Prepare release v3.3.7

Add SpanID and TraceID accessLogs fields only when tracing is enabled
Prepare release v3.3.6
2025-09-09 17:44:30 +03:00 · 2025-05-05 10:38:04 +02:00 · 2025-04-28 14:26:05 +02:00 · 2025-04-18 11:10:04 +02:00 · 2025-04-18 10:45:03 +02:00 · 2025-04-18 10:42:04 +02:00
917 changed files with 95408 additions and 33128 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: traefik
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
 - for Traefik v2: use branch v2.11
- for Traefik v3: use branch v3.0
+- for Traefik v3: use branch v3.3

 Bug fixes:
 - for Traefik v2: use branch v2.11
- for Traefik v3: use branch v3.0
+- for Traefik v3: use branch v3.3

 Enhancements:
 - for Traefik v2: we only accept bug fixes
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -4,38 +4,48 @@ on:
  pull_request:
    branches:
      - '*'
+    paths-ignore:
+      - 'docs/**'
+      - '**.md'
+      - 'script/gcg/**'

 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
  CGO_ENABLED: 0

 jobs:

  build-webui:
-    runs-on: ubuntu-22.04
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Build webui
-        run: |
-          make clean-webui generate-webui
-          tar czvf webui.tar.gz ./webui/static/
-
-      - name: Artifact webui
-        uses: actions/upload-artifact@v4
-        with:
-          name: webui.tar.gz
-          path: webui.tar.gz
+    uses: ./.github/workflows/template-webui.yaml

  build:
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
+
    strategy:
      matrix:
-        os: [ ubuntu-22.04, macos-latest, windows-latest ]
+        os: [ darwin, freebsd, linux, openbsd, windows ]
+        arch: [ amd64, arm64 ]
+        include:
+          - os: freebsd
+            arch: 386
+          - os: linux
+            arch: 386
+          - os: linux
+            arch: arm
+            goarm: 6
+          - os: linux
+            arch: arm
+            goarm: 7
+          - os: linux
+            arch: ppc64le
+          - os: linux
+            arch: riscv64
+          - os: linux
+            arch: s390x
+          - os: openbsd
+            arch: 386
+          - os: windows
+            arch: 386
    needs:
      - build-webui

@@ -47,8 +57,11 @@ jobs:

      - name: Set up Go ${{ env.GO_VERSION }}
        uses: actions/setup-go@v5
+        env:
+          ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
        with:
          go-version: ${{ env.GO_VERSION }}
+          check-latest: true

      - name: Artifact webui
        uses: actions/download-artifact@v4
@@ -56,7 +69,13 @@ jobs:
          name: webui.tar.gz

      - name: Untar webui
-        run: tar xvf webui.tar.gz
+        run: |
+          tar xvf webui.tar.gz
+          rm webui.tar.gz

      - name: Build
+        env:
+          GOOS: ${{ matrix.os }}
+          GOARCH: ${{ matrix.arch }}
+          GOARM: ${{ matrix.goarm }}
        run: make binary
--- a/.github/workflows/check_doc.yml
+++ b/.github/workflows/check_doc.yml
@@ -9,7 +9,7 @@ jobs:

  docs:
    name: Check, verify and build documentation
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -30,9 +30,15 @@ jobs:
    - name: Checkout repository
      uses: actions/checkout@v4

+    - name: setup go
+      uses: actions/setup-go@v5
+      if: ${{ matrix.language == 'go' }}
+      with:
+        go-version-file: 'go.mod'
+
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -46,7 +52,7 @@ jobs:
    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -59,6 +65,6 @@ jobs:
    #     ./location_of_script_within_repo/buildscript.sh

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -14,7 +14,7 @@ jobs:

  docs:
    name: Doc Process
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    if: github.repository == 'traefik/traefik'

    steps:
@@ -24,7 +24,7 @@ jobs:
          fetch-depth: 0

      - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
--- a/.github/workflows/experimental.yaml
+++ b/.github/workflows/experimental.yaml
@@ -7,32 +7,33 @@ on:
      - v*

 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
  CGO_ENABLED: 0

 jobs:

+  build-webui:
+    if: github.repository == 'traefik/traefik'
+    uses: ./.github/workflows/template-webui.yaml
+
  experimental:
    if: github.repository == 'traefik/traefik'
    name: Build experimental image on branch
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
-
-      # https://github.com/marketplace/actions/checkout
      - name: Check out code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

-      - name: Build webui
-        run: |
-          make clean-webui generate-webui
-
      - name: Set up Go ${{ env.GO_VERSION }}
        uses: actions/setup-go@v5
+        env:
+          ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
        with:
          go-version: ${{ env.GO_VERSION }}
+          check-latest: true

      - name: Build
        run: make generate binary
@@ -47,10 +48,20 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v4
+        with:
+          name: webui.tar.gz
+
+      - name: Untar webui
+        run: |
+          tar xvf webui.tar.gz
+          rm webui.tar.gz

      - name: Build docker experimental image
        env:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,138 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+env:
+  GO_VERSION: '1.23'
+  CGO_ENABLED: 0
+  VERSION: ${{ github.ref_name }}
+  TRAEFIKER_EMAIL: "traefiker@traefik.io"
+  CODENAME: saintnectaire
+
+jobs:
+
+  build-webui:
+    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
+    uses: ./.github/workflows/template-webui.yaml
+
+  build:
+    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin, windows-amd64, windows-arm64, windows-386, freebsd, openbsd ]
+    needs:
+      - build-webui
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        env:
+          # Ensure cache consistency on Linux, see https://github.com/actions/setup-go/pull/383
+          ImageOS: ${{ matrix.os }}
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v4
+        with:
+          name: webui.tar.gz
+
+      - name: Untar webui
+        run: |
+          tar xvf webui.tar.gz
+          rm webui.tar.gz
+
+      - name: Go generate
+        run: go generate
+
+
+      - name: Generate goreleaser file
+        run: |
+          GORELEASER_CONFIG_FILE_PATH=$(go run ./internal/release "${{ matrix.os }}")
+          echo "GORELEASER_CONFIG_FILE_PATH=$GORELEASER_CONFIG_FILE_PATH" >> $GITHUB_ENV
+
+      - name: Build with goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          # 'latest', 'nightly', or a semver
+          version: '~> v2'
+          args: release --clean --timeout="90m" --config "${{ env.GORELEASER_CONFIG_FILE_PATH }}"
+
+      - name: Artifact binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.os }}-binaries
+          path: |
+            dist/**/*_checksums.txt
+            dist/**/*.tar.gz
+            dist/**/*.zip
+          retention-days: 1
+
+  release:
+    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
+    runs-on: ubuntu-latest
+
+    needs:
+      - build
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v4
+        with:
+          name: webui.tar.gz
+
+      - name: Untar webui
+        run: |
+          tar xvf webui.tar.gz
+          rm webui.tar.gz
+
+      - name: Retrieve the secret and decode it to a file
+        env:
+          TRAEFIKER_RSA: ${{ secrets.TRAEFIKER_RSA }}
+        run: |
+          mkdir -p ~/.ssh
+          echo "${TRAEFIKER_RSA}" | base64 --decode > ~/.ssh/traefiker_rsa
+
+      - name: Download All Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: dist/
+          pattern: "*-binaries"
+          merge-multiple: true
+
+      - name: Publish Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          cat dist/**/*_checksums.txt >> "dist/traefik_${VERSION}_checksums.txt"
+          rm dist/**/*_checksums.txt
+          tar cfz "dist/traefik-${VERSION}.src.tar.gz" \
+            --exclude-vcs \
+            --exclude .idea \
+            --exclude .travis \
+            --exclude .semaphoreci \
+            --exclude .github \
+            --exclude dist .
+          
+          chown -R "$(id -u)":"$(id -g)" dist/
+          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION}
+          
+          ./script/deploy.sh
+
--- a/.github/workflows/sync-docker-images.yaml
+++ b/.github/workflows/sync-docker-images.yaml
@@ -0,0 +1,26 @@
+name: Sync Docker Images
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *" # Run every day
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    if: github.repository == 'traefik/traefik'
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: imjasonh/setup-crane@v0.4
+      
+      - name: Sync
+        run: |
+          EXCLUDED_TAGS="1.7.9-alpine v1.0.0-beta.392 v1.0.0-beta.404 v1.0.0-beta.704 v1.0.0-rc1 v1.7.9-alpine"
+          EXCLUDED_REGEX=$(echo $EXCLUDED_TAGS | sed 's/ /|/g')
+          diff <(crane ls traefik) <(crane ls ghcr.io/traefik/traefik) | grep '^<' | awk '{print $2}' | while read -r tag; do [[ "$tag" =~ ^($EXCLUDED_REGEX)$ ]] || (echo "Processing image: traefik:$tag"; crane cp "traefik:$tag" "ghcr.io/traefik/traefik:$tag"); done
+          crane cp traefik:latest ghcr.io/traefik/traefik:latest
--- a/.github/workflows/template-webui.yaml
+++ b/.github/workflows/template-webui.yaml
@@ -0,0 +1,37 @@
+name: Build Web UI
+on:
+  workflow_call: {}
+jobs:
+
+  build-webui:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: webui/.nvmrc
+          cache: yarn
+          cache-dependency-path: webui/yarn.lock
+
+      - name: Build webui
+        working-directory: ./webui
+        run: |
+          yarn install
+          yarn build
+
+      - name: Package webui
+        run: |
+          tar czvf webui.tar.gz ./webui/static/
+
+      - name: Artifact webui
+        uses: actions/upload-artifact@v4
+        with:
+          name: webui.tar.gz
+          path: webui.tar.gz
+          retention-days: 1
--- a/.github/workflows/test-conformance.yaml
+++ b/.github/workflows/test-conformance.yaml
@@ -5,17 +5,19 @@ on:
    branches:
      - '*'
    paths:
+      - '.github/workflows/test-conformance.yaml'
      - 'pkg/provider/kubernetes/gateway/**'
+      - 'integration/fixtures/k8s-conformance/**'
      - 'integration/k8s_conformance_test.go'

 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
  CGO_ENABLED: 0

 jobs:

  test-conformance:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
@@ -31,12 +33,7 @@ jobs:
      - name: Avoid generating webui
        run: touch webui/static/index.html

-      - name: Build binary
-        run: make binary
-
-      - name: Setcap
+      - name: K8s Gateway API conformance test and report
        run: |
-          sudo setcap 'cap_net_bind_service=+ep' dist/linux/amd64/traefik
-
-      - name: K8s Gateway API conformance test
-        run: make test-gateway-api-conformance-ci
+          make test-gateway-api-conformance
+          git diff --exit-code
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@@ -4,15 +4,19 @@ on:
  pull_request:
    branches:
      - '*'
+    paths-ignore:
+      - 'docs/**'
+      - '**.md'
+      - 'script/gcg/**'

 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
  CGO_ENABLED: 0

 jobs:

  build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
@@ -24,6 +28,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
+          check-latest: true

      - name: Avoid generating webui
        run: touch webui/static/index.html
@@ -32,14 +37,14 @@ jobs:
        run: make binary

  test-integration:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    needs:
      - build
    strategy:
      fail-fast: true
      matrix:
        parallel: [12]
-        index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 , 11]
+        index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]

    steps:
      - name: Check out code
@@ -51,6 +56,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
+          check-latest: true

      - name: Avoid generating webui
        run: touch webui/static/index.html
@@ -60,7 +66,7 @@ jobs:

      - name: Generate go test Slice
        id: test_split
-        uses: hashicorp-forge/go-test-split-action@v1
+        uses: hashicorp-forge/go-test-split-action@v2.0.0
        with:
          packages: ./integration
          total: ${{ matrix.parallel }}
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -4,14 +4,18 @@ on:
  pull_request:
    branches:
      - '*'
+    paths-ignore:
+      - 'docs/**'
+      - '**.md'
+      - 'script/gcg/**'

 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'

 jobs:

  test-unit:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
@@ -23,9 +27,31 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
+          check-latest: true

      - name: Avoid generating webui
        run: touch webui/static/index.html

      - name: Tests
        run: make test-unit
+
+  test-ui-unit:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Node.js ${{ env.NODE_VERSION }}
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: webui/.nvmrc
+          cache: 'yarn'
+          cache-dependency-path: webui/yarn.lock
+
+      - name: UI unit tests
+        run: |
+          yarn --cwd webui install
+          yarn --cwd webui test:unit:ci
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -6,14 +6,14 @@ on:
      - '*'

 env:
-  GO_VERSION: '1.22'
-  GOLANGCI_LINT_VERSION: v1.56.2
-  MISSSPELL_VERSION: v0.4.1
+  GO_VERSION: '1.23'
+  GOLANGCI_LINT_VERSION: v2.0.2
+  MISSPELL_VERSION: v0.6.0

 jobs:

-  validate:
-    runs-on: ubuntu-22.04
+  lint:
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
@@ -25,21 +25,39 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
+          check-latest: true

-      - name: Install golangci-lint ${{ env.GOLANGCI_LINT_VERSION }}
-        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v7
+        with:
+          version: "${{ env.GOLANGCI_LINT_VERSION }}"

-      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
-        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
+  validate:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: Install misspell ${{ env.MISSPELL_VERSION }}
+        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/HEAD/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}

      - name: Avoid generating webui
        run: touch webui/static/index.html

      - name: Validate
-        run: make validate
+        run: make validate-files

  validate-generate:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
@@ -51,6 +69,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
+          check-latest: true

      - name: go generate
        run: |
--- a/.gitignore
+++ b/.gitignore
@@ -19,4 +19,4 @@ plugins-storage/
 plugins-local/
 traefik_changelog.md
 integration/tailscale.secret
-integration/conformance-reports/
+integration/conformance-reports/**/experimental-dev-default-report.yaml
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,285 +1,324 @@
-run:
-  timeout: 10m
-  skip-files: []
-  skip-dirs:
-    - pkg/provider/kubernetes/crd/generated/
+version: "2"

-linters-settings:
-  govet:
-    enable-all: true
-    disable:
-      - shadow
-      - fieldalignment
-  gocyclo:
-    min-complexity: 14
-  goconst:
-    min-len: 3
-    min-occurrences: 4
-  misspell:
-    locale: US
-  funlen:
-    lines: -1
-    statements: 120
-  forbidigo:
-    forbid:
-      - ^print(ln)?$
-      - ^spew\.Print(f|ln)?$
-      - ^spew\.Dump$
-  depguard:
-    rules:
-      main:
-        deny:
-          - pkg: "github.com/instana/testify"
-            desc: not allowed
-          - pkg: "github.com/pkg/errors"
-            desc: Should be replaced by standard lib errors package
-          - pkg: "k8s.io/api/networking/v1beta1"
-            desc: This API is deprecated
-          - pkg: "k8s.io/api/extensions/v1beta1"
-            desc: This API is deprecated
-  godox:
-    keywords:
-      - FIXME
-  importas:
-    no-unaliased: true
-    alias:
-      - alias: composeapi
-        pkg: github.com/docker/compose/v2/pkg/api
+formatters:
+  enable:
+    - gci
+    - gofumpt
+  exclusions:
+    generated: lax
+    paths:
+      - pkg/provider/kubernetes/crd/generated/

-      # Standard Kubernetes rewrites:
-      - alias: corev1
-        pkg: "k8s.io/api/core/v1"
-      - alias: netv1
-        pkg: "k8s.io/api/networking/v1"
-      - alias: admv1
-        pkg: "k8s.io/api/admission/v1"
-      - alias: admv1beta1
-        pkg: "k8s.io/api/admission/v1beta1"
-      - alias: metav1
-        pkg: "k8s.io/apimachinery/pkg/apis/meta/v1"
-      - alias: ktypes
-        pkg: "k8s.io/apimachinery/pkg/types"
-      - alias: kerror
-        pkg: "k8s.io/apimachinery/pkg/api/errors"
-      - alias: kclientset
-        pkg: "k8s.io/client-go/kubernetes"
-      - alias: kinformers
-        pkg: "k8s.io/client-go/informers"
-      - alias: ktesting
-        pkg: "k8s.io/client-go/testing"
-      - alias: kschema
-        pkg: "k8s.io/apimachinery/pkg/runtime/schema"
-      - alias: kscheme
-        pkg: "k8s.io/client-go/kubernetes/scheme"
-      - alias: kversion
-        pkg: "k8s.io/apimachinery/pkg/version"
-      - alias: kubefake
-        pkg: "k8s.io/client-go/kubernetes/fake"
-      - alias: discoveryfake
-        pkg: "k8s.io/client-go/discovery/fake"
-
-      # Kubernetes Gateway rewrites:
-      - alias: gateclientset
-        pkg: "sigs.k8s.io/gateway-api/pkg/client/clientset/gateway/versioned"
-      - alias: gateinformers
-        pkg: "sigs.k8s.io/gateway-api/pkg/client/informers/gateway/externalversions"
-      - alias: gatev1alpha2
-        pkg: "sigs.k8s.io/gateway-api/apis/v1alpha2"
-
-      # Traefik Kubernetes rewrites:
-      - alias: traefikv1alpha1
-        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1"
-      - alias: traefikclientset
-        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned"
-      - alias: traefikinformers
-        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/informers/externalversions"
-      - alias: traefikscheme
-        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme"
-      - alias: traefikcrdfake
-        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake"
-  tagalign:
-    align: false
-    sort: true
-    order:
-      - description
-      - json
-      - toml
-      - yaml
-      - yml
-      - label
-      - label-slice-as-struct
-      - file
-      - kv
-      - export
-  revive:
-    rules:
-      - name: struct-tag
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: dot-imports
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: exported
-        disabled: true
-      - name: if-return
-      - name: increment-decrement
-      - name: var-naming
-      - name: var-declaration
-      - name: package-comments
-        disabled: true
-      - name: range
-      - name: receiver-naming
-      - name: time-naming
-      - name: unexported-return
-      - name: indent-error-flow
-      - name: errorf
-      - name: empty-block
-      - name: superfluous-else
-      - name: unused-parameter
-        disabled: true
-      - name: unreachable-code
-      - name: redefines-builtin-id
-  gomoddirectives:
-    replace-allow-list:
-      - github.com/abbot/go-http-auth
-      - github.com/gorilla/mux
-      - github.com/mailgun/minheap
-      - github.com/mailgun/multibuf
-      - github.com/jaguilar/vt100
-      - github.com/cucumber/godog
-  testifylint:
-    disable:
-      - suite-dont-use-pkg
-      - require-error
-      - go-require
-  staticcheck:
-    checks:
-      - all
-      - -SA1019
 linters:
-  enable-all: true
+  default: all
  disable:
-    - deadcode # deprecated
-    - exhaustivestruct # deprecated
-    - golint # deprecated
-    - ifshort # deprecated
-    - interfacer # deprecated
-    - maligned # deprecated
-    - nosnakecase # deprecated
-    - scopelint # deprecated
-    - scopelint # deprecated
-    - structcheck # deprecated
-    - varcheck # deprecated
-    - sqlclosecheck # not relevant (SQL)
-    - rowserrcheck # not relevant (SQL)
-    - execinquery # not relevant (SQL)
+    - bodyclose # too many false-positive
+    - containedctx # too many false-positive
+    - contextcheck # too many false-positive
    - cyclop # duplicate of gocyclo
-    - lll # Not relevant
-    - gocyclo # FIXME must be fixed
-    - gocognit # Too strict
-    - nestif # Too many false-positive.
-    - prealloc # Too many false-positive.
-    - makezero # Not relevant
    - dupl # Too strict
-    - gosec # Too strict
-    - gochecknoinits
-    - gochecknoglobals
-    - wsl # Too strict
-    - nlreturn # Not relevant
-    - gomnd # Too strict
-    - stylecheck # skip because report issues related to some generated files.
-    - testpackage # Too strict
-    - tparallel # Not relevant
-    - paralleltest # Not relevant
+    - err113 # Too strict
    - exhaustive # Not relevant
    - exhaustruct # Not relevant
-    - goerr113 # Too strict
-    - wrapcheck # Too strict
-    - noctx # Too strict
-    - bodyclose # too many false-positive
    - forcetypeassert # Too strict
-    - tagliatelle # Too strict
-    - varnamelen # Not relevant
-    - nilnil # Not relevant
-    - ireturn # Not relevant
-    - contextcheck # too many false-positive
-    - containedctx # too many false-positive
-    - maintidx # kind of duplicate of gocyclo
-    - nonamedreturns # Too strict
+    - gochecknoglobals
+    - gochecknoinits
+    - gocognit # Too strict
+    - gocyclo # FIXME must be fixed
+    - gosec # Too strict
    - gosmopolitan  # not relevant
+    - ireturn # Not relevant
+    - lll # Not relevant
+    - maintidx # kind of duplicate of gocyclo
+    - makezero # Not relevant
+    - mnd # Too strict
+    - nestif # Too many false-positive.
+    - nilnil # Not relevant
+    - nlreturn # Not relevant
+    - noctx # Too strict
+    - nonamedreturns # Too strict
+    - paralleltest # Not relevant
+    - prealloc # Too many false-positive.
+    - rowserrcheck # not relevant (SQL)
+    - sqlclosecheck # not relevant (SQL)
+    - tagliatelle # Too strict
+    - testpackage # Too strict
+    - tparallel # Not relevant
+    - varnamelen # Not relevant
+    - wrapcheck # Too strict
+    - wsl # Too strict
+
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: github.com/instana/testify
+              desc: not allowed
+            - pkg: github.com/pkg/errors
+              desc: Should be replaced by standard lib errors package
+    errcheck:
+      exclude-functions:
+        - fmt.Fprintln
+    forbidigo:
+      forbid:
+        - pattern: ^print(ln)?$
+        - pattern: ^spew\.Print(f|ln)?$
+        - pattern: ^spew\.Dump$
+    funlen:
+      lines: -1
+      statements: 120
+    goconst:
+      min-len: 3
+      min-occurrences: 4
+    gocyclo:
+      min-complexity: 14
+    godox:
+      keywords:
+        - FIXME
+    gomoddirectives:
+      toolchain-pattern: go1\.\d+\.\d+$
+      tool-forbidden: true
+      go-version-pattern: ^1\.\d+(\.0)?$
+      replace-allow-list:
+        - github.com/abbot/go-http-auth
+        - github.com/gorilla/mux
+        - github.com/mailgun/minheap
+        - github.com/mailgun/multibuf
+        - github.com/jaguilar/vt100
+        - github.com/cucumber/godog
+    govet:
+      enable-all: true
+      disable:
+        - shadow
+        - fieldalignment
+    importas:
+      no-unaliased: true
+      alias:
+        - pkg: github.com/docker/compose/v2/pkg/api
+          alias: composeapi
+
+        # Standard Kubernetes rewrites:
+        - pkg: k8s.io/api/core/v1
+          alias: corev1
+        - pkg: k8s.io/api/networking/v1
+          alias: netv1
+        - pkg: k8s.io/api/networking/v1beta1
+          alias: netv1beta1
+        - pkg: k8s.io/api/admission/v1
+          alias: admv1
+        - pkg: k8s.io/api/admission/v1beta1
+          alias: admv1beta1
+        - pkg: k8s.io/api/extensions/v1beta1
+          alias: extv1beta1
+        - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+          alias: metav1
+        - pkg: k8s.io/apimachinery/pkg/types
+          alias: ktypes
+        - pkg: k8s.io/apimachinery/pkg/api/errors
+          alias: kerror
+        - pkg: k8s.io/client-go/kubernetes
+          alias: kclientset
+        - pkg: k8s.io/client-go/informers
+          alias: kinformers
+        - pkg: k8s.io/client-go/testing
+          alias: ktesting
+        - pkg: k8s.io/apimachinery/pkg/runtime/schema
+          alias: kschema
+        - pkg: k8s.io/client-go/kubernetes/scheme
+          alias: kscheme
+        - pkg: k8s.io/apimachinery/pkg/version
+          alias: kversion
+        - pkg: k8s.io/client-go/kubernetes/fake
+          alias: kubefake
+        - pkg: k8s.io/client-go/discovery/fake
+          alias: discoveryfake
+
+        # Kubernetes Gateway rewrites:
+        - pkg: sigs.k8s.io/gateway-api/pkg/client/clientset/gateway/versioned
+          alias: gateclientset
+        - pkg: sigs.k8s.io/gateway-api/pkg/client/informers/gateway/externalversions
+          alias: gateinformers
+        - pkg: sigs.k8s.io/gateway-api/apis/v1alpha2
+          alias: gatev1alpha2
+
+        # Traefik Kubernetes rewrites:
+        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1
+          alias: traefikv1alpha1
+        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned
+          alias: traefikclientset
+        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/informers/externalversions
+          alias: traefikinformers
+        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme
+          alias: traefikscheme
+        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake
+          alias: traefikcrdfake
+    misspell:
+      locale: US
+    revive:
+      rules:
+        - name: struct-tag
+        - name: blank-imports
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: dot-imports
+        - name: error-return
+        - name: error-strings
+        - name: error-naming
+        - name: exported
+          disabled: true
+        - name: if-return
+        - name: increment-decrement
+        - name: var-naming
+        - name: var-declaration
+        - name: package-comments
+          disabled: true
+        - name: range
+        - name: receiver-naming
+        - name: time-naming
+        - name: unexported-return
+        - name: indent-error-flow
+        - name: errorf
+        - name: empty-block
+        - name: superfluous-else
+        - name: unused-parameter
+          disabled: true
+        - name: unreachable-code
+        - name: redefines-builtin-id
+    tagalign:
+      align: false
+      sort: true
+      order:
+        - description
+        - json
+        - toml
+        - yaml
+        - yml
+        - label
+        - label-slice-as-struct
+        - file
+        - kv
+        - export
+    testifylint:
+      disable:
+        - suite-dont-use-pkg
+        - require-error
+        - go-require
+    perfsprint:
+      err-error: true
+      errorf: true
+      sprintf1: true
+      strconcat: false
+    staticcheck:
+      checks:
+        - all
+        - '-SA1019'
+        - '-ST1000'
+        - '-ST1003'
+        - '-ST1016'
+        - '-ST1020'
+        - '-ST1021'
+        - '-ST1022'
+        - '-QF1001'
+        - '-QF1008' # TODO must be fixed
+
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - std-error-handling
+    rules:
+      - path: (.+)_test.go
+        linters:
+          - canonicalheader
+          - fatcontext
+          - funlen
+          - goconst
+          - godot
+      - path: (.+)_test.go
+        text: ' always receives '
+        linters:
+          - unparam
+      - path: pkg/server/service/bufferpool.go
+        text: 'SA6002: argument should be pointer-like to avoid allocations'
+      - path: pkg/server/middleware/middlewares.go
+        text: Function 'buildConstructor' has too many statements
+        linters:
+          - funlen
+      - path: pkg/tracing/haystack/logger.go
+        linters:
+          - goprintffuncname
+      - path: pkg/tracing/tracing.go
+        text: printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'
+        linters:
+          - goprintffuncname
+      - path: pkg/tls/tlsmanager_test.go
+        text: 'SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18'
+      - path: pkg/types/tls_test.go
+        text: 'SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18'
+      - path: pkg/provider/kubernetes/(crd|gateway)/client.go
+        linters:
+          - interfacebloat
+      - path: pkg/metrics/metrics.go
+        linters:
+          - interfacebloat
+      - path: integration/healthcheck_test.go
+        text: Duplicate words \(wsp2,\) found
+        linters:
+          - dupword
+      - path: pkg/types/domain_test.go
+        text: Duplicate words \(sub\) found
+        linters:
+          - dupword
+      - path: pkg/provider/kubernetes/gateway/client_mock_test.go
+        text: 'unusedwrite: unused write to field'
+        linters:
+          - govet
+      - path: pkg/provider/acme/local_store.go
+        linters:
+          - musttag
+      - path: pkg/tls/certificate.go
+        text: the methods of "Certificates" use pointer receiver and non-pointer receiver.
+        linters:
+          - recvcheck
+      - path: pkg/config/static/static_config.go
+        source: 'errors.New\("Consul Catalog provider'
+        text: 'ST1005: error strings should not be capitalized'
+      - path: pkg/config/static/static_config.go
+        source: 'errors.New\("Consul provider'
+        text: 'ST1005: error strings should not be capitalized'
+      - path: pkg/config/static/static_config.go
+        source: 'errors.New\("Nomad provider'
+        text: 'ST1005: error strings should not be capitalized'
+      - path: (.+)\.go
+        text: 'struct-tag: unknown option ''inline'' in JSON tag'
+        linters:
+          - revive
+      - path: (.+)\.go
+        text: 'struct-tag: unknown option ''omitzero'' in TOML tag'
+        linters:
+          - revive
+      - path: (.+)\.go$
+        text: 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
+      - path: (.+)\.go$
+        text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
+      - path: (.+)\.go$
+        text: 'SA1019: c.Providers.(ConsulCatalog|Consul|Nomad).Namespace is deprecated'
+      - path: (.+)\.go$
+        text: 'SA1019: dockertypes.ContainerNode is deprecated'
+      - path: pkg/provider/kubernetes/crd/kubernetes.go
+        text: "Function 'loadConfigurationFromCRD' has too many statements"
+        linters:
+          - funlen
+      - path: pkg/plugins/middlewarewasm.go
+        text: 'the methods of "wasmMiddlewareBuilder" use pointer receiver and non-pointer receiver.'
+        linters:
+          - recvcheck
+      - path: pkg/proxy/httputil/bufferpool.go
+        text: 'SA6002: argument should be pointer-like to avoid allocations'
+    paths:
+      - pkg/provider/kubernetes/crd/generated/

