration](https://opentelemetry.io/docs/reference/specification/sdk-environment-variables/#general-sdk-configuration) to customize the sampling strategy.
+
+#### `address`
+
+_Required, Default="localhost:4318", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send spans to.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    address: localhost:4318
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    address = "localhost:4318"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.address=localhost:4318
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with spans by the reporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    headers:
+      foo: bar
+      baz: buz
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.headers.foo=bar --tracing.openTelemetry.headers.baz=buz
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows reporter to send spans to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    insecure: true
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    insecure = true
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.insecure=true
+```
+
+#### `path`
+
+_Required, Default="/v1/traces"_
+
+Allows to override the default URL path used for sending traces.
+This option has no effect when using gRPC transport.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    path: /foo/v1/traces
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    path = "/foo/v1/traces"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.path=/foo/v1/traces
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the TLS configuration used by the reporter to send spans to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.cert=path/to/foo.cert
+--tracing.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.cert=path/to/foo.cert
+--tracing.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.insecureSkipVerify=true
+```
+
+#### gRPC configuration
+
+_Optional_
+
+This instructs the reporter to send spans to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry.grpc]
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.grpc=true
+```
--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@@ -72,7 +72,7 @@ to allow defining:

 - One or more security features through [middlewares](../middlewares/overview.md)
  like authentication ([basicAuth](../middlewares/http/basicauth.md) , [digestAuth](../middlewares/http/digestauth.md),
-  [forwardAuth](../middlewares/http/forwardauth.md)) or [whitelisting](../middlewares/http/ipwhitelist.md).
+  [forwardAuth](../middlewares/http/forwardauth.md)) or [allowlisting](../middlewares/http/ipallowlist.md).

 - A [router rule](#dashboard-router-rule) for accessing the dashboard,
  through Traefik itself (sometimes referred as "Traefik-ception").
@@ -93,12 +93,12 @@ rule = "Host(`traefik.example.com`)"

 ```bash tab="Path Prefix Rule"
 # The dashboard can be accessed on http://example.com/dashboard/ or http://traefik.example.com/dashboard/
-rule = "PathPrefix(`/api`, `/dashboard`)"
+rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
 ```

 ```bash tab="Combination of Rules"
 # The dashboard can be accessed on http://traefik.example.com/dashboard/
-rule = "Host(`traefik.example.com`) && PathPrefix(`/api`, `/dashboard`)"
+rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 ```

 ??? example "Dashboard Dynamic Configuration Examples"
--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@@ -667,41 +667,6 @@ providers:

 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace in which the consul catalog services will be discovered.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consulCatalog:
-        namespace: "production" 
-        # ...
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consulCatalog]
-      namespace = "production"
-      # ...
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consulcatalog.namespace=production
-    # ...
-    ```
-
 ### `namespaces`

 _Optional, Default=""_
--- a/docs/content/providers/consul.md
+++ b/docs/content/providers/consul.md
@@ -59,40 +59,6 @@ providers:
 --providers.consul.rootkey=traefik
 ```

-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace to query.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consul:
-        # ...
-        namespace: "production"
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consul]
-      # ...
-      namespace = "production"
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consul.namespace=production
-    ```
-
 ### `namespaces`

 _Optional, Default=""_
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -265,7 +265,7 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A

    services:
      traefik:
-         image: traefik:v2.9 # The official v2 Traefik docker image
+         image: traefik:v3.0 # The official v2 Traefik docker image
         ports:
           - "80:80"
         volumes:
--- a/docs/content/providers/ecs.md
+++ b/docs/content/providers/ecs.md
@@ -234,6 +234,30 @@ providers:
 # ...
 ```

+### `healthyTasksOnly`
+
+_Optional, Default=false_
+
+Determines whether Traefik discovers only healthy tasks (`HEALTHY` healthStatus).
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    healthyTasksOnly: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  healthyTasksOnly = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.healthyTasksOnly=true
+# ...
+```
+
 ### `defaultRule`

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_
--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@@ -18,7 +18,7 @@ It supports providing configuration through a [single configuration file](#filen

 !!! tip

-    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring whitelist middlewares, basic authentication, ...)
+    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring allowlist middlewares, basic authentication, ...)

 ## Configuration Examples

--- a/docs/content/providers/http.md
+++ b/docs/content/providers/http.md
@@ -76,6 +76,26 @@ providers:
 --providers.http.pollTimeout=5s
 ```

+### `headers`
+
+_Optional_
+
+Defines custom headers to be sent to the endpoint.
+
+```yaml tab="File (YAML)"
+providers:
+  headers:
+    name: value
+```
+
+```toml tab="File (TOML)"
+[providers.http.headers]
+  name = "value"
+```
+
+```bash tab="CLI"
+--providers.http.headers.name=value
+
 ### `tls`

 _Optional_
--- a/docs/content/providers/nomad.md
+++ b/docs/content/providers/nomad.md
@@ -440,26 +440,37 @@ providers:

 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

-### `namespace`
+### `namespaces`

 _Optional, Default=""_

-The `namespace` option defines the namespace in which the Nomad services will be discovered.
+The `namespaces` option defines the namespaces in which the nomad services will be discovered.
+When using the `namespaces` option, the discovered object names will be suffixed as shown below:
+
+```text
+<resource-name>@nomad-<namespace>
+```
+
+!!! warning
+  
+    One should only define either the `namespaces` option or the `namespace` option.

 ```yaml tab="File (YAML)"
 providers:
  nomad:
-    namespace: "production"
+    namespaces:
+      - "ns1"
+      - "ns2"
    # ...
 ```

 ```toml tab="File (TOML)"
 [providers.nomad]
-  namespace = "production"
+  namespaces = ["ns1", "ns2"]
  # ...
 ```

 ```bash tab="CLI"
--providers.nomad.namespace=production
+--providers.nomad.namespaces=ns1,ns2
 # ...
 ```
--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@@ -17,7 +17,7 @@
 - "traefik.http.middlewares.middleware05.compress=true"
 - "traefik.http.middlewares.middleware05.compress.excludedcontenttypes=foobar, foobar"
 - "traefik.http.middlewares.middleware05.compress.minresponsebodybytes=42"
- "traefik.http.middlewares.middleware06.contenttype.autodetect=true"
+- "traefik.http.middlewares.middleware06.contenttype=true"
 - "traefik.http.middlewares.middleware07.digestauth.headerfield=foobar"
 - "traefik.http.middlewares.middleware07.digestauth.realm=foobar"
 - "traefik.http.middlewares.middleware07.digestauth.removeheader=true"
@@ -31,7 +31,6 @@
 - "traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.authrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.ca=foobar"
- "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.cert=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.key=foobar"
@@ -54,7 +53,6 @@
 - "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1=foobar"
 - "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0=foobar"
 - "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1=foobar"
- "traefik.http.middlewares.middleware10.headers.featurepolicy=foobar"
 - "traefik.http.middlewares.middleware10.headers.forcestsheader=true"
 - "traefik.http.middlewares.middleware10.headers.framedeny=true"
 - "traefik.http.middlewares.middleware10.headers.hostsproxyheaders=foobar, foobar"
@@ -62,18 +60,14 @@
 - "traefik.http.middlewares.middleware10.headers.permissionspolicy=foobar"
 - "traefik.http.middlewares.middleware10.headers.publickey=foobar"
 - "traefik.http.middlewares.middleware10.headers.referrerpolicy=foobar"
- "traefik.http.middlewares.middleware10.headers.sslforcehost=true"
- "traefik.http.middlewares.middleware10.headers.sslhost=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1=foobar"
- "traefik.http.middlewares.middleware10.headers.sslredirect=true"
- "traefik.http.middlewares.middleware10.headers.ssltemporaryredirect=true"
 - "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
 - "traefik.http.middlewares.middleware10.headers.stspreload=true"
 - "traefik.http.middlewares.middleware10.headers.stsseconds=42"
- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth=42"
- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
- "traefik.http.middlewares.middleware11.ipwhitelist.sourcerange=foobar, foobar"
+- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware11.ipallowlist.sourcerange=foobar, foobar"
 - "traefik.http.middlewares.middleware12.inflightreq.amount=42"
 - "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
@@ -118,9 +112,9 @@
 - "traefik.http.middlewares.middleware19.replacepathregex.replacement=foobar"
 - "traefik.http.middlewares.middleware20.retry.attempts=42"
 - "traefik.http.middlewares.middleware20.retry.initialinterval=42"
- "traefik.http.middlewares.middleware21.stripprefix.forceslash=true"
 - "traefik.http.middlewares.middleware21.stripprefix.prefixes=foobar, foobar"
 - "traefik.http.middlewares.middleware22.stripprefixregex.regex=foobar, foobar"
+- "traefik.http.middlewares.middleware23.grpcweb.alloworigins=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
 - "traefik.http.routers.router0.middlewares=foobar, foobar"
 - "traefik.http.routers.router0.priority=42"
@@ -152,8 +146,10 @@
 - "traefik.http.services.service01.loadbalancer.healthcheck.interval=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.path=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.method=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.status=42"
 - "traefik.http.services.service01.loadbalancer.healthcheck.port=42"
 - "traefik.http.services.service01.loadbalancer.healthcheck.scheme=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.mode=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.timeout=foobar"
 - "traefik.http.services.service01.loadbalancer.passhostheader=true"
 - "traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval=foobar"
@@ -165,7 +161,7 @@
 - "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
 - "traefik.http.services.service01.loadbalancer.server.port=foobar"
 - "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
- "traefik.tcp.middlewares.tcpmiddleware00.ipwhitelist.sourcerange=foobar, foobar"
+- "traefik.tcp.middlewares.tcpmiddleware00.ipallowlist.sourcerange=foobar, foobar"
 - "traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount=42"
 - "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
 - "traefik.tcp.routers.tcprouter0.middlewares=foobar, foobar"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@@ -53,18 +53,20 @@
          url = "foobar"
        [http.services.Service01.loadBalancer.healthCheck]
          scheme = "foobar"
+          mode = "foobar"
          path = "foobar"
          method = "foobar"
+          status = 42
          port = 42
-          interval = "foobar"
-          timeout = "foobar"
+          interval = "42s"
+          timeout = "42s"
          hostname = "foobar"
          followRedirects = true
          [http.services.Service01.loadBalancer.healthCheck.headers]
            name0 = "foobar"
            name1 = "foobar"
        [http.services.Service01.loadBalancer.responseForwarding]
-          flushInterval = "foobar"
+          flushInterval = "42s"
    [http.services.Service02]
      [http.services.Service02.mirroring]
        service = "foobar"
@@ -135,7 +137,6 @@
        minResponseBodyBytes = 42
    [http.middlewares.Middleware06]
      [http.middlewares.Middleware06.contentType]
-        autoDetect = true
    [http.middlewares.Middleware07]
      [http.middlewares.Middleware07.digestAuth]
        users = ["foobar", "foobar"]
@@ -157,7 +158,6 @@
        authRequestHeaders = ["foobar", "foobar"]
        [http.middlewares.Middleware09.forwardAuth.tls]
          ca = "foobar"
-          caOptional = true
          cert = "foobar"
          key = "foobar"
          insecureSkipVerify = true
@@ -173,10 +173,6 @@
        addVaryHeader = true
        allowedHosts = ["foobar", "foobar"]
        hostsProxyHeaders = ["foobar", "foobar"]
-        sslRedirect = true
-        sslTemporaryRedirect = true
-        sslHost = "foobar"
-        sslForceHost = true
        stsSeconds = 42
        stsIncludeSubdomains = true
        stsPreload = true
@@ -189,7 +185,6 @@
        contentSecurityPolicy = "foobar"
        publicKey = "foobar"
        referrerPolicy = "foobar"
-        featurePolicy = "foobar"
        permissionsPolicy = "foobar"
        isDevelopment = true
        [http.middlewares.Middleware10.headers.customRequestHeaders]
@@ -202,9 +197,9 @@
          name0 = "foobar"
          name1 = "foobar"
    [http.middlewares.Middleware11]
-      [http.middlewares.Middleware11.ipWhiteList]
+      [http.middlewares.Middleware11.ipAllowList]
        sourceRange = ["foobar", "foobar"]
-        [http.middlewares.Middleware11.ipWhiteList.ipStrategy]
+        [http.middlewares.Middleware11.ipAllowList.ipStrategy]
          depth = 42
          excludedIPs = ["foobar", "foobar"]
    [http.middlewares.Middleware12]
@@ -280,10 +275,12 @@
    [http.middlewares.Middleware21]
      [http.middlewares.Middleware21.stripPrefix]
        prefixes = ["foobar", "foobar"]
-        forceSlash = true
    [http.middlewares.Middleware22]
      [http.middlewares.Middleware22.stripPrefixRegex]
        regex = ["foobar", "foobar"]
+    [http.middlewares.Middleware23]
+      [http.middlewares.Middleware23.grpcWeb]
+        allowOrigins = ["foobar", "foobar"]
  [http.serversTransports]
    [http.serversTransports.ServersTransport0]
      serverName = "foobar"
@@ -300,12 +297,18 @@
      [[http.serversTransports.ServersTransport0.certificates]]
        certFile = "foobar"
        keyFile = "foobar"
+
      [http.serversTransports.ServersTransport0.forwardingTimeouts]
        dialTimeout = "42s"
        responseHeaderTimeout = "42s"
        idleConnTimeout = "42s"
        readIdleTimeout = "42s"
        pingTimeout = "42s"
+
+      [http.serversTransports.ServersTransport0.spiffe]
+        ids = ["foobar", "foobar"]
+        trustDomain = "foobar"
+
    [http.serversTransports.ServersTransport1]
      serverName = "foobar"
      insecureSkipVerify = true
@@ -321,6 +324,7 @@
      [[http.serversTransports.ServersTransport1.certificates]]
        certFile = "foobar"
        keyFile = "foobar"
+
      [http.serversTransports.ServersTransport1.forwardingTimeouts]
        dialTimeout = "42s"
        responseHeaderTimeout = "42s"
@@ -328,6 +332,10 @@
        readIdleTimeout = "42s"
        pingTimeout = "42s"