 issues:
-  exclude-use-default: false
  max-issues-per-linter: 0
  max-same-issues: 0
-  exclude:
-    - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
-    - "should have a package comment, unless it's in another file for this package"
-    - 'fmt.Sprintf can be replaced with string'
-  exclude-rules:
-    - path: '(.+)_test.go'
-      linters:
-        - goconst
-        - funlen
-        - godot
-    - path: '(.+)_test.go'
-      text: ' always receives '
-      linters:
-        - unparam
-    - path: '(.+)\.go'
-      text: 'struct-tag: unknown option ''inline'' in JSON tag'
-      linters:
-        - revive
-    - path: pkg/server/service/bufferpool.go
-      text: 'SA6002: argument should be pointer-like to avoid allocations'
-    - path: pkg/server/middleware/middlewares.go
-      text: "Function 'buildConstructor' has too many statements"
-      linters:
-        - funlen
-    - path: pkg/logs/haystack.go
-      linters:
-        - goprintffuncname
-    - path: pkg/tracing/tracing.go
-      text: "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
-      linters:
-        - goprintffuncname
-    - path: pkg/tls/tlsmanager_test.go
-      text: 'SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18'
-    - path: pkg/types/tls_test.go
-      text: 'SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18'
-    - path: pkg/provider/kubernetes/crd/kubernetes.go
-      text: 'SA1019: middleware.Spec.IPWhiteList is deprecated: please use IPAllowList instead.'
-    - path: pkg/server/middleware/tcp/middlewares.go
-      text: 'SA1019: config.IPWhiteList is deprecated: please use IPAllowList instead.'
-    - path: pkg/server/middleware/middlewares.go
-      text: 'SA1019: config.IPWhiteList is deprecated: please use IPAllowList instead.'
-    - path: pkg/provider/kubernetes/(crd|gateway)/client.go
-      linters:
-        - interfacebloat
-    - path: pkg/metrics/metrics.go
-      linters:
-        - interfacebloat
-    - path: integration/healthcheck_test.go
-      text: 'Duplicate words \(wsp2,\) found'
-      linters:
-        - dupword
-    - path: pkg/types/domain_test.go
-      text: 'Duplicate words \(sub\) found'
-      linters:
-        - dupword
-    - path: pkg/provider/kubernetes/crd/kubernetes.go
-      text: "Function 'loadConfigurationFromCRD' has too many statements"
-      linters:
-        - funlen
-    - path: pkg/provider/kubernetes/gateway/client_mock_test.go
-      text: 'unusedwrite: unused write to field'
-      linters:
-        - govet
-    - path: pkg/cli/deprecation.go
-      linters:
-        - goconst
-    - path: pkg/cli/loader_file.go
-      linters:
-        - goconst
--- a/.goreleaser.yml.tmpl
+++ b/.goreleaser.yml.tmpl
@@ -1,12 +1,11 @@
 project_name: traefik
+version: 2

+[[if .GOARCH]]
+dist: "./dist/[[ .GOOS ]]-[[ .GOARCH ]]"
+[[else]]
 dist: "./dist/[[ .GOOS ]]"
-
-[[ if eq .GOOS "linux" ]]
-before:
-  hooks:
-    - go generate
-[[ end ]]
+[[end]]

 builds:
  - binary: traefik
@@ -21,6 +20,9 @@ builds:
    goos:
      - "[[ .GOOS ]]"
    goarch:
+      [[if .GOARCH]]
+      - "[[ .GOARCH ]]"
+      [[else]]
      - amd64
      - '386'
      - arm
@@ -28,6 +30,7 @@ builds:
      - ppc64le
      - s390x
      - riscv64
+      [[end]]
    goarm:
      - '7'
      - '6'
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -1,63 +1,13 @@
 version: v1.0
-name: Traefik
+name: Traefik Release - deprecated
 agent:
  machine:
-    type: e1-standard-4
-    os_image: ubuntu2004
-
-fail_fast:
-  stop:
-    when: "branch != 'master'"
-
-auto_cancel:
-  queued:
-    when: "branch != 'master'"
-  running:
-    when: "branch != 'master'"
-
-global_job_config:
-  prologue:
-    commands:
-      - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
-      - sudo semgo go1.22
-      - export "GOPATH=$(go env GOPATH)"
-      - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
-      - export "PATH=${GOPATH}/bin:${PATH}"
-      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
-      - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.56.2
-      - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
-      - checkout
-      - cache restore traefik-$(checksum go.sum)
-
+    type: f1-standard-2
+    os_image: ubuntu2204
 blocks:
-  - name: Release
-    dependencies: []
-    run:
-      when: "tag =~ '.*'"
+  - name: 'Do nothing'
    task:
-      agent:
-        machine:
-          type: e1-standard-8
-          os_image: ubuntu2004
-      secrets:
-        - name: traefik
-      env_vars:
-        - name: GH_VERSION
-          value: 2.32.1
-        - name: CODENAME
-          value: "beaufort"
-      prologue:
-        commands:
-          - export VERSION=${SEMAPHORE_GIT_TAG_NAME}
-          - curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
-          - tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
-          - sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
-          - sudo rm -rf ~/.phpbrew ~/.kerl ~/.sbt ~/.nvm ~/.npm ~/.kiex /usr/lib/jvm /opt/az /opt/firefox /usr/lib/google-cloud-sdk ~/.rbenv ~/.pip_download_cache # Remove unnecessary data.
-          - sudo service docker stop && sudo umount /var/lib/docker && sudo service docker start # Unmounts the docker disk and the whole system disk is usable.
      jobs:
-        - name: Release
+        - name: 'Do nothing'
          commands:
-            - make release-packages
-            - gh release create ${SEMAPHORE_GIT_TAG_NAME} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${SEMAPHORE_GIT_TAG_NAME} --notes ${SEMAPHORE_GIT_TAG_NAME}
-            - ./script/deploy.sh
+            - echo "Do nothing"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -47,7 +47,7 @@ Further details of specific enforcement policies may be posted separately.

 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

-When an inapropriate behavior is reported, maintainers will discuss on the Maintainer's Discord before marking the message as "abuse". 
+When an inappropriate behavior is reported, maintainers will discuss on the Maintainer's Discord before marking the message as "abuse". 
 This conversation beforehand avoids one-sided decisions.

 The first message will be edited and marked as abuse.
--- a/5
+++ b/5
@@ -1,8 +1,7 @@
 # syntax=docker/dockerfile:1.2
-FROM alpine:3.19
+FROM alpine:3.21

-RUN apk --no-cache --no-progress add ca-certificates tzdata \
-    && rm -rf /var/cache/apk/*
+RUN apk add --no-cache --no-progress ca-certificates tzdata

 ARG TARGETPLATFORM
 COPY ./dist/$TARGETPLATFORM/traefik /
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS; 2020-2024 Traefik Labs
+Copyright (c) 2016-2020 Containous SAS; 2020-2025 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/36
+++ b/36
@@ -1,13 +1,10 @@
 SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/')

-TAG_NAME := $(shell git tag -l --contains HEAD)
+TAG_NAME := $(shell git describe --abbrev=0 --tags --exact-match)
 SHA := $(shell git rev-parse HEAD)
 VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
 VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))

-GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
-
-REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
 BIN_NAME := traefik
 CODENAME ?= cheddar

@@ -88,7 +85,7 @@ crossbinary-default: generate generate-webui

 .PHONY: test
 #? test: Run the unit and integration tests
-test: test-unit test-integration
+test: test-ui-unit test-unit test-integration

 .PHONY: test-unit
 #? test-unit: Run the unit tests
@@ -102,15 +99,16 @@ test-integration: binary

 .PHONY: test-gateway-api-conformance
 #? test-gateway-api-conformance: Run the conformance tests
-test-gateway-api-conformance: binary
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance=true $(TESTFLAGS)
-
-## TODO: Need to be fixed to work in all situations.
-.PHONY: test-gateway-api-conformance-ci
-#? test-gateway-api-conformance-ci: Run the conformance tests
-test-gateway-api-conformance-ci:
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance=true $(TESTFLAGS)
+test-gateway-api-conformance: build-image-dirty
+	# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.3" $(TESTFLAGS)

+.PHONY: test-ui-unit
+#? test-ui-unit: Run the unit tests for the webui
+test-ui-unit:
+	$(MAKE) build-webui-image
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui yarn --cwd webui install
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui yarn --cwd webui test:unit:ci

 .PHONY: pull-images
 #? pull-images: Pull all Docker images to avoid timeout during integration tests
@@ -128,20 +126,16 @@ lint:

 .PHONY: validate-files
 #? validate-files: Validate code and docs
-validate-files: lint
+validate-files:
 	$(foreach exec,$(LINT_EXECUTABLES),\
            $(if $(shell which $(exec)),,$(error "No $(exec) in PATH")))
+	$(CURDIR)/script/validate-vendor.sh
 	$(CURDIR)/script/validate-misspell.sh
 	$(CURDIR)/script/validate-shell-script.sh

 .PHONY: validate
 #? validate: Validate code, docs, and vendor
-validate: lint
-	$(foreach exec,$(EXECUTABLES),\
-            $(if $(shell which $(exec)),,$(error "No $(exec) in PATH")))
-	$(CURDIR)/script/validate-vendor.sh
-	$(CURDIR)/script/validate-misspell.sh
-	$(CURDIR)/script/validate-shell-script.sh
+validate: lint validate-files

 # Target for building images for multiple architectures.
 .PHONY: multi-arch-image-%
@@ -181,7 +175,7 @@ docs-pull-images:
 .PHONY: generate-crd
 #? generate-crd: Generate CRD clientset and CRD manifests
 generate-crd:
-	@$(CURDIR)/script/code-gen-docker.sh
+	@$(CURDIR)/script/code-gen.sh

 .PHONY: generate-genconf
 #? generate-genconf: Generate code from dynamic configuration github.com/traefik/genconf
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@
    </picture>
 </p>

-[![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
+[![Build Status SemaphoreCI](https://traefik-oss.semaphoreci.com/badges/traefik/branches/master.svg?style=shields)](https://traefik-oss.semaphoreci.com/projects/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
@@ -35,7 +35,8 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo

 ---

-:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://doc.traefik.io/traefik/).
+:warning: When migrating to a new major version of Traefik, please refer to the [migration guide](https://doc.traefik.io/traefik/migration/v2-to-v3/) to ensure a smooth transition and to be aware of any breaking changes.
+

 ## Overview

@@ -58,10 +59,10 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t

 - Continuously updates its configuration (No restarts!)
 - Supports multiple load balancing algorithms
- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
+- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org) (wildcard certificates support)
 - Circuit breakers, retry
 - See the magic through its clean web UI
- Websocket, HTTP/2, gRPC ready
+- WebSocket, HTTP/2, gRPC ready
 - Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB 2.X)
 - Keeps access logs (JSON, CLF)
 - Fast
@@ -87,9 +88,7 @@ You can access the simple HTML frontend of Traefik.

 ## Documentation

-You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
-
-A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
+You can find the complete documentation of Traefik v3 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).

 ## Support

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,7 +1,7 @@
 # Security Policy

 You can join our security mailing list to be aware of the latest announcements from our security team.
-You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).

 Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).

--- a/cmd/traefik/logger.go
+++ b/cmd/traefik/logger.go
@@ -1,18 +1,20 @@
 package main

 import (
+	"errors"
+	"fmt"
 	"io"
 	stdlog "log"
 	"os"
 	"strings"
 	"time"

-	"github.com/natefinch/lumberjack"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
 	"github.com/traefik/traefik/v3/pkg/config/static"
 	"github.com/traefik/traefik/v3/pkg/logs"
+	"gopkg.in/natefinch/lumberjack.v2"
 )

 func init() {
@@ -20,12 +22,21 @@ func init() {
 	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
 }

-func setupLogger(staticConfiguration *static.Configuration) {
+func setupLogger(staticConfiguration *static.Configuration) error {
+	// Validate that the experimental flag is set up at this point,
+	// rather than validating the static configuration before the setupLogger call.
+	// This ensures that validation messages are not logged using an un-configured logger.
+	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil &&
+		(staticConfiguration.Experimental == nil || !staticConfiguration.Experimental.OTLPLogs) {
+		return errors.New("the experimental OTLPLogs feature must be enabled to use OTLP logging")
+	}
+
 	// configure log format
 	w := getLogWriter(staticConfiguration)

 	// configure log level
 	logLevel := getLogLevel(staticConfiguration)
+	zerolog.SetGlobalLevel(logLevel)

 	// create logger
 	logCtx := zerolog.New(w).With().Timestamp()
@@ -34,8 +45,16 @@ func setupLogger(staticConfiguration *static.Configuration) {
 	}

 	log.Logger = logCtx.Logger().Level(logLevel)
+
+	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
+		var err error
+		log.Logger, err = logs.SetupOTelLogger(log.Logger, staticConfiguration.Log.OTLP)
+		if err != nil {
+			return fmt.Errorf("setting up OpenTelemetry logger: %w", err)
+		}
+	}
+
 	zerolog.DefaultContextLogger = &log.Logger
-	zerolog.SetGlobalLevel(logLevel)

 	// Global logrus replacement (related to lib like go-rancher-metadata, docker, etc.)
 	logrus.StandardLogger().Out = logs.NoLevel(log.Logger, zerolog.DebugLevel)
@@ -43,13 +62,18 @@ func setupLogger(staticConfiguration *static.Configuration) {
 	// configure default standard log.
 	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
 	stdlog.SetOutput(logs.NoLevel(log.Logger, zerolog.DebugLevel))
+
+	return nil
 }

 func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
-	var w io.Writer = os.Stderr
+	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
+		return io.Discard
+	}

+	var w io.Writer = os.Stdout
 	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
-		_, _ = os.Create(staticConfiguration.Log.FilePath)
+		_, _ = os.OpenFile(staticConfiguration.Log.FilePath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666)
 		w = &lumberjack.Logger{
 			Filename:   staticConfiguration.Log.FilePath,
 			MaxSize:    staticConfiguration.Log.MaxSize,
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -7,15 +7,17 @@ import (
 	"fmt"
 	"io"
 	stdlog "log"
+	"maps"
 	"net/http"
 	"os"
 	"os/signal"
+	"slices"
 	"sort"
 	"strings"
 	"syscall"
 	"time"

-	"github.com/coreos/go-systemd/daemon"
+	"github.com/coreos/go-systemd/v22/daemon"
 	"github.com/go-acme/lego/v4/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
 	"github.com/rs/zerolog/log"
@@ -37,6 +39,8 @@ import (
 	"github.com/traefik/traefik/v3/pkg/provider/aggregator"
 	"github.com/traefik/traefik/v3/pkg/provider/tailscale"
 	"github.com/traefik/traefik/v3/pkg/provider/traefik"
+	"github.com/traefik/traefik/v3/pkg/proxy"
+	"github.com/traefik/traefik/v3/pkg/proxy/httputil"
 	"github.com/traefik/traefik/v3/pkg/safe"
 	"github.com/traefik/traefik/v3/pkg/server"
 	"github.com/traefik/traefik/v3/pkg/server/middleware"
@@ -87,7 +91,9 @@ Complete documentation is available at https://traefik.io`,
 }

 func runCmd(staticConfiguration *static.Configuration) error {
-	setupLogger(staticConfiguration)
+	if err := setupLogger(staticConfiguration); err != nil {
+		return fmt.Errorf("setting up logger: %w", err)
+	}

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment

@@ -186,11 +192,11 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}

-	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)
+	acmeProviders := initACMEProvider(staticConfiguration, providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider, routinesPool)

 	// Tailscale

-	tsProviders := initTailscaleProviders(staticConfiguration, &providerAggregator)
+	tsProviders := initTailscaleProviders(staticConfiguration, providerAggregator)

 	// Observability

@@ -224,10 +230,24 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	}

 	// Plugins
+	pluginLogger := log.Ctx(ctx).With().Logger()
+	hasPlugins := staticConfiguration.Experimental != nil && (staticConfiguration.Experimental.Plugins != nil || staticConfiguration.Experimental.LocalPlugins != nil)
+	if hasPlugins {
+		pluginsList := slices.Collect(maps.Keys(staticConfiguration.Experimental.Plugins))
+		pluginsList = append(pluginsList, slices.Collect(maps.Keys(staticConfiguration.Experimental.LocalPlugins))...)
+
+		pluginLogger = pluginLogger.With().Strs("plugins", pluginsList).Logger()
+		pluginLogger.Info().Msg("Loading plugins...")
+	}

 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
+	if err != nil && staticConfiguration.Experimental != nil && staticConfiguration.Experimental.AbortOnPluginFailure {
+		return nil, fmt.Errorf("plugin: failed to create plugin builder: %w", err)
+	}
 	if err != nil {
-		log.Error().Err(err).Msg("Plugins are disabled because an error has occurred.")
+		pluginLogger.Err(err).Msg("Plugins are disabled because an error has occurred.")
+	} else if hasPlugins {
+		pluginLogger.Info().Msg("Plugins loaded.")
 	}

 	// Providers plugins
@@ -269,10 +289,16 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		log.Info().Msg("Successfully obtained SPIFFE SVID.")
 	}

-	roundTripperManager := service.NewRoundTripperManager(spiffeX509Source)
+	transportManager := service.NewTransportManager(spiffeX509Source)
+
+	var proxyBuilder service.ProxyBuilder = httputil.NewProxyBuilder(transportManager, semConvMetricRegistry)
+	if staticConfiguration.Experimental != nil && staticConfiguration.Experimental.FastProxy != nil {
+		proxyBuilder = proxy.NewSmartBuilder(transportManager, proxyBuilder, *staticConfiguration.Experimental.FastProxy)
+	}
+
 	dialerManager := tcp.NewDialerManager(spiffeX509Source)
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
-	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, roundTripperManager, acmeHTTPHandler)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, transportManager, proxyBuilder, acmeHTTPHandler)

 	// Router factory

@@ -306,7 +332,8 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	// Server Transports
 	watcher.AddListener(func(conf dynamic.Configuration) {
-		roundTripperManager.Update(conf.HTTP.ServersTransports)
+		transportManager.Update(conf.HTTP.ServersTransports)
+		proxyBuilder.Update(conf.HTTP.ServersTransports)
 		dialerManager.Update(conf.TCP.ServersTransports)
 	})

@@ -352,7 +379,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
 				log.Error().Err(err).Str(logs.RouterName, rtName).Str("certificateResolver", rt.TLS.CertResolver).
-					Msg("Router uses a non-existent certificate resolver")
+					Msg("Router uses a nonexistent certificate resolver")
 			}
 		}
 	})
@@ -417,7 +444,7 @@ func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP serv
 }

 // initACMEProvider creates and registers acme.Provider instances corresponding to the configured ACME certificate resolvers.
-func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
+func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider, routinesPool *safe.Pool) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}

 	var resolvers []*acme.Provider
@@ -427,7 +454,7 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 		}

 		if localStores[resolver.ACME.Storage] == nil {
-			localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
+			localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage, routinesPool)
 		}

 		p := &acme.Provider{
@@ -593,16 +620,16 @@ func checkNewVersion() {
 }

 func stats(staticConfiguration *static.Configuration) {
-	logger := log.Info()
+	logger := log.With().Logger()

 	if staticConfiguration.Global.SendAnonymousUsage {
-		logger.Msg(`Stats collection is enabled.`)
-		logger.Msg(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
-		logger.Msg(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Msg(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
+		logger.Info().Msg(`Stats collection is enabled.`)
+		logger.Info().Msg(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
+		logger.Info().Msg(`Help us improve Traefik by leaving this feature on :)`)
+		logger.Info().Msg(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
-		logger.Msg(`
+		logger.Info().Msg(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
 More details on: https://doc.traefik.io/traefik/contributing/data-collection/
--- a/cmd/traefik/traefik_test.go
+++ b/cmd/traefik/traefik_test.go
@@ -95,7 +95,6 @@ func TestAppendCertMetric(t *testing.T) {
 	}

 	for _, test := range testCases {
-		test := test
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

--- a/contrib/grafana/traefik-kubernetes.json
+++ b/contrib/grafana/traefik-kubernetes.json
@@ -242,7 +242,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "sum(rate(traefik_entrypoint_requests_total{entrypoint=~\"$entrypoint\"}[1m])) by (entrypoint)",
+          "expr": "sum(rate(traefik_entrypoint_requests_total{entrypoint=~\"$entrypoint\"}[$interval])) by (entrypoint)",
          "legendFormat": "{{entrypoint}}",
          "range": true,
          "refId": "A"
@@ -340,7 +340,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method) + \n sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"1.2\",code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method)) / 2 / \n sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method)\n",
+          "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\",entrypoint=~\"$entrypoint\"}[$interval])) by (method) + \n sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"1.2\",code=\"200\",entrypoint=~\"$entrypoint\"}[$interval])) by (method)) / 2 / \n sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\",entrypoint=~\"$entrypoint\"}[$interval])) by (method)\n",
          "legendFormat": "{{method}}",
          "range": true,
          "refId": "A"
@@ -408,7 +408,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "sum(rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[1m])) by (method, code)",
+          "expr": "sum(rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) by (method, code)",
          "legendFormat": "{{method}}[{{code}}]",
          "range": true,
          "refId": "A"
@@ -507,7 +507,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        traefik_service_request_duration_seconds_sum{service=~\"$service.*\",protocol=\"http\"} / \n          traefik_service_request_duration_seconds_count{service=~\"$service.*\",protocol=\"http\"},\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)\n\n",
+          "expr": "topk(15,\n    label_replace(\n        traefik_service_request_duration_seconds_sum{service=~\"$service.*\",protocol=\"http\"} / \n          traefik_service_request_duration_seconds_count{service=~\"$service.*\",protocol=\"http\"},\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)\n\n",
          "legendFormat": "{{method}}[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
@@ -606,7 +606,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
@@ -711,7 +711,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"1.2\",service=~\"$service.*\"}[5m])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
+              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"1.2\",service=~\"$service.*\"}[$interval])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[$interval]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^@]+)@.*\"\n)",
              "legendFormat": "{{service}}",
              "range": true,
              "refId": "A"
@@ -806,7 +806,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",service=~\"$service.*\"}[5m])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
+              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",service=~\"$service.*\"}[$interval])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[$interval]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^@]+)@.*\"\n)",
              "legendFormat": "{{service}}",
              "range": true,
              "refId": "A"
@@ -922,13 +922,13 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"2..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"2..\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "{{method}}[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
        }
      ],
-      "title": "2xx over 5 min",
+      "title": "2xx over $interval",
      "type": "timeseries"
    },
    {
@@ -1022,13 +1022,13 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"5..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"5..\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "{{method}}[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
        }
      ],
-      "title": "5xx over 5 min",
+      "title": "5xx over $interval",
      "type": "timeseries"
    },
    {
@@ -1122,13 +1122,13 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code!~\"2..|5..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code!~\"2..|5..\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "{{method}}[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
        }
      ],
-      "title": "Other codes over 5 min",
+      "title": "Other codes over $interval",
      "type": "timeseries"
    },
    {
@@ -1222,7 +1222,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_requests_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_requests_bytes_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "{{method}} on {{service}}",
          "range": true,
          "refId": "A"
@@ -1322,7 +1322,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_responses_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_responses_bytes_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "{{method}} on {{service}}",
          "range": true,
          "refId": "A"
@@ -1331,105 +1331,6 @@
      "title": "Responses Size",
      "type": "timeseries"
    },
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "${DS_PROMETHEUS}"
-      },
-      "description": "",
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisCenteredZero": false,
-            "axisColorMode": "text",
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "drawStyle": "line",
-            "fillOpacity": 0,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "auto",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green",
-                "value": null
-              },
-              {
-                "color": "red",
-                "value": 80
-              }
-            ]
-          },
-          "unit": "short"
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 0,
-        "y": 39
-      },
-      "id": 2,
-      "options": {
-        "legend": {
-          "calcs": [
-            "mean",
-            "max"
-          ],
-          "displayMode": "table",
-          "placement": "right",
-          "showLegend": true,
-          "sortBy": "Max",
-          "sortDesc": true
-        },
-        "tooltip": {
-          "mode": "multi",
-          "sort": "desc"
-        }
-      },
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "editorMode": "code",
-          "expr": "label_replace(\n    sum(traefik_service_open_connections{service=~\"$service.*\"}) by (service),\n    \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")",
-          "legendFormat": "{{service}}",
-          "range": true,
-          "refId": "A"
-        }
-      ],
-      "title": "Connections per Service",
-      "type": "timeseries"
-    },
    {
      "datasource": {
        "type": "prometheus",
@@ -1520,7 +1421,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "sum(traefik_entrypoint_open_connections{entrypoint=~\"$entrypoint\"}) by (entrypoint)\n",
+          "expr": "sum(traefik_open_connections{entrypoint=~\"$entrypoint\"}) by (entrypoint)\n",
          "legendFormat": "{{entrypoint}}",
          "range": true,
          "refId": "A"
@@ -1560,14 +1461,14 @@
          "type": "prometheus",
          "uid": "${DS_PROMETHEUS}"
        },
-        "definition": "label_values(traefik_entrypoint_open_connections, entrypoint)",
+        "definition": "label_values(traefik_open_connections, entrypoint)",
        "hide": 0,
        "includeAll": true,
        "multi": false,
        "name": "entrypoint",
        "options": [],
        "query": {
-          "query": "label_values(traefik_entrypoint_open_connections, entrypoint)",
+          "query": "label_values(traefik_open_connections, entrypoint)",
          "refId": "StandardVariableQuery"
        },
        "refresh": 1,
@@ -1576,24 +1477,87 @@
        "sort": 0,
        "type": "query"
      },
+      {
+        "auto": true,
+        "auto_count": 30,
+        "auto_min": "1m",
+        "current": {
+          "selected": false,
+          "text": "auto",
+          "value": "$__auto_interval_interval"
+        },
+        "hide": 0,
+        "name": "interval",
+        "options": [
+          {
+            "selected": true,
+            "text": "auto",
+            "value": "$__auto_interval_interval"
+          },
+          {
+            "selected": false,
+            "text": "1m",
+            "value": "1m"
+          },
+          {
+            "selected": false,
+            "text": "5m",
+            "value": "5m"
+          },
+          {
+            "selected": false,
+            "text": "10m",
+            "value": "10m"
+          },
+          {
+            "selected": false,
+            "text": "30m",
+            "value": "30m"
+          },
+          {
+            "selected": false,
+            "text": "1h",
+            "value": "1h"
+          },
+          {
+            "selected": false,
+            "text": "2h",
+            "value": "2h"
+          },
+          {
+            "selected": false,
+            "text": "4h",
+            "value": "4h"
+          },
+          {
+            "selected": false,
+            "text": "8h",
+            "value": "8h"
+          }
+        ],
+        "query": "1m,5m,10m,30m,1h,2h,4h,8h",
+        "refresh": 2,
+        "skipUrlSync": false,
+        "type": "interval"
+      },
      {
        "current": {},
        "datasource": {
          "type": "prometheus",
          "uid": "${DS_PROMETHEUS}"
        },
-        "definition": "label_values(traefik_service_open_connections, service)",
+        "definition": "label_values(traefik_service_requests_total, service)",
        "hide": 0,
        "includeAll": true,
        "multi": false,
        "name": "service",
        "options": [],
        "query": {
-          "query": "label_values(traefik_service_open_connections, service)",
+          "query": "label_values(traefik_service_requests_total, service)",
          "refId": "StandardVariableQuery"
        },
        "refresh": 2,
-        "regex": "/([^-]+-[^-]+).*/",
+        "regex": "/([^@]+)@.*/",
        "skipUrlSync": false,
        "sort": 1,
        "type": "query"
@@ -1608,6 +1572,6 @@
  "timezone": "",
  "title": "Traefik Official Kubernetes Dashboard",
  "uid": "n5bu_kv4k",
-  "version": 6,
+  "version": 7,
  "weekStart": ""
 }
--- a/contrib/grafana/traefik.json
+++ b/contrib/grafana/traefik.json
@@ -242,7 +242,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "sum(rate(traefik_entrypoint_requests_total{entrypoint=~\"$entrypoint\"}[1m])) by (entrypoint)",
+          "expr": "sum(rate(traefik_entrypoint_requests_total{entrypoint=~\"$entrypoint\"}[$interval])) by (entrypoint)",
          "legendFormat": "{{entrypoint}}",
          "range": true,
          "refId": "A"
@@ -340,7 +340,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method) + \n sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"1.2\",code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method)) / 2 / \n sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method)\n",
+          "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\",entrypoint=~\"$entrypoint\"}[$interval])) by (method) + \n sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"1.2\",code=\"200\",entrypoint=~\"$entrypoint\"}[$interval])) by (method)) / 2 / \n sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\",entrypoint=~\"$entrypoint\"}[$interval])) by (method)\n",
          "legendFormat": "{{method}}",
          "range": true,
          "refId": "A"
@@ -408,7 +408,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "sum(rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[1m])) by (method, code)",
+          "expr": "sum(rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) by (method, code)",
          "legendFormat": "{{method}}[{{code}}]",
          "range": true,
          "refId": "A"
@@ -606,7 +606,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
          "legendFormat": "[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
@@ -710,7 +710,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"1.2\",service=~\"$service.*\"}[5m])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
+              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"1.2\",service=~\"$service.*\"}[$interval])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[$interval]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
              "legendFormat": "{{service}}",
              "range": true,
              "refId": "A"
@@ -804,7 +804,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",service=~\"$service.*\"}[5m])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
+              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",service=~\"$service.*\"}[$interval])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[$interval]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
              "legendFormat": "{{service}}",
              "range": true,
              "refId": "A"
@@ -916,13 +916,13 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"2..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"2..\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
              "legendFormat": "{{method}}[{{code}}] on {{service}}",
              "range": true,
              "refId": "A"
            }
          ],
-          "title": "2xx over 5 min",
+          "title": "2xx over $interval",
          "type": "timeseries"
        },
        {
@@ -1015,13 +1015,13 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"5..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"5..\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
              "legendFormat": "{{method}}[{{code}}] on {{service}}",
              "range": true,
              "refId": "A"
            }
          ],
-          "title": "5xx over 5 min",
+          "title": "5xx over $interval",
          "type": "timeseries"
        },
        {
@@ -1114,13 +1114,13 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code!~\"2..|5..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code!~\"2..|5..\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
              "legendFormat": "{{method}}[{{code}}] on {{service}}",
              "range": true,
              "refId": "A"
            }
          ],
-          "title": "Other codes over 5 min",
+          "title": "Other codes over $interval",
          "type": "timeseries"
        },
        {
@@ -1213,7 +1213,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_requests_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+              "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_requests_bytes_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
              "legendFormat": "{{method}} on {{service}}",
              "range": true,
              "refId": "A"
@@ -1312,7 +1312,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_responses_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+              "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_responses_bytes_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
              "legendFormat": "{{method}} on {{service}}",
              "range": true,
              "refId": "A"
@@ -1321,104 +1321,6 @@
          "title": "Responses Size",
          "type": "timeseries"
        },
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "description": "",
-          "fieldConfig": {
-            "defaults": {
-              "color": {
-                "mode": "palette-classic"
-              },
-              "custom": {
-                "axisCenteredZero": false,
-                "axisColorMode": "text",
-                "axisLabel": "",
-                "axisPlacement": "auto",
-                "barAlignment": 0,
-                "drawStyle": "line",
-                "fillOpacity": 0,
-                "gradientMode": "none",
-                "hideFrom": {
-                  "legend": false,
-                  "tooltip": false,
-                  "viz": false
-                },
-                "lineInterpolation": "linear",
-                "lineWidth": 1,
-                "pointSize": 5,
-                "scaleDistribution": {
-                  "type": "linear"
-                },
-                "showPoints": "auto",
-                "spanNulls": false,
-                "stacking": {
-                  "group": "A",
-                  "mode": "none"
-                },
-                "thresholdsStyle": {
-                  "mode": "off"
-                }
-              },
-              "mappings": [],
-              "thresholds": {
-                "mode": "absolute",
-                "steps": [
-                  {
-                    "color": "green"
-                  },
-                  {
-                    "color": "red",
-                    "value": 80
-                  }
-                ]
-              },
-              "unit": "short"
-            },
-            "overrides": []
-          },
-          "gridPos": {
-            "h": 8,
-            "w": 12,
-            "x": 0,
-            "y": 39
-          },
-          "id": 2,
-          "options": {
-            "legend": {
-              "calcs": [
-                "mean",
-                "max"
-              ],
-              "displayMode": "table",
-              "placement": "right",
-              "showLegend": true,
-              "sortBy": "Max",
-              "sortDesc": true
-            },
-            "tooltip": {
-              "mode": "multi",
-              "sort": "desc"
-            }
-          },
-          "targets": [
-            {
-              "datasource": {
-                "type": "prometheus",
-                "uid": "${DS_PROMETHEUS}"
-              },
-              "editorMode": "code",
-              "expr": "label_replace(\n    sum(traefik_service_open_connections{service=~\"$service.*\"}) by (service),\n    \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")",
-              "legendFormat": "{{service}}",
-              "range": true,
-              "refId": "A"
-            }
-          ],
-          "title": "Connections per Service",
-          "type": "timeseries"
-        },
        {
          "datasource": {
            "type": "prometheus",
@@ -1508,7 +1410,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "sum(traefik_entrypoint_open_connections{entrypoint=~\"$entrypoint\"}) by (entrypoint)\n",
+              "expr": "sum(traefik_open_connections{entrypoint=~\"$entrypoint\"}) by (entrypoint)\n",
              "legendFormat": "{{entrypoint}}",
              "range": true,
              "refId": "A"
@@ -1546,20 +1448,83 @@
        "skipUrlSync": false,
        "type": "datasource"
      },
+      {
+        "auto": true,
+        "auto_count": 30,
+        "auto_min": "1m",
+        "current": {
+          "selected": false,
+          "text": "auto",
+          "value": "$__auto_interval_interval"
+        },
+        "hide": 0,
+        "name": "interval",
+        "options": [
+          {
+            "selected": true,
+            "text": "auto",
+            "value": "$__auto_interval_interval"
+          },
+          {
+            "selected": false,
+            "text": "1m",
+            "value": "1m"
+          },
+          {
+            "selected": false,
+            "text": "5m",
+            "value": "5m"
+          },
+          {
+            "selected": false,
+            "text": "10m",
+            "value": "10m"
+          },
+          {
+            "selected": false,
+            "text": "30m",
+            "value": "30m"
+          },
+          {
+            "selected": false,
+            "text": "1h",
+            "value": "1h"
+          },
+          {
+            "selected": false,
+            "text": "2h",
+            "value": "2h"
+          },
+          {
+            "selected": false,
+            "text": "4h",
+            "value": "4h"
+          },
+          {
+            "selected": false,
+            "text": "8h",
+            "value": "8h"
+          }
+        ],
+        "query": "1m,5m,10m,30m,1h,2h,4h,8h",
+        "refresh": 2,
+        "skipUrlSync": false,
+        "type": "interval"
+      },
      {
        "current": {},
        "datasource": {
          "type": "prometheus",
          "uid": "${DS_PROMETHEUS}"
        },
-        "definition": "label_values(traefik_entrypoint_open_connections, entrypoint)",
+        "definition": "label_values(traefik_open_connections, entrypoint)",
        "hide": 0,
        "includeAll": true,
        "multi": false,
        "name": "entrypoint",
        "options": [],
        "query": {
-          "query": "label_values(traefik_entrypoint_open_connections, entrypoint)",
+          "query": "label_values(traefik_open_connections, entrypoint)",
          "refId": "StandardVariableQuery"
        },
        "refresh": 1,
@@ -1574,14 +1539,14 @@
          "type": "prometheus",
          "uid": "${DS_PROMETHEUS}"
        },
-        "definition": "label_values(traefik_service_open_connections, service)",
+        "definition": "label_values(traefik_service_requests_total, service)",
        "hide": 0,
        "includeAll": true,
        "multi": false,
        "name": "service",
        "options": [],
        "query": {
-          "query": "label_values(traefik_service_open_connections, service)",
+          "query": "label_values(traefik_service_requests_total, service)",
          "refId": "StandardVariableQuery"
        },
        "refresh": 2,
@@ -1600,6 +1565,6 @@
  "timezone": "",
  "title": "Traefik Official Standalone Dashboard",
  "uid": "n5bu_kv45",
-  "version": 6,
+  "version": 7,
  "weekStart": ""
 }
--- a/docs/check.Dockerfile
+++ b/docs/check.Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.18 as alpine
+FROM alpine:3.21

 RUN apk --no-cache --no-progress add \
    build-base \
@@ -14,8 +14,8 @@ RUN apk --no-cache --no-progress add \
    ruby-json \
    zlib-dev

-RUN gem install nokogiri --version 1.15.3 --no-document -- --use-system-libraries
-RUN gem install html-proofer --version 5.0.7 --no-document -- --use-system-libraries
+RUN gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
+RUN gem install html-proofer --version 5.0.10 --no-document -- --use-system-libraries

 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \
--- a/docs/content/assets/img/middleware/ipwhitelist.png
+++ b/docs/content/assets/img/middleware/ipwhitelist.png
--- a/docs/content/assets/img/traefik-architecture.png
+++ b/docs/content/assets/img/traefik-architecture.png
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -92,7 +92,7 @@ For development purposes, you can specify which tests to run by using (only work

    Create `tailscale.secret` file in `integration` directory.
    
-    This file need to contains a [Tailscale auth key](https://tailscale.com/kb/1085/auth-keys) 
+    This file needs to contain a [Tailscale auth key](https://tailscale.com/kb/1085/auth-keys) 
    (an ephemeral, but reusable, one is recommended).

    Add this section to your tailscale ACLs to auto-approve the routes for the
--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -15,13 +15,13 @@ Let's see how.

 ### General

-This [documentation](https://doc.traefik.io/traefik/ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to website of MkDocs").
+This [documentation](../../ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").

 ### Method 1: `Docker` and `make`

 Please make sure you have the following requirements installed:

- [Docker](https://www.docker.com/ "Link to website of Docker")
+- [Docker](https://www.docker.com/ "Link to the website of Docker")

 You can build the documentation and test it locally (with live reloading), using the `docs-serve` target:

@@ -51,7 +51,7 @@ $ make docs-build

 Please make sure you have the following requirements installed:

- [Python](https://www.python.org/ "Link to website of Python")
+- [Python](https://www.python.org/ "Link to the website of Python")
 - [pip](https://pypi.org/project/pip/ "Link to the website of pip on PyPI")

 ```bash
--- a/docs/content/contributing/maintainers-guidelines.md
+++ b/docs/content/contributing/maintainers-guidelines.md
@@ -32,7 +32,7 @@ The contributor should also meet one or several of the following requirements:
  including those of other maintainers and contributors.

 - The contributor is active on Traefik Community forums
-  or other technical forums/boards such as K8S slack, Reddit, StackOverflow, hacker news.
+  or other technical forums/boards, such as K8S Slack, Reddit, StackOverflow, and Hacker News.

 Any existing active maintainer can create an issue to discuss promoting a contributor to maintainer. 
 Other maintainers can vote on the issue, and if the quorum is reached, the contributor is promoted to maintainer.
--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -9,7 +9,6 @@ description: "Traefik Proxy is an open source software with a thriving community

 * Emile Vauge [@emilevauge](https://github.com/emilevauge)
 * Manuel Zapf [@SantoDE](https://github.com/SantoDE)
-* Ludovic Fernandez [@ldez](https://github.com/ldez)
 * Julien Salleyron [@juliens](https://github.com/juliens)
 * Nicolas Mengin [@nmengin](https://github.com/nmengin)
 * Michaël Matur [@mmatur](https://github.com/mmatur)
@@ -21,6 +20,9 @@ description: "Traefik Proxy is an open source software with a thriving community
 * Harold Ozouf [@jspdown](https://github.com/jspdown)
 * Tom Moulard [@tommoulard](https://github.com/tommoulard)
 * Landry Benguigui [@lbenguigui](https://github.com/lbenguigui)
+* Simon Delicata [@sdelicata](https://github.com/sdelicata)
+* Baptiste Mayelle [@youkoulayley](https://github.com/youkoulayley)
+* Jesper Noordsij [@jnoordsij](https://github.com/jnoordsij)

 ## Past Maintainers

@@ -31,6 +33,7 @@ People who have had an incredibly positive impact on the project, and are now fo
 * Daniel Tomcej [@dtomcej](https://github.com/dtomcej)
 * Timo Reimann [@timoreimann](https://github.com/timoreimann)
 * Marco Jantke [@mjantke](https://github.com/mjeri)
+* Ludovic Fernandez [@ldez](https://github.com/ldez)

 ## Maintainer's Guidelines

--- a/docs/content/contributing/submitting-pull-requests.md
+++ b/docs/content/contributing/submitting-pull-requests.md
@@ -17,7 +17,7 @@ or the list of [confirmed bugs](https://github.com/traefik/traefik/labels/kind%2

 ## How We Prioritize

-We wish we could review every pull request right away, but because it's a time consuming operation, it's not always possible.
+We wish we could review every pull request right away, but because it's a time-consuming operation, it's not always possible.

 The PRs we are able to handle the fastest are:

@@ -54,9 +54,10 @@ Merging a PR requires the following steps to be completed before it is merged au
    * Keep "allows edit from maintainer" checked.
    * Use semantic line breaks for documentation.
    * Ensure your PR is not a draft. We do not review drafts, but do answer questions and confer with developers on them as needed.
+    * Ensure that the dependencies in the `go.mod` file reference a tag. If referencing a tag is not possible, add a comment explaining why.
 * Pass the validation check.
 * Pass all tests.
-* Receive 3 approving reviews from maintainers.
+* Receive 2 approving reviews from maintainers.

 ## Pull Request Review Cycle

@@ -89,6 +90,9 @@ in short, it looks like this:
 You must run these local verifications before you submit your pull request to predict the pass or failure of continuous integration.
 Your PR will not be reviewed until these are green on the CI.

+* `make generate`
+* `make generate-crd`
+* `make test-gateway-api-conformance`
 * `make validate`
 * `make pull-images`
 * `make test`
@@ -112,7 +116,7 @@ In such a situation, solve the conflicts/CI/... and then remove the label `bot/n

 To prevent the bot from automatically merging a PR, add the label `bot/no-merge`.

-The label `bot/light-review` decreases the number of required LGTM from 3 to 1.
+The label `bot/light-review` decreases the number of required LGTM from 2 to 1.

 This label can be used when:

@@ -126,7 +130,7 @@ This label can be used when:
 Traefik Proxy is made by the community for the community,
 as such the goal is to engage the community to make Traefik the best reverse proxy available.
 Part of this goal is maintaining a lean codebase and ensuring code velocity.
-unfortunately, this means that sometimes we will not be able to merge a pull request.
+Unfortunately, this means that sometimes we will not be able to merge a pull request.

 Because we respect the work you did, you will always be told why we are closing your pull request.
 If you do not agree with our decision, do not worry; closed pull requests are effortless to recreate,
--- a/docs/content/contributing/submitting-security-issues.md
+++ b/docs/content/contributing/submitting-security-issues.md
@@ -8,7 +8,7 @@ description: "Security is a key part of Traefik Proxy. Read the technical docume
 ## Security Advisories

 We strongly advise you to join our mailing list to be aware of the latest announcements from our security team.
-You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).

 ## CVE

--- a/docs/content/deprecation/features.md
+++ b/docs/content/deprecation/features.md
@@ -4,17 +4,11 @@ This page is maintained and updated periodically to reflect our roadmap and any

 | Feature                                                                                                              | Deprecated | End of Support | Removal |
 |----------------------------------------------------------------------------------------------------------------------|------------|----------------|---------|
-| [Kubernetes CRD Provider API Version `traefik.io/v1alpha1`](#kubernetes-crd-provider-api-version-traefikiov1alpha1)  | 3.0        | N/A            | 4.0     |
 | [Kubernetes Ingress API Version `networking.k8s.io/v1beta1`](#kubernetes-ingress-api-version-networkingk8siov1beta1) | N/A        | N/A            | 3.0     |
 | [CRD API Version `apiextensions.k8s.io/v1beta1`](#kubernetes-ingress-api-version-networkingk8siov1beta1)             | N/A        | N/A            | 3.0     |

 ## Impact

-### Kubernetes CRD Provider API Version `traefik.io/v1alpha1`
-
-The Kubernetes CRD provider API Version `traefik.io/v1alpha1` is deprecated in Traefik v3.
-Please use the API Group `traefik.io/v1` instead.
-
 ### Kubernetes Ingress API Version `networking.k8s.io/v1beta1`

 The Kubernetes Ingress API Version `networking.k8s.io/v1beta1` support is removed in v3. 
--- a/docs/content/deprecation/releases.md
+++ b/docs/content/deprecation/releases.md
@@ -4,30 +4,35 @@

 Below is a non-exhaustive list of versions and their maintenance status:

-| Version | Release Date | Active Support     | Security Support | 
-|---------|--------------|--------------------|------------------|
-| 2.11    | Feb 12, 2024 | Yes                | Yes              |
-| 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 | No               |
-| 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 | No               |
-| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No               |
-| 2.7     | May 24, 2022 | Ended Jun 29, 2022 | No               |
-| 2.6     | Jan 24, 2022 | Ended May 24, 2022 | No               |
-| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 | No               |
-| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 | No               |
-| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 | No               |
-| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 | No               |
-| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 | No               |
-| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 | No               |
-| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 | Contact Support  |
+| Version | Release Date | Active Support     | Security Support  |
+|---------|--------------|--------------------|-------------------|
+| 3.3     | Jan 06, 2025 | Yes                | Yes               |
+| 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 | No                |
+| 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 | No                |
+| 3.0     | Apr 29, 2024 | Ended Jul 15, 2024 | No                |
+| 2.11    | Feb 12, 2024 | Ends  Apr 29, 2025 | Ends Feb 01, 2026 |
+| 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 | No                |
+| 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 | No                |
+| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No                |
+| 2.7     | May 24, 2022 | Ended Jun 29, 2022 | No                |
+| 2.6     | Jan 24, 2022 | Ended May 24, 2022 | No                |
+| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 | No                |
+| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 | No                |
+| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 | No                |
+| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 | No                |
+| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 | No                |
+| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 | No                |
+| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 | No                |

 ??? example "Active Support / Security Support"

-    **Active support**: receives any bug fixes.
-    **Security support**: receives only critical bug and security fixes.
+    - **Active support**: Receives any bug fixes.
+
+    - **Security support**: Receives only critical bug and security fixes.

 This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.

-Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v1 to v2 migration guide](../migration/v1-to-v2.md).
+Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v2 to v3 migration guide](../migration/v2-to-v3.md).

 !!! important "All target dates for end of support or feature removal announcements may be subject to change."

--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -79,7 +79,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:v3.0 --help
+# ex: docker run traefik:v3.3 --help
 ```

 Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -93,7 +93,7 @@ The example below is a file provider only version (`yaml`) of what this configur
 ```yaml tab="Static configuration"
 # traefik.yml

-entrypoints:
+entryPoints:
  web:
    address: :80

@@ -251,3 +251,5 @@ In which case, you should make sure your infrastructure is properly set up for a
 ```shell
 LEGO_DISABLE_CNAME_SUPPORT=true
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:

 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:

-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.0/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.0/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.3/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.3/traefik.sample.toml)

 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.0
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.3
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,22 +29,17 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.0`
+    ex: `traefik:v3.3`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

 ## Use the Helm Chart

-!!! warning
-
-    The Traefik Chart from
-    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://doc.traefik.io/traefik/v1.7).
-
 Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/traefik/traefik-helm-chart>.