+      [http.serversTransports.ServersTransport1.spiffe]
+        ids = ["foobar", "foobar"]
+        trustDomain = "foobar"
+
 [tcp]
  [tcp.routers]
    [tcp.routers.TCPRouter0]
@@ -390,7 +398,7 @@
          weight = 42
  [tcp.middlewares]
    [tcp.middlewares.TCPMiddleware00]
-      [tcp.middlewares.TCPMiddleware00.ipWhiteList]
+      [tcp.middlewares.TCPMiddleware00.ipAllowList]
        sourceRange = ["foobar", "foobar"]
    [tcp.middlewares.TCPMiddleware01]
      [tcp.middlewares.TCPMiddleware01.inFlightConn]
@@ -442,7 +450,6 @@
      cipherSuites = ["foobar", "foobar"]
      curvePreferences = ["foobar", "foobar"]
      sniStrict = true
-      preferServerCipherSuites = true
      alpnProtocols = ["foobar", "foobar"]
      [tls.options.Options0.clientAuth]
        caFiles = ["foobar", "foobar"]
@@ -453,7 +460,6 @@
      cipherSuites = ["foobar", "foobar"]
      curvePreferences = ["foobar", "foobar"]
      sniStrict = true
-      preferServerCipherSuites = true
      alpnProtocols = ["foobar", "foobar"]
      [tls.options.Options1.clientAuth]
        caFiles = ["foobar", "foobar"]
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@@ -58,11 +58,13 @@ http:
          - url: foobar
        healthCheck:
          scheme: foobar
+          mode: foobar
          path: foobar
          method: foobar
+          status: 42
          port: 42
-          interval: foobar
-          timeout: foobar
+          interval: 42s
+          timeout: 42s
          hostname: foobar
          followRedirects: true
          headers:
@@ -70,7 +72,7 @@ http:
            name1: foobar
        passHostHeader: true
        responseForwarding:
-          flushInterval: foobar
+          flushInterval: 42s
        serversTransport: foobar
    Service02:
      mirroring:
@@ -139,8 +141,7 @@ http:
          - foobar
        minResponseBodyBytes: 42
    Middleware06:
-      contentType:
-        autoDetect: true
+      contentType: {}
    Middleware07:
      digestAuth:
        users:
@@ -162,7 +163,6 @@ http:
        address: foobar
        tls:
          ca: foobar
-          caOptional: true
          cert: foobar
          key: foobar
          insecureSkipVerify: true
@@ -206,13 +206,9 @@ http:
        hostsProxyHeaders:
          - foobar
          - foobar
-        sslRedirect: true
-        sslTemporaryRedirect: true
-        sslHost: foobar
        sslProxyHeaders:
          name0: foobar
          name1: foobar
-        sslForceHost: true
        stsSeconds: 42
        stsIncludeSubdomains: true
        stsPreload: true
@@ -225,11 +221,10 @@ http:
        contentSecurityPolicy: foobar
        publicKey: foobar
        referrerPolicy: foobar
-        featurePolicy: foobar
        permissionsPolicy: foobar
        isDevelopment: true
    Middleware11:
-      ipWhiteList:
+      ipAllowList:
        sourceRange:
          - foobar
          - foobar
@@ -317,12 +312,16 @@ http:
        prefixes:
          - foobar
          - foobar
-        forceSlash: true
    Middleware22:
      stripPrefixRegex:
        regex:
          - foobar
          - foobar
+    Middleware23:
+      grpcWeb:
+        allowOrigins:
+          - foobar
+          - foobar
  serversTransports:
    ServersTransport0:
      serverName: foobar
@@ -344,6 +343,12 @@ http:
        pingTimeout: 42s
      disableHTTP2: true
      peerCertURI: foobar
+      spiffe:
+        ids:
+          - foobar
+          - foobar
+        trustDomain: foobar
+
    ServersTransport1:
      serverName: foobar
      insecureSkipVerify: true
@@ -364,6 +369,12 @@ http:
        pingTimeout: 42s
      disableHTTP2: true
      peerCertURI: foobar
+      spiffe:
+        ids:
+          - foobar
+          - foobar
+        trustDomain: foobar
+
 tcp:
  routers:
    TCPRouter0:
@@ -430,7 +441,7 @@ tcp:
            weight: 42
  middlewares:
    TCPMiddleware00:
-      ipWhiteList:
+      ipAllowList:
        sourceRange:
          - foobar
          - foobar
@@ -490,7 +501,6 @@ tls:
          - foobar
        clientAuthType: foobar
      sniStrict: true
-      preferServerCipherSuites: true
      alpnProtocols:
        - foobar
        - foobar
@@ -509,7 +519,6 @@ tls:
          - foobar
        clientAuthType: foobar
      sniStrict: true
-      preferServerCipherSuites: true
      alpnProtocols:
        - foobar
        - foobar
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
@@ -39,7 +39,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
@@ -56,11 +56,11 @@ spec:
                      - Rule
                      type: string
                    match:
-                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#rule'
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule'
                      type: string
                    middlewares:
                      description: 'Middlewares defines the list of references to
-                        Middleware resources. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-middleware'
+                        Middleware resources. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-middleware'
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -79,7 +79,7 @@ spec:
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
-                        info: https://doc.traefik.io/traefik/v2.9/routing/routers/#priority'
+                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority'
                      type: integer
                    services:
                      description: Services defines the list of Service. It can contain
@@ -145,7 +145,7 @@ spec:
                            type: string
                          sticky:
                            description: 'Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                              More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -190,16 +190,16 @@ spec:
                  type: object
                type: array
              tls:
-                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#tls'
+                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
-                      static configuration. More info: https://doc.traefik.io/traefik/v2.9/https/acme/#certificate-resolvers'
+                      static configuration. More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
-                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#domains'
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -217,15 +217,15 @@ spec:
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
-                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsoption'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
-                          TLSOption. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsoption'
+                          TLSOption. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                    required:
                    - name
@@ -241,11 +241,11 @@ spec:
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsstore'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
-                          TLSStore. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsstore'
+                          TLSStore. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                    required:
                    - name
@@ -307,7 +307,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
@@ -318,7 +318,7 @@ spec:
                  description: RouteTCP holds the TCP route configuration.
                  properties:
                    match:
-                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#rule_1'
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule_1'
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -341,7 +341,7 @@ spec:
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
-                        info: https://doc.traefik.io/traefik/v2.9/routing/routers/#priority_1'
+                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority_1'
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
@@ -366,7 +366,7 @@ spec:
                            x-kubernetes-int-or-string: true
                          proxyProtocol:
                            description: 'ProxyProtocol defines the PROXY protocol
-                              configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/services/#proxy-protocol'
+                              configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/services/#proxy-protocol'
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
@@ -397,16 +397,16 @@ spec:
                type: array
              tls:
                description: 'TLS defines the TLS configuration on a layer 4 / TCP
-                  Route. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#tls_1'
+                  Route. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls_1'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
-                      static configuration. More info: https://doc.traefik.io/traefik/v2.9/https/acme/#certificate-resolvers'
+                      static configuration. More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
-                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#domains'
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -424,7 +424,7 @@ spec:
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
-                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
@@ -518,7 +518,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
@@ -597,7 +597,7 @@ spec:
    schema:
      openAPIV3Schema:
        description: 'Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/overview/'
+          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -617,7 +617,7 @@ spec:
              addPrefix:
                description: 'AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding
-                  it. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/addprefix/'
+                  it. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/addprefix/'
                properties:
                  prefix:
                    description: Prefix is the string to add before the current path
@@ -627,11 +627,11 @@ spec:
              basicAuth:
                description: 'BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
-                      authenticated user. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/#headerfield'
+                      authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
@@ -651,7 +651,7 @@ spec:
              buffering:
                description: 'Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can
-                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/buffering/#maxrequestbodybytes'
+                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#maxrequestbodybytes'
                properties:
                  maxRequestBodyBytes:
                    description: 'MaxRequestBodyBytes defines the maximum allowed
@@ -684,13 +684,13 @@ spec:
                  retryExpression:
                    description: 'RetryExpression defines the retry conditions. It
                      is a logical combination of functions with operators AND (&&)
-                      and OR (||). More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/buffering/#retryexpression'
+                      and OR (||). More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#retryexpression'
                    type: string
                type: object
              chain:
                description: 'Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other
-                  pieces of middleware. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/chain/'
+                  pieces of middleware. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/chain/'
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -744,12 +744,13 @@ spec:
              compress:
                description: 'Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the
-                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/compress/'
+                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/compress/'
                properties:
                  excludedContentTypes:
                    description: ExcludedContentTypes defines the list of content
                      types to compare the Content-Type header of the incoming requests
-                      and responses before compressing.
+                      and responses before compressing. `application/grpc` is always
+                      excluded.
                    items:
                      type: string
                    type: array
@@ -761,28 +762,18 @@ spec:
                type: object
              contentType:
                description: ContentType holds the content-type middleware configuration.
-                  This middleware exists to enable the correct behavior until at least
-                  the default one can be changed in a future version.
-                properties:
-                  autoDetect:
-                    description: AutoDetect specifies whether to let the `Content-Type`
-                      header, if it has not been set by the backend, be automatically
-                      set to a value derived from the contents of the response. As
-                      a proxy, the default behavior should be to leave the header
-                      alone, regardless of what the backend did with it. However,
-                      the historic default was to always auto-detect and set the header
-                      if it was nil, and it is going to be kept that way in order
-                      to support users currently relying on it.
-                    type: boolean
+                  This middleware sets the `Content-Type` header value to the media
+                  type detected from the response content, when it is not set by the
+                  backend.
                type: object
              digestAuth:
                description: 'DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/digestauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/digestauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
-                      authenticated user. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/#headerfield'
+                      authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
@@ -801,7 +792,7 @@ spec:
              errors:
                description: 'ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according
-                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/errorpages/'
+                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/'
                properties:
                  query:
                    description: Query defines the URL for the error page (hosted
@@ -810,7 +801,7 @@ spec:
                    type: string
                  service:
                    description: 'Service defines the reference to a Kubernetes Service
-                      that will serve the error page. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/errorpages/#service'
+                      that will serve the error page. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/#service'
                    properties:
                      kind:
                        description: Kind defines the kind of the Service.
@@ -867,7 +858,7 @@ spec:
                        type: string
                      sticky:
                        description: 'Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -916,7 +907,7 @@ spec:
              forwardAuth:
                description: 'ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/forwardauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/'
                properties:
                  address:
                    description: Address defines the authentication server address.
@@ -939,14 +930,12 @@ spec:
                    description: 'AuthResponseHeadersRegex defines the regex to match
                      headers to copy from the authentication server response and
                      set on forwarded request, after stripping all headers that match
-                      the regex. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/forwardauth/#authresponseheadersregex'
+                      the regex. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#authresponseheadersregex'
                    type: string
                  tls:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
                    properties:
-                      caOptional:
-                        type: boolean
                      caSecret:
                        description: CASecret is the name of the referenced Kubernetes
                          Secret containing the CA to validate the server certificate.
@@ -967,10 +956,21 @@ spec:
                      forward) all X-Forwarded-* headers.'
                    type: boolean
                type: object
+              grpcWeb:
+                description: GrpcWeb holds the gRPC web middleware configuration.
+                  This middleware converts a gRPC web request to an HTTP/2 gRPC request.
+                properties:
+                  allowOrigins:
+                    description: AllowOrigins is a list of allowable origins. Can
+                      also be a wildcard origin "*".
+                    items:
+                      type: string
+                    type: array
+                type: object
              headers:
                description: 'Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers. More
-                  info: https://doc.traefik.io/traefik/v2.9/middlewares/http/headers/#customrequestheaders'
+                  info: https://doc.traefik.io/traefik/v3.0/middlewares/http/headers/#customrequestheaders'
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -1054,9 +1054,6 @@ spec:
                    description: CustomResponseHeaders defines the header names and
                      values to apply to the response.
                    type: object
-                  featurePolicy:
-                    description: 'Deprecated: use PermissionsPolicy instead.'
-                    type: string
                  forceSTSHeader:
                    description: ForceSTSHeader defines whether to add the STS header
                      even when the connection is HTTP.
@@ -1092,12 +1089,6 @@ spec:
                      value. This allows sites to control whether browsers forward
                      the Referer header to other sites.
                    type: string
-                  sslForceHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: boolean
-                  sslHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
@@ -1106,14 +1097,6 @@ spec:
                      useful when using other proxies (example: "X-Forwarded-Proto":
                      "https").'
                    type: object
-                  sslRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
-                  sslTemporaryRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
                  stsIncludeSubdomains:
                    description: STSIncludeSubdomains defines whether the includeSubDomains
                      directive is appended to the Strict-Transport-Security header.
@@ -1131,7 +1114,7 @@ spec:
              inFlightReq:
                description: 'InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and
-                  served concurrently. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/inflightreq/'
+                  served concurrently. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/'
                properties:
                  amount:
                    description: Amount defines the maximum amount of allowed simultaneous
@@ -1145,11 +1128,11 @@ spec:
                      group requests as originating from a common source. If several
                      strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost. More
-                      info: https://doc.traefik.io/traefik/v2.9/middlewares/http/inflightreq/#sourcecriterion'
+                      info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/#sourcecriterion'
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
-                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1174,14 +1157,14 @@ spec:
                        type: boolean
                    type: object
                type: object
-              ipWhiteList:
-                description: 'IPWhiteList holds the IP whitelist middleware configuration.
+              ipAllowList:
+                description: 'IPAllowList holds the IP allowlist middleware configuration.
                  This middleware accepts / refuses requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/'
                properties:
                  ipStrategy:
                    description: 'IPStrategy holds the IP strategy configuration used
-                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
+                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -1205,7 +1188,7 @@ spec:
              passTLSClientCert:
                description: 'PassTLSClientCert holds the pass TLS client cert middleware
                  configuration. This middleware adds the selected data from the passed
-                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/passtlsclientcert/'
+                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/passtlsclientcert/'
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -1312,7 +1295,7 @@ spec:
              rateLimit:
                description: 'RateLimit holds the rate limit configuration. This middleware
                  ensures that services will receive a fair amount of requests, and
-                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ratelimit/'
+                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ratelimit/'
                properties:
                  average:
                    description: Average is the maximum rate, by default in requests/s,
@@ -1345,7 +1328,7 @@ spec:
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
-                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1373,7 +1356,7 @@ spec:
              redirectRegex:
                description: 'RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/redirectregex/#regex'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectregex/#regex'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1391,7 +1374,7 @@ spec:
              redirectScheme:
                description: 'RedirectScheme holds the redirect scheme middleware
                  configuration. This middleware redirects requests from a scheme/port
-                  to another. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/redirectscheme/'
+                  to another. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectscheme/'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1407,7 +1390,7 @@ spec:
              replacePath:
                description: 'ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the
-                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/replacepath/'
+                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepath/'
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -1417,7 +1400,7 @@ spec:
              replacePathRegex:
                description: 'ReplacePathRegex holds the replace path regex middleware
                  configuration. This middleware replaces the path of a URL using
-                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/replacepathregex/'
+                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepathregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -1433,7 +1416,7 @@ spec:
                  middleware reissues requests a given number of times to a backend
                  server if that server does not reply. As soon as the server answers,
                  the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/retry/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/retry/'
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
@@ -1453,13 +1436,8 @@ spec:
              stripPrefix:
                description: 'StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefix/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefix/'
                properties:
-                  forceSlash:
-                    description: 'ForceSlash ensures that the resulting stripped path
-                      is not the empty string, by replacing it with / when necessary.
-                      Default: true.'
-                    type: boolean
                  prefixes:
                    description: Prefixes defines the prefixes to strip from the request
                      URL.
@@ -1470,7 +1448,7 @@ spec:
              stripPrefixRegex:
                description: 'StripPrefixRegex holds the strip prefix regex middleware
                  configuration. This middleware removes the matching prefixes from
-                  the URL path. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefixregex/'
+                  the URL path. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefixregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
@@ -1514,7 +1492,7 @@ spec:
    schema:
      openAPIV3Schema:
        description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v2.9/middlewares/overview/'
+          More info: https://doc.traefik.io/traefik/v3.0/middlewares/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -1541,8 +1519,8 @@ spec:
                    format: int64
                    type: integer
                type: object
-              ipWhiteList:
-                description: IPWhiteList defines the IPWhiteList middleware configuration.
+              ipAllowList:
+                description: IPAllowList defines the IPAllowList middleware configuration.
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -1588,7 +1566,7 @@ spec:
        description: 'ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v2.9/routing/services/#serverstransport_1'
+          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_1'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -1679,6 +1657,19 @@ spec:
                description: ServerName defines the server name used to contact the
                  server.
                type: string
+              spiffe:
+                description: Spiffe defines the SPIFFE configuration.
+                properties:
+                  ids:
+                    description: IDs defines the allowed SPIFFE IDs (takes precedence
+                      over the SPIFFE TrustDomain).
+                    items:
+                      type: string
+                    type: array
+                  trustDomain:
+                    description: TrustDomain defines the allowed SPIFFE trust domain.
+                    type: string
+                type: object
            type: object
        required:
        - metadata
@@ -1715,7 +1706,7 @@ spec:
      openAPIV3Schema:
        description: 'TLSOption is the CRD implementation of a Traefik TLS Option,
          allowing to configure some parameters of the TLS connection. More info:
-          https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
+          https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -1735,13 +1726,13 @@ spec:
              alpnProtocols:
                description: 'ALPNProtocols defines the list of supported application
                  level protocols for the TLS handshake, in order of preference. More
-                  info: https://doc.traefik.io/traefik/v2.9/https/tls/#alpn-protocols'
+                  info: https://doc.traefik.io/traefik/v3.0/https/tls/#alpn-protocols'
                items:
                  type: string
                type: array
              cipherSuites:
                description: 'CipherSuites defines the list of supported cipher suites
-                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#cipher-suites'
+                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#cipher-suites'
                items:
                  type: string
                type: array
@@ -1768,7 +1759,7 @@ spec:
                type: object
              curvePreferences:
                description: 'CurvePreferences defines the preferred elliptic curves
-                  in a specific order. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#curve-preferences'
+                  in a specific order. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#curve-preferences'
                items:
                  type: string
                type: array
@@ -1782,12 +1773,6 @@ spec:
                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                  VersionTLS13. Default: VersionTLS10.'
                type: string
-              preferServerCipherSuites:
-                description: 'PreferServerCipherSuites defines whether the server
-                  chooses a cipher suite among his own instead of among the client''s.
-                  It is enabled automatically when minVersion or maxVersion is set.
-                  Deprecated: https://github.com/golang/go/issues/45430'
-                type: boolean
              sniStrict:
                description: SniStrict defines whether Traefik allows connections
                  from clients connections that do not specify a server_name extension.
@@ -1829,7 +1814,7 @@ spec:
        description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For
          the time being, only the TLSStore named default is supported. This means
          that you cannot have two stores that are named default in different Kubernetes
-          namespaces. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#certificates-stores'
+          namespaces. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#certificates-stores'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -1927,7 +1912,7 @@ spec:
      openAPIV3Schema:
        description: 'TraefikService is the CRD implementation of a Traefik Service.
          TraefikService object allows to: - Apply weight to Services on load-balancing
-          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-traefikservice'
+          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-traefikservice'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -2026,7 +2011,7 @@ spec:
                          type: string
                        sticky:
                          description: 'Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2110,7 +2095,7 @@ spec:
                    type: string
                  sticky:
                    description: 'Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -2210,7 +2195,7 @@ spec:
                          type: string
                        sticky:
                          description: 'Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2249,7 +2234,7 @@ spec:
                    type: array
                  sticky:
                    description: 'Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
@@ -148,7 +148,7 @@ spec:
        - name: whoamitcp
          port: 8080
      middlewares:
-        - name: ipwhitelist
+        - name: ipallowlist
  tls:
    secretName: foosecret
    passthrough: false
@@ -193,7 +193,6 @@ spec:
      - foobar
    clientAuthType: RequireAndVerifyClientCert
  sniStrict: true
-  preferServerCipherSuites: true
  alpnProtocols:
    - foobar
    - foobar
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
@@ -25,7 +25,7 @@ spec:
      serviceAccountName: traefik-controller
      containers:
        - name: traefik
-          image: traefik:v2.9
+          image: traefik:v3.0
          args:
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ b/docs/content/reference/dynamic-configuration/kv-ref.md
@@ -19,7 +19,7 @@
 | `traefik/http/middlewares/Middleware05/compress/excludedContentTypes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware05/compress/excludedContentTypes/1` | `foobar` |
 | `traefik/http/middlewares/Middleware05/compress/minResponseBodyBytes` | `42` |
-| `traefik/http/middlewares/Middleware06/contentType/autoDetect` | `true` |
+| `traefik/http/middlewares/Middleware06/contentType` | `` |
 | `traefik/http/middlewares/Middleware07/digestAuth/headerField` | `foobar` |
 | `traefik/http/middlewares/Middleware07/digestAuth/realm` | `foobar` |
 | `traefik/http/middlewares/Middleware07/digestAuth/removeHeader` | `true` |
@@ -37,7 +37,6 @@
 | `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeadersRegex` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/ca` | `foobar` |
-| `traefik/http/middlewares/Middleware09/forwardAuth/tls/caOptional` | `true` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/cert` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/insecureSkipVerify` | `true` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/key` | `foobar` |
@@ -66,7 +65,6 @@
 | `traefik/http/middlewares/Middleware10/headers/customRequestHeaders/name1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/customResponseHeaders/name0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/customResponseHeaders/name1` | `foobar` |
-| `traefik/http/middlewares/Middleware10/headers/featurePolicy` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/forceSTSHeader` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/frameDeny` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/hostsProxyHeaders/0` | `foobar` |
@@ -75,20 +73,16 @@
 | `traefik/http/middlewares/Middleware10/headers/permissionsPolicy` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/publicKey` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/referrerPolicy` | `foobar` |
-| `traefik/http/middlewares/Middleware10/headers/sslForceHost` | `true` |
-| `traefik/http/middlewares/Middleware10/headers/sslHost` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/sslProxyHeaders/name0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/sslProxyHeaders/name1` | `foobar` |
-| `traefik/http/middlewares/Middleware10/headers/sslRedirect` | `true` |
-| `traefik/http/middlewares/Middleware10/headers/sslTemporaryRedirect` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsIncludeSubdomains` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsPreload` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsSeconds` | `42` |
-| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/depth` | `42` |
-| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/0` | `foobar` |
-| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/1` | `foobar` |
-| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/0` | `foobar` |
-| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/1` | `foobar` |
+| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/depth` | `42` |
+| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/excludedIPs/0` | `foobar` |
+| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/excludedIPs/1` | `foobar` |
+| `traefik/http/middlewares/Middleware11/ipAllowList/sourceRange/0` | `foobar` |
+| `traefik/http/middlewares/Middleware11/ipAllowList/sourceRange/1` | `foobar` |
 | `traefik/http/middlewares/Middleware12/inFlightReq/amount` | `42` |
 | `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/depth` | `42` |
 | `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
@@ -135,11 +129,12 @@
 | `traefik/http/middlewares/Middleware19/replacePathRegex/replacement` | `foobar` |
 | `traefik/http/middlewares/Middleware20/retry/attempts` | `42` |
 | `traefik/http/middlewares/Middleware20/retry/initialInterval` | `42s` |
-| `traefik/http/middlewares/Middleware21/stripPrefix/forceSlash` | `true` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/prefixes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/prefixes/1` | `foobar` |
 | `traefik/http/middlewares/Middleware22/stripPrefixRegex/regex/0` | `foobar` |
 | `traefik/http/middlewares/Middleware22/stripPrefixRegex/regex/1` | `foobar` |
+| `traefik/http/middlewares/Middleware23/grpcWeb/allowOrigins/0` | `foobar` |
+| `traefik/http/middlewares/Middleware23/grpcWeb/allowOrigins/1` | `foobar` |
 | `traefik/http/routers/Router0/entryPoints/0` | `foobar` |
 | `traefik/http/routers/Router0/entryPoints/1` | `foobar` |
 | `traefik/http/routers/Router0/middlewares/0` | `foobar` |
@@ -186,6 +181,9 @@
 | `traefik/http/serversTransports/ServersTransport0/rootCAs/0` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport0/rootCAs/1` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport0/serverName` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/spiffe/ids/0` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/spiffe/ids/1` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/spiffe/trustDomain` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport1/certificates/0/certFile` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport1/certificates/0/keyFile` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport1/certificates/1/certFile` | `foobar` |
@@ -202,18 +200,23 @@
 | `traefik/http/serversTransports/ServersTransport1/rootCAs/0` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport1/rootCAs/1` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport1/serverName` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/spiffe/ids/0` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/spiffe/ids/1` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/spiffe/trustDomain` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/followRedirects` | `true` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/headers/name0` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/headers/name1` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/hostname` | `foobar` |
-| `traefik/http/services/Service01/loadBalancer/healthCheck/interval` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/interval` | `42s` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/method` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/mode` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/path` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/port` | `42` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/scheme` | `foobar` |
-| `traefik/http/services/Service01/loadBalancer/healthCheck/timeout` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/status` | `42` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/timeout` | `42s` |
 | `traefik/http/services/Service01/loadBalancer/passHostHeader` | `true` |
-| `traefik/http/services/Service01/loadBalancer/responseForwarding/flushInterval` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/responseForwarding/flushInterval` | `42s` |
 | `traefik/http/services/Service01/loadBalancer/servers/0/url` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/servers/1/url` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/serversTransport` | `foobar` |
@@ -240,8 +243,8 @@
 | `traefik/http/services/Service04/failover/fallback` | `foobar` |
 | `traefik/http/services/Service04/failover/healthCheck` | `` |
 | `traefik/http/services/Service04/failover/service` | `foobar` |
-| `traefik/tcp/middlewares/TCPMiddleware00/ipWhiteList/sourceRange/0` | `foobar` |
-| `traefik/tcp/middlewares/TCPMiddleware00/ipWhiteList/sourceRange/1` | `foobar` |
+| `traefik/tcp/middlewares/TCPMiddleware00/ipAllowList/sourceRange/0` | `foobar` |
+| `traefik/tcp/middlewares/TCPMiddleware00/ipAllowList/sourceRange/1` | `foobar` |
 | `traefik/tcp/middlewares/TCPMiddleware01/inFlightConn/amount` | `42` |
 | `traefik/tcp/routers/TCPRouter0/entryPoints/0` | `foobar` |
 | `traefik/tcp/routers/TCPRouter0/entryPoints/1` | `foobar` |
@@ -302,7 +305,6 @@
 | `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options0/maxVersion` | `foobar` |
 | `traefik/tls/options/Options0/minVersion` | `foobar` |
-| `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options0/sniStrict` | `true` |
 | `traefik/tls/options/Options1/alpnProtocols/0` | `foobar` |
 | `traefik/tls/options/Options1/alpnProtocols/1` | `foobar` |
@@ -315,7 +317,6 @@
 | `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options1/maxVersion` | `foobar` |
 | `traefik/tls/options/Options1/minVersion` | `foobar` |
-| `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options1/sniStrict` | `true` |
 | `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` |
 | `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` |
--- a/docs/content/reference/dynamic-configuration/marathon-labels.json
+++ b/docs/content/reference/dynamic-configuration/marathon-labels.json
@@ -17,7 +17,7 @@
 "traefik.http.middlewares.middleware05.compress": "true",
 "traefik.http.middlewares.middleware05.compress.excludedcontenttypes": "foobar, foobar",
 "traefik.http.middlewares.middleware05.compress.minresponsebodybytes": "42",
-"traefik.http.middlewares.middleware06.contenttype.autodetect": "true",
+"traefik.http.middlewares.middleware06.contenttype": "true",
 "traefik.http.middlewares.middleware07.digestauth.headerfield": "foobar",
 "traefik.http.middlewares.middleware07.digestauth.realm": "foobar",
 "traefik.http.middlewares.middleware07.digestauth.removeheader": "true",
@@ -31,7 +31,6 @@
 "traefik.http.middlewares.middleware09.forwardauth.authresponseheaders": "foobar, foobar",
 "traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex": "foobar",
 "traefik.http.middlewares.middleware09.forwardauth.tls.ca": "foobar",
-"traefik.http.middlewares.middleware09.forwardauth.tls.caoptional": "true",
 "traefik.http.middlewares.middleware09.forwardauth.tls.cert": "foobar",
 "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify": "true",
 "traefik.http.middlewares.middleware09.forwardauth.tls.key": "foobar",
@@ -54,7 +53,6 @@
 "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1": "foobar",
 "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0": "foobar",
 "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1": "foobar",
-"traefik.http.middlewares.middleware10.headers.featurepolicy": "foobar",
 "traefik.http.middlewares.middleware10.headers.forcestsheader": "true",
 "traefik.http.middlewares.middleware10.headers.framedeny": "true",
 "traefik.http.middlewares.middleware10.headers.hostsproxyheaders": "foobar, foobar",
@@ -62,18 +60,14 @@
 "traefik.http.middlewares.middleware10.headers.permissionspolicy": "foobar",
 "traefik.http.middlewares.middleware10.headers.publickey": "foobar",
 "traefik.http.middlewares.middleware10.headers.referrerpolicy": "foobar",
-"traefik.http.middlewares.middleware10.headers.sslforcehost": "true",
-"traefik.http.middlewares.middleware10.headers.sslhost": "foobar",
 "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0": "foobar",
 "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1": "foobar",
-"traefik.http.middlewares.middleware10.headers.sslredirect": "true",
-"traefik.http.middlewares.middleware10.headers.ssltemporaryredirect": "true",
 "traefik.http.middlewares.middleware10.headers.stsincludesubdomains": "true",
 "traefik.http.middlewares.middleware10.headers.stspreload": "true",
 "traefik.http.middlewares.middleware10.headers.stsseconds": "42",
-"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth": "42",
-"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
-"traefik.http.middlewares.middleware11.ipwhitelist.sourcerange": "foobar, foobar",
+"traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware11.ipallowlist.sourcerange": "foobar, foobar",
 "traefik.http.middlewares.middleware12.inflightreq.amount": "42",
 "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth": "42",
 "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
@@ -118,9 +112,9 @@
 "traefik.http.middlewares.middleware19.replacepathregex.replacement": "foobar",
 "traefik.http.middlewares.middleware20.retry.attempts": "42",
 "traefik.http.middlewares.middleware20.retry.initialinterval": "42",
-"traefik.http.middlewares.middleware21.stripprefix.forceslash": "true",
 "traefik.http.middlewares.middleware21.stripprefix.prefixes": "foobar, foobar",
 "traefik.http.middlewares.middleware22.stripprefixregex.regex": "foobar, foobar",
+"traefik.http.middlewares.middleware23.grpcweb.alloworigins": "foobar, foobar",
 "traefik.http.routers.router0.entrypoints": "foobar, foobar",
 "traefik.http.routers.router0.middlewares": "foobar, foobar",
 "traefik.http.routers.router0.priority": "42",
@@ -149,14 +143,16 @@
 "traefik.http.services.service01.loadbalancer.healthcheck.headers.name0": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.headers.name1": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.hostname": "foobar",
-"traefik.http.services.service01.loadbalancer.healthcheck.interval": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.interval": "42s",
 "traefik.http.services.service01.loadbalancer.healthcheck.path": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.method": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.status": "42",
 "traefik.http.services.service01.loadbalancer.healthcheck.port": "42",
 "traefik.http.services.service01.loadbalancer.healthcheck.scheme": "foobar",
-"traefik.http.services.service01.loadbalancer.healthcheck.timeout": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.mode": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.timeout": "42s",
 "traefik.http.services.service01.loadbalancer.passhostheader": "true",
-"traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval": "foobar",
+"traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval": "42s",
 "traefik.http.services.service01.loadbalancer.serverstransport": "foobar",
 "traefik.http.services.service01.loadbalancer.sticky.cookie": "true",
 "traefik.http.services.service01.loadbalancer.sticky.cookie.httponly": "true",
@@ -165,7 +161,7 @@
 "traefik.http.services.service01.loadbalancer.sticky.cookie.secure": "true",
 "traefik.http.services.service01.loadbalancer.server.port": "foobar",
 "traefik.http.services.service01.loadbalancer.server.scheme": "foobar",
-"traefik.tcp.middlewares.tcpmiddleware00.ipwhitelist.sourcerange": "foobar, foobar",
+"traefik.tcp.middlewares.tcpmiddleware00.ipallowlist.sourcerange": "foobar, foobar",
 "traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount": "42",
 "traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",
 "traefik.tcp.routers.tcprouter0.middlewares": "foobar, foobar",
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutes.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutes.yaml
@@ -39,7 +39,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
@@ -56,11 +56,11 @@ spec:
                      - Rule
                      type: string
                    match:
-                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#rule'
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule'
                      type: string
                    middlewares:
                      description: 'Middlewares defines the list of references to
-                        Middleware resources. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-middleware'
+                        Middleware resources. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-middleware'
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -79,7 +79,7 @@ spec:
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
-                        info: https://doc.traefik.io/traefik/v2.9/routing/routers/#priority'
+                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority'
                      type: integer
                    services:
                      description: Services defines the list of Service. It can contain
@@ -145,7 +145,7 @@ spec:
                            type: string
                          sticky:
                            description: 'Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                              More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -190,16 +190,16 @@ spec:
                  type: object
                type: array
              tls:
-                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#tls'
+                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
-                      static configuration. More info: https://doc.traefik.io/traefik/v2.9/https/acme/#certificate-resolvers'
+                      static configuration. More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
-                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#domains'
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -217,15 +217,15 @@ spec:
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
-                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsoption'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
-                          TLSOption. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsoption'
+                          TLSOption. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                    required:
                    - name
@@ -241,11 +241,11 @@ spec:
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsstore'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
-                          TLSStore. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsstore'
+                          TLSStore. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                    required:
                    - name
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml
@@ -39,7 +39,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
@@ -50,7 +50,7 @@ spec:
                  description: RouteTCP holds the TCP route configuration.
                  properties:
                    match:
-                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#rule_1'
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule_1'
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -73,7 +73,7 @@ spec:
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
-                        info: https://doc.traefik.io/traefik/v2.9/routing/routers/#priority_1'
+                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority_1'
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
@@ -98,7 +98,7 @@ spec:
                            x-kubernetes-int-or-string: true
                          proxyProtocol:
                            description: 'ProxyProtocol defines the PROXY protocol
-                              configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/services/#proxy-protocol'
+                              configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/services/#proxy-protocol'
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
@@ -129,16 +129,16 @@ spec:
                type: array
              tls:
                description: 'TLS defines the TLS configuration on a layer 4 / TCP
-                  Route. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#tls_1'
+                  Route. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls_1'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
-                      static configuration. More info: https://doc.traefik.io/traefik/v2.9/https/acme/#certificate-resolvers'
+                      static configuration. More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
-                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#domains'
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -156,7 +156,7 @@ spec:
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
-                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml
@@ -39,7 +39,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
@@ -20,7 +20,7 @@ spec:
    schema:
      openAPIV3Schema:
        description: 'Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/overview/'
+          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -40,7 +40,7 @@ spec:
              addPrefix:
                description: 'AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding
-                  it. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/addprefix/'
+                  it. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/addprefix/'
                properties:
                  prefix:
                    description: Prefix is the string to add before the current path
@@ -50,11 +50,11 @@ spec:
              basicAuth:
                description: 'BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
-                      authenticated user. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/#headerfield'
+                      authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
@@ -74,7 +74,7 @@ spec:
              buffering:
                description: 'Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can
-                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/buffering/#maxrequestbodybytes'
+                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#maxrequestbodybytes'
                properties:
                  maxRequestBodyBytes:
                    description: 'MaxRequestBodyBytes defines the maximum allowed
@@ -107,13 +107,13 @@ spec:
                  retryExpression:
                    description: 'RetryExpression defines the retry conditions. It
                      is a logical combination of functions with operators AND (&&)
-                      and OR (||). More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/buffering/#retryexpression'
+                      and OR (||). More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#retryexpression'
                    type: string
                type: object
              chain:
                description: 'Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other
-                  pieces of middleware. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/chain/'
+                  pieces of middleware. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/chain/'
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -167,12 +167,13 @@ spec:
              compress:
                description: 'Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the
-                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/compress/'
+                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/compress/'
                properties:
                  excludedContentTypes:
                    description: ExcludedContentTypes defines the list of content
                      types to compare the Content-Type header of the incoming requests
-                      and responses before compressing.
+                      and responses before compressing. `application/grpc` is always
+                      excluded.
                    items:
                      type: string
                    type: array
@@ -184,28 +185,18 @@ spec:
                type: object
              contentType:
                description: ContentType holds the content-type middleware configuration.
-                  This middleware exists to enable the correct behavior until at least
-                  the default one can be changed in a future version.
-                properties:
-                  autoDetect:
-                    description: AutoDetect specifies whether to let the `Content-Type`
-                      header, if it has not been set by the backend, be automatically
-                      set to a value derived from the contents of the response. As
-                      a proxy, the default behavior should be to leave the header
-                      alone, regardless of what the backend did with it. However,
-                      the historic default was to always auto-detect and set the header
-                      if it was nil, and it is going to be kept that way in order
-                      to support users currently relying on it.
-                    type: boolean
+                  This middleware sets the `Content-Type` header value to the media
+                  type detected from the response content, when it is not set by the
+                  backend.
                type: object
              digestAuth:
                description: 'DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/digestauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/digestauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
-                      authenticated user. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/#headerfield'
+                      authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
@@ -224,7 +215,7 @@ spec:
              errors:
                description: 'ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according
-                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/errorpages/'
+                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/'
                properties:
                  query:
                    description: Query defines the URL for the error page (hosted
@@ -233,7 +224,7 @@ spec:
                    type: string
                  service:
                    description: 'Service defines the reference to a Kubernetes Service
-                      that will serve the error page. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/errorpages/#service'
+                      that will serve the error page. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/#service'
                    properties:
                      kind:
                        description: Kind defines the kind of the Service.
@@ -290,7 +281,7 @@ spec:
                        type: string
                      sticky:
                        description: 'Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -339,7 +330,7 @@ spec:
              forwardAuth:
                description: 'ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/forwardauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/'
                properties:
                  address:
                    description: Address defines the authentication server address.
@@ -362,14 +353,12 @@ spec:
                    description: 'AuthResponseHeadersRegex defines the regex to match
                      headers to copy from the authentication server response and
                      set on forwarded request, after stripping all headers that match
-                      the regex. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/forwardauth/#authresponseheadersregex'
+                      the regex. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#authresponseheadersregex'
                    type: string
                  tls:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
                    properties:
-                      caOptional:
-                        type: boolean
                      caSecret:
                        description: CASecret is the name of the referenced Kubernetes
                          Secret containing the CA to validate the server certificate.
@@ -390,10 +379,21 @@ spec:
                      forward) all X-Forwarded-* headers.'
                    type: boolean
                type: object
+              grpcWeb:
+                description: GrpcWeb holds the gRPC web middleware configuration.
+                  This middleware converts a gRPC web request to an HTTP/2 gRPC request.
+                properties:
+                  allowOrigins:
+                    description: AllowOrigins is a list of allowable origins. Can
+                      also be a wildcard origin "*".
+                    items:
+                      type: string
+                    type: array
+                type: object
              headers:
                description: 'Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers. More
-                  info: https://doc.traefik.io/traefik/v2.9/middlewares/http/headers/#customrequestheaders'
+                  info: https://doc.traefik.io/traefik/v3.0/middlewares/http/headers/#customrequestheaders'
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -477,9 +477,6 @@ spec:
                    description: CustomResponseHeaders defines the header names and
                      values to apply to the response.
                    type: object
-                  featurePolicy:
-                    description: 'Deprecated: use PermissionsPolicy instead.'
-                    type: string
                  forceSTSHeader:
                    description: ForceSTSHeader defines whether to add the STS header
                      even when the connection is HTTP.
@@ -515,12 +512,6 @@ spec:
                      value. This allows sites to control whether browsers forward
                      the Referer header to other sites.
                    type: string
-                  sslForceHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: boolean
-                  sslHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
@@ -529,14 +520,6 @@ spec:
                      useful when using other proxies (example: "X-Forwarded-Proto":
                      "https").'
                    type: object
-                  sslRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
-                  sslTemporaryRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
                  stsIncludeSubdomains:
                    description: STSIncludeSubdomains defines whether the includeSubDomains
                      directive is appended to the Strict-Transport-Security header.
@@ -554,7 +537,7 @@ spec:
              inFlightReq:
                description: 'InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and
-                  served concurrently. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/inflightreq/'
+                  served concurrently. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/'
                properties:
                  amount:
                    description: Amount defines the maximum amount of allowed simultaneous
@@ -568,11 +551,11 @@ spec:
                      group requests as originating from a common source. If several
                      strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost. More
-                      info: https://doc.traefik.io/traefik/v2.9/middlewares/http/inflightreq/#sourcecriterion'
+                      info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/#sourcecriterion'
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
-                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -597,14 +580,14 @@ spec:
                        type: boolean
                    type: object
                type: object
-              ipWhiteList:
-                description: 'IPWhiteList holds the IP whitelist middleware configuration.
+              ipAllowList:
+                description: 'IPAllowList holds the IP allowlist middleware configuration.
                  This middleware accepts / refuses requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/'
                properties:
                  ipStrategy:
                    description: 'IPStrategy holds the IP strategy configuration used
-                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
+                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -628,7 +611,7 @@ spec:
              passTLSClientCert:
                description: 'PassTLSClientCert holds the pass TLS client cert middleware
                  configuration. This middleware adds the selected data from the passed
-                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/passtlsclientcert/'
+                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/passtlsclientcert/'
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -735,7 +718,7 @@ spec:
              rateLimit:
                description: 'RateLimit holds the rate limit configuration. This middleware
                  ensures that services will receive a fair amount of requests, and
-                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ratelimit/'
+                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ratelimit/'
                properties:
                  average:
                    description: Average is the maximum rate, by default in requests/s,
@@ -768,7 +751,7 @@ spec:
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
-                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -796,7 +779,7 @@ spec:
              redirectRegex:
                description: 'RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/redirectregex/#regex'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectregex/#regex'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -814,7 +797,7 @@ spec:
              redirectScheme:
                description: 'RedirectScheme holds the redirect scheme middleware
                  configuration. This middleware redirects requests from a scheme/port
-                  to another. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/redirectscheme/'
+                  to another. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectscheme/'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -830,7 +813,7 @@ spec:
              replacePath:
                description: 'ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the
-                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/replacepath/'
+                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepath/'
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -840,7 +823,7 @@ spec:
              replacePathRegex:
                description: 'ReplacePathRegex holds the replace path regex middleware
                  configuration. This middleware replaces the path of a URL using
-                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/replacepathregex/'
+                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepathregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -856,7 +839,7 @@ spec:
                  middleware reissues requests a given number of times to a backend
                  server if that server does not reply. As soon as the server answers,
                  the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/retry/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/retry/'
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
@@ -876,13 +859,8 @@ spec:
              stripPrefix:
                description: 'StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefix/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefix/'
                properties:
-                  forceSlash:
-                    description: 'ForceSlash ensures that the resulting stripped path
-                      is not the empty string, by replacing it with / when necessary.
-                      Default: true.'
-                    type: boolean
                  prefixes:
                    description: Prefixes defines the prefixes to strip from the request
                      URL.
@@ -893,7 +871,7 @@ spec:
              stripPrefixRegex:
                description: 'StripPrefixRegex holds the strip prefix regex middleware
                  configuration. This middleware removes the matching prefixes from
-                  the URL path. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefixregex/'
+                  the URL path. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefixregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml
@@ -20,7 +20,7 @@ spec:
    schema:
      openAPIV3Schema:
        description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v2.9/middlewares/overview/'
+          More info: https://doc.traefik.io/traefik/v3.0/middlewares/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -47,8 +47,8 @@ spec:
                    format: int64
                    type: integer
                type: object
-              ipWhiteList:
-                description: IPWhiteList defines the IPWhiteList middleware configuration.
+              ipAllowList:
+                description: IPAllowList defines the IPAllowList middleware configuration.
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml
@@ -22,7 +22,7 @@ spec:
        description: 'ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v2.9/routing/services/#serverstransport_1'
+          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_1'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -113,6 +113,19 @@ spec:
                description: ServerName defines the server name used to contact the
                  server.
                type: string
+              spiffe:
+                description: Spiffe defines the SPIFFE configuration.
+                properties:
+                  ids:
+                    description: IDs defines the allowed SPIFFE IDs (takes precedence
+                      over the SPIFFE TrustDomain).
+                    items:
+                      type: string
+                    type: array
+                  trustDomain:
+                    description: TrustDomain defines the allowed SPIFFE trust domain.
+                    type: string
+                type: object
            type: object
        required:
        - metadata
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
@@ -21,7 +21,7 @@ spec:
      openAPIV3Schema:
        description: 'TLSOption is the CRD implementation of a Traefik TLS Option,
          allowing to configure some parameters of the TLS connection. More info:
-          https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
+          https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -41,13 +41,13 @@ spec:
              alpnProtocols:
                description: 'ALPNProtocols defines the list of supported application
                  level protocols for the TLS handshake, in order of preference. More
-                  info: https://doc.traefik.io/traefik/v2.9/https/tls/#alpn-protocols'
+                  info: https://doc.traefik.io/traefik/v3.0/https/tls/#alpn-protocols'
                items:
                  type: string
                type: array
              cipherSuites:
                description: 'CipherSuites defines the list of supported cipher suites
-                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#cipher-suites'
+                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#cipher-suites'
                items:
                  type: string
                type: array
@@ -74,7 +74,7 @@ spec:
                type: object
              curvePreferences:
                description: 'CurvePreferences defines the preferred elliptic curves
-                  in a specific order. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#curve-preferences'
+                  in a specific order. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#curve-preferences'
                items:
                  type: string
                type: array
@@ -88,12 +88,6 @@ spec:
                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                  VersionTLS13. Default: VersionTLS10.'
                type: string
-              preferServerCipherSuites:
-                description: 'PreferServerCipherSuites defines whether the server
-                  chooses a cipher suite among his own instead of among the client''s.
-                  It is enabled automatically when minVersion or maxVersion is set.
-                  Deprecated: https://github.com/golang/go/issues/45430'
-                type: boolean
              sniStrict:
                description: SniStrict defines whether Traefik allows connections
                  from clients connections that do not specify a server_name extension.
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml
@@ -22,7 +22,7 @@ spec:
        description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For
          the time being, only the TLSStore named default is supported. This means
          that you cannot have two stores that are named default in different Kubernetes
-          namespaces. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#certificates-stores'
+          namespaces. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#certificates-stores'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_traefikservices.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_traefikservices.yaml
@@ -21,7 +21,7 @@ spec:
      openAPIV3Schema:
        description: 'TraefikService is the CRD implementation of a Traefik Service.
          TraefikService object allows to: - Apply weight to Services on load-balancing
-          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-traefikservice'
+          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-traefikservice'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -120,7 +120,7 @@ spec:
                          type: string
                        sticky:
                          description: 'Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -204,7 +204,7 @@ spec:
                    type: string
                  sticky:
                    description: 'Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -304,7 +304,7 @@ spec:
                          type: string
                        sticky:
                          description: 'Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
+                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -343,7 +343,7 @@ spec:
                    type: array
                  sticky:
                    description: 'Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -99,12 +99,18 @@ Storage to use. (Default: ```acme.json```)
 `--certificatesresolvers.<name>.acme.tlschallenge`:  
 Activate TLS-ALPN-01 Challenge. (Default: ```true```)