 Ensure that the following requirements are met:

-* Kubernetes 1.16+
+* Kubernetes 1.22+
 * Helm version 3.9+ is [installed](https://helm.sh/docs/intro/install/)

 Add Traefik Labs chart repository to Helm:
@@ -104,38 +99,6 @@ helm install traefik traefik/traefik
      - "--log.level=DEBUG"
    ```

-### Exposing the Traefik dashboard
-
-This Helm chart does not expose the Traefik dashboard by default, for security concerns.
-Thus, there are multiple ways to expose the dashboard.
-For instance, the dashboard access could be achieved through a port-forward:
-
-```shell
-kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
-```
-
-It can then be reached at: `http://127.0.0.1:9000/dashboard/`
-
-Another way would be to apply your own configuration, for instance,
-by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`):
-
-```yaml
-# dashboard.yaml
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: dashboard
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
-      kind: Rule
-      services:
-        - name: api@internal
-          kind: TraefikService
-```
-
 ## Use the Binary Distribution

 Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page.
--- a/docs/content/getting-started/quick-start-with-kubernetes.md
+++ b/docs/content/getting-started/quick-start-with-kubernetes.md
@@ -35,12 +35,19 @@ rules:
      - ""
    resources:
      - services
-      - endpoints
      - secrets
+      - nodes
    verbs:
      - get
      - list
      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
@@ -58,6 +65,23 @@ rules:
      - ingresses/status
    verbs:
      - update
+  - apiGroups:
+      - traefik.io
+    resources:
+      - middlewares
+      - middlewaretcps
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+      - serverstransports
+      - serverstransporttcps
+    verbs:
+      - get
+      - list
+      - watch
 ```

 !!! info "You can find the reference for this file [there](../../reference/dynamic-configuration/kubernetes-crd/#rbac)."
@@ -130,7 +154,7 @@ spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
-          image: traefik:v3.0
+          image: traefik:v3.3
          args:
            - --api.insecure
            - --providers.kubernetesingress
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -20,7 +20,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v3 Traefik docker image
-    image: traefik:v3.0
+    image: traefik:v3.3
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
@@ -38,7 +38,7 @@ services:
 Start your `reverse-proxy` with the following command:

 ```shell
-docker-compose up -d reverse-proxy
+docker compose up -d reverse-proxy
 ```

 You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (you'll go back there once you have launched a service in step 2).
@@ -68,7 +68,7 @@ The above defines `whoami`: a web service that outputs information about the mac
 Start the `whoami` service with the following command:

 ```shell
-docker-compose up -d whoami
+docker compose up -d whoami
 ```

 Browse `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new container and updated its own configuration.
@@ -92,7 +92,7 @@ IP: 172.27.0.3
 Run more instances of your `whoami` service with the following command:

 ```shell
-docker-compose up -d --scale whoami=2
+docker compose up -d --scale whoami=2
 ```

 Browse to `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new instance of the container.
@@ -119,6 +119,6 @@ IP: 172.27.0.4

 !!! question "Where to Go Next?"

-    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/ "Link to the docs landing page") and let Traefik work for you!
+    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the user guides](../../user-guides/docker-compose/basic-example/ "Link to the user guides") and [the documentation](/ "Link to the docs landing page") and let Traefik work for you!

 {!traefik-for-business-applications.md!}
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -11,7 +11,7 @@ Automatic HTTPS
 You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.

 !!! warning "Let's Encrypt and Rate Limiting"
-    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and can not be overridden.
+    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and cannot be overridden.
    
    When running Traefik in a container this file should be persisted across restarts. 
    If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
@@ -116,8 +116,8 @@ Please check the [configuration examples below](#configuration-examples) for mor
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
    # ...
    --certificatesresolvers.myresolver.acme.email=your-email@example.com
    --certificatesresolvers.myresolver.acme.storage=acme.json
@@ -241,8 +241,8 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
    # ...
    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
    ```
@@ -298,7 +298,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
    
    Multiple DNS challenge provider are not supported with Traefik, but you can use `CNAME` to handle that.
    For example, if you have `example.org` (account foo) and `example.com` (account bar) you can create a CNAME on `example.org` called `_acme-challenge.example.org` pointing to `challenge.example.com`.
-    This way, you can obtain certificates for `example.com` with the `foo` account.
+    This way, you can obtain certificates for `example.org` with the `bar` account.

 !!! important
    A `provider` is mandatory.
@@ -316,17 +316,21 @@ For complete details, refer to your provider's _Additional configuration_ link.

 | Provider Name                                                          | Provider Code      | Environment Variables                                                                                                                                                            |                                                                                 |
 |------------------------------------------------------------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
-| [ACME DNS](https://github.com/joohoi/acme-dns)                         | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
+| [ACME DNS](https://github.com/joohoi/acme-dns)                         | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`, `ACME_DNS_STORAGE_BASE_URL`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
+| [Active24](https://www.active24.cz)                                    | `active24`         | `ACTIVE24_API_KEY`, `ACTIVE24_SECRET`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/active24)         |
 | [Alibaba Cloud](https://www.alibabacloud.com)                          | `alidns`           | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)           |
 | [all-inkl](https://all-inkl.com)                                       | `allinkl`          | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)          |
 | [ArvanCloud](https://www.arvancloud.ir/en)                             | `arvancloud`       | `ARVANCLOUD_API_KEY`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)       |
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
 | [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
-| [Azure](https://azure.microsoft.com/services/dns/)  (DEPRECATED)       | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [Axelname](https://axelname.ru)                                        | `axelname`         | `AXELNAME_NICKNAME`, `AXELNAME_TOKEN`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/axelname)         |
+| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
 | [AzureDNS](https://azure.microsoft.com/services/dns/)                  | `azuredns`         | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns)         |
+| [Baidu Cloud](https://cloud.baidu.com)                                 | `baiducloud`       | `BAIDUCLOUD_ACCESS_KEY_ID`, `BAIDUCLOUD_SECRET_ACCESS_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/baiducloud)       |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)             | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
 | [Blue Cat](https://www.bluecatnetworks.com/)                           | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
-| [Brandit](https://www.brandit.com)                                     | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
+| [BookMyName](https://www.bookmyname.com)                               | `bookmyname`       | `BOOKMYNAME_USERNAME`, `BOOKMYNAME_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/bookmyname)       |
+| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
 | [Bunny](https://bunny.net)                                             | `bunny`            | `BUNNY_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/bunny)            |
 | [Checkdomain](https://www.checkdomain.de/)                             | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
 | [Civo](https://www.civo.com/)                                          | `civo`             | `CIVO_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
@@ -334,13 +338,15 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [CloudDNS](https://vshosting.eu/)                                      | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
 | [Cloudflare](https://www.cloudflare.com)                               | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
 | [ClouDNS](https://www.cloudns.net/)                                    | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
-| [CloudXNS](https://www.cloudxns.net)                                   | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
 | [ConoHa](https://www.conoha.jp)                                        | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
 | [Constellix](https://constellix.com)                                   | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
+| [Core-Networks](https://www.core-networks.de)                          | `corenetworks`     | `CORENETWORKS_LOGIN`, `CORENETWORKS_PASSWORD`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/corenetworks)     |
 | [CPanel and WHM](https://cpanel.net/)                                  | `cpanel`           | `CPANEL_MODE`, `CPANEL_USERNAME`, `CPANEL_TOKEN`, `CPANEL_BASE_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cpanel)           |
 | [Derak Cloud](https://derak.cloud/)                                    | `derak`            | `DERAK_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/derak)            |
 | [deSEC](https://desec.io)                                              | `desec`            | `DESEC_TOKEN`                                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/desec)            |
 | [DigitalOcean](https://www.digitalocean.com)                           | `digitalocean`     | `DO_AUTH_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean)     |
+| [DirectAdmin](https://www.directadmin.com)                             | `directadmin`      | `DIRECTADMIN_API_URL` , `DIRECTADMIN_USERNAME`, `DIRECTADMIN_PASSWORD`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/directadmin)      |
 | [DNS Made Easy](https://dnsmadeeasy.com)                               | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
 | [dnsHome.de](https://www.dnshome.de)                                   | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
 | [DNSimple](https://dnsimple.com)                                       | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
@@ -356,6 +362,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Efficient IP](https://efficientip.com)                                | `efficientip`      | `EFFICIENTIP_USERNAME`, `EFFICIENTIP_PASSWORD`, `EFFICIENTIP_HOSTNAME`, `EFFICIENTIP_DNS_NAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/efficientip)      |
 | [Epik](https://www.epik.com)                                           | `epik`             | `EPIK_SIGNATURE`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/epik)             |
 | [Exoscale](https://www.exoscale.com)                                   | `exoscale`         | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)         |
+| [F5 XC](https://www.f5.com/products/distributed-cloud-services)        | `f5xc`             | `F5XC_API_TOKEN`, `F5XC_TENANT_NAME`, `F5XC_GROUP_NAME`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/f5xc)             |
 | [Fast DNS](https://www.akamai.com/)                                    | `fastdns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
 | [Freemyip.com](https://freemyip.com)                                   | `freemyip`         | `FREEMYIP_TOKEN`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip)         |
 | [G-Core](https://gcore.com/dns/)                                       | `gcore`            | `GCORE_PERMANENT_API_TOKEN`                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcore)            |
@@ -369,6 +376,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [hosting.de](https://www.hosting.de)                                   | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
 | [Hosttech](https://www.hosttech.eu)                                    | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
 | [http.net](https://www.http.net/)                                      | `httpnet`          | `HTTPNET_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/httpnet)          |
+| [Huawei Cloud](https://huaweicloud.com)                                | `huaweicloud`      | `HUAWEICLOUD_ACCESS_KEY_ID`, `HUAWEICLOUD_SECRET_ACCESS_KEY`, `HUAWEICLOUD_REGION`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/huaweicloud)      |
 | [Hurricane Electric](https://dns.he.net)                               | `hurricane`        | `HURRICANE_TOKENS` [^6]                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)        |
 | [HyperOne](https://www.hyperone.com)                                   | `hyperone`         | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)         |
 | [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)                    | `ibmcloud`         | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)         |
@@ -384,12 +392,18 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Joker.com](https://joker.com)                                         | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
 | [Liara](https://liara.ir)                                              | `liara`            | `LIARA_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/liara)            |
 | [Lightsail](https://aws.amazon.com/lightsail/)                         | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
+| [Lima-City](https://www.lima-city.de)                                  | `limacity`         | `LIMACITY_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/limacity)         |
 | [Linode v4](https://www.linode.com)                                    | `linode`           | `LINODE_TOKEN`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/linode)           |
 | [Liquid Web](https://www.liquidweb.com/)                               | `liquidweb`        | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)        |
 | [Loopia](https://loopia.com/)                                          | `loopia`           | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)           |
 | [LuaDNS](https://luadns.com)                                           | `luadns`           | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)           |
 | [Mail-in-a-Box](https://mailinabox.email)                              | `mailinabox`       | `MAILINABOX_EMAIL`, `MAILINABOX_PASSWORD`, `MAILINABOX_BASE_URL`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/mailinabox)       |
+| [ManageEngine CloudDNS](https://clouddns.manageengine.com)             | `manageengine`     | `MANAGEENGINE_CLIENT_ID`, `MANAGEENGINE_CLIENT_SECRET`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/manageengine)     |
 | [Metaname](https://metaname.net)                                       | `metaname`         | `METANAME_ACCOUNT_REFERENCE`, `METANAME_API_KEY`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/metaname)         |
+| [Metaregistrar](https://metaregistrar.com)                             | `metaregistrar`    | `METAREGISTRAR_API_TOKEN`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/metaregistrar)    |
+| [mijn.host](https://mijn.host/)                                        | `mijnhost`         | `MIJNHOST_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/mijnhost)         |
+| [Mittwald](https://www.mittwald.de)                                    | `mittwald`         | `MITTWALD_TOKEN`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/mittwald)         |
+| [myaddr.{tools,dev,io}](https://myaddr.tools/)                         | `myaddr`           | `MYADDR_PRIVATE_KEYS_MAPPING`                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/myaddr)           |
 | [MyDNS.jp](https://www.mydns.jp/)                                      | `mydnsjp`          | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)          |
 | [Mythic Beasts](https://www.mythic-beasts.com)                         | `mythicbeasts`     | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts)     |
 | [name.com](https://www.name.com/)                                      | `namedotcom`       | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)       |
@@ -406,25 +420,32 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Open Telekom Cloud](https://cloud.telekom.de)                         | `otc`              | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/otc)              |
 | [Openstack Designate](https://docs.openstack.org/designate)            | `designate`        | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/designate)        |
 | [Oracle Cloud](https://cloud.oracle.com/home)                          | `oraclecloud`      | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID`                                      | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)      |
-| [OVH](https://www.ovh.com)                                             | `ovh`              | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)              |
+| [OVH](https://www.ovh.com)                                             | `ovh`              | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`, `OVH_CLIENT_ID`, `OVH_CLIENT_SECRET`                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)              |
 | [Plesk](https://www.plesk.com)                                         | `plesk`            | `PLESK_SERVER_BASE_URL`, `PLESK_USERNAME`, `PLESK_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/plesk)            |
 | [Porkbun](https://porkbun.com/)                                        | `porkbun`          | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)          |
 | [PowerDNS](https://www.powerdns.com)                                   | `pdns`             | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)             |
 | [Rackspace](https://www.rackspace.com/cloud/dns)                       | `rackspace`        | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)        |
+| [Rainyun/雨云](https://www.rainyun.com)                                  | `rainyun`          | `RAINYUN_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/rainyun)          |
 | [RcodeZero](https://www.rcodezero.at)                                  | `rcodezero`        | `RCODEZERO_API_TOKEN`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rcodezero)        |
 | [reg.ru](https://www.reg.ru)                                           | `regru`            | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/regru)            |
+| [Regfish](https://regfish.de)                                          | `regfish`          | `regfish`                                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/regfish)          |
 | [RFC2136](https://tools.ietf.org/html/rfc2136)                         | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
 | [RimuHosting](https://rimuhosting.com)                                 | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
 | [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
-| [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCALEWAY_API_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
+| [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCW_API_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
+| [Selectel v2](https://selectel.ru/en/)                                 | `selectelv2`       | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2)       |
 | [Selectel](https://selectel.ru/en/)                                    | `selectel`         | `SELECTEL_API_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)         |
+| [SelfHost.(de/eu)](https://www.selfhost.de)                            | `selfhostde`       | `SELFHOSTDE_USERNAME`, `SELFHOSTDE_PASSWORD`, `SELFHOSTDE_RECORDS_MAPPING`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/selfhostde)       |
 | [Servercow](https://servercow.de)                                      | `servercow`        | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)        |
 | [Shellrent](https://www.shellrent.com)                                 | `shellrent`        | `SHELLRENT_USERNAME`, `SHELLRENT_TOKEN`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/shellrent)        |
 | [Simply.com](https://www.simply.com/en/domains/)                       | `simply`           | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/simply)           |
 | [Sonic](https://www.sonic.com/)                                        | `sonic`            | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)            |
+| [Spaceship](https://spaceship.com)                                     | `spaceship`        | `SPACESHIP_API_KEY`, `SPACESHIP_API_SECRET`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/spaceship)        |
 | [Stackpath](https://www.stackpath.com/)                                | `stackpath`        | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)        |
+| [Technitium](https://technitium.com)                                   | `technitium`       | `TECHNITIUM_SERVER_BASE_URL`, `TECHNITIUM_API_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/technitium)       |
 | [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)             | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
+| [Timeweb Cloud](https://timeweb.cloud)                                 | `timewebcloud`     | `TIMEWEBCLOUD_AUTH_TOKEN`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/timewebcloud)     |
 | [TransIP](https://www.transip.nl/)                                     | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
 | [UKFast SafeDNS](https://docs.ukfast.co.uk/domains/safedns/index.html) | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
 | [Ultradns](https://neustarsecurityservices.com/dns-services)           | `ultradns`         | `ULTRADNS_USERNAME`, `ULTRADNS_PASSWORD`                                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ultradns)         |
@@ -434,11 +455,13 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Versio](https://www.versio.nl/domeinnamen)                            | `versio`           | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/versio)           |
 | [VinylDNS](https://www.vinyldns.io)                                    | `vinyldns`         | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)         |
 | [VK Cloud](https://mcs.mail.ru/)                                       | `vkcloud`          | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME`                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud)          |
+| [Volcano Engine](https://www.volcengine.com)                           | `volcengine`       | `VOLC_ACCESSKEY`, `VOLC_SECRETKEY`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/volcengine)       |
 | [Vscale](https://vscale.io/)                                           | `vscale`           | `VSCALE_API_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)           |
 | [VULTR](https://www.vultr.com)                                         | `vultr`            | `VULTR_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)            |
 | [Webnames](https://www.webnames.ru/)                                   | `webnames`         | `WEBNAMES_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/webnames)         |
 | [Websupport](https://websupport.sk)                                    | `websupport`       | `WEBSUPPORT_API_KEY`, `WEBSUPPORT_SECRET`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/websupport)       |
 | [WEDOS](https://www.wedos.com)                                         | `wedos`            | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)            |
+| [West.cn/西部数码](https://www.west.cn)                                    | `westcn`           | `WESTCN_USERNAME`, `WESTCN_PASSWORD`                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/westcn)           |
 | [Yandex 360](https://360.yandex.ru)                                    | `yandex360`        | `YANDEX360_OAUTH_TOKEN`, `YANDEX360_ORG_ID`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/yandex360)        |
 | [Yandex Cloud](https://cloud.yandex.com/en/)                           | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
 | [Yandex](https://yandex.com)                                           | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
@@ -455,11 +478,6 @@ For complete details, refer to your provider's _Additional configuration_ link.
 [^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
 [^6]: As explained in the [LEGO hurricane configuration](https://go-acme.github.io/lego/dns/hurricane/#credentials), each domain or wildcard (record name) needs a token. So each update of record name must be followed by an update of the `HURRICANE_TOKENS` variable, and a restart of Traefik.

-!!! info "`delayBeforeCheck`"
-    By default, the `provider` verifies the TXT record _before_ letting ACME verify.
-    You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
-    This option is useful when internal networks block external DNS queries.
-
 #### `resolvers`

 Use custom DNS servers to resolve the FQDN authority.
@@ -489,6 +507,150 @@ certificatesResolvers:
 --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```

+#### `propagation.delayBeforeChecks`
+
+By default, the `provider` verifies the TXT record _before_ letting ACME verify.
+
+You can delay this operation by specifying a delay (in seconds) with `delayBeforeChecks` (value must be greater than zero).
+
+This option is useful when internal networks block external DNS queries.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        propagation:
+          # ...
+          delayBeforeChecks: 2s
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      delayBeforeChecks = "2s"
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.delayBeforeChecks=2s
+```
+
+#### `propagation.disableChecks`
+
+Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. 
+
+Please note that disabling checks can prevent the challenge from succeeding.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        propagation:
+          # ...
+          disableChecks: true
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      disableChecks = true
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableChecks=true
+```
+
+#### `propagation.requireAllRNS`
+
+Requires the challenge TXT record to be propagated to all recursive nameservers.
+
+!!! note
+
+    If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`),
+    it is recommended to check all recursive nameservers instead.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        propagation:
+          # ...
+          requireAllRNS: true
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      requireAllRNS = true
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.requireAllRNS=true
+```
+
+#### `propagation.disableANSChecks`
+
+Disables the challenge TXT record propagation checks against authoritative nameservers.
+
+This option will skip the propagation check against the nameservers of the authority (SOA).
+
+It should be used only if the nameservers of the authority are not reachable.
+
+!!! note
+
+    If you have disabled authoritative nameservers checks,
+    it is recommended to check all recursive nameservers instead.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        propagation:
+          # ...
+          disableANSChecks: true
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      disableANSChecks = true
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableANSChecks=true
+```
+
 #### Wildcard Domains

 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
@@ -605,9 +767,22 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik

 _Optional, Default=2160_

-The `certificatesDuration` option defines the certificates' duration in hours.
+`certificatesDuration` is used to calculate two durations:
+
+- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
+- `Renew Interval`: the interval between renew attempts.
+
 It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.

+| Certificate Duration | Renew Period      | Renew Interval          |
+|----------------------|-------------------|-------------------------|
+| >= 1 year            | 4 months          | 1 week                  |
+| >= 90 days           | 30 days           | 1 day                   |
+| >= 30 days           | 10 days           | 12 hours                |
+| >= 7 days            | 1 day             | 1 hour                  |
+| >= 24 hours          | 6 hours           | 10 min                  |
+| < 24 hours           | 20 min            | 1 min                   |
+
 !!! warning "Traefik cannot manage certificates with a duration lower than 1 hour."

 ```yaml tab="File (YAML)"
@@ -632,19 +807,6 @@ certificatesResolvers:
 # ...
 ```

-`certificatesDuration` is used to calculate two durations:
-
- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
- `Renew Interval`: the interval between renew attempts.
-
-| Certificate Duration | Renew Period      | Renew Interval          |
-|----------------------|-------------------|-------------------------|
-| >= 1 year            | 4 months          | 1 week                  |
-| >= 90 days           | 30 days           | 1 day                   |
-| >= 7 days            | 1 day             | 1 hour                  |
-| >= 24 hours          | 6 hours           | 10 min                  |
-| < 24 hours           | 20 min            | 1 min                   |
-
 ### `preferredChain`

 _Optional, Default=""_
@@ -704,6 +866,109 @@ certificatesResolvers:
 # ...
 ```

+### `caCertificates`
+
+_Optional, Default=[]_
+
+The `caCertificates` option specifies the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      caCertificates:
+        - path/certificates1.pem
+        - path/certificates2.pem
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  caCertificates = [ "path/certificates1.pem", "path/certificates2.pem" ]
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.caCertificates="path/certificates1.pem,path/certificates2.pem"
+# ...
+```
+
+??? note "LEGO Environment Variable"
+
+    It can be defined globally by using the environment variable `LEGO_CA_CERTIFICATES`.
+    This environment variable is neither a fallback nor an override of the configuration option.
+
+### `caSystemCertPool`
+
+_Optional, Default=false_
+
+The `caSystemCertPool` option defines if the certificates pool must use a copy of the system cert pool.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      caSystemCertPool: true
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  caSystemCertPool = true
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.caSystemCertPool=true
+# ...
+```
+
+??? note "LEGO Environment Variable"
+
+    It can be defined globally by using the environment variable `LEGO_CA_SYSTEM_CERT_POOL`.
+    `LEGO_CA_SYSTEM_CERT_POOL` is ignored if `LEGO_CA_CERTIFICATES` is not set or empty.
+    This environment variable is neither a fallback nor an override of the configuration option.
+
+### `caServerName`
+
+_Optional, Default=""_
+
+The `caServerName` option specifies the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      caServerName: "my-server"
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  caServerName = "my-server"
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.caServerName="my-server"
+# ...
+```
+
+??? note "LEGO Environment Variable"
+
+    It can be defined globally by using the environment variable `LEGO_CA_SERVER_NAME`.
+    `LEGO_CA_SERVER_NAME` is ignored if `LEGO_CA_CERTIFICATES` is not set or empty.
+    This environment variable is neither a fallback nor an override of the configuration option.
+
 ## Fallback

 If Let's Encrypt is not reachable, the following certificates will apply:
--- a/docs/content/https/include-acme-multiple-domains-example.md
+++ b/docs/content/https/include-acme-multiple-domains-example.md
@@ -5,22 +5,10 @@ labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver
-  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].main=example.com
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```

-```yaml tab="Docker (Swarm)"
-## Dynamic configuration
-deploy:
-  labels:
-    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
-    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
-    - traefik.http.routers.blog.tls=true
-    - traefik.http.routers.blog.tls.certresolver=myresolver
-    - traefik.http.routers.blog.tls.domains[0].main=example.org
-    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
-```
-
 ```yaml tab="Kubernetes"
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
@@ -38,7 +26,7 @@ spec:
  tls:
    certResolver: myresolver
    domains:
-    - main: example.org
+    - main: example.com
      sans:
      - '*.example.org'
 ```
@@ -52,7 +40,7 @@ http:
      tls:
        certResolver: myresolver
        domains:
-          - main: "example.org"
+          - main: "example.com"
            sans:
              - "*.example.org"
 ```
@@ -65,6 +53,6 @@ http:
    [http.routers.blog.tls]
      certResolver = "myresolver" # From static configuration
      [[http.routers.blog.tls.domains]]
-        main = "example.org"
+        main = "example.com"
        sans = ["*.example.org"]
 ```
--- a/docs/content/includes/kubernetes-requirements.md
+++ b/docs/content/includes/kubernetes-requirements.md
@@ -1,3 +1,3 @@
 Traefik follows the [Kubernetes support policy](https://kubernetes.io/releases/version-skew-policy/#supported-versions),
 and supports at least the latest three minor versions of Kubernetes.
-General functionality cannot be guaranteed for versions older than that.
+General functionality cannot be guaranteed for older versions.
--- a/docs/content/includes/traefik-for-business-applications.md
+++ b/docs/content/includes/traefik-for-business-applications.md
@@ -1,14 +1,10 @@
 ---

-!!! question "Using Traefik for Business Applications?"
+!!! question "Using Traefik OSS in Production?"

-    If you are using Traefik in your organization, consider our enterprise-grade solutions:
+    If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.

-    - API Management  
-      [Explore](https://traefik.io/solutions/api-management/) // [Watch Demo Video](https://info.traefik.io/watch-traefik-hub-demo)
-    - API Gateway  
-      [Explore](https://traefik.io/solutions/api-gateway/) // [Watch Demo Video](https://info.traefik.io/watch-traefikee-demo)
-    - Ingress Controller  
-      [Kubernetes](https://traefik.io/solutions/kubernetes-ingress/) // [Docker Swarm](https://traefik.io/solutions/docker-swarm-ingress/)
+    - [Watch our API Gateway Demo Video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc)
+    - [Request 24/7/365 OSS Support](https://info.traefik.io/request-commercial-support?cta=doc)

-    These tools help businesses discover, deploy, secure, and manage microservices and APIs easily, at scale, across any environment.
+    Adding API Gateway capabilities to Traefik OSS is fast and seamless. There's no rip and replace and all configurations remain intact. See it in action via [this short video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc).
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -1,31 +1,58 @@
 ---
 title: "Traefik Proxy Documentation"
-description: "Traefik Proxy, an open source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
+description: "Traefik Proxy, an open-source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
 ---

-# Welcome
+# What is Traefik?

 ![Architecture](assets/img/traefik-architecture.png)

-Traefik is an [open-source](https://github.com/traefik/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
-It receives requests on behalf of your system and finds out which components are responsible for handling them. 
+Traefik is an [open-source](https://github.com/traefik/traefik) *Application Proxy* that makes publishing your services a fun and easy experience. 
+It receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. 

 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
 The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. 

-Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
+Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, and [the list goes on](./reference/install-configuration/providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
 
 With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
-With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.   
+With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.

-Developing Traefik, our main goal is to make it effortless to use, and we're sure you'll enjoy it.
+And if your needs change, you can add API gateway and API management capabilities seamlessly to your existing Traefik deployments. It takes less than a minute, there’s no rip-and-replace, and all your configurations are preserved. See this in action in [our API gateway demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=docs).

-- The Traefik Maintainer Team 
+!!! quote "From the Traefik Maintainer Team" 
+    When developing Traefik, our main goal is to make it easy to use, and we're sure you'll enjoy it.
+
+## Personas
+
+Traefik supports different needs depending on your background. We keep three user personas in mind as we build and organize these docs:
+
+- **Beginners**: You are new to Traefik or new to reverse proxies. You want simple, guided steps to set things up without diving too deep into advanced topics.
+- **DevOps Engineers**: You manage infrastructure or clusters (Docker, Kubernetes, or other orchestrators). You integrate Traefik into your environment and value reliability, performance, and streamlined deployments.
+- **Developers**: You create and deploy applications or APIs. You focus on how to expose your services through Traefik, apply routing rules, and integrate it with your development workflow.
+
+## Core Concepts
+
+Traefik’s main concepts help you understand how requests flow to your services:
+
+- [Entrypoints](./reference/install-configuration/entrypoints.md) are the network entry points into Traefik. They define the port that will receive the packets and whether to listen for TCP or UDP.
+- [Routers](./reference/routing-configuration/http/router/rules-and-priority.md) are in charge of connecting incoming requests to the services that can handle them. In the process, routers may use pieces of [middleware](./reference/routing-configuration/http/middlewares/overview.md) to update the request or act before forwarding the request to the service.
+- [Services](./reference/routing-configuration/http/load-balancing/service.md) are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
+- [Providers](./reference/install-configuration/providers/overview.md) are infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores. The idea is that Traefik queries the provider APIs in order to find relevant information about routing, and when Traefik detects a change, it dynamically updates the routes.
+
+These concepts work together to manage your traffic from the moment a request arrives until it reaches your application.
+
+## How to Use the Documentation
+
+- **Navigation**: Each main section focuses on a specific stage of working with Traefik - installing, exposing services, observing, extending & migrating. 
+Use the sidebar to navigate to the section that is most appropriate for your needs.
+- **Practical Examples**: You will see code snippets and configuration examples for different environments (YAML/TOML, Labels, & Tags).
+- **Reference**: When you need to look up technical details, our reference section provides a deep dive into configuration options and key terms.

 !!! info

-    Join our user friendly and active [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the traefik community.
+    Have a question? Join our [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the Traefik community.

-    Using Traefik in your organization? Consider [Traefik Enterprise](https://traefik.io/traefik-enterprise/ "Lino to Traefik Enterprise"), our unified API Gateway and Ingress that simplifies the discovery, security, and deployment of APIs and microservices across any environment.
+    Using Traefik OSS in Production? Consider our enterprise-grade [API Gateway](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc) or our [24/7/365 OSS Support](https://info.traefik.io/request-commercial-support?cta=doc).

-    See it in action in [this short video walkthrough](https://info.traefik.io/watch-traefikee-demo "Link to video walkthrough").
+    Explore our API Gateway upgrade via [this short demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc).
--- a/docs/content/middlewares/http/basicauth.md
+++ b/docs/content/middlewares/http/basicauth.md
@@ -21,7 +21,7 @@ The BasicAuth middleware grants access to services to authorized users only.
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
 #
-# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
+# Also note that dollar signs should NOT be doubled when they are not being evaluated (e.g. Ansible docker_container module).
 labels:
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
@@ -341,3 +341,5 @@ http:
  [http.middlewares.test-auth.basicAuth]
    removeHeader = true
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/buffering.md
+++ b/docs/content/middlewares/http/buffering.md
@@ -264,3 +264,7 @@ The retry expression is defined as a logical combination of the functions below
 - `Attempts()` number of attempts (the first one counts)
 - `ResponseCode()` response code of the service
 - `IsNetworkError()` whether the response code is related to networking error
+
+### Content-Length
+
+See [Best Practices: Content‑Length](../../security/best-practices/content-length.md)
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -10,7 +10,7 @@ Compress Allows Compressing Responses before Sending them to the Client

 ![Compress](../../assets/img/middleware/compress.png)

-The Compress middleware supports gzip and Brotli compression.
+The Compress middleware supports Gzip, Brotli and Zstandard compression.
 The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.

 ## Configuration Examples
@@ -54,8 +54,8 @@ http:

    Responses are compressed when the following criteria are all met:

-    * The `Accept-Encoding` request header contains `gzip`, `*`, and/or `br` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
-    If the `Accept-Encoding` request header is absent, the response won't be encoded.
+    * The `Accept-Encoding` request header contains `gzip`, and/or `*`, and/or `br`, and/or `zstd` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
+    If the `Accept-Encoding` request header is absent and no [defaultEncoding](#defaultencoding) is configured, the response won't be encoded.
    If it is present, but its value is the empty string, then compression is disabled.
    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
    * The response`Content-Type` header is not one among the [excludedContentTypes options](#excludedcontenttypes), or is one among the [includedContentTypes options](#includedcontenttypes).
@@ -179,9 +179,15 @@ http:
 _Optional, Default=1024_

 `minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
-
 Responses smaller than the specified values will not be compressed.

+!!! tip "Streaming"
+
+    When data is sent to the client on flush, the `minResponseBodyBytes` configuration is ignored and the data is compressed.
+    This is particularly the case when data is streamed to the client when using `Transfer-encoding: chunked` response.
+
+When chunked data is sent to the client on flush, it will be compressed by default even if the received data has not reached  
+
 ```yaml tab="Docker & Swarm"
 labels:
  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
@@ -214,3 +220,89 @@ http:
  [http.middlewares.test-compress.compress]
    minResponseBodyBytes = 1200
 ```
+
+### `defaultEncoding`
+
+_Optional, Default=""_
+
+`defaultEncoding` specifies the default encoding if the `Accept-Encoding` header is not in the request or contains a wildcard (`*`).
+
+There is no fallback on the `defaultEncoding` when the header value is empty or unsupported.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.defaultEncoding=gzip"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    defaultEncoding: gzip
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.defaultEncoding=gzip"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        defaultEncoding: gzip
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    defaultEncoding = "gzip"
+```
+
+### `encodings`
+
+_Optional, Default="gzip, br, zstd"_
+
+`encodings` specifies the list of supported compression encodings.
+At least one encoding value must be specified, and valid entries are `gzip` (Gzip), `br` (Brotli), and `zstd` (Zstandard).
+The order of the list also sets the priority, the top entry has the highest priority.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.encodings=zstd,br"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    encodings:
+      - zstd
+      - br
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.encodings=zstd,br"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        encodings:
+          - zstd
+          - br
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    encodings = ["zstd","br"]
+```
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -300,7 +300,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -316,13 +316,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.addAuthCookiesToResponse=Session-Cookie,State-Cookie"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -334,6 +327,105 @@ http:
          - "State-Cookie"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
+```
+
+### `forwardBody`
+
+_Optional, Default=false_
+
+Set the `forwardBody` option to `true` to send Body.
+
+!!! info
+
+    As body is read inside Traefik before forwarding, this breaks streaming.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    forwardBody: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        forwardBody: true
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    forwardBody = true
+```
+
+### `maxBodySize`
+
+_Optional, Default=-1_
+
+Set the `maxBodySize` to limit the body size in bytes.
+If body is bigger than this, it returns a 401 (unauthorized).
+Default is `-1`, which means no limit.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    forwardBody: true
+    maxBodySize: 1000
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        maxBodySize: 1000
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    forwardBody = true
+    maxBodySize = 1000
+```
+
 ### `tls`

 _Optional_
@@ -571,3 +663,88 @@ http:
    [http.middlewares.test-auth.forwardAuth.tls]
      insecureSkipVerify: true
 ```
+
+### `headerField`
+
+_Optional_
+
+You can define a header field to store the authenticated user using the `headerField`option.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.headerField=X-WebAuth-User"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    # ...
+    headerField: X-WebAuth-User
+```
+
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.headerField=X-WebAuth-User"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        # ...
+        headerField: "X-WebAuth-User"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares.test-auth.forwardAuth]
+  # ...
+  headerField = "X-WebAuth-User"
+```
+
+### `preserveLocationHeader`
+
+_Optional, Default=false_
+
+`preserveLocationHeader` defines whether to forward the `Location` header to the client as is or prefix it with the domain name of the authentication server.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    # ...
+    preserveLocationHeader: true
+```
+
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        # ...
+        preserveLocationHeader: true
+```
+
+```toml tab="File (TOML)"
+[http.middlewares.test-auth.forwardAuth]
+  # ...
+  preserveLocationHeader = true
+```
+
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@@ -394,6 +394,10 @@ This overrides the `BrowserXssFilter` option.

 The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.

+### `contentSecurityPolicyReportOnly`
+
+The `contentSecurityPolicyReportOnly` option allows the `Content-Security-Policy-Report-Only` header value to be set with a custom value.
+
 ### `publicKey`

 The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
--- a/docs/content/middlewares/http/inflightreq.md
+++ b/docs/content/middlewares/http/inflightreq.md
@@ -101,7 +101,7 @@ If none are set, the default is to use the `requestHost`.

 #### `sourceCriterion.ipStrategy`

-The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines three parameters that configures how Traefik determines the client IP: `depth`, `excludedIPs` and `ipv6Subnet`.

 !!! important "As a middleware, InFlightReq happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through the middleware. Therefore, during InFlightReq, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be used and/or relied upon."

@@ -112,6 +112,9 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
 - `depth` is ignored if its value is less than or equal to 0.

+If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
+See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
+
 !!! example "Example of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
@@ -218,6 +221,63 @@ http:
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```

+##### `ipStrategy.ipv6Subnet`
+
+This strategy applies to `Depth` and `RemoteAddr` strategy only.
+If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
+
+This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
+
+- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
+
+!!! example "Example of ipv6Subnet"
+
+    If `ipv6Subnet` is provided, the IP is transformed in the following way.
+
+    | `IP`                      | `ipv6Subnet` | clientIP              |
+    |---------------------------|--------------|-----------------------|
+    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
+    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
+    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    sourceCriterion:
+      ipStrategy:
+        ipv6Subnet: 64
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        sourceCriterion:
+          ipStrategy:
+            ipv6Subnet: 64
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
+      ipv6Subnet = 64
+```
+
 #### `sourceCriterion.requestHeaderName`

 Name of the header used to group incoming requests.
@@ -278,7 +338,7 @@ spec:
      requestHost: true
 ```

-```yaml tab="Cosul Catalog"
+```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```

--- a/docs/content/middlewares/http/ipallowlist.md
+++ b/docs/content/middlewares/http/ipallowlist.md
@@ -8,11 +8,11 @@ description: "Learn how to use IPAllowList in HTTP middleware for limiting clien
 Limiting Clients to Specific IPs
 {: .subtitle }

-IPAllowList accepts / refuses requests based on the client IP.
+IPAllowList limits allowed requests based on the client IP.

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Accepts request from defined IP
 labels:
  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
@@ -57,6 +57,8 @@ http:

 ### `sourceRange`

+_Required_
+
 The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).

 ### `ipStrategy`
@@ -73,6 +75,9 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is less than or equal to 0.

+If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
+See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
+
 !!! example "Examples of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
@@ -83,7 +88,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Allowlisting Based on `X-Forwarded-For` with `depth=2`
 labels:
  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
@@ -149,9 +154,10 @@ http:
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
+    - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
    - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

@@ -163,6 +169,9 @@ metadata:
  name: test-ipallowlist
 spec:
  ipAllowList:
+    sourceRange:
+      - 127.0.0.1/32
+      - 192.168.1.0/24
    ipStrategy:
      excludedIPs:
        - 127.0.0.1/32
@@ -171,6 +180,7 @@ spec:

 ```yaml tab="Consul Catalog"
 # Exclude from `X-Forwarded-For`
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

@@ -180,16 +190,77 @@ http:
  middlewares:
    test-ipallowlist:
      ipAllowList:
+        sourceRange:
+         - 127.0.0.1/32
+         - 192.168.1.0/24
        ipStrategy:
          excludedIPs:
-            - "127.0.0.1/32"
-            - "192.168.1.7"
+            - 127.0.0.1/32
+            - 192.168.1.7
 ```

 ```toml tab="File (TOML)"
 # Exclude from `X-Forwarded-For`
 [http.middlewares]
  [http.middlewares.test-ipallowlist.ipAllowList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.0/24"]
    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
+
+#### `ipStrategy.ipv6Subnet`
+
+This strategy applies to `Depth` and `RemoteAddr` strategy only.
+If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
+
+This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
+
+- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
+
+!!! example "Example of ipv6Subnet"
+
+    If `ipv6Subnet` is provided, the IP is transformed in the following way.
+
+    | `IP`                      | `ipv6Subnet` | clientIP              |
+    |---------------------------|--------------|-----------------------|
+    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
+    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
+    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipallowlist
+spec:
+  ipallowlist:
+    sourceCriterion:
+      ipStrategy:
+        ipv6Subnet: 64
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ipallowlist:
+      ipallowlist:
+        sourceCriterion:
+          ipStrategy:
+            ipv6Subnet: 64
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ipallowlist.ipallowlist]
+    [http.middlewares.test-ipallowlist.ipallowlist.sourceCriterion.ipStrategy]
+      ipv6Subnet = 64
+```
--- a/docs/content/middlewares/http/ipwhitelist.md
+++ b/docs/content/middlewares/http/ipwhitelist.md
@@ -10,7 +10,7 @@ Limiting Clients to Specific IPs

 ![IPWhiteList](../../assets/img/middleware/ipwhitelist.png)

-IPWhiteList accepts / refuses requests based on the client IP.
+IPWhiteList limits allowed requests based on the client IP.

 !!! warning

@@ -63,6 +63,8 @@ http:

 ### `sourceRange`

+_Required_
+
 The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).

 ### `ipStrategy`
@@ -79,6 +81,9 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is less than or equal to 0.

+If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
+See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
+
 !!! example "Examples of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
@@ -158,6 +163,7 @@ http:
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
+    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

@@ -170,6 +176,9 @@ metadata:
 spec:
  ipWhiteList:
    ipStrategy:
+      sourceRange:
+        - 127.0.0.1/32
+        - 192.168.1.0/24
      excludedIPs:
        - 127.0.0.1/32
        - 192.168.1.7
@@ -177,6 +186,7 @@ spec:

 ```yaml tab="Consul Catalog"
 # Exclude from `X-Forwarded-For`
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

@@ -186,16 +196,77 @@ http:
  middlewares:
    test-ipwhitelist:
      ipWhiteList:
+        sourceRange:
+          - 127.0.0.1/32
+          - 192.168.1.0/24
        ipStrategy:
          excludedIPs:
-            - "127.0.0.1/32"
-            - "192.168.1.7"
+            - 127.0.0.1/32
+            - 192.168.1.7
 ```

 ```toml tab="File (TOML)"
 # Exclude from `X-Forwarded-For`
 [http.middlewares]
  [http.middlewares.test-ipwhitelist.ipWhiteList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.0/24"]
    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
+
+#### `ipStrategy.ipv6Subnet`
+
+This strategy applies to `Depth` and `RemoteAddr` strategy only.
+If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
+
+This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
+
+- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
+
+!!! example "Example of ipv6Subnet"
+
+    If `ipv6Subnet` is provided, the IP is transformed in the following way.
+
+    | `IP`                      | `ipv6Subnet` | clientIP              |
+    |---------------------------|--------------|-----------------------|
+    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
+    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
+    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ipWhiteList.ipWhiteList.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipWhiteList
+spec:
+  ipWhiteList:
+    sourceCriterion:
+      ipStrategy:
+        ipv6Subnet: 64
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ipWhiteList.ipWhiteList.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ipWhiteList:
+      ipWhiteList:
+        sourceCriterion:
+          ipStrategy:
+            ipv6Subnet: 64
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ipWhiteList.ipWhiteList]
+    [http.middlewares.test-ipWhiteList.ipWhiteList.sourceCriterion.ipStrategy]
+      ipv6Subnet = 64
+```
--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -24,7 +24,7 @@ whoami:
    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```

-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 # As a Kubernetes Traefik IngressRoute
 ---
 apiVersion: traefik.io/v1alpha1
--- a/docs/content/middlewares/http/ratelimit.md
+++ b/docs/content/middlewares/http/ratelimit.md
@@ -211,7 +211,7 @@ If none are set, the default is to use the request's remote address field (as an

 #### `sourceCriterion.ipStrategy`

-The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines three parameters that configures how Traefik determines the client IP: `depth`, `excludedIPs` and `ipv6Subnet`.

 !!! important "As a middleware, rate-limiting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through rate-limiting. Therefore, during rate-limiting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be found and/or relied upon."

@@ -222,6 +222,9 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
 - `depth` is ignored if its value is less than or equal to 0.

+If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
+See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
+
 !!! example "Example of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
@@ -355,10 +358,69 @@ http:
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```

+##### `ipStrategy.ipv6Subnet`
+
+This strategy applies to `Depth` and `RemoteAddr` strategy only.
+If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
+
+This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
+
+- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
+
+!!! example "Example of ipv6Subnet"
+
+    If `ipv6Subnet` is provided, the IP is transformed in the following way.
+
+    | `IP`                      | `ipv6Subnet` | clientIP              |
+    |---------------------------|--------------|-----------------------|
+    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
+    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
+    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  ratelimit:
+    sourceCriterion:
+      ipStrategy:
+        ipv6Subnet: 64
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      ratelimit:
+        sourceCriterion:
+          ipStrategy:
+            ipv6Subnet: 64
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.ratelimit]
+    [http.middlewares.test-ratelimit.ratelimit.sourceCriterion.ipStrategy]
+      ipv6Subnet = 64
+```
+
 #### `sourceCriterion.requestHeaderName`

 Name of the header used to group incoming requests.