+`--certificatesresolvers.<name>.tailscale`:  
+Enables Tailscale certificate resolution. (Default: ```true```)
+
 `--entrypoints.<name>`:  
 Entry points definition. (Default: ```false```)

 `--entrypoints.<name>.address`:  
 Entry point address.

+`--entrypoints.<name>.asdefault`:  
+Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. (Default: ```false```)
+
 `--entrypoints.<name>.forwardedheaders.insecure`:  
 Trust all forwarded headers. (Default: ```false```)

@@ -183,9 +189,6 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
 `--entrypoints.<name>.udp.timeout`:  
 Timeout defines how long to wait on an idle session before releasing the related resources. (Default: ```3```)

-`--experimental.http3`:  
-Enable HTTP3. (Default: ```false```)
-
 `--experimental.hub`:  
 Enable the Traefik Hub provider. (Default: ```false```)

@@ -240,6 +243,9 @@ The TLS key for Traefik Proxy as a TLS client.
 `--log`:  
 Traefik log settings. (Default: ```false```)

+`--log.compress`:  
+Determines if the rotated log files should be compressed using gzip. (Default: ```false```)
+
 `--log.filepath`:  
 Traefik log file path. Stdout is used when omitted or empty.

@@ -249,6 +255,18 @@ Traefik log format: json | common (Default: ```common```)
 `--log.level`:  
 Log level set to traefik logs. (Default: ```ERROR```)

+`--log.maxage`:  
+Maximum number of days to retain old log files based on the timestamp encoded in their filename. (Default: ```0```)
+
+`--log.maxbackups`:  
+Maximum number of old log files to retain. (Default: ```0```)
+
+`--log.maxsize`:  
+Maximum size in megabytes of the log file before it gets rotated. (Default: ```0```)
+
+`--log.nocolor`:  
+When using the 'common' format, disables the colorized output. (Default: ```false```)
+
 `--metrics.datadog`:  
 Datadog metrics exporter type. (Default: ```false```)

@@ -336,6 +354,51 @@ InfluxDB v2 push interval. (Default: ```10```)
 `--metrics.influxdb2.token`:  
 InfluxDB v2 access token.

+`--metrics.opentelemetry`:  
+OpenTelemetry metrics exporter type. (Default: ```false```)
+
+`--metrics.opentelemetry.addentrypointslabels`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`--metrics.opentelemetry.address`:  
+Address (host:port) of the collector endpoint. (Default: ```localhost:4318```)
+
+`--metrics.opentelemetry.addrouterslabels`:  
+Enable metrics on routers. (Default: ```false```)
+
+`--metrics.opentelemetry.addserviceslabels`:  
+Enable metrics on services. (Default: ```true```)
+
+`--metrics.opentelemetry.explicitboundaries`:  
+Boundaries for latency metrics. (Default: ```0.005000, 0.010000, 0.025000, 0.050000, 0.100000, 0.250000, 0.500000, 1.000000, 2.500000, 5.000000, 10.000000```)
+
+`--metrics.opentelemetry.grpc`:  
+gRPC specific configuration for the OpenTelemetry collector. (Default: ```true```)
+
+`--metrics.opentelemetry.headers.<name>`:  
+Headers sent with payload.
+
+`--metrics.opentelemetry.insecure`:  
+Disables client transport security for the exporter. (Default: ```false```)
+
+`--metrics.opentelemetry.path`:  
+Set the URL path of the collector endpoint.
+
+`--metrics.opentelemetry.pushinterval`:  
+Period between calls to collect a checkpoint. (Default: ```10```)
+
+`--metrics.opentelemetry.tls.ca`:  
+TLS CA
+
+`--metrics.opentelemetry.tls.cert`:  
+TLS cert
+
+`--metrics.opentelemetry.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--metrics.opentelemetry.tls.key`:  
+TLS key
+
 `--metrics.prometheus`:  
 Prometheus metrics exporter type. (Default: ```false```)

@@ -396,9 +459,6 @@ Enable Consul backend with default settings. (Default: ```false```)
 `--providers.consul.endpoints`:  
 KV store endpoints. (Default: ```127.0.0.1:8500```)

-`--providers.consul.namespace`:  
-Sets the namespace used to discover the configuration (Consul Enterprise only).
-
 `--providers.consul.namespaces`:  
 Sets the namespaces used to discover the configuration (Consul Enterprise only).

@@ -408,9 +468,6 @@ Root key used for KV store. (Default: ```traefik```)
 `--providers.consul.tls.ca`:  
 TLS CA

-`--providers.consul.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.consul.tls.cert`:  
 TLS cert

@@ -462,9 +519,6 @@ The URI scheme for the Consul server
 `--providers.consulcatalog.endpoint.tls.ca`:  
 TLS CA

-`--providers.consulcatalog.endpoint.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.consulcatalog.endpoint.tls.cert`:  
 TLS cert

@@ -480,9 +534,6 @@ Token is used to provide a per-request ACL token which overrides the agent's def
 `--providers.consulcatalog.exposedbydefault`:  
 Expose containers by default. (Default: ```true```)

-`--providers.consulcatalog.namespace`:  
-Sets the namespace used to discover services (Consul Enterprise only).
-
 `--providers.consulcatalog.namespaces`:  
 Sets the namespaces used to discover services (Consul Enterprise only).

@@ -537,9 +588,6 @@ Polling interval for swarm mode. (Default: ```15```)
 `--providers.docker.tls.ca`:  
 TLS CA

-`--providers.docker.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.docker.tls.cert`:  
 TLS cert

@@ -559,13 +607,13 @@ Watch Docker events. (Default: ```true```)
 Enable AWS ECS backend with default settings. (Default: ```false```)

 `--providers.ecs.accesskeyid`:  
-The AWS credentials access key to use for making requests
+AWS credentials access key ID to use for making requests.

 `--providers.ecs.autodiscoverclusters`:  
-Auto discover cluster (Default: ```false```)
+Auto discover cluster. (Default: ```false```)

 `--providers.ecs.clusters`:  
-ECS Clusters name (Default: ```default```)
+ECS Cluster names. (Default: ```default```)

 `--providers.ecs.constraints`:  
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
@@ -574,19 +622,22 @@ Constraints is an expression that Traefik matches against the container's labels
 Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)

 `--providers.ecs.ecsanywhere`:  
-Enable ECS Anywhere support (Default: ```false```)
+Enable ECS Anywhere support. (Default: ```false```)

 `--providers.ecs.exposedbydefault`:  
-Expose services by default (Default: ```true```)
+Expose services by default. (Default: ```true```)
+
+`--providers.ecs.healthytasksonly`:  
+Determines whether to discover only healthy tasks. (Default: ```false```)

 `--providers.ecs.refreshseconds`:  
-Polling interval (in seconds) (Default: ```15```)
+Polling interval (in seconds). (Default: ```15```)

 `--providers.ecs.region`:  
-The AWS region to use for requests
+AWS region to use for requests.

 `--providers.ecs.secretaccesskey`:  
-The AWS credentials access key to use for making requests
+AWS credentials access key to use for making requests.

 `--providers.etcd`:  
 Enable Etcd backend with default settings. (Default: ```false```)
@@ -603,9 +654,6 @@ Root key used for KV store. (Default: ```traefik```)
 `--providers.etcd.tls.ca`:  
 TLS CA

-`--providers.etcd.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.etcd.tls.cert`:  
 TLS cert

@@ -636,6 +684,9 @@ Enable HTTP backend with default settings. (Default: ```false```)
 `--providers.http.endpoint`:  
 Load configuration from this endpoint.

+`--providers.http.headers.<name>`:  
+Define custom headers to be sent to the endpoint.
+
 `--providers.http.pollinterval`:  
 Polling interval for endpoint. (Default: ```5```)

@@ -645,9 +696,6 @@ Polling timeout for endpoint. (Default: ```5```)
 `--providers.http.tls.ca`:  
 TLS CA

-`--providers.http.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.http.tls.cert`:  
 TLS cert

@@ -792,9 +840,6 @@ Set a response header timeout for Marathon. (Default: ```60```)
 `--providers.marathon.tls.ca`:  
 TLS CA

-`--providers.marathon.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.marathon.tls.cert`:  
 TLS cert

@@ -834,9 +879,6 @@ Nomad region to use. If not provided, the local agent region is used.
 `--providers.nomad.endpoint.tls.ca`:  
 TLS CA

-`--providers.nomad.endpoint.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.nomad.endpoint.tls.cert`:  
 TLS cert

@@ -852,8 +894,8 @@ Token is used to provide a per-request ACL token.
 `--providers.nomad.exposedbydefault`:  
 Expose Nomad services by default. (Default: ```true```)

-`--providers.nomad.namespace`:  
-Sets the Nomad namespace used to discover services.
+`--providers.nomad.namespaces`:  
+Sets the Nomad namespaces used to discover services.

 `--providers.nomad.prefix`:  
 Prefix for nomad service tags. (Default: ```traefik```)
@@ -915,9 +957,6 @@ Root key used for KV store. (Default: ```traefik```)
 `--providers.redis.tls.ca`:  
 TLS CA

-`--providers.redis.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.redis.tls.cert`:  
 TLS cert

@@ -969,6 +1008,18 @@ If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, D
 `--serverstransport.rootcas`:  
 Add cert file for self-signed certificate.

+`--serverstransport.spiffe`:  
+Defines the SPIFFE configuration. (Default: ```false```)
+
+`--serverstransport.spiffe.ids`:  
+Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
+
+`--serverstransport.spiffe.trustdomain`:  
+Defines the allowed SPIFFE trust domain.
+
+`--spiffe.workloadapiaddr`:  
+Defines the workload API address.
+
 `--tracing`:  
 OpenTracing configuration. (Default: ```false```)

@@ -981,9 +1032,6 @@ Sets the header name prefix used to store baggage items in a map.
 `--tracing.datadog.debug`:  
 Enables Datadog debug. (Default: ```false```)

-`--tracing.datadog.globaltag`:  
-Sets a key:value tag on all spans.
-
 `--tracing.datadog.globaltags.<name>`:  
 Sets a list of key:value tags on all spans.

@@ -1089,6 +1137,36 @@ Sets the sampling type. (Default: ```const```)
 `--tracing.jaeger.tracecontextheadername`:  
 Sets the header name used to store the trace ID. (Default: ```uber-trace-id```)

+`--tracing.opentelemetry`:  
+Settings for OpenTelemetry. (Default: ```false```)
+
+`--tracing.opentelemetry.address`:  
+Sets the address (host:port) of the collector endpoint. (Default: ```localhost:4318```)
+
+`--tracing.opentelemetry.grpc`:  
+gRPC specific configuration for the OpenTelemetry collector. (Default: ```true```)
+
+`--tracing.opentelemetry.headers.<name>`:  
+Defines additional headers to be sent with the payloads.
+
+`--tracing.opentelemetry.insecure`:  
+Disables client transport security for the exporter. (Default: ```false```)
+
+`--tracing.opentelemetry.path`:  
+Sets the URL path of the collector endpoint.
+
+`--tracing.opentelemetry.tls.ca`:  
+TLS CA
+
+`--tracing.opentelemetry.tls.cert`:  
+TLS cert
+
+`--tracing.opentelemetry.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--tracing.opentelemetry.tls.key`:  
+TLS key
+
 `--tracing.servicename`:  
 Set the name for this service. (Default: ```traefik```)

--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -99,12 +99,18 @@ Storage to use. (Default: ```acme.json```)
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_TLSCHALLENGE`:  
 Activate TLS-ALPN-01 Challenge. (Default: ```true```)

+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_TAILSCALE`:  
+Enables Tailscale certificate resolution. (Default: ```true```)
+
 `TRAEFIK_ENTRYPOINTS_<NAME>`:  
 Entry points definition. (Default: ```false```)

 `TRAEFIK_ENTRYPOINTS_<NAME>_ADDRESS`:  
 Entry point address.

+`TRAEFIK_ENTRYPOINTS_<NAME>_ASDEFAULT`:  
+Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. (Default: ```false```)
+
 `TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`:  
 Trust all forwarded headers. (Default: ```false```)

@@ -183,9 +189,6 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
 `TRAEFIK_ENTRYPOINTS_<NAME>_UDP_TIMEOUT`:  
 Timeout defines how long to wait on an idle session before releasing the related resources. (Default: ```3```)

-`TRAEFIK_EXPERIMENTAL_HTTP3`:  
-Enable HTTP3. (Default: ```false```)
-
 `TRAEFIK_EXPERIMENTAL_HUB`:  
 Enable the Traefik Hub provider. (Default: ```false```)

@@ -240,6 +243,9 @@ The TLS key for Traefik Proxy as a TLS client.
 `TRAEFIK_LOG`:  
 Traefik log settings. (Default: ```false```)

+`TRAEFIK_LOG_COMPRESS`:  
+Determines if the rotated log files should be compressed using gzip. (Default: ```false```)
+
 `TRAEFIK_LOG_FILEPATH`:  
 Traefik log file path. Stdout is used when omitted or empty.

@@ -249,6 +255,18 @@ Traefik log format: json | common (Default: ```common```)
 `TRAEFIK_LOG_LEVEL`:  
 Log level set to traefik logs. (Default: ```ERROR```)

+`TRAEFIK_LOG_MAXAGE`:  
+Maximum number of days to retain old log files based on the timestamp encoded in their filename. (Default: ```0```)
+
+`TRAEFIK_LOG_MAXBACKUPS`:  
+Maximum number of old log files to retain. (Default: ```0```)
+
+`TRAEFIK_LOG_MAXSIZE`:  
+Maximum size in megabytes of the log file before it gets rotated. (Default: ```0```)
+
+`TRAEFIK_LOG_NOCOLOR`:  
+When using the 'common' format, disables the colorized output. (Default: ```false```)
+
 `TRAEFIK_METRICS_DATADOG`:  
 Datadog metrics exporter type. (Default: ```false```)

@@ -336,6 +354,51 @@ InfluxDB retention policy used when protocol is http.
 `TRAEFIK_METRICS_INFLUXDB_USERNAME`:  
 InfluxDB username (only with http).

+`TRAEFIK_METRICS_OPENTELEMETRY`:  
+OpenTelemetry metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_ADDENTRYPOINTSLABELS`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_ADDRESS`:  
+Address (host:port) of the collector endpoint. (Default: ```localhost:4318```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_ADDROUTERSLABELS`:  
+Enable metrics on routers. (Default: ```false```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_ADDSERVICESLABELS`:  
+Enable metrics on services. (Default: ```true```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_EXPLICITBOUNDARIES`:  
+Boundaries for latency metrics. (Default: ```0.005000, 0.010000, 0.025000, 0.050000, 0.100000, 0.250000, 0.500000, 1.000000, 2.500000, 5.000000, 10.000000```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_GRPC`:  
+gRPC specific configuration for the OpenTelemetry collector. (Default: ```true```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_HEADERS_<NAME>`:  
+Headers sent with payload.
+
+`TRAEFIK_METRICS_OPENTELEMETRY_INSECURE`:  
+Disables client transport security for the exporter. (Default: ```false```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_PATH`:  
+Set the URL path of the collector endpoint.
+
+`TRAEFIK_METRICS_OPENTELEMETRY_PUSHINTERVAL`:  
+Period between calls to collect a checkpoint. (Default: ```10```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_METRICS_OPENTELEMETRY_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_METRICS_OPENTELEMETRY_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_TLS_KEY`:  
+TLS key
+
 `TRAEFIK_METRICS_PROMETHEUS`:  
 Prometheus metrics exporter type. (Default: ```false```)

@@ -432,9 +495,6 @@ The URI scheme for the Consul server
 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CERT`:  
 TLS cert

@@ -450,9 +510,6 @@ Token is used to provide a per-request ACL token which overrides the agent's def
 `TRAEFIK_PROVIDERS_CONSULCATALOG_EXPOSEDBYDEFAULT`:  
 Expose containers by default. (Default: ```true```)

-`TRAEFIK_PROVIDERS_CONSULCATALOG_NAMESPACE`:  
-Sets the namespace used to discover services (Consul Enterprise only).
-
 `TRAEFIK_PROVIDERS_CONSULCATALOG_NAMESPACES`:  
 Sets the namespaces used to discover services (Consul Enterprise only).

@@ -477,9 +534,6 @@ Watch Consul API events. (Default: ```false```)
 `TRAEFIK_PROVIDERS_CONSUL_ENDPOINTS`:  
 KV store endpoints. (Default: ```127.0.0.1:8500```)

-`TRAEFIK_PROVIDERS_CONSUL_NAMESPACE`:  
-Sets the namespace used to discover the configuration (Consul Enterprise only).
-
 `TRAEFIK_PROVIDERS_CONSUL_NAMESPACES`:  
 Sets the namespaces used to discover the configuration (Consul Enterprise only).

@@ -489,9 +543,6 @@ Root key used for KV store. (Default: ```traefik```)
 `TRAEFIK_PROVIDERS_CONSUL_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_CONSUL_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_CONSUL_TLS_CERT`:  
 TLS cert

@@ -537,9 +588,6 @@ Polling interval for swarm mode. (Default: ```15```)
 `TRAEFIK_PROVIDERS_DOCKER_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_DOCKER_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_DOCKER_TLS_CERT`:  
 TLS cert

@@ -559,13 +607,13 @@ Watch Docker events. (Default: ```true```)
 Enable AWS ECS backend with default settings. (Default: ```false```)

 `TRAEFIK_PROVIDERS_ECS_ACCESSKEYID`:  
-The AWS credentials access key to use for making requests
+AWS credentials access key ID to use for making requests.

 `TRAEFIK_PROVIDERS_ECS_AUTODISCOVERCLUSTERS`:  
-Auto discover cluster (Default: ```false```)
+Auto discover cluster. (Default: ```false```)

 `TRAEFIK_PROVIDERS_ECS_CLUSTERS`:  
-ECS Clusters name (Default: ```default```)
+ECS Cluster names. (Default: ```default```)

 `TRAEFIK_PROVIDERS_ECS_CONSTRAINTS`:  
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
@@ -574,19 +622,22 @@ Constraints is an expression that Traefik matches against the container's labels
 Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)

 `TRAEFIK_PROVIDERS_ECS_ECSANYWHERE`:  
-Enable ECS Anywhere support (Default: ```false```)
+Enable ECS Anywhere support. (Default: ```false```)

 `TRAEFIK_PROVIDERS_ECS_EXPOSEDBYDEFAULT`:  
-Expose services by default (Default: ```true```)
+Expose services by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_ECS_HEALTHYTASKSONLY`:  
+Determines whether to discover only healthy tasks. (Default: ```false```)

 `TRAEFIK_PROVIDERS_ECS_REFRESHSECONDS`:  
-Polling interval (in seconds) (Default: ```15```)
+Polling interval (in seconds). (Default: ```15```)

 `TRAEFIK_PROVIDERS_ECS_REGION`:  
-The AWS region to use for requests
+AWS region to use for requests.

 `TRAEFIK_PROVIDERS_ECS_SECRETACCESSKEY`:  
-The AWS credentials access key to use for making requests
+AWS credentials access key to use for making requests.

 `TRAEFIK_PROVIDERS_ETCD`:  
 Enable Etcd backend with default settings. (Default: ```false```)
@@ -603,9 +654,6 @@ Root key used for KV store. (Default: ```traefik```)
 `TRAEFIK_PROVIDERS_ETCD_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_ETCD_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_ETCD_TLS_CERT`:  
 TLS cert

@@ -636,6 +684,9 @@ Enable HTTP backend with default settings. (Default: ```false```)
 `TRAEFIK_PROVIDERS_HTTP_ENDPOINT`:  
 Load configuration from this endpoint.

+`TRAEFIK_PROVIDERS_HTTP_HEADERS_<NAME>`:  
+Define custom headers to be sent to the endpoint.
+
 `TRAEFIK_PROVIDERS_HTTP_POLLINTERVAL`:  
 Polling interval for endpoint. (Default: ```5```)

@@ -645,9 +696,6 @@ Polling timeout for endpoint. (Default: ```5```)
 `TRAEFIK_PROVIDERS_HTTP_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_HTTP_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_HTTP_TLS_CERT`:  
 TLS cert

@@ -795,9 +843,6 @@ Set a TLS handshake timeout for Marathon. (Default: ```5```)
 `TRAEFIK_PROVIDERS_MARATHON_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_MARATHON_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_MARATHON_TLS_CERT`:  
 TLS cert

@@ -834,9 +879,6 @@ Nomad region to use. If not provided, the local agent region is used.
 `TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CERT`:  
 TLS cert

@@ -852,8 +894,8 @@ Token is used to provide a per-request ACL token.
 `TRAEFIK_PROVIDERS_NOMAD_EXPOSEDBYDEFAULT`:  
 Expose Nomad services by default. (Default: ```true```)

-`TRAEFIK_PROVIDERS_NOMAD_NAMESPACE`:  
-Sets the Nomad namespace used to discover services.
+`TRAEFIK_PROVIDERS_NOMAD_NAMESPACES`:  
+Sets the Nomad namespaces used to discover services.

 `TRAEFIK_PROVIDERS_NOMAD_PREFIX`:  
 Prefix for nomad service tags. (Default: ```traefik```)
@@ -915,9 +957,6 @@ Root key used for KV store. (Default: ```traefik```)
 `TRAEFIK_PROVIDERS_REDIS_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_REDIS_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_REDIS_TLS_CERT`:  
 TLS cert

@@ -969,6 +1008,18 @@ If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, D
 `TRAEFIK_SERVERSTRANSPORT_ROOTCAS`:  
 Add cert file for self-signed certificate.

+`TRAEFIK_SERVERSTRANSPORT_SPIFFE`:  
+Defines the SPIFFE configuration. (Default: ```false```)
+
+`TRAEFIK_SERVERSTRANSPORT_SPIFFE_IDS`:  
+Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
+
+`TRAEFIK_SERVERSTRANSPORT_SPIFFE_TRUSTDOMAIN`:  
+Defines the allowed SPIFFE trust domain.
+
+`TRAEFIK_SPIFFE_WORKLOADAPIADDR`:  
+Defines the workload API address.
+
 `TRAEFIK_TRACING`:  
 OpenTracing configuration. (Default: ```false```)

@@ -981,9 +1032,6 @@ Sets the header name prefix used to store baggage items in a map.
 `TRAEFIK_TRACING_DATADOG_DEBUG`:  
 Enables Datadog debug. (Default: ```false```)

-`TRAEFIK_TRACING_DATADOG_GLOBALTAG`:  
-Sets a key:value tag on all spans.
-
 `TRAEFIK_TRACING_DATADOG_GLOBALTAGS_<NAME>`:  
 Sets a list of key:value tags on all spans.