+!!! important "If the header is not present, rate limiting will still be applied, but all requests without the specified header will be grouped together."
+
 ```yaml tab="Docker & Swarm"
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
--- a/docs/content/middlewares/http/redirectregex.md
+++ b/docs/content/middlewares/http/redirectregex.md
@@ -84,3 +84,5 @@ The `replacement` option defines how to modify the URL to have the new target UR
 !!! warning

    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/retry.md
+++ b/docs/content/middlewares/http/retry.md
@@ -12,8 +12,11 @@ Retrying until it Succeeds
 TODO: add schema
 -->

-The Retry middleware reissues requests a given number of times to a backend server if that server does not reply.
-As soon as the server answers, the middleware stops retrying, regardless of the response status.
+The Retry middleware reissues requests a given number of times when it cannot contact the backend service. 
+This applies at the transport level (TCP). 
+If the service does not respond to the initial connection attempt, the middleware retries.
+However, once the service responds, regardless of the HTTP status code, the middleware considers it operational and stops retrying.
+This means that the retry mechanism does not handle HTTP errors; it only retries when there is no response at the TCP level.
 The Retry middleware has an optional configuration to enable an exponential backoff.

 ## Configuration Examples
--- a/docs/content/middlewares/http/stripprefix.md
+++ b/docs/content/middlewares/http/stripprefix.md
@@ -145,3 +145,5 @@ http:
    prefixes = ["/foobar"]
    forceSlash = false
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -35,7 +35,7 @@ whoami:
    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```

-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
--- a/docs/content/middlewares/tcp/ipallowlist.md
+++ b/docs/content/middlewares/tcp/ipallowlist.md
@@ -8,7 +8,7 @@ description: "Learn how to use IPAllowList in TCP middleware for limiting client
 Limiting Clients to Specific IPs
 {: .subtitle }

-IPAllowList accepts / refuses connections based on the client IP.
+IPAllowList limits allowed requests based on the client IP.

 ## Configuration Examples

--- a/docs/content/middlewares/tcp/overview.md
+++ b/docs/content/middlewares/tcp/overview.md
@@ -24,7 +24,7 @@ whoami:
    - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
 ```

-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 # As a Kubernetes Traefik IngressRoute
 ---
 apiVersion: traefik.io/v1alpha1
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -44,7 +44,7 @@ Then any router can refer to an instance of the wanted middleware.
      - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
    ```

-    ```yaml tab="K8s Ingress"
+    ```yaml tab="Ingress"
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
@@ -107,7 +107,7 @@ Then any router can refer to an instance of the wanted middleware.
      - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
    ```

-    ```yaml tab="K8s IngressRoute"
+    ```yaml tab="IngressRoute"
    # The definitions below require the definitions for the Middleware and IngressRoute kinds.
    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.io/v1alpha1
@@ -278,7 +278,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
        ]
    ```

-    ```yaml tab="K8s IngressRoute"
+    ```yaml tab="IngressRoute"
    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.io/v1alpha1
@@ -354,7 +354,7 @@ To apply a redirection:
    ```

    ```bash tab="CLI"
-    --entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure
+    --entryPoints=Name:web Address::80 Redirect.EntryPoint:websecure
    --entryPoints='Name:websecure Address::443 TLS'
    ```

@@ -394,10 +394,10 @@ To apply a redirection:
    ```bash tab="CLI"
    ## static configuration

-    --entrypoints.web.address=:80
-    --entrypoints.web.http.redirections.entrypoint.to=websecure
-    --entrypoints.web.http.redirections.entrypoint.scheme=https
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.redirections.entrypoint.to=websecure
+    --entryPoints.web.http.redirections.entrypoint.scheme=https
+    --entryPoints.websecure.address=:443
    --providers.docker=true
    ```

@@ -442,7 +442,7 @@ To apply a redirection:
      traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
    ```

-    ```yaml tab="K8s IngressRoute"
+    ```yaml tab="IngressRoute"
    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
@@ -561,7 +561,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
      - "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"
    ```

-    ```yaml tab="Kubernetes Ingress"
+    ```yaml tab="Ingress"
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
@@ -595,7 +595,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
      - "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
    ```

-    ```yaml tab="Kubernetes IngressRoute"
+    ```yaml tab="IngressRoute"
    ---
    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
@@ -750,8 +750,8 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
    --certificatesresolvers.myresolver.acme.email=your-email@example.com
    --certificatesresolvers.myresolver.acme.storage=acme.json
    --certificatesresolvers.myresolver.acme.tlschallenge=true
@@ -1078,7 +1078,7 @@ To activate the dashboard, you can either:
      routers:
        api:
          rule: Host(`traefik.docker.localhost`)
-          entrypoints:
+          entryPoints:
            - websecure
          service: api@internal
          middlewares:
--- a/docs/content/migration/v2-to-v3-details.md
+++ b/docs/content/migration/v2-to-v3-details.md
@@ -0,0 +1,751 @@
+---
+title: "Traefik V3 Migration Details"
+description: "Configuration changes and their details to successfully migrate from Traefik v2 to v3."
+---
+
+# Configuration Details for Migrating from Traefik v2 to v3
+
+## Static Configuration Changes
+
+### SwarmMode
+
+In v3, the provider Docker has been split into 2 providers:
+
+- Docker provider (without Swarm support)
+- Swarm provider  (Swarm support only)
+
+??? example "An example usage of v2 Docker provider with Swarm"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        swarmMode: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+        swarmMode=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.docker.swarmMode=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+In v3, the `swarmMode` should not be used with the Docker provider, and, to use Swarm, the Swarm provider should be used instead.
+
+??? example "An example usage of the Swarm provider"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      swarm:
+        endpoint: "tcp://127.0.0.1:2377"
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.swarm]
+        endpoint="tcp://127.0.0.1:2377"
+    ```
+
+    ```bash tab="CLI"
+    --providers.swarm.endpoint=tcp://127.0.0.1:2377
+    ```
+
+#### TLS.CAOptional
+
+Docker provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.docker.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.docker.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the Docker provider static configuration.
+
+### Kubernetes Gateway API
+
+#### Experimental Channel Resources (TLSRoute and TCPRoute)
+
+In v3, the Kubernetes Gateway API provider does not enable support for the experimental channel API resources by default.
+
+##### Remediation
+
+The `experimentalChannel` option should be used to enable the support for the experimental channel API resources.
+
+??? example "An example usage of the Kubernetes Gateway API provider with experimental channel support enabled"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      kubernetesGateway:
+        experimentalChannel: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.kubernetesGateway]
+        experimentalChannel = true
+      # ...
+    ```
+
+    ```bash tab="CLI"
+    --providers.kubernetesgateway.experimentalchannel=true
+    ```
+
+### Experimental Configuration
+
+#### HTTP3
+
+In v3, HTTP/3 is no longer an experimental feature.
+It can be enabled on entry points without the associated `experimental.http3` option, which is now removed.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 Experimental `http3` option"
+
+    ```yaml tab="File (YAML)"
+    experimental:
+      http3: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [experimental]
+        http3=true
+    ```
+
+    ```bash tab="CLI"
+    --experimental.http3=true
+    ```
+
+##### Remediation
+
+The `http3` option should be removed from the static configuration experimental section.
+To configure `http3`, please checkout the [entrypoint configuration documentation](../routing/entrypoints.md#http3_1).
+
+### Consul provider
+
+#### namespace
+
+The Consul provider `namespace` option was deprecated in v2 and is now removed in v3.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 Consul `namespace` option"
+
+    ```yaml tab="File (YAML)"
+    consul:
+      namespace: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consul]
+        namespace=foobar
+    ```
+
+    ```bash tab="CLI"
+    --consul.namespace=foobar
+    ```
+
+##### Remediation
+
+In v3, the `namespaces` option should be used instead of the `namespace` option.
+
+??? example "An example usage of Consul `namespaces` option"
+
+    ```yaml tab="File (YAML)"
+    consul:
+      namespaces:
+        - foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consul]
+        namespaces=["foobar"]
+    ```
+
+    ```bash tab="CLI"
+    --consul.namespaces=foobar
+    ```
+
+#### TLS.CAOptional
+
+Consul provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      consul:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.consul.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.consul.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the Consul provider static configuration.
+
+### ConsulCatalog provider
+
+#### namespace
+
+The ConsulCatalog provider `namespace` option was deprecated in v2 and is now removed in v3.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 ConsulCatalog `namespace` option"
+
+    ```yaml tab="File (YAML)"
+    consulCatalog:
+      namespace: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consulCatalog]
+        namespace=foobar
+    ```
+
+    ```bash tab="CLI"
+    --consulCatalog.namespace=foobar
+    ```
+
+##### Remediation
+
+In v3, the `namespaces` option should be used instead of the `namespace` option.
+
+??? example "An example usage of ConsulCatalog `namespaces` option"
+
+    ```yaml tab="File (YAML)"
+    consulCatalog:
+      namespaces:
+        - foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consulCatalog]
+        namespaces=["foobar"]
+    ```
+
+    ```bash tab="CLI"
+    --consulCatalog.namespaces=foobar
+    ```
+
+#### Endpoint.TLS.CAOptional
+
+ConsulCatalog provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the Endpoint.TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      consulCatalog:
+        endpoint:
+          tls: 
+            caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.consulCatalog.endpoint.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.consulCatalog.endpoint.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `endpoint.tls.caOptional` option should be removed from the ConsulCatalog provider static configuration.
+
+### Nomad provider
+
+#### namespace
+
+The Nomad provider `namespace` option was deprecated in v2 and is now removed in v3.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 Nomad `namespace` option"
+
+    ```yaml tab="File (YAML)"
+    nomad:
+      namespace: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [nomad]
+        namespace=foobar
+    ```
+
+    ```bash tab="CLI"
+    --nomad.namespace=foobar
+    ```
+
+##### Remediation
+
+In v3, the `namespaces` option should be used instead of the `namespace` option.
+
+??? example "An example usage of Nomad `namespaces` option"
+
+    ```yaml tab="File (YAML)"
+    nomad:
+      namespaces:
+        - foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [nomad]
+        namespaces=["foobar"]
+    ```
+
+    ```bash tab="CLI"
+    --nomad.namespaces=foobar
+    ```
+
+#### Endpoint.TLS.CAOptional
+
+Nomad provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the Endpoint.TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      nomad:
+        endpoint:
+          tls: 
+            caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.nomad.endpoint.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.nomad.endpoint.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `endpoint.tls.caOptional` option should be removed from the Nomad provider static configuration.
+
+### Rancher v1 Provider
+
+In v3, the Rancher v1 provider has been removed because Rancher v1 is [no longer actively maintained](https://rancher.com/docs/os/v1.x/en/support/),
+and Rancher v2 is supported as a standard Kubernetes provider.
+
+??? example "An example of Traefik v2 Rancher v1 configuration"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      rancher: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.rancher]
+    ```
+
+    ```bash tab="CLI"
+    --providers.rancher=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
+As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](../providers/kubernetes-crd.md) directly.
+
+Also, all Rancher provider related configuration should be removed from the static configuration.
+
+### Marathon provider
+
+Marathon maintenance [ended on October 31, 2021](https://github.com/mesosphere/marathon/blob/master/README.md).
+In v3, the Marathon provider has been removed.
+
+??? example "An example of v2 Marathon provider configuration"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      marathon: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.marathon]
+    ```
+
+    ```bash tab="CLI"
+    --providers.marathon=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+All Marathon provider related configuration should be removed from the static configuration.
+
+### HTTP Provider
+
+#### TLS.CAOptional
+
+HTTP provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      http:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.http.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.http.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the HTTP provider static configuration.
+
+### ETCD Provider
+
+#### TLS.CAOptional
+
+ETCD provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      etcd:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.etcd.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.etcd.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the ETCD provider static configuration.
+
+### Redis Provider
+
+#### TLS.CAOptional
+
+Redis provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      redis:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.redis.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.redis.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the Redis provider static configuration.
+
+### InfluxDB v1
+
+InfluxDB v1.x maintenance [ended in 2021](https://www.influxdata.com/blog/influxdb-oss-and-enterprise-roadmap-update-from-influxdays-emea/).
+In v3, the InfluxDB v1 metrics provider has been removed.
+
+??? example "An example of Traefik v2 InfluxDB v1 metrics configuration"
+
+    ```yaml tab="File (YAML)"
+    metrics:
+      influxDB: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [metrics.influxDB]
+    ```
+
+    ```bash tab="CLI"
+    --metrics.influxDB=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+All InfluxDB v1 metrics provider related configuration should be removed from the static configuration.
+
+### Pilot
+
+Traefik Pilot is no longer available since October 4th, 2022.
+
+??? example "An example of v2 Pilot configuration"
+
+    ```yaml tab="File (YAML)"
+    pilot:
+      token: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [pilot]
+        token=foobar
+    ```
+
+    ```bash tab="CLI"
+    --pilot.token=foobar
+    ```
+
+In v2, Pilot configuration was deprecated and ineffective,
+it is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+All Pilot related configuration should be removed from the static configuration.
+
+### Kubernetes Ingress Path Matching
+
+In v3, the Kubernetes Ingress default path matching does not support regexes anymore.
+
+#### Remediation
+
+Two levels of remediation are possible:
+
+- Interpret the default path matcher `PathPrefix` with v2 syntax.
+This can done globally for all routers with the [static configuration](#configure-the-default-syntax-in-static-configuration) or on a per-router basis by using the [traefik.ingress.kubernetes.io/router.rulesyntax](../routing/providers/kubernetes-ingress.md#annotations) annotation.
+
+- Adapt the path regex to be compatible with the Go regex syntax and change the default path matcher to use the `PathRegexp` matcher with the [`traefik.ingress.kubernetes.io/router.pathmatcher`](../routing/providers/kubernetes-ingress.md#annotations) annotation.
+
+## Operations Changes
+
+### Traefik RBAC Update
+
+In v3, the support of `TCPServersTransport` has been introduced.
+When using the KubernetesCRD provider, it is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) manifests.
+
+### Content-Type Auto-Detection
+
+In v3, the `Content-Type` header is not auto-detected anymore when it is not set by the backend.
+One should use the `ContentType` middleware to enable the `Content-Type` header value auto-detection.
+
+### Observability
+
+#### Open Connections Metric
+
+In v3, the open connections metric has been replaced with a global one because it was erroneously at the HTTP level, and providing misleading information.
+While previously produced at the entryPoint, router, and service levels, it is now replaced with a global metric.
+The equivalent to `traefik_entrypoint_open_connections`, `traefik_router_open_connections` and `traefik_service_open_connections` is now `traefik_open_connections`.
+
+#### Configuration Reload Failures Metrics
+
+In v3, the `traefik_config_reloads_failure_total` and `traefik_config_last_reload_failure` metrics have been suppressed since they could not be implemented.
+
+#### gRPC Metrics
+
+In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.
+
+#### Tracing
+
+In v3, the tracing feature has been revamped and is now powered exclusively by [OpenTelemetry](https://opentelemetry.io/ "Link to website of OTel") (OTel).
+!!! warning "Important"
+    Traefik v3 **no** longer supports direct output formats for specific vendors such as Instana, Jaeger, Zipkin, Haystack, Datadog, and Elastic.
+    Instead, it focuses on pure OpenTelemetry implementation, providing a unified and standardized approach for observability.
+
+Here are two possible transition strategies:
+
+1. OTLP Ingestion Endpoints:
+
+    Most vendors now offer OpenTelemetry Protocol (OTLP) ingestion endpoints.
+    You can seamlessly integrate Traefik v3 with these endpoints to continue leveraging tracing capabilities.
+
+2. Legacy Stack Compatibility:
+
+    For legacy stacks that cannot immediately upgrade to the latest vendor agents supporting OTLP ingestion,
+    using OpenTelemetry (OTel) collectors with appropriate exporters configuration is a viable solution.
+    This allows continued compatibility with the existing infrastructure.
+
+Please check the [OpenTelemetry Tracing provider documention](../observability/tracing/opentelemetry.md) for more information.
+
+#### Internal Resources Observability
+
+In v3, observability for internal routers or services (e.g.: `ping@internal`) is disabled by default.
+To enable it one should use the new `addInternals` option for AccessLogs, Metrics or Tracing.
+Please take a look at the observability documentation for more information:
+
+- [AccessLogs](../observability/access-logs.md#addinternals)
+- [Metrics](../observability/metrics/overview.md#addinternals)
+- [Tracing](../observability/tracing/overview.md#addinternals)
+
+#### Access logs
+
+In v3, the `ServiceURL` field is not an object anymore but a string representation.
+An update may be required if you index access logs.
+
+## Dynamic Configuration Changes
+
+### Router Rule Matchers
+
+In v3, a new rule matchers syntax has been introduced for HTTP and TCP routers.
+The default rule matchers syntax is now the v3 one, but for backward compatibility this can be configured.
+The v2 rule matchers syntax is deprecated and its support will be removed in the next major version.
+For this reason, we encourage migrating to the new syntax.
+
+By default, the `defaultRuleSyntax` static option is automatically set to `v3`, meaning that the default rule is the new one.
+
+#### New V3 Syntax Notable Changes
+
+The `Headers` and `HeadersRegexp` matchers have been renamed to `Header` and `HeaderRegexp` respectively.
+
+`PathPrefix` no longer uses regular expressions to match path prefixes.
+
+`QueryRegexp` has been introduced to match query values using a regular expression.
+
+`HeaderRegexp`, `HostRegexp`, `PathRegexp`, `QueryRegexp`, and `HostSNIRegexp` matchers now uses the [Go regexp syntax](https://golang.org/pkg/regexp/syntax/).
+
+All matchers now take a single value (except `Header`, `HeaderRegexp`, `Query`, and `QueryRegexp` which take two)
+and should be explicitly combined using logical operators to mimic previous behavior.
+
+`Query` can take a single value to match is the query value that has no value (e.g. `/search?mobile`).
+
+`HostHeader` has been removed, use `Host` instead.
+
+#### Remediation
+
+##### Configure the Default Syntax In Static Configuration
+
+The default rule matchers syntax is the expected syntax for any router that is not self opt-out from this default value.
+It can be configured in the static configuration.
+
+??? example "An example configuration for the default rule matchers syntax"
+
+    ```yaml tab="File (YAML)"
+    # static configuration
+    core:
+      defaultRuleSyntax: v2
+    ```
+
+    ```toml tab="File (TOML)"
+    # static configuration
+    [core]
+        defaultRuleSyntax="v2"
+    ```
+
+    ```bash tab="CLI"
+    # static configuration
+    --core.defaultRuleSyntax=v2
+    ```
+
+##### Configure the Syntax Per Router
+
+The rule syntax can also be configured on a per-router basis.
+This allows to have heterogeneous router configurations and ease migration.
+
+??? example "An example router with syntax configuration"
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.routers.test.ruleSyntax=v2"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: test.route
+  namespace: default
+
+spec:
+  routes:
+    - match: PathPrefix(`/foo`, `/bar`)
+      syntax: v2
+      kind: Rule
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.routers.test.ruleSyntax=v2"
+```
+
+```yaml tab="File (YAML)"
+http:
+  routers:
+    test:
+      ruleSyntax: v2
+```
+
+```toml tab="File (TOML)"
+[http.routers]
+  [http.routers.test]
+    ruleSyntax = "v2"
+```
+
+### IPWhiteList
+
+In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration. 
+
+### Deprecated Options Removal
+
+- The `tracing.datadog.globaltag` option has been removed.
+- The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Consul Catalog, and Docker providers.
+- `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
+- The `forceSlash` option of the StripPrefix middleware has been removed.
+- The `preferServerCipherSuites` option has been removed.
+
+### TCP LoadBalancer `terminationDelay` option
+
+The TCP LoadBalancer `terminationDelay` option has been removed.
+This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)
+
+### Kubernetes CRDs API Group `traefik.containo.us`
+
+In v3, the Kubernetes CRDs API Group `traefik.containo.us` has been removed. 
+Please use the API Group `traefik.io` instead.
+
+### Kubernetes Ingress API Group `networking.k8s.io/v1beta1`
+
+In v3, the Kubernetes Ingress API Group `networking.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122)) support has been removed.
+
+Please use the API Group `networking.k8s.io/v1` instead.
+
+### Traefik CRD API Version `apiextensions.k8s.io/v1beta1`
+
+In v3, the Traefik CRD API Version `apiextensions.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#customresourcedefinition-v122)) support has been removed.
+
+Please use the CRD definition with the API Version `apiextensions.k8s.io/v1` instead.
--- a/docs/content/migration/v2-to-v3.md
+++ b/docs/content/migration/v2-to-v3.md
@@ -8,700 +8,70 @@ description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary c
 How to Migrate from Traefik v2 to Traefik v3.
 {: .subtitle }

-The version 3 of Traefik introduces a number of breaking changes,
-which require one to update their configuration when they migrate from v2 to v3.
-The goal of this page is to recapitulate all of these changes,
-and in particular to give examples, feature by feature, 
-of how the configuration looked like in v2,
-and how it now looks like in v3.
+With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.

-## Static configuration
+Here are the steps to progressively migrate from Traefik v2 to v3:

-### Docker & Docker Swarm
+1. [Prepare configurations and test v3](#step-1-prepare-configurations-and-test-v3)
+1. [Migrate production instances to Traefik v3](#step-2-migrate-production-instances-to-traefik-v3)
+1. [Progressively migrate dynamic configuration](#step-3-progressively-migrate-dynamic-configuration)

-#### SwarmMode
+## Step 1: Prepare Configurations and Test v3

-In v3, the provider Docker has been split into 2 providers:
+Check the changes in [static configurations](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3.
+Modify your configurations accordingly.

- Docker provider (without Swarm support)
- Swarm provider  (Swarm support only)
+Then, add the following snippet to the static configuration:

-??? example "An example usage of v2 Docker provider with Swarm"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      docker:
-        swarmMode: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.docker]
-        swarmMode=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.docker.swarmMode=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-##### Remediation
-
-In v3, the `swarmMode` should not be used with the Docker provider, and, to use Swarm, the Swarm provider should be used instead.
-
-??? example "An example usage of the Swarm provider"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      swarm:
-        endpoint: "tcp://127.0.0.1:2377"
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.swarm]
-        endpoint="tcp://127.0.0.1:2377"
-    ```
-
-    ```bash tab="CLI"
-    --providers.swarm.endpoint=tcp://127.0.0.1:2377
-    ```
-
-#### TLS.CAOptional
-
-Docker provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      docker:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.docker.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.docker.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the Docker provider static configuration.
-
-### Experimental Configuration
-
-#### HTTP3
-
-In v3, HTTP/3 is no longer an experimental feature.
-It can be enabled on entry points without the associated `experimental.http3` option, which is now removed.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 Experimental `http3` option"
-
-    ```yaml tab="File (YAML)"
-    experimental:
-      http3: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [experimental]
-        http3=true
-    ```
-
-    ```bash tab="CLI"
-    --experimental.http3=true
-    ```
-
-##### Remediation
-
-The `http3` option should be removed from the static configuration experimental section.
-
-### Consul provider
-
-#### namespace
-
-The Consul provider `namespace` option was deprecated in v2 and is now removed in v3.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 Consul `namespace` option"
-
-    ```yaml tab="File (YAML)"
-    consul:
-      namespace: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consul]
-        namespace=foobar
-    ```
-
-    ```bash tab="CLI"
-    --consul.namespace=foobar
-    ```
-
-##### Remediation
-
-In v3, the `namespaces` option should be used instead of the `namespace` option.
-
-??? example "An example usage of Consul `namespaces` option"
-
-    ```yaml tab="File (YAML)"
-    consul:
-      namespaces:
-        - foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consul]
-        namespaces=["foobar"]
-    ```
-
-    ```bash tab="CLI"
-    --consul.namespaces=foobar
-    ```
-
-#### TLS.CAOptional
-
-Consul provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      consul:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.consul.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.consul.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the Consul provider static configuration.
-
-### ConsulCatalog provider
-
-#### namespace
-
-The ConsulCatalog provider `namespace` option was deprecated in v2 and is now removed in v3.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 ConsulCatalog `namespace` option"
-
-    ```yaml tab="File (YAML)"
-    consulCatalog:
-      namespace: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consulCatalog]
-        namespace=foobar
-    ```
-
-    ```bash tab="CLI"
-    --consulCatalog.namespace=foobar
-    ```
-
-##### Remediation
-
-In v3, the `namespaces` option should be used instead of the `namespace` option.
-
-??? example "An example usage of ConsulCatalog `namespaces` option"
-
-    ```yaml tab="File (YAML)"
-    consulCatalog:
-      namespaces:
-        - foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consulCatalog]
-        namespaces=["foobar"]
-    ```
-
-    ```bash tab="CLI"
-    --consulCatalog.namespaces=foobar
-    ```
-
-#### Endpoint.TLS.CAOptional
-
-ConsulCatalog provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the Endpoint.TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      consulCatalog:
-        endpoint:
-          tls: 
-            caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.consulCatalog.endpoint.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.consulCatalog.endpoint.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `endpoint.tls.caOptional` option should be removed from the ConsulCatalog provider static configuration.
-
-### Nomad provider
-
-#### namespace
-
-The Nomad provider `namespace` option was deprecated in v2 and is now removed in v3.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 Nomad `namespace` option"
-
-    ```yaml tab="File (YAML)"
-    nomad:
-      namespace: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [nomad]
-        namespace=foobar
-    ```
-
-    ```bash tab="CLI"
-    --nomad.namespace=foobar
-    ```
-
-##### Remediation
-
-In v3, the `namespaces` option should be used instead of the `namespace` option.
-
-??? example "An example usage of Nomad `namespaces` option"
-
-    ```yaml tab="File (YAML)"
-    nomad:
-      namespaces:
-        - foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [nomad]
-        namespaces=["foobar"]
-    ```
-
-    ```bash tab="CLI"
-    --nomad.namespaces=foobar
-    ```
-
-#### Endpoint.TLS.CAOptional
-
-Nomad provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the Endpoint.TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      nomad:
-        endpoint:
-          tls: 
-            caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.nomad.endpoint.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.nomad.endpoint.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `endpoint.tls.caOptional` option should be removed from the Nomad provider static configuration.
-
-### Rancher v1 Provider
-
-In v3, the Rancher v1 provider has been removed because Rancher v1 is [no longer actively maintained](https://rancher.com/docs/os/v1.x/en/support/),
-and Rancher v2 is supported as a standard Kubernetes provider.
-
-??? example "An example of Traefik v2 Rancher v1 configuration"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      rancher: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.rancher]
-    ```
-
-    ```bash tab="CLI"
-    --providers.rancher=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
-As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](../providers/kubernetes-crd.md) directly.
-
-Also, all Rancher provider related configuration should be removed from the static configuration.
-
-### Marathon provider
-
-Marathon maintenance [ended on October 31, 2021](https://github.com/mesosphere/marathon/blob/master/README.md).
-In v3, the Marathon provider has been removed.
-
-??? example "An example of v2 Marathon provider configuration"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      marathon: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.marathon]
-    ```
-
-    ```bash tab="CLI"
-    --providers.marathon=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-All Marathon provider related configuration should be removed from the static configuration.
-
-### HTTP Provider
-
-#### TLS.CAOptional
-
-HTTP provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      http:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.http.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.http.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the HTTP provider static configuration.
-
-### ETCD Provider
-
-#### TLS.CAOptional
-
-ETCD provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      etcd:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.etcd.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.etcd.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the ETCD provider static configuration.
-
-### Redis Provider
-
-#### TLS.CAOptional
-
-Redis provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      redis:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.redis.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.redis.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the Redis provider static configuration.
-
-### InfluxDB v1
-
-InfluxDB v1.x maintenance [ended in 2021](https://www.influxdata.com/blog/influxdb-oss-and-enterprise-roadmap-update-from-influxdays-emea/).
-In v3, the InfluxDB v1 metrics provider has been removed.
-
-??? example "An example of Traefik v2 InfluxDB v1 metrics configuration"
-
-    ```yaml tab="File (YAML)"
-    metrics:
-      influxDB: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [metrics.influxDB]
-    ```
-
-    ```bash tab="CLI"
-    --metrics.influxDB=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-All InfluxDB v1 metrics provider related configuration should be removed from the static configuration.
-
-### Pilot
-
-Traefik Pilot is no longer available since October 4th, 2022.
-
-??? example "An example of v2 Pilot configuration"
-
-    ```yaml tab="File (YAML)"
-    pilot:
-      token: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [pilot]
-        token=foobar
-    ```
-
-    ```bash tab="CLI"
-    --pilot.token=foobar
-    ```
-
-In v2, Pilot configuration was deprecated and ineffective,
-it is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-All Pilot related configuration should be removed from the static configuration.
-
-## Dynamic configuration
-
-### Router Rule Matchers
-
-In v3, a new rule matchers syntax has been introduced for HTTP and TCP routers.
-The default rule matchers syntax is now the v3 one, but for backward compatibility this can be configured.
-The v2 rule matchers syntax is deprecated and its support will be removed in the next major version.
-For this reason, we encourage migrating to the new syntax.
-
-By default, the `defaultRuleSyntax` static option is automatically set to `v3`, meaning that the default rule is the new one.
-
-#### New V3 Syntax Notable Changes
-
-The `Headers` and `HeadersRegexp` matchers have been renamed to `Header` and `HeaderRegexp` respectively.
-
-`PathPrefix` no longer uses regular expressions to match path prefixes.
-
-`QueryRegexp` has been introduced to match query values using a regular expression.
-
-`HeaderRegexp`, `HostRegexp`, `PathRegexp`, `QueryRegexp`, and `HostSNIRegexp` matchers now uses the [Go regexp syntax](https://golang.org/pkg/regexp/syntax/).
-
-All matchers now take a single value (except `Header`, `HeaderRegexp`, `Query`, and `QueryRegexp` which take two)
-and should be explicitly combined using logical operators to mimic previous behavior.
-
-`Query` can take a single value to match is the query value that has no value (e.g. `/search?mobile`).
-
-`HostHeader` has been removed, use `Host` instead.
-
-#### Remediation
-
-##### Configure the Default Syntax In Static Configuration
-
-The default rule matchers syntax is the expected syntax for any router that is not self opt-out from this default value.
-It can be configured in the static configuration.
-
-??? example "An example configuration for the default rule matchers syntax"
-
-    ```yaml tab="File (YAML)"
-    # static configuration
-    core:
-      defaultRuleSyntax: v2
-    ```
-
-    ```toml tab="File (TOML)"
-    # static configuration
-    [core]
-        defaultRuleSyntax="v2"
-    ```
-
-    ```bash tab="CLI"
-    # static configuration
-    --core.defaultRuleSyntax=v2
-    ```
-
-##### Configure the Syntax Per Router
-
-The rule syntax can also be configured on a per-router basis.
-This allows to have heterogeneous router configurations and ease migration.
-
-??? example "An example router with syntax configuration"
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.routers.test.ruleSyntax=v2"
+```yaml
+# static configuration
+core:
+  defaultRuleSyntax: v2
 ```