@@ -1089,6 +1137,36 @@ Sets the sampling type. (Default: ```const```)
 `TRAEFIK_TRACING_JAEGER_TRACECONTEXTHEADERNAME`:  
 Sets the header name used to store the trace ID. (Default: ```uber-trace-id```)

+`TRAEFIK_TRACING_OPENTELEMETRY`:  
+Settings for OpenTelemetry. (Default: ```false```)
+
+`TRAEFIK_TRACING_OPENTELEMETRY_ADDRESS`:  
+Sets the address (host:port) of the collector endpoint. (Default: ```localhost:4318```)
+
+`TRAEFIK_TRACING_OPENTELEMETRY_GRPC`:  
+gRPC specific configuration for the OpenTelemetry collector. (Default: ```true```)
+
+`TRAEFIK_TRACING_OPENTELEMETRY_HEADERS_<NAME>`:  
+Defines additional headers to be sent with the payloads.
+
+`TRAEFIK_TRACING_OPENTELEMETRY_INSECURE`:  
+Disables client transport security for the exporter. (Default: ```false```)
+
+`TRAEFIK_TRACING_OPENTELEMETRY_PATH`:  
+Sets the URL path of the collector endpoint.
+
+`TRAEFIK_TRACING_OPENTELEMETRY_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_TRACING_OPENTELEMETRY_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_TRACING_OPENTELEMETRY_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_TRACING_OPENTELEMETRY_TLS_KEY`:  
+TLS key
+
 `TRAEFIK_TRACING_SERVICENAME`:  
 Set the name for this service. (Default: ```traefik```)

--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@@ -14,6 +14,7 @@
 [entryPoints]
  [entryPoints.EntryPoint0]
    address = "foobar"
+    asDefault = true
    [entryPoints.EntryPoint0.transport]
      [entryPoints.EntryPoint0.transport.lifeCycle]
        requestAcceptGraceTimeout = "42s"
@@ -70,7 +71,6 @@
    allowEmptyServices = true
    [providers.docker.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -95,7 +95,6 @@
    respectReadinessChecks = true
    [providers.marathon.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -158,7 +157,6 @@
    connectByDefault = true
    serviceName = "foobar"
    watch = true
-    namespace = "foobar"
    namespaces = ["foobar", "foobar"]
    [providers.consulCatalog.endpoint]
      address = "foobar"
@@ -168,7 +166,6 @@
      endpointWaitTime = "42s"
      [providers.consulCatalog.endpoint.tls]
        ca = "foobar"
-        caOptional = true
        cert = "foobar"
        key = "foobar"
        insecureSkipVerify = true
@@ -180,7 +177,7 @@
    constraints = "foobar"
    prefix = "foobar"
    stale = true
-    namespace = "foobar"
+    namespaces = ["foobar", "foobar"]
    exposedByDefault = true
    refreshInterval = "42s"
    [providers.nomad.endpoint]
@@ -190,7 +187,6 @@
      endpointWaitTime = "42s"
      [providers.nomad.endpoint.tls]
        ca = "foobar"
-        caOptional = true
        cert = "foobar"
        key = "foobar"
        insecureSkipVerify = true
@@ -205,15 +201,14 @@
    accessKeyID = "foobar"
    secretAccessKey = "foobar"
    ecsAnywhere = true
+    healthyTasksOnly = true
  [providers.consul]
    rootKey = "foobar"
    endpoints = ["foobar", "foobar"]
    token = "foobar"
-    namespace = "foobar"
    namespaces = ["foobar", "foobar"]
    [providers.consul.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -224,7 +219,6 @@
    password = "foobar"
    [providers.etcd.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -241,7 +235,6 @@
    db = 42
    [providers.redis.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -249,9 +242,11 @@
    endpoint = "foobar"
    pollInterval = "42s"
    pollTimeout = "42s"
+    [providers.http.headers]
+      name0 = "foobar"
+      name1 = "foobar"
    [providers.http.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -312,6 +307,25 @@
    [metrics.influxDB2.additionalLabels]
      name0 = "foobar"
      name1 = "foobar"
+  [metrics.openTelemetry]
+    address = "foobar"
+    addEntryPointsLabels = true
+    addRoutersLabels = true
+    addServicesLabels = true
+    pushInterval = "42s"
+    path = "foobar"
+    explicitBoundaries =  [42.0, 42.0]
+    insecure = true
+    [metrics.openTelemetry.headers]
+      name0 = "foobar"
+      name1 = "foobar"
+    [metrics.openTelemetry.tls]
+      ca = "foobar"
+      caOptional = true
+      cert = "foobar"
+      insecureSkipVerify = true
+      key = "foobar"
+    [metrics.openTelemetry.grpc]

 [ping]
  entryPoint = "foobar"
@@ -320,8 +334,13 @@

 [log]
  level = "foobar"
-  filePath = "foobar"
  format = "foobar"
+  noColor = true
+  filePath = "foobar"
+  maxSize = 42
+  maxBackups = 42
+  maxAge = 42
+  compress = true

 [accessLog]
  filePath = "foobar"
@@ -365,7 +384,6 @@
    sampleRate = 42.0
  [tracing.datadog]
    localAgentHostPort = "foobar"
-    globalTag = "foobar"
    [tracing.datadog.globalTags]
      tag1 = "foobar"
      tag2 = "foobar"
@@ -392,6 +410,20 @@
    serverURL = "foobar"
    secretToken = "foobar"
    serviceEnvironment = "foobar"
+  [tracing.openTelemetry]
+    address = "foobar"
+    insecure = true
+    path = "foobar"
+    [tracing.openTelemetry.headers]
+      name0 = "foobar"
+      name1 = "foobar"
+    [tracing.openTelemetry.tls]
+      ca = "foobar"
+      caOptional = true
+      cert = "foobar"
+      key = "foobar"
+      insecureSkipVerify = true
+    [tracing.openTelemetry.grpc]

 [hostResolver]
  cnameFlattening = true
@@ -418,25 +450,7 @@
      [certificatesResolvers.CertificateResolver0.acme.httpChallenge]
        entryPoint = "foobar"
      [certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
-  [certificatesResolvers.CertificateResolver1]
-    [certificatesResolvers.CertificateResolver1.acme]
-      email = "foobar"
-      caServer = "foobar"
-      preferredChain = "foobar"
-      storage = "foobar"
-      keyType = "foobar"
-      certificatesDuration = 42
-      [certificatesResolvers.CertificateResolver1.acme.eab]
-        kid = "foobar"
-        hmacEncoded = "foobar"
-      [certificatesResolvers.CertificateResolver1.acme.dnsChallenge]
-        provider = "foobar"
-        delayBeforeCheck = "42s"
-        resolvers = ["foobar", "foobar"]
-        disablePropagationCheck = true
-      [certificatesResolvers.CertificateResolver1.acme.httpChallenge]
-        entryPoint = "foobar"
-      [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
+  [certificatesResolvers.CertificateResolver1.tailscale]

 [hub]
  [hub.tls]
@@ -447,7 +461,6 @@

 [experimental]
  kubernetesGateway = true
-  http3 = true
  hub = true
  [experimental.plugins]
    [experimental.plugins.Descriptor0]
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@@ -14,6 +14,7 @@ serversTransport:
 entryPoints:
  EntryPoint0:
    address: foobar
+    asDefault: true
    transport:
      lifeCycle:
        requestAcceptGraceTimeout: 42s
@@ -69,7 +70,6 @@ providers:
    defaultRule: foobar
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -95,7 +95,6 @@ providers:
    dcosToken: foobar
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -170,7 +169,6 @@ providers:
    connectByDefault: true
    serviceName: foobar
    watch: true
-    namespace: foobar
    namespaces:
      - foobar
      - foobar
@@ -182,7 +180,6 @@ providers:
      endpointWaitTime: 42s
      tls:
        ca: foobar
-        caOptional: true
        cert: foobar
        key: foobar
        insecureSkipVerify: true
@@ -194,7 +191,9 @@ providers:
    constraints: foobar
    prefix: foobar
    stale: true
-    namespace: foobar
+    namespaces:
+      - foobar
+      - foobar
    exposedByDefault: true
    refreshInterval: 42s
    endpoint:
@@ -204,7 +203,6 @@ providers:
      endpointWaitTime: 42s
      tls:
        ca: foobar
-        caOptional: true
        cert: foobar
        key: foobar
        insecureSkipVerify: true
@@ -221,19 +219,18 @@ providers:
    accessKeyID: foobar
    secretAccessKey: foobar
    ecsAnywhere: true
+    healthyTasksOnly: true
  consul:
    rootKey: foobar
    endpoints:
      - foobar
      - foobar
    token: foobar
-    namespace: foobar
    namespaces:
      - foobar
      - foobar
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -246,7 +243,6 @@ providers:
    password: foobar
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -267,7 +263,6 @@ providers:
    db: 42
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -275,9 +270,11 @@ providers:
    endpoint: foobar
    pollInterval: 42s
    pollTimeout: 42s
+    headers:
+      name0: foobar
+      name1: foobar
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -338,14 +335,41 @@ metrics:
    additionalLabels:
      name0: foobar
      name1: foobar
+  openTelemetry:
+    address: foobar
+    addEntryPointsLabels: true
+    addRoutersLabels: true
+    addServicesLabels: true
+    explicitBoundaries:
+      - 42
+      - 42
+    headers:
+      name0: foobar
+      name1: foobar
+    insecure: true
+    path: foobar
+    pushInterval: 42s
+    tls:
+      ca: foobar
+      caOptional: true
+      cert: foobar
+      insecureSkipVerify: true
+      key: foobar
+    grpc: {}
+
 ping:
  entryPoint: foobar
  manualRouting: true
  terminatingStatusCode: 42
 log:
  level: foobar
-  filePath: foobar
  format: foobar
+  noColor: true
+  filePath: foobar
+  maxSize: 42
+  maxBackups: 42
+  maxAge: 42
+  compress: true
 accessLog:
  filePath: foobar
  format: foobar
@@ -389,7 +413,6 @@ tracing:
    sampleRate: 42
  datadog:
    localAgentHostPort: foobar
-    globalTag: foobar
    globalTags:
      tag1: foobar
      tag2: foobar
@@ -416,6 +439,20 @@ tracing:
    serverURL: foobar
    secretToken: foobar
    serviceEnvironment: foobar
+  openTelemetry:
+    address: foobar
+    headers:
+      name0: foobar
+      name1: foobar
+    insecure: true
+    path: foobar
+    tls:
+      ca: foobar
+      caOptional: true
+      cert: foobar
+      key: foobar
+      insecureSkipVerify: true
+    grpc: {}
 hostResolver:
  cnameFlattening: true
  resolvConfig: foobar
@@ -443,26 +480,7 @@ certificatesResolvers:
        entryPoint: foobar
      tlsChallenge: {}
  CertificateResolver1:
-    acme:
-      email: foobar
-      caServer: foobar
-      certificatesDuration: 42
-      preferredChain: foobar
-      storage: foobar
-      keyType: foobar
-      eab:
-        kid: foobar
-        hmacEncoded: foobar
-      dnsChallenge:
-        provider: foobar
-        delayBeforeCheck: 42s
-        resolvers:
-          - foobar
-          - foobar
-        disablePropagationCheck: true
-      httpChallenge:
-        entryPoint: foobar
-      tlsChallenge: {}
+    tailscale: {}
 hub:
  tls:
    insecure: true
@@ -471,7 +489,6 @@ hub:
    key: foobar
 experimental:
  kubernetesGateway: true
-  http3: true
  hub: true
  plugins:
    Descriptor0:
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@@ -233,6 +233,54 @@ If both TCP and UDP are wanted for the same port, two entryPoints definitions ar

    Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go.

+### AsDefault
+
+_Optional, Default=false_
+
+The `AsDefault` option marks the EntryPoint to be in the list of default EntryPoints.
+EntryPoints in this list are used (by default) on HTTP and TCP routers that do not define their own [EntryPoints option](./routers/index.md#entrypoints).
+
+!!! info "List of default EntryPoints"
+
+    If there is no EntryPoint with the `AsDefault` option set to `true`, 
+    then the list of default EntryPoints includes all HTTP/TCP EntryPoints.
+
+    If at least one EntryPoint has the `AsDefault` option set to `true`,
+    then the list of default EntryPoints includes only EntryPoints that have the `AsDefault` option set to `true`.
+
+    Some built-in EntryPoints are always excluded from the list, namely: `traefik`, `traefikhub-api`, and `traefikhub-tunl`.
+
+!!! warning "Only TCP and HTTP"
+
+    The `AsDefault` option has no effect on UDP EntryPoints.
+    When a UDP router does not define the [EntryPoints option](./routers/index.md#entrypoints_2),
+    it is attached to all available UDP EntryPoints.
+
+??? example "Defining only one EntryPoint as default"
+
+    ```yaml tab="File (yaml)"
+    entryPoints:
+      web:
+        address: ":80"
+      websecure:
+        address: ":443"
+        asDefault: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [entryPoints.web]
+      address = ":80"
+    [entryPoints.websecure]
+      address = ":443"
+      asDefault = true
+    ```
+
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
+    --entrypoints.websecure.asDefault=true
+    ```
+
 ### HTTP/2

 #### `maxConcurrentStreams`
@@ -264,39 +312,32 @@ entryPoints:
 #### `http3`

 `http3` enables HTTP/3 protocol on the entryPoint.
-HTTP/3 requires a TCP entryPoint, as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP.
-In most scenarios, this entryPoint is the same as the one used for TLS traffic.
+HTTP/3 requires a TCP entryPoint,
+as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP.
+In most scenarios,
+this entryPoint is the same as the one used for TLS traffic.
+
+```yaml tab="File (YAML)"
+entryPoints:
+  name:
+  http3: {}
+```
+
+```toml tab="File (TOML)"
+[entryPoints.name.http3]
+```
+
+```bash tab="CLI"
+--entrypoints.name.http3
+```

 ??? info "HTTP/3 uses UDP+TLS"

-    As HTTP/3 uses UDP, you can't have a TCP entryPoint with HTTP/3 on the same port as a UDP entryPoint.
-    Since HTTP/3 requires the use of TLS, only routers with TLS enabled will be usable with HTTP/3.
-
-!!! warning "Enabling Experimental HTTP/3"
-
-    As the HTTP/3 spec is still in draft, HTTP/3 support in Traefik is an experimental feature and needs to be activated 
-    in the experimental section of the static configuration.
-    
-    ```yaml tab="File (YAML)"
-    experimental:
-      http3: true
-
-    entryPoints:
-      name:
-        http3: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [experimental]
-      http3 = true
-    
-    [entryPoints.name.http3]
-    ```
-    
-    ```bash tab="CLI"
-    --experimental.http3=true 
-    --entrypoints.name.http3
-    ```
+    As HTTP/3 actually uses UDP, when traefik is configured with a TCP entryPoint on port N with HTTP/3 enabled,
+    the underlying HTTP/3 server that is started automatically listens on UDP port N too. As a consequence,
+    it means port N cannot be used by another UDP entryPoint.
+    Since HTTP/3 requires the use of TLS,
+    only routers with TLS enabled will be usable with HTTP/3.

 #### `advertisedPort`

@@ -307,9 +348,6 @@ It can be used to override the authority in the `alt-svc` header, for example if
 !!! info "http3.advertisedPort"

    ```yaml tab="File (YAML)"
-    experimental:
-      http3: true
-
    entryPoints:
      name:
        http3:
@@ -317,15 +355,11 @@ It can be used to override the authority in the `alt-svc` header, for example if
    ```

    ```toml tab="File (TOML)"
-    [experimental]
-      http3 = true
-    
    [entryPoints.name.http3]
      advertisedPort = 443
    ```
    
    ```bash tab="CLI"
-    --experimental.http3=true 
    --entrypoints.name.http3.advertisedport=443
    ```

--- a/docs/content/routing/overview.md
+++ b/docs/content/routing/overview.md
@@ -325,6 +325,61 @@ serversTransport:
 --serversTransport.maxIdleConnsPerHost=7
 ```

+### `spiffe`
+
+Please note that [SPIFFE](../https/spiffe.md) must be enabled in the static configuration 
+before using it to secure the connection between Traefik and the backends.  
+
+#### `spiffe.ids`
+
+_Optional_
+
+`ids` defines the allowed SPIFFE IDs.
+This takes precedence over the SPIFFE TrustDomain.
+
+```yaml tab="File (YAML)"
+## Static configuration
+serversTransport:
+    spiffe:
+      ids:
+        - spiffe://trust-domain/id1
+        - spiffe://trust-domain/id2
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[serversTransport.spiffe]
+  ids = ["spiffe://trust-domain/id1", "spiffe://trust-domain/id2"]
+```
+
+```bash tab="CLI"
+## Static configuration
+--serversTransport.spiffe.ids=spiffe://trust-domain/id1,spiffe://trust-domain/id2
+```
+
+#### `spiffe.trustDomain`
+
+_Optional_
+
+`trustDomain` defines the allowed SPIFFE trust domain.
+
+```yaml tab="File (YAML)"
+## Static configuration
+serversTransport:
+  trustDomain: spiffe://trust-domain
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[serversTransport.spiffe]
+  trustDomain = "spiffe://trust-domain"
+```
+
+```bash tab="CLI"
+## Static configuration
+--serversTransport.spiffe.trustDomain=spiffe://trust-domain
+```
+
 ### `forwardingTimeouts`

 `forwardingTimeouts` is about a number of timeouts relevant to when forwarding requests to the backend servers.
--- a/docs/content/routing/providers/consul-catalog.md
+++ b/docs/content/routing/providers/consul-catalog.md
@@ -193,6 +193,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
    traefik.http.services.myservice.loadbalancer.healthcheck.method=foobar
    ```

+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.status`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.status=42
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"
    
    See [health check](../services/index.md#health-check) for more information.
--- a/docs/content/routing/providers/docker.md
+++ b/docs/content/routing/providers/docker.md
@@ -347,6 +347,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
    - "traefik.http.services.myservice.loadbalancer.healthcheck.method=foobar"
    ```

+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.status`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.status=42"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"

    See [health check](../services/index.md#health-check) for more information.
--- a/docs/content/routing/providers/ecs.md
+++ b/docs/content/routing/providers/ecs.md
@@ -195,6 +195,14 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
    traefik.http.services.myservice.loadbalancer.healthcheck.method=foobar
    ```

+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.status`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.status=42
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"
    
    See [health check](../services/index.md#health-check) for more information.
--- a/docs/content/routing/providers/kubernetes-crd.md
+++ b/docs/content/routing/providers/kubernetes-crd.md
@@ -48,7 +48,7 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v2.9
+              image: traefik:v3.0
              args:
                - --log.level=DEBUG
                - --api
@@ -1287,9 +1287,9 @@ Register the `MiddlewareTCP` [kind](../../reference/dynamic-configuration/kubern
    apiVersion: traefik.containo.us/v1alpha1
    kind: MiddlewareTCP
    metadata:
-      name: ipwhitelist
+      name: ipallowlist
    spec:
-      ipWhiteList:
+      ipAllowList:
        sourceRange:
          - 127.0.0.1/32
          - 192.168.1.7
@@ -1305,13 +1305,13 @@ Register the `MiddlewareTCP` [kind](../../reference/dynamic-configuration/kubern
      entryPoints:
        - web
      routes:
-      - match: Host(`example.com`) && PathPrefix(`/whitelist`)
+      - match: Host(`example.com`) && PathPrefix(`/allowlist`)
        kind: Rule
        services:
        - name: whoami
          port: 80
        middlewares:
-        - name: ipwhitelist
+        - name: ipallowlist
          namespace: foo
    ```

--- a/docs/content/routing/providers/kubernetes-ingress.md
+++ b/docs/content/routing/providers/kubernetes-ingress.md
@@ -147,7 +147,7 @@ which in turn will create the resulting routers, services, handlers, etc.
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v2.9
+              image: traefik:v3.0
              args:
                - --entrypoints.web.address=:80
                - --providers.kubernetesingress
@@ -539,7 +539,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v2.9
+              image: traefik:v3.0
              args:
                - --entrypoints.websecure.address=:443
                - --entrypoints.websecure.http.tls
@@ -749,7 +749,7 @@ For more options, please refer to the available [annotations](#on-ingress).
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v2.9
+              image: traefik:v3.0
              args:
                - --entrypoints.websecure.address=:443
                - --providers.kubernetesingress
--- a/docs/content/routing/providers/kv.md
+++ b/docs/content/routing/providers/kv.md
@@ -172,6 +172,14 @@ A Story of key & values
    |-------------------------------------------------------------------|----------|
    | `traefik/http/services/myservice/loadbalancer/healthcheck/method` | `foobar` |

+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/status`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    | Key (Path)                                                        | Value |
+    |-------------------------------------------------------------------|-------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/status` | `42`  |
+
 ??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/port`"

    See [health check](../services/index.md#health-check) for more information.
--- a/docs/content/routing/providers/marathon.md
+++ b/docs/content/routing/providers/marathon.md
@@ -222,6 +222,14 @@ For example, to change the passHostHeader behavior, you'd add the label `"traefi
    "traefik.http.services.myservice.loadbalancer.healthcheck.method": "foobar"
    ```

+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.status`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```json
+    "traefik.http.services.myservice.loadbalancer.healthcheck.status": "42"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"
    
    See [health check](../services/index.md#health-check) for more information.
--- a/docs/content/routing/providers/nomad.md
+++ b/docs/content/routing/providers/nomad.md
@@ -185,6 +185,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
    traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo
    ```

+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.status`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.status=42
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"

    See [health check](../services/index.md#health-check) for more information.
--- a/docs/content/routing/providers/rancher.md
+++ b/docs/content/routing/providers/rancher.md
@@ -228,6 +228,14 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
    - "traefik.http.services.myservice.loadbalancer.healthcheck.method=foobar"
    ```

+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.status`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.status=42"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"
    
    See [health check](../services/index.md#health-check) for more information.
--- a/docs/content/routing/routers/index.md
+++ b/docs/content/routing/routers/index.md
@@ -94,7 +94,7 @@ or act before forwarding the request to the service.

 ### EntryPoints

-If not specified, HTTP routers will accept requests from all defined entry points.
+If not specified, HTTP routers will accept requests from all EntryPoints in the [list of default EntryPoints](../entrypoints.md#asdefault).
 If you want to limit the router scope to a set of entry points, set the `entryPoints` option.

 ??? example "Listens to Every EntryPoint"
@@ -106,7 +106,7 @@ If you want to limit the router scope to a set of entry points, set the `entryPo
    http:
      routers:
        Router-1:
-          # By default, routers listen to every entry points
+          # By default, routers listen to every EntryPoints.
          rule: "Host(`example.com`)"
          service: "service-1"
    ```
@@ -115,7 +115,7 @@ If you want to limit the router scope to a set of entry points, set the `entryPo
    ## Dynamic configuration
    [http.routers]
      [http.routers.Router-1]
-        # By default, routers listen to every entry points
+        # By default, routers listen to every EntryPoints.
        rule = "Host(`example.com`)"
        service = "service-1"
    ```
@@ -214,77 +214,226 @@ If you want to limit the router scope to a set of entry points, set the `entryPo
 Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria.
 If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service.