-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: test.route
-  namespace: default
+This snippet in the static configuration makes the [v2 format](../migration/v2-to-v3-details.md#configure-the-default-syntax-in-static-configuration "Link to configure default syntax in static config") the default rule matchers syntax.

-spec:
-  routes:
-    - match: PathPrefix(`/foo`, `/bar`)
-      syntax: v2
-      kind: Rule
+Start Traefik v3 with this new configuration to test it.
+
+If you don’t get any error logs while testing, you are good to go!
+Otherwise, follow the remaining migration options highlighted in the logs.
+
+Once your Traefik test instances are starting and routing to your applications, proceed to the next step.
+
+## Step 2: Migrate Production Instances to Traefik v3
+
+We strongly advise you to follow a progressive migration strategy ([Kubernetes rolling update mechanism](https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-intro/ "Link to the Kubernetes rolling update documentation"), for example) to migrate your production instances to v3.
+
+!!! Warning
+    Ensure you have a [real-time monitoring solution](https://traefik.io/blog/capture-traefik-metrics-for-apps-on-kubernetes-with-prometheus/ "Link to the blog on capturing Traefik metrics with Prometheus") for your ingress traffic to detect issues instantly.
+
+During the progressive migration, monitor your ingress traffic for any errors. Be prepared to rollback to a working state in case of any issues.
+
+If you encounter any issues, leverage debug and access logs provided by Traefik to understand what went wrong and how to fix it.
+
+Once every Traefik instance is updated, you will be on Traefik v3!
+
+## Step 3: Progressively Migrate Dynamic Configuration
+
+!!! info
+    This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes").
+    Enable Traefik logs to get some help if any deprecated option is in use.
+
+Check the changes in [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes").
+
+Then, progressively [switch each router to the v3 syntax](./v2-to-v3-details.md#configure-the-syntax-per-router "Link to configuring the syntax per router").
+
+Test and update each Ingress resource and ensure that ingress traffic is not impacted.
+
+Once a v3 Ingress resource migration is validated, deploy the resource and delete the v2 Ingress resource.
+Repeat it until all Ingress resources are migrated.
+
+Now, remove the following snippet added to the static configuration in Step 1:
+
+```yaml
+# static configuration
+core:
+  defaultRuleSyntax: v2
 ```

-```yaml tab="Consul Catalog"
- "traefik.http.routers.test.ruleSyntax=v2"
-```
-
-```yaml tab="File (YAML)"
-http:
-  routers:
-    test:
-      ruleSyntax: v2
-```
-
-```toml tab="File (TOML)"
-[http.routers]
-  [http.routers.test]
-    ruleSyntax = "v2"
-```
-
-### IPWhiteList
-
-In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration. 
-
-### Deprecated Options Removal
-
- The `tracing.datadog.globaltag` option has been removed.
- The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Consul Catalog, and Docker providers.
- `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
- The `forceSlash` option of the StripPrefix middleware has been removed.
- The `preferServerCipherSuites` option has been removed.
-
-### TCP LoadBalancer `terminationDelay` option
-
-The TCP LoadBalancer `terminationDelay` option has been removed.
-This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)
-
-### Kubernetes CRDs API Group `traefik.containo.us`
-
-In v3, the Kubernetes CRDs API Group `traefik.containo.us` has been removed. 
-Please use the API Group `traefik.io` instead.
-
-### Kubernetes Ingress API Group `networking.k8s.io/v1beta1`
-
-In v3, the Kubernetes Ingress API Group `networking.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122)) support has been removed.
-
-Please use the API Group `networking.k8s.io/v1` instead.
-
-### Traefik CRD API Version `apiextensions.k8s.io/v1beta1`
-
-In v3, the Traefik CRD API Version `apiextensions.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#customresourcedefinition-v122)) support has been removed.
-
-Please use the CRD definition with the API Version `apiextensions.k8s.io/v1` instead.
-
-## Operations
-
-### Traefik RBAC Update
-
-In v3, the support of `TCPServersTransport` has been introduced.
-When using the KubernetesCRD provider, it is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) manifests.
-
-### Content-Type Auto-Detection
-
-In v3, the `Content-Type` header is not auto-detected anymore when it is not set by the backend.
-One should use the `ContentType` middleware to enable the `Content-Type` header value auto-detection.
-
-### Observability
-
-#### gRPC Metrics
-
-In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.  
-
-#### Tracing
-
-In v3, the tracing feature has been revamped and is now powered exclusively by [OpenTelemetry](https://opentelemetry.io/ "Link to website of OTel") (OTel).
-!!! warning "Important"
-
-    Traefik v3 **no** longer supports direct output formats for specific vendors such as Instana, Jaeger, Zipkin, Haystack, Datadog, and Elastic.
-Instead, it focuses on pure OpenTelemetry implementation, providing a unified and standardized approach for observability.
-
-Here are two possible transition strategies:
-
-1. OTLP Ingestion Endpoints:
-
-    Most vendors now offer OpenTelemetry Protocol (OTLP) ingestion endpoints.
-    You can seamlessly integrate Traefik v3 with these endpoints to continue leveraging tracing capabilities.
-
-2. Legacy Stack Compatibility:
-
-    For legacy stacks that cannot immediately upgrade to the latest vendor agents supporting OTLP ingestion,
-    using OpenTelemetry (OTel) collectors with appropriate exporters configuration is a viable solution.
-    This allows continued compatibility with the existing infrastructure.
-
-Please check the [OpenTelemetry Tracing provider documention](../observability/tracing/opentelemetry.md) for more information.
-
-#### Internal Resources Observability (AccessLogs, Metrics and Tracing)
-
-In v3, observability for internal routers or services (e.g.: `ping@internal`) is disabled by default.
-To enable it one should use the new `addInternals` option for AccessLogs, Metrics or Tracing.
-Please take a look at the observability documentation for more information:
-
- [AccessLogs](../observability/access-logs.md#addinternals)
- [Metrics](../observability/metrics/overview.md#addinternals)
- [AccessLogs](../observability/tracing/overview.md#addinternals)
+You are now fully migrated to Traefik v3 🎉
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -432,7 +432,7 @@ For more advanced use cases, you can use either the [RedirectScheme middleware](

 Following up on the deprecation started [previously](#x509-commonname-deprecation),
 as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
-the legacy behavior related to the CommonName field can not be enabled at all anymore.
+the legacy behavior related to the CommonName field cannot be enabled at all anymore.

 ## v2.5.3 to v2.5.4

@@ -455,7 +455,7 @@ To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](.

 In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/) of the specification and 
 [route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
-Therefore, the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-gateway.md#definitions) definitions must be updated.
+Therefore, the RBAC and CRD definitions must be updated.

 ## v2.6.0 to v2.6.1

@@ -513,7 +513,7 @@ In `v2.10`, the Kubernetes CRDs API Group `traefik.containo.us` is deprecated, a
 As the Kubernetes CRD provider still works with both API Versions (`traefik.io/v1alpha1` and `traefik.containo.us/v1alpha1`),
 it means that for the same kind, namespace and name, the provider will only keep the `traefik.io/v1alpha1` resource.

-In addition, the Kubernetes CRDs API Version `traefik.io/v1alpha1` will not be supported in Traefik v3 itself.
+In addition, the Kubernetes CRDs API Version `traefik.containo.us/v1alpha1` will not be supported in Traefik v3 itself.

 Please note that it is a requirement to update the CRDs and the RBAC in the cluster before upgrading Traefik.
 To do so, please apply the required [CRDs](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml) and [RBAC](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml) manifests for v2.10:
@@ -553,7 +553,7 @@ The following ciphers have been removed from the default list:
 - `TLS_RSA_WITH_AES_128_GCM_SHA256`
 - `TLS_RSA_WITH_AES_256_GCM_SHA384`

-To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.
+To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.

 ### Minimum TLS Version

@@ -562,4 +562,118 @@ To enable these ciphers, please set the option `CipherSuites` in your [TLS confi
 > This change can be reverted with the `tls10server=1 GODEBUG` setting.
 > (https://go.dev/doc/go1.22#crypto/tls)

-To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.
+To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.
+
+## v2.11.1
+
+### Maximum Router Priority Value
+
+Before v2.11.1, the maximum user-defined router priority value is:
+
+- `MaxInt32` for 32-bit platforms,
+- `MaxInt64` for 64-bit platforms.
+
+Please check out the [go documentation](https://pkg.go.dev/math#pkg-constants) for more information.
+
+In v2.11.1, Traefik reserves a range of priorities for its internal routers and now, 
+the maximum user-defined router priority value is:
+
+- `(MaxInt32 - 1000)` for 32-bit platforms,
+- `(MaxInt64 - 1000)` for 64-bit platforms.
+
+### EntryPoint.Transport.RespondingTimeouts.<Timeout>
+
+Starting with `v2.11.1` the following timeout options are deprecated:
+
+- `<entryPoint>.transport.respondingTimeouts.readTimeout`
+- `<entryPoint>.transport.respondingTimeouts.writeTimeout`
+- `<entryPoint>.transport.respondingTimeouts.idleTimeout`
+
+They have been replaced by:
+
+- `<entryPoint>.transport.respondingTimeouts.http.readTimeout`
+- `<entryPoint>.transport.respondingTimeouts.http.writeTimeout`
+- `<entryPoint>.transport.respondingTimeouts.http.idleTimeout`
+
+### EntryPoint.Transport.RespondingTimeouts.TCP.LingeringTimeout
+
+Starting with `v2.11.1` a new `lingeringTimeout` entryPoints option has been introduced, with a default value of 2s.
+
+The lingering timeout defines the maximum duration between each TCP read operation on the connection.
+As a layer 4 timeout, it applies during HTTP handling but respects the configured HTTP server `readTimeout`.
+
+This change avoids Traefik instances with the default configuration hanging while waiting for bytes to be read on the connection.
+
+We suggest to adapt this value accordingly to your situation.
+The new default value is purposely narrowed and can close the connection too early.
+
+Increasing the `lingeringTimeout` value could be the solution notably if you are dealing with the following errors:
+
+- TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
+- HTTP: `'499 Client Closed Request' caused by: context canceled`
+- HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
+
+## v2.11.2
+
+### LingeringTimeout
+
+Starting with `v2.11.2` the `<entrypoint>.transport.respondingTimeouts.tcp.lingeringTimeout` introduced in `v2.11.1` has been removed.
+
+### RespondingTimeouts.TCP and RespondingTimeouts.HTTP
+
+Starting with `v2.11.2` the `respondingTimeouts.tcp` and `respondingTimeouts.http` sections introduced in `v2.11.1` have been removed.
+To configure the responding timeouts, please use the [`respondingTimeouts`](../routing/entrypoints.md#respondingtimeouts) section.  
+
+### EntryPoint.Transport.RespondingTimeouts.ReadTimeout
+
+Starting with `v2.11.2` the entryPoints [`readTimeout`](../routing/entrypoints.md#respondingtimeouts) option default value changed to 60 seconds.
+
+For HTTP, this option defines the maximum duration for reading the entire request, including the body.
+For TCP, this option defines the maximum duration for the first bytes to be read on the connection.
+
+The default value was previously set to zero, which means no timeout.
+
+This change has been done to avoid Traefik instances with the default configuration to be hanging forever while waiting for bytes to be read on the connection.
+
+Increasing the `readTimeout` value could be the solution notably if you are dealing with the following errors:
+
+- TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
+- HTTP: `'499 Client Closed Request' caused by: context canceled`
+- HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
+
+## v2.11.3
+
+### Connection headers
+
+In `v2.11.3`, the handling of the request Connection headers directives has changed to prevent any abuse.
+Before, Traefik removed any header listed in the Connection header just before forwarding the request to the backends.
+Now, Traefik removes the headers listed in the Connection header as soon as the request is handled.
+As a consequence, middlewares do not have access to those Connection headers,
+and a new option has been introduced to specify which ones could go through the middleware chain before being removed: `<entrypoint>.forwardedHeaders.connection`.
+
+Please check out the [entrypoint forwarded headers connection option configuration](../routing/entrypoints.md#forwarded-headers) documentation.
+
+## v2.11.14
+
+### X-Forwarded-Prefix
+
+In `v2.11.14`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
+Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
+
+## v2.11.24
+
+### Request Path Sanitization
+
+Since `v2.11.24`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
+Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
+
+If you want to disable this behavior, you can set the [`sanitizePath` option](../routing/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
+This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
+For example, as base64 uses the “/” character internally,
+if it's not url encoded,
+it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
+
+!!! warning "Security"
+
+    Setting the `sanitizePath` option to `false` is not safe.
+    Ensure every request is properly url encoded instead.
--- a/docs/content/migration/v3.md
+++ b/docs/content/migration/v3.md
@@ -0,0 +1,217 @@
+---
+title: "Traefik Migration Documentation"
+description: "Learn the steps needed to migrate to new Traefik Proxy v3 versions. Read the technical documentation."
+---
+
+# Migration: Steps needed between the versions
+
+## v3.0 to v3.1
+
+### Kubernetes Provider RBACs
+
+Starting with v3.1, the Kubernetes Providers now use the [EndpointSlices API](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) (Kubernetes >=v1.21) to discover service endpoint addresses.
+It also brings NodePort load-balancing which requires Nodes resources lookup.
+
+Therefore, in the corresponding RBACs (see [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example), [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac), and [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs):
+
+- the `endpoints` right has to be removed and the following `endpointslices` right has to be added:
+
+```yaml
+  ... 
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+  ...
+```
+
+- the `nodes` right has to be added:
+
+```yaml
+  ...
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  ...
+```
+
+#### Gateway API: KubernetesGateway Provider
+
+In v3.1, the KubernetesGateway Provider is no longer an experimental feature.
+It can be enabled without the associated `experimental.kubernetesgateway` option, which is now deprecated.
+
+??? example "An example of the experimental `kubernetesgateway` option"
+
+    ```yaml tab="File (YAML)"
+    experimental:
+      kubernetesgateway: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [experimental]
+        kubernetesgateway=true
+    ```
+
+    ```bash tab="CLI"
+    --experimental.kubernetesgateway=true
+    ```
+
+##### Remediation
+
+The `kubernetesgateway` option should be removed from the experimental section of the static configuration.
+To configure `kubernetesgateway`, please check out the [KubernetesGateway Provider documentation](../providers/kubernetes-gateway.md).
+
+## v3.1.0 to v3.1.1
+
+### IngressClass Lookup
+
+The Kubernetes Ingress provider option `disableIngressClassLookup` has been deprecated in v3.1.1, and will be removed in the next major version.
+Please use the `disableClusterScopeResources` option instead to avoid cluster scope resources discovery (IngressClass, Nodes).
+
+## v3.1 to v3.2
+
+### Kubernetes CRD Provider
+
+Starting with v3.2, the CRDs has been updated on [TraefikService](../../routing/services#mirroring-service) (PR [#11032](https://github.com/traefik/traefik/pull/11032)), on [RateLimit](../../middlewares/http/ratelimit) & [InFlightReq](../../middlewares/http/inflightreq) middlewares (PR [#9747](https://github.com/traefik/traefik/pull/9747)) and on [Compress](../../middlewares/http/compress) middleware (PR [#10943](https://github.com/traefik/traefik/pull/10943)).
+
+This update adds only new optional fields.
+CRDs can be updated with this command:
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+### Kubernetes Gateway Provider Standard Channel
+
+Starting with v3.2, the Kubernetes Gateway Provider now supports [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/).
+
+Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
+the `grcroutes` and `grpcroutes/status` rights have to be added.
+
+```yaml
+  ...
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - grpcroutes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - grpcroutes/status
+    verbs:
+      - update
+  ...
+```
+
+### Kubernetes Gateway Provider Experimental Channel
+
+!!! warning "Breaking changes"
+
+    Because of a breaking change introduced in Kubernetes Gateway [v1.2.0-rc1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0-rc1),
+    Traefik v3.3 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
+
+Starting with v3.2, the Kubernetes Gateway Provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/).
+
+Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
+the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added.
+
+```yaml
+  ...
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - backendtlspolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - backendtlspolicies/status
+    verbs:
+      - update
+  ...
+```
+
+## v3.2.1
+
+### X-Forwarded-Prefix
+
+In `v3.2.1`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
+Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
+
+## v3.2.2
+
+### Swarm Provider
+
+In `v3.2.2`, the `traefik.docker.network` and `traefik.docker.lbswarm` labels have been deprecated,
+please use the `traefik.swarm.network` and `traefik.swarm.lbswarm` labels instead.
+
+## v3.2 to v3.3
+
+### ACME DNS Certificate Resolver
+
+In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated, 
+please use respectively `acme.dnsChallenge.propagation.delayBeforeChecks` and `acme.dnsChallenge.propagation.disableChecks` options instead.
+
+### Tracing Global Attributes
+
+In `v3.3`, the `tracing.globalAttributes` option has been deprecated, please use the `tracing.resourceAttributes` option instead.
+The `tracing.globalAttributes` option is misleading as its name does not reflect the operation of adding resource attributes to be sent to the collector,
+and will be removed in the next major version.
+
+## v3.3.4
+
+### OpenTelemetry Request Duration metric
+
+In `v3.3.4`, the OpenTelemetry Request Duration metric (named `traefik_(entrypoint|router|service)_request_duration_seconds`) unit has been changed from milliseconds to seconds.
+To be consistent with the naming and other metrics providers, the metric now reports the duration in seconds.
+
+## v3.3.5
+
+### Compress Middleware
+
+In `v3.3.5`, the compress middleware `encodings` option default value is now `gzip, br, zstd`. 
+This change helps the algorithm selection to favor the `gzip` algorithm over the other algorithms.
+
+It impacts requests that do not specify their preferred algorithm,
+or has no order preference, in the `Accept-Encoding` header.
+
+## v3.3.6
+
+### Request Path Sanitization
+
+Since `v3.3.6`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
+Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
+
+If you want to disable this behavior, you can set the [`sanitizePath` option](../reference/install-configuration/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
+This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
+For example, as base64 uses the “/” character internally,
+if it's not url encoded,
+it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
+
+!!! warning "Security"
+
+    Setting the `sanitizePath` option to `false` is not safe.
+    Ensure every request is properly url encoded instead.
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -30,7 +30,7 @@ accessLog: {}

 _Optional, Default="false"_

-Enables accessLogs for internal resources.
+Enables access logs for internal resources (e.g.: `ping@internal`).

 ```yaml tab="File (YAML)"
 accesslog:
@@ -67,6 +67,8 @@ accessLog:

 ### `format`

+_Optional, Default="common"_
+
 By default, logs are written using the Common Log Format (CLF).
 To write logs in JSON, use `json` in the `format` option.
 If the given format is unsupported, the default (CLF) is used instead.
@@ -77,6 +79,20 @@ If the given format is unsupported, the default (CLF) is used instead.
    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
    ```

+```yaml tab="File (YAML)"
+accessLog:
+  format: "json"
+```
+
+```toml tab="File (TOML)"
+[accessLog]
+  format = "json"
+```
+
+```bash tab="CLI"
+--accesslog.format=json
+```
+
 ### `bufferingSize`

 To write the logs in an asynchronous fashion, specify a  `bufferingSize` option.
@@ -156,7 +172,8 @@ Each field can be set to:

 - `keep` to keep the value
 - `drop` to drop the value
- `redact` to replace the value with "redacted"
+
+Header fields may also optionally be set to `redact` to replace the value with "REDACTED".

 The `defaultMode` for `fields.names` is `keep`.