-??? tip "Backticks or Quotes?"
-    To set the value of a rule, use [backticks](https://en.wiktionary.org/wiki/backtick) ``` ` ``` or escaped double-quotes `\"`.
-
-    Single quotes `'` are not accepted since the values are [Golang's String Literals](https://golang.org/ref/spec#String_literals).
-
-!!! example "Host is example.com"
-
-    ```toml
-    rule = "Host(`example.com`)"
-    ```
-
-!!! example "Host is example.com OR Host is example.org AND path is /traefik"
-
-    ```toml
-    rule = "Host(`example.com`) || (Host(`example.org`) && Path(`/traefik`))"
-    ```
-
 The table below lists all the available matchers:

-| Rule                                                                                       | Description                                                                                                    |
-|--------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
-| ```Headers(`key`, `value`)```                                                              | Check if there is a key `key`defined in the headers, with the value `value`                                    |
-| ```HeadersRegexp(`key`, `regexp`)```                                                       | Check if there is a key `key`defined in the headers, with a value that matches the regular expression `regexp` |
-| ```Host(`example.com`, ...)```                                                             | Check if the request domain (host header value) targets one of the given `domains`.                            |
-| ```HostHeader(`example.com`, ...)```                                                       | Same as `Host`, only exists for historical reasons.                                                            |
-| ```HostRegexp(`example.com`, `{subdomain:[a-z]+}.example.com`, ...)```                     | Match the request domain. See "Regexp Syntax" below.                                                           |
-| ```Method(`GET`, ...)```                                                                   | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`, `HEAD`)    |
-| ```Path(`/path`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`, ...)```                             | Match exact request path. See "Regexp Syntax" below.                                                           |
-| ```PathPrefix(`/products/`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`)```                       | Match request prefix path. See "Regexp Syntax" below.                                                          |
-| ```Query(`foo=bar`, `bar=baz`)```                                                          | Match Query String parameters. It accepts a sequence of key=value pairs.                                       |
-| ```ClientIP(`10.0.0.0/16`, `::1`)```                                                       | Match if the request client IP is one of the given IP/CIDR. It accepts IPv4, IPv6 and CIDR formats.            |
+| Rule                                                            | Description                                                                    |
+|-----------------------------------------------------------------|:-------------------------------------------------------------------------------|
+| [```Header(`key`, `value`)```](#header-and-headerregexp)        | Matches requests containing a header named `key` set to `value`.               |
+| [```HeaderRegexp(`key`, `regexp`)```](#header-and-headerregexp) | Matches requests containing a header named `key` matching `regexp`.            |
+| [```Host(`domain`)```](#host-and-hostregexp)                    | Matches requests host set to `domain`.                                         |
+| [```HostRegexp(`regexp`)```](#host-and-hostregexp)              | Matches requests host matching `regexp`.                                       |
+| [```Method(`method`)```](#method)                               | Matches requests method set to `method`.                                       |
+| [```Path(`path`)```](#path-pathprefix-and-pathregexp)           | Matches requests path set to `path`.                                           |
+| [```PathPrefix(`prefix`)```](#path-pathprefix-and-pathregexp)   | Matches requests path prefix set to `prefix`.                                  |
+| [```PathRegexp(`regexp`)```](#path-pathprefix-and-pathregexp)   | Matches request path using `regexp`.                                           |
+| [```Query(`key`, `value`)```](#query-and-queryregexp)           | Matches requests query parameters named `key` set to `value`.                  |
+| [```QueryRegexp(`key`, `regexp`)```](#query-and-queryregexp)    | Matches requests query parameters named `key` matching `regexp`.               |
+| [```ClientIP(`ip`)```](#clientip)                               | Matches requests client IP using `ip`. It accepts IPv4, IPv6 and CIDR formats. |

-!!! important "Non-ASCII Domain Names"
+!!! tip "Backticks or Quotes?"

-    Non-ASCII characters are not supported in `Host` and `HostRegexp` expressions, and by doing so the associated router will be invalid.
-    For the `Host` expression, domain names containing non-ASCII characters must be provided as punycode encoded values ([rfc 3492](https://tools.ietf.org/html/rfc3492)).
-    As well, when using the `HostRegexp` expressions, in order to match domain names containing non-ASCII characters, the regular expression should match a punycode encoded domain name.
+    To set the value of a rule, use [backticks](https://en.wiktionary.org/wiki/backtick) ``` ` ``` or escaped double-quotes `\"`.
+
+    Single quotes `'` are not accepted since the values are [Go's String Literals](https://golang.org/ref/spec#String_literals).

 !!! important "Regexp Syntax"

-    `HostRegexp`, `PathPrefix`, and `Path` accept an expression with zero or more groups enclosed by curly braces, which are called named regexps.
-    Named regexps, of the form `{name:regexp}`, are the only expressions considered for regexp matching.
-    The regexp name (`name` in the above example) is an arbitrary value, that exists only for historical reasons.
+    Matchers that accept a regexp as their value use a [Go](https://golang.org/pkg/regexp/) flavored syntax.

-    Any `regexp` supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used.
-    For example, here is a case insensitive path matcher syntax: ```Path(`/{path:(?i:Products)}`)```.
-
-!!! info "Combining Matchers Using Operators and Parenthesis"
+!!! info "Expressing Complex Rules Using Operators and Parenthesis"

    The usual AND (`&&`) and OR (`||`) logical operators can be used, with the expected precedence rules,
    as well as parentheses.

-!!! info "Inverting a matcher"
+    One can invert a matcher by using the NOT (`!`) operator.

-    One can invert a matcher by using the `!` operator.
+    The following rule matches requests where:

-!!! important "Rule, Middleware, and Services"
+    - either host is `example.com` OR,
+    - host is `example.org` AND path is NOT `/traefik`

-    The rule is evaluated "before" any middleware has the opportunity to work, and "before" the request is forwarded to the service.
+    ```yaml
+    Host(`example.com`) || (Host(`example.org`) && !Path(`/traefik`))
+    ```

-!!! info "Path Vs PathPrefix"
+#### Header and HeaderRegexp

-    Use `Path` if your service listens on the exact path only. For instance, `Path: /products` would match `/products` but not `/products/shoes`.
+The `Header` and `HeaderRegexp` matchers allow to match requests that contain specific header.

-    Use a `*Prefix*` matcher if your service listens on a particular base path but also serves requests on sub-paths.
-    For instance, `PathPrefix: /products` would match `/products` but also `/products/shoes` and `/products/shirts`.
-    Since the path is forwarded as-is, your service is expected to listen on `/products`.
+!!! example "Examples"

-!!! info "ClientIP matcher"
+    Match requests with a `Content-Type` header set to `application/yaml`:

-    The `ClientIP` matcher will only match the request client IP and does not use the `X-Forwarded-For` header for matching.
+    ```yaml
+    Header(`Content-Type`, `application/yaml`)
+    ```
+
+    Match requests with a `Content-Type` header set to either `application/json` or `application/yaml`:
+
+    ```yaml
+    HeaderRegexp(`Content-Type`, `^application/(json|yaml)$`)
+    ```
+
+    To match headers [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity), use the `(?i)` option:
+
+    ```yaml
+    HeaderRegexp(`Content-Type`, `(?i)^application/(json|yaml)$`)
+    ```
+
+#### Host and HostRegexp
+
+The `Host` and `HostRegexp` matchers allow to match requests that are targeted to a given host.
+
+These matchers do not support non-ASCII characters, use punycode encoded values ([rfc 3492](https://tools.ietf.org/html/rfc3492)) to match such domains.
+
+If no Host is set in the request URL (e.g., it's an IP address), these matchers will look at the `Host` header.
+
+These matchers will match the request's host in lowercase.
+
+!!! example "Examples"
+
+    Match requests with `Host` set to `example.com`:
+
+    ```yaml
+    Host(`example.com`)
+    ```
+
+    Match requests sent to any subdomain of `example.com`:
+
+    ```yaml
+    HostRegexp(`^.+\.example\.com$`)
+    ```
+
+    Match requests with `Host` set to either `example.com` or `example.org`:
+
+    ```yaml
+    HostRegexp(`^example\.(com|org)$`)
+    ```
+
+    To match domains [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity), use the `(?i)` option:
+
+    ```yaml
+    HostRegexp(`(?i)^example\.(com|org)$`)
+    ```
+
+#### Method
+
+The `Method` matchers allows to match requests sent with the given method.
+
+!!! example "Example"
+
+    Match `OPTIONS` requests:
+
+    ```yaml
+    Method(`OPTIONS`)
+    ```
+
+#### Path, PathPrefix, and PathRegexp
+
+These matchers allow matching requests based on their URL path.
+
+For exact matches, use `Path` and its prefixed alternative `PathPrefix`, for regexp matches, use `PathRegexp`.
+
+Path are always starting with a `/`, except for `PathRegexp`.
+
+!!! example "Examples"
+
+    Match `/products` but neither `/products/shoes` nor `/products/`:
+
+    ```yaml
+    Path(`/products`)
+    ```
+
+    Match `/products` as well as everything under `/products`,
+    such as `/products/shoes`, `/products/` but also `/products-for-sale`:
+
+    ```yaml
+    PathPrefix(`/products`)
+    ```
+
+    Match both `/products/shoes` and `/products/socks` with and ID like `/products/shoes/57`:
+
+    ```yaml
+    PathRegexp(`^/products/(shoes|socks)/[0-9]+$`)
+    ```
+
+    Match requests with a path ending in either `.jpeg`, `.jpg` or `.png`:
+
+    ```yaml
+    PathRegexp(`\.(jpeg|jpg|png)$`)
+    ```
+
+    Match `/products` as well as everything under `/products`,
+    such as `/products/shoes`, `/products/` but also `/products-for-sale`,
+    [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity):
+
+    ```yaml
+    HostRegexp(`(?i)^/products`)
+    ```
+
+#### Query and QueryRegexp
+
+The `Query` and `QueryRegexp` matchers allow to match requests based on query parameters.
+
+!!! example "Examples"
+
+    Match requests with a `mobile` query parameter set to `true`, such as in `/search?mobile=true`:
+
+    ```yaml
+    Query(`mobile`, `true`)
+    ```
+
+    To match requests with a query parameter `mobile` that has no value, such as in `/search?mobile`, use:
+
+    ```yaml
+    Query(`mobile`)
+    ```
+
+    Match requests with a `mobile` query parameter set to either `true` or `yes`:
+
+    ```yaml
+    QueryRegexp(`mobile`, `^(true|yes)$`)
+    ```
+
+    Match requests with a `mobile` query parameter set to any value (including the empty value):
+
+    ```yaml
+    QueryRegexp(`mobile`, `^.*$`)
+    ```
+
+    To match query parameters [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity), use the `(?i)` option:
+
+    ```yaml
+    QueryRegexp(`mobile`, `(?i)^(true|yes)$`)
+    ```
+
+#### ClientIP
+
+The `ClientIP` matcher allows matching requests sent from the given client IP.
+
+It only matches the request client IP and does not use the `X-Forwarded-For` header for matching.
+
+!!! example "Examples"
+
+    Match requests coming from a given IP:
+
+    ```yaml tab="IPv4"
+    ClientIP(`10.76.105.11`)
+    ```
+
+    ```yaml tab="IPv6"
+    ClientIP(`::1`)
+    ```
+
+    Match requests coming from a given subnet:
+
+    ```yaml tab="IPv4"
+    ClientIP(`192.168.1.0/24`)
+    ```
+
+    ```yaml tab="IPv6"
+    ClientIP(`fe80::/10`)
+    ```

 ### Priority

@@ -299,7 +448,7 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul
    http:
      routers:
        Router-1:
-          rule: "HostRegexp(`{subdomain:[a-z]+}.traefik.com`)"
+          rule: "HostRegexp(`[a-z]+\.traefik\.com`)"
          # ...
        Router-2:
          rule: "Host(`foobar.traefik.com`)"
@@ -310,7 +459,7 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul
    ## Dynamic configuration
    [http.routers]
      [http.routers.Router-1]
-        rule = "HostRegexp(`{subdomain:[a-z]+}.traefik.com`)"
+        rule = "HostRegexp(`[a-z]+\\.traefik\\.com`)"
        # ...
      [http.routers.Router-2]
        rule = "Host(`foobar.traefik.com`)"
@@ -319,10 +468,10 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul

    In this case, all requests with host `foobar.traefik.com` will be routed through `Router-1` instead of `Router-2`.

-    | Name     | Rule                                               | Priority |
-    |----------|----------------------------------------------------|----------|
-    | Router-1 | ```HostRegexp(`{subdomain:[a-z]+}.traefik.com`)``` | 44       |
-    | Router-2 | ```Host(`foobar.traefik.com`)```                   | 26       |
+    | Name     | Rule                                     | Priority |
+    |----------|------------------------------------------|----------|
+    | Router-1 | ```HostRegexp(`[a-z]+\.traefik\.com`)``` | 44       |
+    | Router-2 | ```Host(`foobar.traefik.com`)```         | 26       |

    The previous table shows that `Router-1` has a higher priority than `Router-2`.

@@ -335,7 +484,7 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul
    http:
      routers:
        Router-1:
-          rule: "HostRegexp(`{subdomain:[a-z]+}.traefik.com`)"
+          rule: "HostRegexp(`[a-z]+\\.traefik\\.com`)"
          entryPoints:
          - "web"
          service: service-1
@@ -352,7 +501,7 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul
    ## Dynamic configuration
    [http.routers]
      [http.routers.Router-1]
-        rule = "HostRegexp(`{subdomain:[a-z]+}.traefik.com`)"
+        rule = "HostRegexp(`[a-z]+\\.traefik\\.com`)"
        entryPoints = ["web"]
        service = "service-1"
        priority = 1
@@ -666,12 +815,12 @@ The [supported `provider` table](../../https/acme.md#providers) indicates if the

 ### General

-If both HTTP routers and TCP routers listen to the same entry points, the TCP routers will apply *before* the HTTP routers.
+If both HTTP routers and TCP routers listen to the same EntryPoint, the TCP routers will apply *before* the HTTP routers.
 If no matching route is found for the TCP routers, then the HTTP routers will take over.

 ### EntryPoints

-If not specified, TCP routers will accept requests from all defined entry points.
+If not specified, TCP routers will accept requests from all EntryPoints in the [list of default EntryPoints](../entrypoints.md#asdefault)..
 If you want to limit the router scope to a set of entry points, set the entry points option.

 ??? info "How to handle Server First protocols?"
@@ -684,9 +833,9 @@ If you want to limit the router scope to a set of entry points, set the entry po
    a situation where both sides are waiting for data and the
    connection appears to have hanged.

-    The only way that Traefik can deal with such a case, is to make 
-    sure that on the concerned entry point, there is no TLS router 
-    whatsoever (neither TCP nor HTTP), and there is at least one 
+    The only way that Traefik can deal with such a case, is to make
+    sure that on the concerned entry point, there is no TLS router
+    whatsoever (neither TCP nor HTTP), and there is at least one
    non-TLS TCP router that leads to the server in question.

 ??? example "Listens to Every Entry Point"
@@ -699,7 +848,7 @@ If you want to limit the router scope to a set of entry points, set the entry po
    tcp:
      routers:
        Router-1:
-          # By default, routers listen to every entrypoints
+          # By default, routers listen to every EntryPoints.
          rule: "HostSNI(`example.com`)"
          service: "service-1"
          # will route TLS requests (and ignore non tls requests)
@@ -711,7 +860,7 @@ If you want to limit the router scope to a set of entry points, set the entry po

    [tcp.routers]
      [tcp.routers.Router-1]
-        # By default, routers listen to every entrypoints
+        # By default, routers listen to every EntryPoints.
        rule = "HostSNI(`example.com`)"
        service = "service-1"
        # will route TLS requests (and ignore non tls requests)
@@ -751,7 +900,7 @@ If you want to limit the router scope to a set of entry points, set the entry po
    --entrypoints.other.address=:9090
    ```

-??? example "Listens to Specific Entry Points"
+??? example "Listens to Specific EntryPoints"

    **Dynamic Configuration**

@@ -817,48 +966,49 @@ If you want to limit the router scope to a set of entry points, set the entry po

 ### Rule

-Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria.
+Rules are a set of matchers configured with values, that determine if a particular connection matches specific criteria.
 If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service.

-??? tip "Backticks or Quotes?"
-
-     To set the value of a rule, use [backticks](https://en.wiktionary.org/wiki/backtick) ``` ` ``` or escaped double-quotes `\"`.
-
-    Single quotes `'` are not accepted since the values are [Golang's String Literals](https://golang.org/ref/spec#String_literals).
-
-!!! example "HostSNI is example.com"
-
-    ```toml
-    rule = "HostSNI(`example.com`)"
-    ```
-
-!!! example "HostSNI is example.com OR HostSNI is example.org AND ClientIP is 0.0.0.0"
-
-    ```toml
-    rule = "HostSNI(`example.com`) || (HostSNI(`example.org`) && ClientIP(`0.0.0.0`))"
-    ```
-
 The table below lists all the available matchers:

-| Rule                                                                      | Description                                                                                             |
-|---------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
-| ```HostSNI(`domain-1`, ...)```                                            | Checks if the Server Name Indication corresponds to the given `domains`.                                |
-| ```HostSNIRegexp(`example.com`, `{subdomain:[a-z]+}.example.com`, ...)``` | Checks if the Server Name Indication matches the given regular expressions. See "Regexp Syntax" below.  |
-| ```ClientIP(`10.0.0.0/16`, `::1`)```                                      | Checks if the connection client IP is one of the given IP/CIDR. It accepts IPv4, IPv6 and CIDR formats. |
-| ```ALPN(`mqtt`, `h2c`)```                                                 | Checks if any of the connection ALPN protocols is one of the given protocols.                           |
+| Rule                                                        | Description                                                                                      |
+|-------------------------------------------------------------|:-------------------------------------------------------------------------------------------------|
+| [```HostSNI(`domain`)```](#hostsni-and-hostsniregexp)       | Checks if the connection's Server Name Indication is equal to `domain`.                          |
+| [```HostSNIRegexp(`regexp`)```](#hostsni-and-hostsniregexp) | Checks if the connection's Server Name Indication matches `regexp`.                              |
+| [```ClientIP(`ip`)```](#clientip_1)                         | Checks if the connection's client IP correspond to `ip`. It accepts IPv4, IPv6 and CIDR formats. |
+| [```ALPN(`protocol`)```](#alpn)                             | Checks if the connection's ALPN protocol equals `protocol`.                                      |

-!!! important "Non-ASCII Domain Names"
+!!! tip "Backticks or Quotes?"

-    Non-ASCII characters are not supported in the `HostSNI` and `HostSNIRegexp` expressions, and so using them would invalidate the associated TCP router.
-    Domain names containing non-ASCII characters must be provided as punycode encoded values ([rfc 3492](https://tools.ietf.org/html/rfc3492)).
+     To set the value of a rule, use [backticks](https://en.wiktionary.org/wiki/backtick) ``` ` ``` or escaped double-quotes `\"`.
+
+    Single quotes `'` are not accepted since the values are [Go's String Literals](https://golang.org/ref/spec#String_literals).

 !!! important "Regexp Syntax"

-    `HostSNIRegexp` accepts an expression with zero or more groups enclosed by curly braces, which are called named regexps.
-    Named regexps, of the form `{name:regexp}`, are the only expressions considered for regexp matching.
-    The regexp name (`name` in the above example) is an arbitrary value, that exists only for historical reasons.
+    Matchers that accept a regexp as their value use a [Go](https://golang.org/pkg/regexp/) flavored syntax.

-    Any `regexp` supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used.
+!!! info "Expressing Complex Rules Using Operators and Parenthesis"
+
+    The usual AND (`&&`) and OR (`||`) logical operators can be used, with the expected precedence rules,
+    as well as parentheses.
+
+    One can invert a matcher by using the NOT (`!`) operator.
+
+    The following rule matches connections where:
+
+    - either Server Name Indication is `example.com` OR,
+    - Server Name Indication is `example.org` AND ALPN protocol is NOT `h2`
+
+    ```yaml
+    HostSNI(`example.com`) || (HostSNI(`example.org`) && !ALPN(`h2`))
+    ```
+
+#### HostSNI and HostSNIRegexp
+
+`HostSNI` and `HostSNIRegexp` matchers allow to match connections targeted to a given domain.
+
+These matchers do not support non-ASCII characters, use punycode encoded values ([rfc 3492](https://tools.ietf.org/html/rfc3492)) to match such domains.

 !!! important "HostSNI & TLS"

@@ -868,29 +1018,76 @@ The table below lists all the available matchers:
    when one wants a non-TLS router that matches all (non-TLS) requests,
    one should use the specific ```HostSNI(`*`)``` syntax.

-!!! info "Combining Matchers Using Operators and Parenthesis"
+!!! example "Examples"

-    The usual AND (`&&`) and OR (`||`) logical operators can be used, with the expected precedence rules,
-    as well as parentheses.
+    Match all connections:

-!!! info "Inverting a matcher"
+    ```yaml tab="HostSNI"
+    HostSNI(`*`)
+    ```

-    One can invert a matcher by using the `!` operator.
+    ```yaml tab="HostSNIRegexp"
+    HostSNIRegexp(`^.*$`)
+    ```

-!!! important "Rule, Middleware, and Services"
+    Match TCP connections sent to `example.com`:

-    The rule is evaluated "before" any middleware has the opportunity to work, and "before" the request is forwarded to the service.
+    ```yaml
+    HostSNI(`example.com`)
+    ```

-!!! important "ALPN ACME-TLS/1"
+    Match TCP connections openned on any subdomain of `example.com`:

-    It would be a security issue to let a user-defined router catch the response to
-    an ACME TLS challenge previously initiated by Traefik.
-    For this reason, the `ALPN` matcher is not allowed to match the `ACME-TLS/1`
-    protocol, and Traefik returns an error if this is attempted.
+    ```yaml
+    HostSNIRegexp(`^.+\.example\.com$`)
+    ```
+
+#### ClientIP
+
+The `ClientIP` matcher allows matching connections opened by a client with the given IP.
+
+!!! example "Examples"
+
+    Match connections opened by a given IP:
+
+    ```yaml tab="IPv4"
+    ClientIP(`10.76.105.11`)
+    ```
+
+    ```yaml tab="IPv6"
+    ClientIP(`::1`)
+    ```
+
+    Match connections coming from a given subnet:
+
+    ```yaml tab="IPv4"
+    ClientIP(`192.168.1.0/24`)
+    ```
+
+    ```yaml tab="IPv6"
+    ClientIP(`fe80::/10`)
+    ```
+
+#### ALPN
+
+The `ALPN` matcher allows matching connections the given protocol.
+
+It would be a security issue to let a user-defined router catch the response to
+an ACME TLS challenge previously initiated by Traefik.
+For this reason, the `ALPN` matcher is not allowed to match the `ACME-TLS/1`
+protocol, and Traefik returns an error if this is attempted.
+
+!!! example "Example"
+
+    Match connections using the ALPN protocol `h2`:
+
+    ```yaml
+    ALPN(`h2`)
+    ```

 ### Priority

-To avoid path overlap, routes are sorted, by default, in descending order using rules length. 
+To avoid path overlap, routes are sorted, by default, in descending order using rules length.
 The priority is directly equal to the length of the rule, and so the longest length has the highest priority.

 A value of `0` for the priority is ignored: `priority = 0` means that the default rules length sorting is used.
@@ -986,7 +1183,7 @@ The middlewares will take effect only if the rule matches, and before connecting
      [tcp.routers.my-router]
        rule = "HostSNI(`*`)"
        # declared elsewhere
-        middlewares = ["ipwhitelist"]
+        middlewares = ["ipallowlist"]
        service = "service-foo"
    ```

@@ -998,7 +1195,7 @@ The middlewares will take effect only if the rule matches, and before connecting
          rule: "HostSNI(`*`)"
          # declared elsewhere
          middlewares:
-          - ipwhitelist
+          - ipallowlist
          service: service-foo
    ```

@@ -1041,6 +1238,30 @@ By default, a router with a TLS section will terminate the TLS connections, mean
        [tcp.routers.Router-1.tls]
    ```

+??? info "Postgres STARTTLS"
+
+    Traefik supports the Postgres STARTTLS protocol,
+    which allows TLS routing for Postgres connections.
+
+    To do so, Traefik reads the first bytes sent by a Postgres client,
+    identifies if they correspond to the message of a STARTTLS negotiation,
+    and, if so, acknowledges and signals the client that it can start the TLS handshake.
+
+    Please note/remember that there are subtleties inherent to STARTTLS in whether
+    the connection ends up being a TLS one or not. These subtleties depend on the
+    `sslmode` value in the client configuration (and on the server authentication
+    rules). Therefore, it is recommended to use the `require` value for the
+    `sslmode`.
+
+    Afterwards, the TLS handshake, and routing based on TLS, can proceed as expected.
+
+    !!! warning "Postgres STARTTLS with TCP TLS PassThrough routers"
+
+        As mentioned above, the `sslmode` configuration parameter does have an impact on
+        whether a STARTTLS session will succeed. In particular in the context of TCP TLS
+        PassThrough, some of the values (such as `allow`) do not even make sense. Which
+        is why, once more it is recommended to use the `require` value.
+
 #### `passthrough`

 As seen above, a TLS router will terminate the TLS connection by default.
@@ -1196,14 +1417,14 @@ So UDP "routers" at this time are pretty much only load-balancers in one form or
 	It basically means that some state is kept about an ongoing communication between a client and a backend,
 	notably so that the proxy knows where to forward a response packet from a backend.
 	As expected, a `timeout` is associated to each of these sessions,
-	so that they get cleaned out if they go through a period of inactivity longer than a given duration. 
-	Timeout can be configured using the `entryPoints.name.udp.timeout` option as described 
-	under [entry points](../entrypoints/#udp-options).
+	so that they get cleaned out if they go through a period of inactivity longer than a given duration.
+	Timeout can be configured using the `entryPoints.name.udp.timeout` option as described
+	under [EntryPoints](../entrypoints/#udp-options).

 ### EntryPoints

-If not specified, UDP routers will accept packets from all defined (UDP) entry points.
-If one wants to limit the router scope to a set of entry points, one should set the entry points option.
+If not specified, UDP routers will accept packets from all defined (UDP) EntryPoints.
+If one wants to limit the router scope to a set of EntryPoints, one should set the `entryPoints` option.

 ??? example "Listens to Every Entry Point"

@@ -1267,7 +1488,7 @@ If one wants to limit the router scope to a set of entry points, one should set
    --entrypoints.streaming.address=":9191/udp"
    ```

-??? example "Listens to Specific Entry Points"
+??? example "Listens to Specific EntryPoints"

    **Dynamic Configuration**

--- a/docs/content/routing/services/index.md
+++ b/docs/content/routing/services/index.md
@@ -316,7 +316,8 @@ On subsequent requests, to keep the session alive with the same server, the clie
 #### Health Check

 Configure health check to remove unhealthy servers from the load balancing rotation.
-Traefik will consider your servers healthy as long as they return status codes between `2XX` and `3XX` to the health check requests (carried out every `interval`).
+Traefik will consider HTTP(s) servers healthy as long as they return a status code to the health check request (carried out every `interval`) between `2XX` and `3XX`, or matching the configured status.
+For gRPC servers, Traefik will consider them healthy as long as they return `SERVING` to [gRPC health check v1](https://github.com/grpc/grpc/blob/master/doc/health-checking.md) requests.

 To propagate status changes (e.g. all servers of this service are down) upwards, HealthCheck must also be enabled on the parent(s) of this service.

@@ -324,6 +325,7 @@ Below are the available options for the health check mechanism:

 - `path` (required), defines the server URL path for the health check endpoint .
 - `scheme` (optional), replaces the server URL `scheme` for the health check endpoint.
+- `mode` (default: http), if defined to `grpc`, will use the gRPC health check protocol to probe the server.
 - `hostname` (optional), sets the value of `hostname` in the `Host` header of the health check request.
 - `port` (optional), replaces the server URL `port` for the health check endpoint.
 - `interval` (default: 30s), defines the frequency of the health check calls.
@@ -331,6 +333,7 @@ Below are the available options for the health check mechanism:
 - `headers` (optional), defines custom headers to be sent to the health check endpoint.
 - `followRedirects` (default: true), defines whether redirects should be followed during the health check calls.
 - `method` (default: GET), defines the HTTP method that will be used while connecting to the endpoint.
+- `status` (optional), defines the expected HTTP status code of the response to the health check request.

 !!! info "Interval & Timeout Format"

@@ -774,6 +777,82 @@ spec:
    peerCertURI: foobar
 ```

+#### `spiffe`
+
+Please note that [SPIFFE](../../https/spiffe.md) must be enabled in the static configuration
+before using it to secure the connection between Traefik and the backends.
+
+##### `spiffe.ids`
+
+_Optional_
+
+`ids` defines the allowed SPIFFE IDs. 
+This takes precedence over the SPIFFE TrustDomain.
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  serversTransports:
+    mytransport:
+      spiffe:
+        ids:
+          - spiffe://trust-domain/id1
+          - spiffe://trust-domain/id2
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.serversTransports.mytransport.spiffe]
+  ids = ["spiffe://trust-domain/id1", "spiffe://trust-domain/id2"]
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+    spiffe:
+      ids:
+        - spiffe://trust-domain/id1
+        - spiffe://trust-domain/id2
+```
+
+##### `spiffe.trustDomain`
+
+_Optional_
+
+`trustDomain` defines the allowed SPIFFE trust domain.
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  serversTransports:
+    mytransport:
+        spiffe:
+          trustDomain: spiffe://trust-domain
+```
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.serversTransports.mytransport.spiffe]
+  trustDomain = "spiffe://trust-domain"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+    spiffe:
+      trustDomain: "spiffe://trust-domain"
+```
+
 #### `forwardingTimeouts`

 `forwardingTimeouts` are the timeouts applied when forwarding requests to the servers.
--- a/docs/content/traefik-hub/index.md
+++ b/docs/content/traefik-hub/index.md
@@ -1,4 +1,4 @@
-# Traefik Hub (Experimental)
+# Traefik Hub

 ## Overview

@@ -29,6 +29,12 @@ This agent can:
    * The Traefik Hub Agent must be installed to connect to the Traefik Hub platform.
    * Activate this feature in the experimental section of the static configuration.

+!!! information "Configuration Discovery"
+
+    According to installation options, the Traefik Hub Agent listens to the Docker or Kubernetes API to discover containers/services.
+
+    It doesn't support the routers discovered by Traefik Proxy using other providers, e.g., using the File provider.
+
 !!! example "Minimal Static Configuration to Activate Traefik Hub for Docker"

    ```yaml tab="File (YAML)"
--- a/docs/content/user-guides/crd-acme/03-deployments.yml
+++ b/docs/content/user-guides/crd-acme/03-deployments.yml
@@ -26,7 +26,7 @@ spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
-          image: traefik:v2.9
+          image: traefik:v3.0
          args:
            - --api.insecure
            - --accesslog
--- a/docs/content/user-guides/crd-acme/k3s.yml
+++ b/docs/content/user-guides/crd-acme/k3s.yml
@@ -26,5 +26,5 @@ node:
    - K3S_CLUSTER_SECRET=somethingtotallyrandom
  volumes:
    # this is where you would place a alternative traefik image (saved as a .tar file with
-    # 'docker save'), if you want to use it, instead of the traefik:v2.9 image.
+    # 'docker save'), if you want to use it, instead of the traefik:v3.0 image.
    - /somewhere/on/your/host/custom-image:/var/lib/rancher/k3s/agent/images
--- a/docs/content/user-guides/docker-compose/acme-dns/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/acme-dns/docker-compose.yml
@@ -3,7 +3,7 @@ version: "3.3"
 services:

  traefik:
-    image: "traefik:v2.9"
+    image: "traefik:v3.0"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
--- a/docs/content/user-guides/docker-compose/acme-dns/docker-compose_secrets.yml
+++ b/docs/content/user-guides/docker-compose/acme-dns/docker-compose_secrets.yml
@@ -13,7 +13,7 @@ secrets:
 services:

  traefik:
-    image: "traefik:v2.9"
+    image: "traefik:v3.0"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
--- a/docs/content/user-guides/docker-compose/acme-http/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/acme-http/docker-compose.yml
@@ -3,7 +3,7 @@ version: "3.3"
 services:

  traefik:
-    image: "traefik:v2.9"
+    image: "traefik:v3.0"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
--- a/docs/content/user-guides/docker-compose/acme-tls/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/acme-tls/docker-compose.yml
@@ -3,7 +3,7 @@ version: "3.3"
 services:

  traefik:
-    image: "traefik:v2.9"
+    image: "traefik:v3.0"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
--- a/docs/content/user-guides/docker-compose/basic-example/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/basic-example/docker-compose.yml
@@ -3,7 +3,7 @@ version: "3.3"
 services:

  traefik:
-    image: "traefik:v2.9"
+    image: "traefik:v3.0"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
--- a/docs/content/user-guides/docker-compose/basic-example/index.md
+++ b/docs/content/user-guides/docker-compose/basic-example/index.md
@@ -16,6 +16,35 @@ This will also be used as a starting point for the other docker-compose guides.
 --8<-- "content/user-guides/docker-compose/basic-example/docker-compose.yml"
 ```

+??? Networking
+
+    The Traefik container has to be attached to the same network as the containers to be exposed.
+    If no networks are specified in the docker-compose file, Docker creates a default one that allows Traefik to reach the containers defined in the same file.
+    You can [customize the network](https://docs.docker.com/compose/networking/#specify-custom-networks) as described in the example below.
+    You can use a [pre-existing network](https://docs.docker.com/compose/networking/#use-a-pre-existing-network) too.
+
+    ```yaml
+    version: "3.3"
+
+    networks:
+      traefiknet: {}
+
+    services:
+
+      traefik:
+        image: "traefik:v3.0"
+        ...
+        networks:
+          - traefiknet
+
+      whoami:
+        image: "traefik/whoami"
+        ...
+        networks:
+          - traefiknet
+
+    ```
+
 - Replace `whoami.localhost` by your **own domain** within the `traefik.http.routers.whoami.rule` label of the `whoami` service.
 - Run `docker-compose up -d` within the folder where you created the previous file.
 - Wait a bit and visit `http://your_own_domain` to confirm everything went fine.
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -109,6 +109,8 @@ nav:
      - 'Overview': 'https/overview.md'
      - 'TLS': 'https/tls.md'
      - 'Let''s Encrypt': 'https/acme.md'
+      - 'Tailscale': 'https/tailscale.md'
+      - 'SPIFFE': 'https/spiffe.md'
  - 'Middlewares':
    - 'Overview': 'middlewares/overview.md'
    - 'HTTP':
@@ -123,8 +125,9 @@ nav:
        - 'DigestAuth': 'middlewares/http/digestauth.md'
        - 'Errors': 'middlewares/http/errorpages.md'
        - 'ForwardAuth': 'middlewares/http/forwardauth.md'
+        - 'GrpcWeb': 'middlewares/http/grpcweb.md'
        - 'Headers': 'middlewares/http/headers.md'
-        - 'IpWhitelist': 'middlewares/http/ipwhitelist.md'
+        - 'IpAllowList': 'middlewares/http/ipallowlist.md'
        - 'InFlightReq': 'middlewares/http/inflightreq.md'
        - 'PassTLSClientCert': 'middlewares/http/passtlsclientcert.md'
        - 'RateLimit': 'middlewares/http/ratelimit.md'
@@ -138,7 +141,7 @@ nav:
    - 'TCP':
        - 'Overview': 'middlewares/tcp/overview.md'
        - 'InFlightConn': 'middlewares/tcp/inflightconn.md'
-        - 'IpWhitelist': 'middlewares/tcp/ipwhitelist.md'
+        - 'IpAllowList': 'middlewares/tcp/ipallowlist.md'
  - 'Traefik Hub': 'traefik-hub/index.md'
  - 'Plugins & Plugin Catalog': 'plugins/index.md'
  - 'Operations':
@@ -154,6 +157,7 @@ nav:
          - 'Datadog': 'observability/metrics/datadog.md'
          - 'InfluxDB': 'observability/metrics/influxdb.md'
          - 'InfluxDB2': 'observability/metrics/influxdb2.md'
+          - 'OpenTelemetry': 'observability/metrics/opentelemetry.md'
          - 'Prometheus': 'observability/metrics/prometheus.md'
          - 'StatsD': 'observability/metrics/statsd.md'
      - 'Tracing':
@@ -164,6 +168,7 @@ nav:
          - 'Instana': 'observability/tracing/instana.md'
          - 'Haystack': 'observability/tracing/haystack.md'
          - 'Elastic': 'observability/tracing/elastic.md'
+          - 'OpenTelemetry': 'observability/tracing/opentelemetry.md'
  - 'User Guides':
      - 'Kubernetes and Let''s Encrypt': 'user-guides/crd-acme/index.md'
      - 'gRPC Examples': 'user-guides/grpc.md'
@@ -175,6 +180,7 @@ nav:
          - 'HTTP Challenge': 'user-guides/docker-compose/acme-http/index.md'
          - 'DNS Challenge': 'user-guides/docker-compose/acme-dns/index.md'
  - 'Migration':
+      - 'Traefik v2 to v3': 'migration/v2-to-v3.md'
      - 'Traefik v2 minor migrations': 'migration/v2.md'
      - 'Traefik v1 to v2': 'migration/v1-to-v2.md'
  - 'Contributing':
--- a/go.mod
+++ b/go.mod
@@ -7,6 +7,7 @@ require (
 	github.com/ExpediaDotCom/haystack-client-go v0.0.0-20190315171017-e7edbdf53a61
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/abbot/go-http-auth v0.0.0-00010101000000-000000000000
+	github.com/andybalholm/brotli v1.0.4
 	github.com/aws/aws-sdk-go v1.44.47
 	github.com/cenkalti/backoff/v4 v4.1.3
 	github.com/compose-spec/compose-go v1.0.3
@@ -19,7 +20,7 @@ require (
 	github.com/docker/go-connections v0.4.0
 	github.com/fatih/structs v1.1.0
 	github.com/gambol99/go-marathon v0.0.0-20180614232016-99a156b96fb2
-	github.com/go-acme/lego/v4 v4.9.0
+	github.com/go-acme/lego/v4 v4.9.1
 	github.com/go-check/check v0.0.0-00010101000000-000000000000
 	github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea
 	github.com/golang/protobuf v1.5.2
@@ -30,12 +31,14 @@ require (
 	github.com/hashicorp/consul/api v1.14.0
 	github.com/hashicorp/go-hclog v1.2.0
 	github.com/hashicorp/go-multierror v1.1.1
+	github.com/hashicorp/go-retryablehttp v0.7.1
 	github.com/hashicorp/go-version v1.6.0
 	github.com/hashicorp/nomad/api v0.0.0-20220506174431-b5665129cd1f
+	github.com/improbable-eng/grpc-web v0.15.0
 	github.com/influxdata/influxdb-client-go/v2 v2.7.0
 	github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d
 	github.com/instana/go-sensor v1.38.3
-	github.com/klauspost/compress v1.14.2
+	github.com/klauspost/compress v1.15.0
 	github.com/kvtools/consul v1.0.2
 	github.com/kvtools/etcdv3 v1.0.2
 	github.com/kvtools/redis v1.0.2
@@ -44,9 +47,10 @@ require (
 	github.com/lucas-clemente/quic-go v0.28.1
 	github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f
 	github.com/miekg/dns v1.1.50
-	github.com/mitchellh/copystructure v1.0.0
+	github.com/mitchellh/copystructure v1.2.0
 	github.com/mitchellh/hashstructure v1.0.0
 	github.com/mitchellh/mapstructure v1.5.0
+	github.com/natefinch/lumberjack v0.0.0-20201021141957-47ffae23317c
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5
 	github.com/openzipkin/zipkin-go v0.2.2
@@ -56,9 +60,12 @@ require (
 	github.com/prometheus/client_golang v1.12.2-0.20220704083116-e8f91604d835
 	github.com/prometheus/client_model v0.2.0
 	github.com/rancher/go-rancher-metadata v0.0.0-20200311180630-7f4c936a06ac
-	github.com/sirupsen/logrus v1.8.1
-	github.com/stretchr/testify v1.8.0
+	github.com/rs/zerolog v1.28.0
+	github.com/sirupsen/logrus v1.9.0
+	github.com/spiffe/go-spiffe/v2 v2.1.1
+	github.com/stretchr/testify v1.8.1
 	github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154
+	github.com/tailscale/tscert v0.0.0-20220316030059-54bbcb9f74e2
 	github.com/traefik/paerser v0.1.9
 	github.com/traefik/yaegi v0.14.3
 	github.com/uber/jaeger-client-go v2.30.0+incompatible
@@ -66,36 +73,49 @@ require (
 	github.com/unrolled/render v1.0.2
 	github.com/unrolled/secure v1.0.9
 	github.com/vdemeester/shakers v0.1.0
-	github.com/vulcand/oxy v1.4.1
+	github.com/vulcand/oxy/v2 v2.0.0-20221121151423-d5cb734e4467
 	github.com/vulcand/predicate v1.2.0
 	go.elastic.co/apm v1.13.1
 	go.elastic.co/apm/module/apmot v1.13.1
-	golang.org/x/mod v0.4.2
-	golang.org/x/net v0.0.0-20220927171203-f486391704dc
-	golang.org/x/text v0.3.7
-	golang.org/x/time v0.0.0-20220224211638-0e9765cccd65
-	golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2
-	google.golang.org/grpc v1.41.0
-	gopkg.in/DataDog/dd-trace-go.v1 v1.38.1
+	go.opentelemetry.io/collector/pdata v0.64.1
+	go.opentelemetry.io/otel v1.11.1
+	go.opentelemetry.io/otel/bridge/opentracing v1.11.1
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.33.0
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.33.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.11.1
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.11.1
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.11.1
+	go.opentelemetry.io/otel/metric v0.33.0
+	go.opentelemetry.io/otel/sdk v1.11.1
+	go.opentelemetry.io/otel/sdk/metric v0.33.0
+	go.opentelemetry.io/otel/trace v1.11.1
+	golang.org/x/exp v0.0.0-20221114191408-850992195362
+	golang.org/x/mod v0.6.0
+	golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10
+	golang.org/x/text v0.5.0
+	golang.org/x/time v0.0.0-20220609170525-579cf78fd858
+	golang.org/x/tools v0.2.0
+	google.golang.org/grpc v1.50.1
+	gopkg.in/DataDog/dd-trace-go.v1 v1.43.1
 	gopkg.in/fsnotify.v1 v1.4.7
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.22.1
-	k8s.io/apiextensions-apiserver v0.21.3
-	k8s.io/apimachinery v0.22.1
-	k8s.io/client-go v0.22.1
-	k8s.io/utils v0.0.0-20210820185131-d34e5cb4466e
+	k8s.io/api v0.25.0
+	k8s.io/apiextensions-apiserver v0.25.0
+	k8s.io/apimachinery v0.25.0
+	k8s.io/client-go v0.25.0
+	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed
 	mvdan.cc/xurls/v2 v2.1.0
 	sigs.k8s.io/gateway-api v0.4.0
 )

 require (
-	cloud.google.com/go v0.81.0 // indirect
+	cloud.google.com/go v0.97.0 // indirect
 	github.com/AlecAivazis/survey/v2 v2.2.3 // indirect
 	github.com/Azure/azure-sdk-for-go v40.3.0+incompatible // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.27 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
@@ -106,13 +126,15 @@ require (
 	github.com/DataDog/datadog-agent/pkg/obfuscate v0.0.0-20211129110424-6491aa3bf583 // indirect
 	github.com/DataDog/datadog-go v4.8.2+incompatible // indirect
 	github.com/DataDog/datadog-go/v5 v5.0.2 // indirect
-	github.com/DataDog/sketches-go v1.0.0 // indirect
+	github.com/DataDog/sketches-go v1.2.1 // indirect
 	github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.1.1 // indirect
-	github.com/Microsoft/go-winio v0.5.1 // indirect
+	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/Microsoft/hcsshim v0.8.23 // indirect
 	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
+	github.com/PuerkitoBio/purell v1.1.1 // indirect
+	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/Shopify/sarama v1.23.1 // indirect
 	github.com/VividCortex/gohistogram v1.0.0 // indirect
 	github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 // indirect
@@ -137,9 +159,10 @@ require (
 	github.com/containerd/continuity v0.1.0 // indirect
 	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/coreos/go-semver v0.3.0 // indirect
-	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
+	github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534 // indirect
 	github.com/cpu/goacmedns v0.1.1 // indirect
 	github.com/deepmap/oapi-codegen v1.9.1 // indirect
+	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
 	github.com/dgraph-io/ristretto v0.1.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
@@ -156,7 +179,8 @@ require (
 	github.com/elastic/go-licenser v0.3.1 // indirect
 	github.com/elastic/go-sysinfo v1.1.1 // indirect
 	github.com/elastic/go-windows v1.0.0 // indirect
-	github.com/evanphx/json-patch v4.11.0+incompatible // indirect
+	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/exoscale/egoscale v0.90.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
@@ -164,7 +188,11 @@ require (
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
-	github.com/go-logr/logr v0.4.0 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.19.5 // indirect
+	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/go-redis/redis/v8 v8.11.5 // indirect
 	github.com/go-resty/resty/v2 v2.1.1-0.20191201195748-d7b97669fe48 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
@@ -173,21 +201,22 @@ require (
 	github.com/gogo/googleapis v1.4.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b // indirect
+	github.com/golang/glog v1.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/mock v1.6.0 // indirect
 	github.com/google/btree v1.0.1 // indirect
-	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/googleapis/gax-go/v2 v2.0.5 // indirect
-	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/googleapis/gax-go/v2 v2.1.0 // indirect
 	github.com/gophercloud/gophercloud v1.0.0 // indirect
 	github.com/gophercloud/utils v0.0.0-20210216074907-f6de111f2eae // indirect
 	github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf // indirect
-	github.com/grpc-ecosystem/go-grpc-middleware v1.2.0 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 // indirect
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
 	github.com/hashicorp/consul/sdk v0.10.0 // indirect
 	github.com/hashicorp/cronexpr v1.1.1 // indirect
@@ -195,7 +224,6 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-msgpack v0.5.5 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/hashicorp/go-uuid v1.0.2 // indirect
@@ -229,6 +257,7 @@ require (
 	github.com/liquidweb/liquidweb-cli v0.6.9 // indirect
 	github.com/liquidweb/liquidweb-go v1.6.3 // indirect
 	github.com/looplab/fsm v0.1.0 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mailgun/minheap v0.0.0-20170619185613-3dbe6c6bf55f // indirect
 	github.com/mailgun/multibuf v0.1.2 // indirect
 	github.com/mailgun/timetools v0.0.0-20141028012446-7e6055773c51 // indirect
@@ -246,8 +275,9 @@ require (
 	github.com/miekg/pkcs11 v1.0.3 // indirect
 	github.com/mimuret/golang-iij-dpf v0.7.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
-	github.com/mitchellh/reflectwalk v1.0.1 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/buildkit v0.8.2-0.20210401015549-df49b648c8bf // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/sys/mount v0.2.0 // indirect
@@ -256,6 +286,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
 	github.com/nrdcg/auroradns v1.1.0 // indirect
 	github.com/nrdcg/desec v0.6.0 // indirect
@@ -268,7 +299,7 @@ require (
 	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
-	github.com/opencontainers/runc v1.0.2 // indirect
+	github.com/opencontainers/runc v1.0.3 // indirect
 	github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492 // indirect
 	github.com/oracle/oci-go-sdk v24.3.0+incompatible // indirect
 	github.com/ovh/go-ovh v1.1.0 // indirect
@@ -277,6 +308,7 @@ require (
 	github.com/pquerna/otp v1.3.0 // indirect
 	github.com/prometheus/common v0.35.0 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/rs/cors v1.7.0 // indirect
 	github.com/sacloud/api-client-go v0.2.1 // indirect
 	github.com/sacloud/go-http v0.1.2 // indirect
 	github.com/sacloud/iaas-api-go v1.3.2 // indirect
@@ -285,15 +317,14 @@ require (
 	github.com/santhosh-tekuri/jsonschema v1.2.4 // indirect
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.9 // indirect
 	github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 // indirect
-	github.com/segmentio/fasthash v1.0.3 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
 	github.com/softlayer/softlayer-go v1.0.6 // indirect
 	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
 	github.com/spf13/cast v1.3.1 // indirect
-	github.com/spf13/cobra v1.2.1 // indirect
+	github.com/spf13/cobra v1.4.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.4.0 // indirect
+	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.490 // indirect
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.490 // indirect
 	github.com/theupdateframework/notary v0.6.1 // indirect
@@ -309,27 +340,33 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/yandex-cloud/go-genproto v0.0.0-20220805142335-27b56ddae16f // indirect
 	github.com/yandex-cloud/go-sdk v0.0.0-20220805164847-cf028e604997 // indirect
+	github.com/zeebo/errs v1.2.2 // indirect
 	go.elastic.co/apm/module/apmhttp v1.13.1 // indirect
 	go.elastic.co/fastjson v1.1.0 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.4 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.4 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.4 // indirect
 	go.opencensus.io v0.23.0 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.1 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.33.0 // indirect
+	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.8.0 // indirect
 	go.uber.org/ratelimit v0.2.0 // indirect
-	go.uber.org/zap v1.18.1 // indirect
-	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f // indirect
+	go.uber.org/zap v1.21.0 // indirect
+	go4.org/intern v0.0.0-20211027215823-ae77deb06f29 // indirect
+	go4.org/unsafe/assume-no-moving-gc v0.0.0-20220617031537-928513b29760 // indirect
+	golang.org/x/crypto v0.1.0 // indirect
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab // indirect
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/term v0.3.0 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	google.golang.org/api v0.44.0 // indirect
+	google.golang.org/api v0.57.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20211021150943-2b146023228c // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
+	google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.66.6 // indirect
 	gopkg.in/ns1/ns1-go.v2 v2.6.5 // indirect
@@ -337,10 +374,13 @@ require (
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	howett.net/plist v0.0.0-20181124034731-591f970eefbb // indirect
-	k8s.io/klog/v2 v2.10.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
-	sigs.k8s.io/yaml v1.2.0 // indirect
+	inet.af/netaddr v0.0.0-20220617031823-097006376321 // indirect
+	k8s.io/klog/v2 v2.70.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
+	nhooyr.io/websocket v1.8.7 // indirect
+	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )

 // Containous forks
@@ -357,3 +397,5 @@ replace github.com/jaguilar/vt100 => github.com/tonistiigi/vt100 v0.0.0-20190402
 // ambiguous import: found package github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/http in multiple modules
 // tencentcloud uses monorepo with multimodule but the go.mod files are incomplete.
 exclude github.com/tencentcloud/tencentcloud-sdk-go v3.0.83+incompatible
+
+// replace github.com/go-logr/logr => github.com/go-logr/logr v0.4.0
--- a/go.sum
+++ b/go.sum
--- a/integration/access_log_test.go
+++ b/integration/access_log_test.go
@@ -12,8 +12,8 @@ import (
 	"time"

 	"github.com/go-check/check"
+	"github.com/rs/zerolog/log"
 	"github.com/traefik/traefik/v2/integration/try"
-	"github.com/traefik/traefik/v2/pkg/log"
 	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
 	checker "github.com/vdemeester/shakers"
 )
@@ -54,7 +54,7 @@ func (s *AccessLogSuite) TestAccessLog(c *check.C) {
 	defer func() {
 		traefikLog, err := os.ReadFile(traefikTestLogFile)
 		c.Assert(err, checker.IsNil)
-		log.WithoutContext().Info(string(traefikLog))
+		log.Info().Msg(string(traefikLog))
 	}()

 	err := cmd.Start()
@@ -262,7 +262,7 @@ func digestParts(resp *http.Response) map[string]string {
 func getMD5(data string) string {
 	digest := md5.New()
 	if _, err := digest.Write([]byte(data)); err != nil {
-		log.WithoutContext().Error(err)
+		log.Error().Err(err).Send()
 	}
 	return fmt.Sprintf("%x", digest.Sum(nil))
 }
@@ -270,7 +270,7 @@ func getMD5(data string) string {
 func getCnonce() string {
 	b := make([]byte, 8)
 	if _, err := io.ReadFull(rand.Reader, b); err != nil {
-		log.WithoutContext().Error(err)
+		log.Error().Err(err).Send()
 	}
 	return fmt.Sprintf("%x", b)[:16]
 }
@@ -435,7 +435,7 @@ func (s *AccessLogSuite) TestAccessLogBackendNotFound(c *check.C) {
 	checkNoOtherTraefikProblems(c)
 }

-func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
+func (s *AccessLogSuite) TestAccessLogFrontendAllowlist(c *check.C) {
 	ensureWorkingDirectoryIsClean()

 	expected := []accessLogValue{
@@ -443,7 +443,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
 			formatOnly: false,
 			code:       "403",
 			user:       "-",
-			routerName: "rt-frontendWhitelist",
+			routerName: "rt-frontendAllowlist",
 			serviceURL: "-",
 		},
 	}
@@ -458,7 +458,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {

 	checkStatsForLogFile(c)

-	waitForTraefik(c, "frontendWhitelist")
+	waitForTraefik(c, "frontendAllowlist")

 	// Verify Traefik started OK
 	checkTraefikStarted(c)
@@ -466,7 +466,7 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
 	// Test rate limit
 	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
 	c.Assert(err, checker.IsNil)
-	req.Host = "frontend.whitelist.docker.local"
+	req.Host = "frontend.allowlist.docker.local"

 	err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(http.StatusForbidden), try.HasBody())
 	c.Assert(err, checker.IsNil)
--- a/integration/consul_test.go
+++ b/integration/consul_test.go
@@ -102,7 +102,6 @@ func (s *ConsulSuite) TestSimpleConfiguration(c *check.C) {
 		"traefik/http/middlewares/compressor/compress":            "",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/0": "foo",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/1": "bar",
-		"traefik/http/middlewares/striper/stripPrefix/forceSlash": "true",
 	}

 	for k, v := range data {
--- a/integration/etcd_test.go
+++ b/integration/etcd_test.go
@@ -97,7 +97,6 @@ func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
 		"traefik/http/middlewares/compressor/compress":            "",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/0": "foo",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/1": "bar",
-		"traefik/http/middlewares/striper/stripPrefix/forceSlash": "true",
 	}

 	for k, v := range data {
--- a/integration/fake_dns_server.go
+++ b/integration/fake_dns_server.go
@@ -6,7 +6,7 @@ import (
 	"os"

 	"github.com/miekg/dns"
-	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/rs/zerolog/log"
 )

 type handler struct {
@@ -17,14 +17,12 @@ type handler struct {
 // Simplified version of the Challenge Test Server from Boulder
 // https://github.com/letsencrypt/boulder/blob/a6597b9f120207eff192c3e4107a7e49972a0250/test/challtestsrv/dnsone.go#L40
 func (s *handler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	logger := log.WithoutContext()
-
 	m := new(dns.Msg)
 	m.SetReply(r)
 	m.Compress = false

 	for _, q := range r.Question {
-		logger.Infof("Query -- [%s] %s", q.Name, dns.TypeToString[q.Qtype])
+		log.Info().Msgf("Query -- [%s] %s", q.Name, dns.TypeToString[q.Qtype])

 		switch q.Qtype {
 		case dns.TypeA:
@@ -94,7 +92,7 @@ func (s *handler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	m.Ns = append(m.Ns, auth)

 	if err := w.WriteMsg(m); err != nil {
-		logger.Fatalf("Failed to write message %v", err)
+		log.Fatal().Err(err).Msg("Failed to write message")
 	}
 }

@@ -106,9 +104,9 @@ func startFakeDNSServer(traefikIP string) *dns.Server {
 	}

 	go func() {
-		log.WithoutContext().Infof("Start a fake DNS server.")
+		log.Info().Msg("Start a fake DNS server.")
 		if err := srv.ListenAndServe(); err != nil {
-			log.WithoutContext().Fatalf("Failed to set udp listener %v", err)
+			log.Fatal().Err(err).Msg("Failed to set udp listener")
 		}
 	}()

--- a/integration/fixtures/acme/acme_base.toml
+++ b/integration/fixtures/acme/acme_base.toml
@@ -4,6 +4,7 @@

 [log]
  level = "DEBUG"
+  noColor = true

 [entryPoints]
  [entryPoints.web]
--- a/integration/fixtures/acme/acme_domains.toml
+++ b/integration/fixtures/acme/acme_domains.toml
@@ -4,6 +4,7 @@

 [log]
  level = "DEBUG"
+  noColor = true

 [entryPoints]
  [entryPoints.web]
--- a/integration/fixtures/acme/acme_multiple_resolvers.toml
+++ b/integration/fixtures/acme/acme_multiple_resolvers.toml
@@ -4,6 +4,7 @@

 [log]
  level = "DEBUG"
+  noColor = true

 [entryPoints]
  [entryPoints.web]
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Moulard	e54ee89330	Prepare release v3.0.0-beta2	2022-12-07 17:26:04 +01:00
Simon Delicata	fdd3f2abef	Moves HTTP/3 outside the experimental section	2022-12-07 17:02:05 +01:00
Tom Moulard	517917cd7c	Merge current v2.9 into master	2022-12-07 15:55:46 +01:00
Tom Moulard	d97d3a6726	Prepare release v2.9.6	2022-12-07 15:14:05 +01:00
Tom Moulard	6c75052a13	Change traefik cmd error log to error level	2022-12-07 11:34:06 +01:00
Ludovic Fernandez	a8df674dcf	fix: flaky tests	2022-12-07 10:56:05 +01:00
Ludovic Fernandez	abd569701f	fix: update golang.org/x/net	2022-12-07 10:02:04 +01:00
mpl	7e3fe48b80	Handle broken TLS conf better Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com> Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-12-06 18:28:05 +01:00
Tom Moulard	8cf9385938	Rework Host and HostRegexp matchers Co-authored-by: Simon Delicata <simon.delicata@traefik.io>	2022-12-06 10:40:06 +01:00
Romain	519ed8bde5	Prepare release v3.0.0-beta1	2022-12-05 16:58:04 +01:00
romain	46a61ce9c8	Merge remote-tracking branch 'upstream/v2.9' into merge-branch-v2.9-into-master	2022-12-05 15:23:06 +01:00
Ludovic Fernandez	778188ed34	fix: remove logs of the request	2022-12-05 11:30:05 +01:00
Nicolas Mengin	88603810a8	Add information about the Hub Agent	2022-12-01 14:30:06 +01:00
mloiseleur	c7647b4938	doc: Update Helm installation section	2022-12-01 10:10:05 +01:00
Janik	af71443b61	Added networking example	2022-11-30 15:04:05 +01:00
Ludovic Fernandez	c57876c116	Improve provider logs	2022-11-30 09:50:05 +01:00
Tom Moulard	0d81fac3fc	Add OpenTelemetry tracing and metrics support	2022-11-29 15:34:05 +01:00
Simon Delicata	db287c4d31	Disable Content-Type auto-detection by default	2022-11-29 11:48:05 +01:00
Antoine	4d86668af3	Update routing syntax Co-authored-by: Tom Moulard <tom.moulard@traefik.io>	2022-11-28 15:48:05 +01:00
Fernandez Ludovic	b93141992e	Merge branch v2.9 into master	2022-11-28 09:01:53 +01:00
Ludovic Fernandez	18d66d7432	Update go-acme/lego to v4.9.1	2022-11-28 08:48:04 +01:00
Simon Delicata	a3e4c85ec0	Remove deprecated options	2022-11-25 10:50:06 +01:00
Ludovic Fernandez	bee86b5ac7	fix: log level	2022-11-25 09:52:04 +01:00
Ludovic Fernandez	0ba51d62fa	fix: flaky with shutdown tests	2022-11-24 17:06:07 +01:00
Kevin Pollet	268d1edc8f	Fix flaky healthcheck test	2022-11-24 16:32:05 +01:00
Ludovic Fernandez	580e7fa774	fix: flaky tests on the configuration watcher	2022-11-24 16:00:06 +01:00
Romain	7c72780820	Add missing serialNumber passTLSClientCert option to middleware panel	2022-11-24 12:30:05 +01:00
Ali Afsharzadeh	46c266661c	Add a status option to the service health check	2022-11-24 11:40:05 +01:00
Fernandez Ludovic	61325d7b91	Merge branch v2.9 into master	2022-11-23 17:30:49 +01:00
Kevin Pollet	68e8eb2435	Update k3s image to rancher/k3s:v1.20.15-k3s1	2022-11-23 17:28:04 +01:00
Kevin Pollet	3f8aa13e68	Fix error when setting ServerUp metric labels	2022-11-23 16:04:05 +01:00
Ludovic Fernandez	08279047ae	Improve test logger assertions	2022-11-23 12:14:04 +01:00
Ludovic Fernandez	3dd4968c41	Retry on plugin API calls	2022-11-23 11:42:04 +01:00
Fernandez Ludovic	ba1ca68977	Merge branch v2.9 into master	2022-11-23 09:22:52 +01:00
Ludovic Fernandez	81a5b1b4c8	Increase the timeout on plugin download	2022-11-22 18:30:05 +01:00
Romain	52e6ce95cf	Update DataDog tracing dependency to v1.43.1	2022-11-22 15:12:06 +01:00
Jérôme Guiard	d547718fdd	Support of allowEmptyServices in TraefikService	2022-11-22 10:18:04 +01:00
Ludovic Fernandez	56f7515ecd	New logger for the Traefik logs	2022-11-21 18:36:05 +01:00
mpl	af4e74c39d	doc: clarify PathPrefix greediness	2022-11-21 17:30:06 +01:00
xmessi	27c02b5a56	Log TLS client subject	2022-11-21 10:18:05 +01:00
Romain	f6b7940b76	Prepare release v2.9.5 (#9513 )	2022-11-17 15:57:23 +01:00
Simon Delicata	f1b91a119d	Create a new capture instance for each incoming request Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-11-17 10:26:06 +01:00
Romain	630de7481e	Support SNI routing with Postgres STARTTLS connections Co-authored-by: Michael Kuhnt <michael.kuhnt@daimler.com> Co-authored-by: Julien Salleyron <julien@containo.us> Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-11-16 15:34:10 +01:00
Julien Salleyron	fadee5e87b	Rework servers load-balancer to use the WRR Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-11-16 11:38:07 +01:00
sven	35d8281f4d	docs(contributing): enhance wording of building-testing page	2022-11-15 19:34:04 +01:00
Greg	67d9c8da0b	Add support for Brotli Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com> Co-authored-by: Tom Moulard <tom.moulard@traefik.io> Co-authored-by: Romain <rtribotte@users.noreply.github.com> Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-11-15 10:56:08 +01:00
sven	00de5c711a	docs(contributing): add link descriptions and update wording	2022-11-15 10:28:07 +01:00
Charlie Haley	b935c80dbd	docs: update helm repository	2022-11-14 16:04:16 +01:00
tfny	22c6630412	Removes the experimental tag on the Traefik Hub header	2022-11-09 00:12:05 +01:00
mloiseleur	1a1cfd1adc	Update and publish official Grafana Dashboard	2022-11-08 15:32:06 +01:00
Ngọc Long	240fb871b6	Support gRPC and gRPC-Web protocol in metrics	2022-11-08 10:52:09 +01:00
Kevin Pollet	b2c4221429	Update vulcand/oxy to v1.4.2	2022-11-07 10:28:08 +01:00
Ludovic Fernandez	d131ef57da	chore: update nhooyr.io/websocket	2022-11-03 16:30:08 +01:00
Ludovic Fernandez	97de552e06	chore: update github.com/opencontainers/runc	2022-11-03 16:28:05 +01:00
kevinpollet	281fa25844	Merge branch v2.9 into master	2022-10-28 09:22:36 +02:00
Fernandez Ludovic	454f552691	Prepare release v2.9.4	2022-10-27 20:40:05 +02:00
Julien Salleyron	bd3eaf4f5e	Add GrpcWeb middleware Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-10-27 17:34:06 +02:00
Ludovic Fernandez	7a6bfd3336	chore: change TCP middleware package	2022-10-26 17:42:07 +02:00
Wambugu	1b9873cae9	Renaming IPWhiteList to IPAllowList	2022-10-26 17:16:05 +02:00
Fernandez Ludovic	e86f21ae7b	Merge branch 'v2.9' into master	2022-10-24 11:24:41 +02:00
Julien Levesy	194247caae	Check if default servers transport spiffe config is not nil	2022-10-18 10:28:07 +02:00
kevinpollet	cd0654026a	Merge branch v2.9 into master	2022-10-17 18:53:37 +02:00
Julien Levesy	b39ce8cc58	Support SPIFFE mTLS between Traefik and Backend servers	2022-10-14 17:16:08 +02:00
Kevin Pollet	33f0aed5ea	Support custom headers when fetching configuration through HTTP	2022-10-14 15:10:10 +02:00
kalle (jag)	188ef84c4f	Allow to define default entrypoints (for HTTP/TCP)	2022-10-11 09:36:08 +02:00
kevinpollet	a5c520664a	Merge branch v2.9 into master	2022-10-06 16:40:09 +02:00
Kevin Pollet	38d7011487	Add Tailscale certificate resolver Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-09-30 15:20:08 +02:00
jjacque	033fccccc7	Support gRPC healthcheck	2022-09-20 16:54:08 +02:00
Michael Hampton	df99a9fb57	Add option to keep only healthy ECS tasks	2022-09-20 15:42:08 +02:00
Thomas Harris	d6b69e1347	Support multiple namespaces in the Nomad Provider	2022-09-19 16:26:08 +02:00
romain	4bd055cf97	Merge branch v2.9 into master	2022-09-19 13:52:58 +02:00