@@ -187,7 +204,7 @@ accessLog:

  [accessLog.fields]
    defaultMode = "keep"
-    
+
    [accessLog.fields.names]
      "ClientUsername" = "drop"

@@ -239,9 +256,7 @@ accessLog:
    | `OriginDuration`        | The time taken (in nanoseconds) by the origin server ('upstream') to return its response.                                                                           |
    | `OriginContentSize`     | The content length specified by the origin server, or 0 if unspecified.                                                                                             |
    | `OriginStatus`          | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent (0). |
-    | `OriginStatusLine`      | `OriginStatus` + Status code explanation                                                                                                                            |
    | `DownstreamStatus`      | The HTTP status code returned to the client.                                                                                                                        |
-    | `DownstreamStatusLine`  | `DownstreamStatus` + Status code explanation                                                                                                                        |
    | `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
    | `RequestCount`          | The number of requests received since the Traefik instance started.                                                                                                 |
    | `GzipRatio`             | The response body compression ratio achieved.                                                                                                                       |
@@ -250,6 +265,8 @@ accessLog:
    | `TLSVersion`            | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS).                                                                                         |
    | `TLSCipher`             | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS)                                                           |
    | `TLSClientSubject`      | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`)                                                               |
+    | `TraceId`               | A consistent identifier for tracking requests across services, including upstream ones managed by Traefik, shown as a 32-hex digit string                           |
+    | `SpanId`                | A unique identifier for Traefik’s root span (EntryPoint) within a request trace, formatted as a 16-hex digit string.                                                |

 ## Log Rotation

@@ -275,7 +292,7 @@ version: "3.7"

 services:
  traefik:
-    image: traefik:v3.0
+    image: traefik:v3.3
    environment:
      - TZ=US/Alaska
    command:
@@ -286,3 +303,419 @@ services:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
 ```
+
+## OpenTelemetry
+
+!!! warning "Experimental Feature"
+
+    The OpenTelemetry access logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
+    
+    ```yaml tab="File (YAML)"
+    experimental:
+      otlpLogs: true
+    ```
+    
+    ```toml tab="File (TOML)"
+    [experimental.otlpLogs]
+    ```
+    
+    ```bash tab="CLI"
+    --experimental.otlpLogs=true
+    ```
+
+To enable the OpenTelemetry Logger for access logs:
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp: {}
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp]
+```
+
+```bash tab="CLI"
+--accesslog.otlp=true
+```
+
+!!! info "Default protocol"
+
+    The OpenTelemetry Logger exporter will export access logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
+
+### HTTP configuration
+
+_Optional_
+
+This instructs the exporter to send access logs to the OpenTelemetry Collector using HTTP.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http: {}
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http]
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http=true
+```
+
+#### `endpoint`
+
+_Optional, Default="`https://localhost:4318/v1/logs`", Format="`<scheme>://<host>:<port><path>`"_
+
+URL of the OpenTelemetry Collector to send access logs to.
+
+!!! info "Insecure mode"
+
+    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      endpoint: https://collector:4318/v1/logs
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http]
+  endpoint = "https://collector:4318/v1/logs"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.endpoint=https://collector:4318/v1/logs
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http.headers]
+  foo = "bar"
+  baz = "buz"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.headers.foo=bar --accesslog.otlp.http.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.tls.cert=path/to/foo.cert
+--accesslog.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.tls.cert=path/to/foo.cert
+--accesslog.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.tls.insecureSkipVerify=true
+```
+
+### gRPC configuration
+
+_Optional_
+
+This instructs the exporter to send access logs to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc]
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc=true
+```
+
+#### `endpoint`
+
+_Required, Default="localhost:4317", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send access logs to.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      endpoint: localhost:4317
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc]
+  endpoint = "localhost:4317"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.endpoint=localhost:4317
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows exporter to send access logs to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      insecure: true
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc]
+  insecure = true
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.insecure=true
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc.headers]
+  foo = "bar"
+  baz = "buz"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.headers.foo=bar --accesslog.otlp.grpc.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.tls.cert=path/to/foo.cert
+--accesslog.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.tls.cert=path/to/foo.cert
+--accesslog.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.tls.insecureSkipVerify=true
+```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@@ -169,14 +169,430 @@ The default is not to perform compression.

 ```yaml tab="File (YAML)"
 log:
-  compress: 3
+  compress: true
 ```

 ```toml tab="File (TOML)"
 [log]
-  compress = 3
+  compress = true
 ```

 ```bash tab="CLI"
--log.compress=3
+--log.compress=true
 ```
+
+## OpenTelemetry
+
+!!! warning "Experimental Feature"
+    
+    The OpenTelemetry logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
+    
+    ```yaml tab="File (YAML)"
+    experimental:
+      otlpLogs: true
+    ```
+    
+    ```toml tab="File (TOML)"
+    [experimental.otlpLogs]
+    ```
+    
+    ```bash tab="CLI"
+    --experimental.otlpLogs=true
+    ```
+
+To enable the OpenTelemetry Logger for logs:
+
+```yaml tab="File (YAML)"
+log:
+  otlp: {}
+```
+
+```toml tab="File (TOML)"
+[log.otlp]
+```
+
+```bash tab="CLI"
+--log.otlp=true
+```
+
+!!! info "Default protocol"
+
+    The OpenTelemetry Logger exporter will export logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
+
+### HTTP configuration
+
+_Optional_
+
+This instructs the exporter to send logs to the OpenTelemetry Collector using HTTP.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http: {}
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http]
+```
+
+```bash tab="CLI"
+--log.otlp.http=true
+```
+
+#### `endpoint`
+
+_Optional, Default="`https://localhost:4318/v1/logs`", Format="`<scheme>://<host>:<port><path>`"_
+
+URL of the OpenTelemetry Collector to send logs to.
+
+!!! info "Insecure mode"
+
+    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      endpoint: https://collector:4318/v1/logs
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http]
+  endpoint = "https://collector:4318/v1/logs"
+```
+
+```bash tab="CLI"
+--log.otlp.http.endpoint=https://collector:4318/v1/logs
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http.headers]
+  foo = "bar"
+  baz = "buz"
+```
+
+```bash tab="CLI"
+--log.otlp.http.headers.foo=bar --log.otlp.http.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--log.otlp.http.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--log.otlp.http.tls.cert=path/to/foo.cert
+--log.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--log.otlp.http.tls.cert=path/to/foo.cert
+--log.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--log.otlp.http.tls.insecureSkipVerify=true
+```
+
+### gRPC configuration
+
+_Optional_
+
+This instructs the exporter to send logs to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc]
+```
+
+```bash tab="CLI"
+--log.otlp.grpc=true
+```
+
+#### `endpoint`
+
+_Required, Default="localhost:4317", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send logs to.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      endpoint: localhost:4317
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc]
+  endpoint = "localhost:4317"
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.endpoint=localhost:4317
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows exporter to send logs to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      insecure: true
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc]
+  insecure = true
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.insecure=true
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc.headers]
+  foo = "bar"
+  baz = "buz"
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.headers.foo=bar --log.otlp.grpc.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.tls.cert=path/to/foo.cert
+--log.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.tls.cert=path/to/foo.cert
+--log.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.tls.insecureSkipVerify=true
+```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/observability/metrics/datadog.md
+++ b/docs/content/observability/metrics/datadog.md
@@ -27,7 +27,9 @@ _Required, Default="127.0.0.1:8125"_

 Address instructs exporter to send metrics to datadog-agent at this address.

-This address can be a Unix Domain Socket (UDS) address with the following form: `unix:///path/to/datadog.socket`.  
+This address can be a Unix Domain Socket (UDS) in the following format: `unix:///path/to/datadog.socket`.
+When the prefix is set to `unix`, the socket type will be automatically determined. 
+To explicitly define the socket type and avoid automatic detection, you can use the prefixes `unixgram` for `SOCK_DGRAM` (datagram sockets) and `unixstream` for `SOCK_STREAM` (stream sockets), respectively.

 ```yaml tab="File (YAML)"
 metrics:
@@ -66,6 +68,7 @@ metrics:
 ```bash tab="CLI"
 --metrics.datadog.addEntryPointsLabels=true
 ```
+
 #### `addRoutersLabels`

 _Optional, Default=false_
--- a/docs/content/observability/metrics/opentelemetry.md
+++ b/docs/content/observability/metrics/opentelemetry.md
@@ -23,7 +23,7 @@ metrics:

 !!! info "Default protocol"

-    The OpenTelemetry exporter will export metrics to the collector using HTTP by default to https://localhost:4318/v1/metrics, see the [gRPC Section](#grpc-configuration) to use gRPC.
+    The OpenTelemetry exporter will export metrics to the collector using HTTPS by default to https://localhost:4318/v1/metrics, see the [gRPC Section](#grpc-configuration) to use gRPC.

 #### `addEntryPointsLabels`

@@ -139,6 +139,28 @@ metrics:
 --metrics.otlp.pushInterval=10s
 ```

+#### `serviceName`
+
+_Optional, Default="traefik"_
+
+OTEL service name to use.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    serviceName: name
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp]
+    serviceName = "name"
+```
+
+```bash tab="CLI"
+--metrics.otlp.serviceName=name
+```
+
 ### HTTP configuration

 _Optional_
@@ -162,25 +184,29 @@ metrics:

 #### `endpoint`

-_Required, Default="http://localhost:4318/v1/metrics", Format="`<scheme>://<host>:<port><path>`"_
+_Optional, Default="https://localhost:4318/v1/metrics", Format="`<scheme>://<host>:<port><path>`"_

 URL of the OpenTelemetry Collector to send metrics to.

+!!! info "Insecure mode"
+
+    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
+
 ```yaml tab="File (YAML)"
 metrics:
  otlp:
    http:
-      endpoint: http://localhost:4318/v1/metrics
+      endpoint: https://collector:4318/v1/metrics
 ```

 ```toml tab="File (TOML)"
 [metrics]
  [metrics.otlp.http]
-    endpoint = "http://localhost:4318/v1/metrics"
+    endpoint = "https://collector:4318/v1/metrics"
 ```

 ```bash tab="CLI"
--metrics.otlp.http.endpoint=http://localhost:4318/v1/metrics
+--metrics.otlp.http.endpoint=https://collector:4318/v1/metrics
 ```

 #### `headers`
--- a/docs/content/observability/metrics/overview.md
+++ b/docs/content/observability/metrics/overview.md
@@ -5,7 +5,7 @@ description: "Traefik Proxy supports these metrics backend systems: Datadog, Inf

 # Metrics

-Traefik supports these metrics backends:
+Traefik provides metrics in the [OpenTelemetry](./opentelemetry.md) format as well as the following vendor specific backends:

 - [Datadog](./datadog.md)
 - [InfluxDB2](./influxdb2.md)
@@ -21,7 +21,7 @@ and [Kubernetes](https://grafana.com/grafana/dashboards/17347) deployments.

 _Optional, Default="false"_

-Enables metrics for internal resources.
+Enables metrics for internal resources (e.g.: `ping@internals`).

 ```yaml tab="File (YAML)"
 metrics:
@@ -46,6 +46,13 @@ addInternals = true
 | Open connections           | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
 | TLS certificates not after | Gauge |                          | The expiration date of certificates.                               |

+```opentelemetry tab="OpenTelemetry"
+traefik_config_reloads_total
+traefik_config_last_reload_success
+traefik_open_connections
+traefik_tls_certs_not_after
+```
+
 ```prom tab="Prometheus"
 traefik_config_reloads_total
 traefik_config_last_reload_success
@@ -75,13 +82,6 @@ traefik.tls.certs.notAfterTimestamp
 {prefix}.tls.certs.notAfterTimestamp
 ```

-```opentelemetry tab="OpenTelemetry"
-traefik_config_reloads_total
-traefik_config_last_reload_success
-traefik_open_connections
-traefik_tls_certs_not_after
-```
-
 ### Labels

 Here is a comprehensive list of labels that are provided by the global metrics:
@@ -91,201 +91,9 @@ Here is a comprehensive list of labels that are provided by the global metrics:
 | `entrypoint` | Entrypoint that handled the connection | "example_entrypoint" |
 | `protocol`   | Connection protocol                    | "TCP"                |

-## HTTP Metrics
+## OpenTelemetry Semantic Conventions

-### EntryPoint Metrics
-
-| Metric                | Type      | [Labels](#labels)                          | Description                                                         |
-|-----------------------|-----------|--------------------------------------------|---------------------------------------------------------------------|
-| Requests total        | Count     | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint.         |
-| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `entrypoint`  | The total count of HTTPS requests received by an entrypoint.        |
-| Request duration      | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint.             |
-| Requests bytes total  | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint.  |
-| Responses bytes total | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
-
-```prom tab="Prometheus"
-traefik_entrypoint_requests_total
-traefik_entrypoint_requests_tls_total
-traefik_entrypoint_request_duration_seconds
-traefik_entrypoint_requests_bytes_total
-traefik_entrypoint_responses_bytes_total
-```
-
-```dd tab="Datadog"
-entrypoint.request.total
-entrypoint.request.tls.total
-entrypoint.request.duration
-entrypoint.requests.bytes.total
-entrypoint.responses.bytes.total
-```
-
-```influxdb tab="InfluxDB2"
-traefik.entrypoint.requests.total
-traefik.entrypoint.requests.tls.total
-traefik.entrypoint.request.duration
-traefik.entrypoint.requests.bytes.total
-traefik.entrypoint.responses.bytes.total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.entrypoint.request.total
-{prefix}.entrypoint.request.tls.total
-{prefix}.entrypoint.request.duration
-{prefix}.entrypoint.requests.bytes.total
-{prefix}.entrypoint.responses.bytes.total
-```
-
-```opentelemetry tab="OpenTelemetry"
-traefik_entrypoint_requests_total
-traefik_entrypoint_requests_tls_total
-traefik_entrypoint_request_duration_seconds
-traefik_entrypoint_requests_bytes_total
-traefik_entrypoint_responses_bytes_total
-```
-
-### Router Metrics
-
-| Metric                | Type      | [Labels](#labels)                                 | Description                                                    |
-|-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
-| Requests total        | Count     | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router.          |
-| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `router`, `service`  | The total count of HTTPS requests handled by a router.         |
-| Request duration      | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router.             |
-| Requests bytes total  | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router.  |
-| Responses bytes total | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
-
-```prom tab="Prometheus"
-traefik_router_requests_total
-traefik_router_requests_tls_total
-traefik_router_request_duration_seconds
-traefik_router_requests_bytes_total
-traefik_router_responses_bytes_total
-```
-
-```dd tab="Datadog"
-router.request.total
-router.request.tls.total
-router.request.duration
-router.requests.bytes.total
-router.responses.bytes.total
-```
-
-```influxdb tab="InfluxDB2"
-traefik.router.requests.total
-traefik.router.requests.tls.total
-traefik.router.request.duration
-traefik.router.requests.bytes.total
-traefik.router.responses.bytes.total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.router.request.total
-{prefix}.router.request.tls.total
-{prefix}.router.request.duration
-{prefix}.router.requests.bytes.total
-{prefix}.router.responses.bytes.total
-```
-
-```opentelemetry tab="OpenTelemetry"
-traefik_router_requests_total
-traefik_router_requests_tls_total
-traefik_router_request_duration_seconds
-traefik_router_requests_bytes_total
-traefik_router_responses_bytes_total
-```
-
-### Service Metrics
-
-| Metric                | Type      | Labels                                  | Description                                                 |
-|-----------------------|-----------|-----------------------------------------|-------------------------------------------------------------|
-| Requests total        | Count     | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service.    |
-| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `service`  | The total count of HTTPS requests processed on a service.   |
-| Request duration      | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service.         |
-| Retries total         | Count     | `service`                               | The count of requests retries on a service.                 |
-| Server UP             | Gauge     | `service`, `url`                        | Current service's server status, 0 for a down or 1 for up.  |
-| Requests bytes total  | Count     | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service.  |
-| Responses bytes total | Count     | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
-
-```prom tab="Prometheus"
-traefik_service_requests_total
-traefik_service_requests_tls_total
-traefik_service_request_duration_seconds
-traefik_service_retries_total
-traefik_service_server_up
-traefik_service_requests_bytes_total
-traefik_service_responses_bytes_total
-```
-
-```dd tab="Datadog"
-service.request.total
-router.service.tls.total
-service.request.duration
-service.retries.total
-service.server.up
-service.requests.bytes.total
-service.responses.bytes.total
-```
-
-```influxdb tab="InfluxDB2"
-traefik.service.requests.total
-traefik.service.requests.tls.total
-traefik.service.request.duration
-traefik.service.retries.total
-traefik.service.server.up
-traefik.service.requests.bytes.total
-traefik.service.responses.bytes.total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.service.request.total
-{prefix}.service.request.tls.total
-{prefix}.service.request.duration
-{prefix}.service.retries.total
-{prefix}.service.server.up
-{prefix}.service.requests.bytes.total
-{prefix}.service.responses.bytes.total
-```
-
-```opentelemetry tab="OpenTelemetry"
-traefik_service_requests_total
-traefik_service_requests_tls_total
-traefik_service_request_duration_seconds
-traefik_service_retries_total
-traefik_service_server_up
-traefik_service_requests_bytes_total
-traefik_service_responses_bytes_total
-```
-
-### Labels
-
-Here is a comprehensive list of labels that are provided by the metrics:
-
-| Label         | Description                           | example                    |
-|---------------|---------------------------------------|----------------------------|
-| `cn`          | Certificate Common Name               | "example.com"              |
-| `code`        | Request code                          | "200"                      |
-| `entrypoint`  | Entrypoint that handled the request   | "example_entrypoint"       |
-| `method`      | Request Method                        | "GET"                      |
-| `protocol`    | Request protocol                      | "http"                     |
-| `router`      | Router that handled the request       | "example_router"           |
-| `sans`        | Certificate Subject Alternative NameS | "example.com"              |
-| `serial`      | Certificate Serial Number             | "123..."                   |
-| `service`     | Service that handled the request      | "example_service@provider" |
-| `tls_cipher`  | TLS cipher used for the request       | "TLS_FALLBACK_SCSV"        |
-| `tls_version` | TLS version used for the request      | "1.0"                      |
-| `url`         | Service server url                    | "http://example.com"       |
-
-!!! info "`method` label value"
-
-    If the HTTP method verb on a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
-    or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
-    then the value for the method label becomes `EXTENSION_METHOD`.
-
-## Semantic Conventions for HTTP Metrics
-
-Traefik Proxy follows [official OTLP semantic conventions v1.23.1](https://github.com/open-telemetry/semantic-conventions/blob/v1.23.1/docs/http/http-metrics.md).
+Traefik Proxy follows [official OpenTelemetry semantic conventions v1.23.1](https://github.com/open-telemetry/semantic-conventions/blob/v1.23.1/docs/http/http-metrics.md).

 ### HTTP Server

@@ -328,3 +136,197 @@ Here is a comprehensive list of labels that are provided by the metrics:
 | `server.address`            | Name of the local HTTP server that received the request      | "example.com" |
 | `server.port`               | Port of the local HTTP server that received the request      | "80"          |
 | `url.scheme`                | The URI scheme component identifying the used protocol       | "http"        |
+
+## HTTP Metrics
+
+On top of the official OpenTelemetry semantic conventions, Traefik provides its own metrics to monitor the incoming traffic.
+
+### EntryPoint Metrics
+
+| Metric                | Type      | [Labels](#labels)                          | Description                                                         |
+|-----------------------|-----------|--------------------------------------------|---------------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint.         |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `entrypoint`  | The total count of HTTPS requests received by an entrypoint.        |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint.             |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
+
+```opentelemetry tab="OpenTelemetry"
+traefik_entrypoint_requests_total
+traefik_entrypoint_requests_tls_total
+traefik_entrypoint_request_duration_seconds
+traefik_entrypoint_requests_bytes_total
+traefik_entrypoint_responses_bytes_total
+```
+
+```prom tab="Prometheus"
+traefik_entrypoint_requests_total
+traefik_entrypoint_requests_tls_total
+traefik_entrypoint_request_duration_seconds
+traefik_entrypoint_requests_bytes_total
+traefik_entrypoint_responses_bytes_total
+```
+
+```dd tab="Datadog"
+entrypoint.request.total
+entrypoint.request.tls.total
+entrypoint.request.duration
+entrypoint.requests.bytes.total
+entrypoint.responses.bytes.total
+```
+
+```influxdb tab="InfluxDB2"
+traefik.entrypoint.requests.total
+traefik.entrypoint.requests.tls.total
+traefik.entrypoint.request.duration
+traefik.entrypoint.requests.bytes.total
+traefik.entrypoint.responses.bytes.total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.entrypoint.request.total
+{prefix}.entrypoint.request.tls.total
+{prefix}.entrypoint.request.duration
+{prefix}.entrypoint.requests.bytes.total
+{prefix}.entrypoint.responses.bytes.total
+```
+
+### Router Metrics
+
+| Metric                | Type      | [Labels](#labels)                                 | Description                                                    |
+|-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router.          |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `router`, `service`  | The total count of HTTPS requests handled by a router.         |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router.             |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
+
+```opentelemetry tab="OpenTelemetry"
+traefik_router_requests_total
+traefik_router_requests_tls_total
+traefik_router_request_duration_seconds
+traefik_router_requests_bytes_total
+traefik_router_responses_bytes_total
+```
+
+```prom tab="Prometheus"
+traefik_router_requests_total
+traefik_router_requests_tls_total
+traefik_router_request_duration_seconds
+traefik_router_requests_bytes_total
+traefik_router_responses_bytes_total
+```
+
+```dd tab="Datadog"
+router.request.total
+router.request.tls.total
+router.request.duration
+router.requests.bytes.total
+router.responses.bytes.total
+```
+
+```influxdb tab="InfluxDB2"
+traefik.router.requests.total
+traefik.router.requests.tls.total
+traefik.router.request.duration
+traefik.router.requests.bytes.total
+traefik.router.responses.bytes.total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.request.total
+{prefix}.router.request.tls.total
+{prefix}.router.request.duration
+{prefix}.router.requests.bytes.total
+{prefix}.router.responses.bytes.total
+```
+
+### Service Metrics
+
+| Metric                | Type      | Labels                                  | Description                                                 |
+|-----------------------|-----------|-----------------------------------------|-------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service.    |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `service`  | The total count of HTTPS requests processed on a service.   |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service.         |
+| Retries total         | Count     | `service`                               | The count of requests retries on a service.                 |
+| Server UP             | Gauge     | `service`, `url`                        | Current service's server status, 0 for a down or 1 for up.  |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
+
+```opentelemetry tab="OpenTelemetry"
+traefik_service_requests_total
+traefik_service_requests_tls_total
+traefik_service_request_duration_seconds
+traefik_service_retries_total
+traefik_service_server_up
+traefik_service_requests_bytes_total
+traefik_service_responses_bytes_total
+```
+
+```prom tab="Prometheus"
+traefik_service_requests_total
+traefik_service_requests_tls_total
+traefik_service_request_duration_seconds
+traefik_service_retries_total
+traefik_service_server_up
+traefik_service_requests_bytes_total
+traefik_service_responses_bytes_total
+```
+
+```dd tab="Datadog"
+service.request.total
+router.service.tls.total
+service.request.duration
+service.retries.total
+service.server.up
+service.requests.bytes.total
+service.responses.bytes.total
+```
+
+```influxdb tab="InfluxDB2"
+traefik.service.requests.total
+traefik.service.requests.tls.total
+traefik.service.request.duration
+traefik.service.retries.total
+traefik.service.server.up
+traefik.service.requests.bytes.total
+traefik.service.responses.bytes.total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.service.request.total
+{prefix}.service.request.tls.total
+{prefix}.service.request.duration
+{prefix}.service.retries.total
+{prefix}.service.server.up
+{prefix}.service.requests.bytes.total
+{prefix}.service.responses.bytes.total
+```
+
+### Labels
+
+Here is a comprehensive list of labels that are provided by the metrics:
+
+| Label         | Description                           | example                    |
+|---------------|---------------------------------------|----------------------------|
+| `cn`          | Certificate Common Name               | "example.com"              |
+| `code`        | Request code                          | "200"                      |
+| `entrypoint`  | Entrypoint that handled the request   | "example_entrypoint"       |
+| `method`      | Request Method                        | "GET"                      |
+| `protocol`    | Request protocol                      | "http"                     |
+| `router`      | Router that handled the request       | "example_router"           |
+| `sans`        | Certificate Subject Alternative NameS | "example.com"              |
+| `serial`      | Certificate Serial Number             | "123..."                   |
+| `service`     | Service that handled the request      | "example_service@provider" |
+| `tls_cipher`  | TLS cipher used for the request       | "TLS_FALLBACK_SCSV"        |
+| `tls_version` | TLS version used for the request      | "1.0"                      |
+| `url`         | Service server url                    | "http://example.com"       |
+
+!!! info "`method` label value"
+
+    If the HTTP method verb on a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
+    or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
+    then the value for the method label becomes `EXTENSION_METHOD`.
--- a/docs/content/observability/overview.md
+++ b/docs/content/observability/overview.md
@@ -5,16 +5,80 @@ description: "Traefik provides Logs, Access Logs, Metrics and Tracing. Read the

 # Overview

-Traefik's Observability system
-{: .subtitle }
+Traefik’s observability features include logs, access logs, metrics, and tracing. You can configure these options globally or at more specific levels, such as per router or per entry point.

-## Logs
+## Configuration Example
+
+Enable access logs, metrics, and tracing globally
+
+```yaml tab="File (YAML)"
+accessLog: {}
+
+metrics:
+  otlp: {}
+
+tracing: {}
+```
+
+```yaml tab="File (TOML)"
+[accessLog]
+
+[metrics]
+  [metrics.otlp]
+
+[tracing]
+```
+
+```bash tab="CLI"
+--accesslog=true
+--metrics.otlp=true
+--tracing=true
+```
+
+You can disable access logs, metrics, and tracing for a specific entrypoint attached to a router:
+
+```yaml tab="File (YAML)"
+# Static Configuration
+entryPoints:
+  EntryPoint0:
+    address: ':8000/udp'
+    observability:
+      accessLogs: false
+      tracing: false
+      metrics: false
+```
+
+```toml tab="File (TOML)"
+# Static Configuration
+[entryPoints.EntryPoint0]
+  address = ":8000/udp"
+
+    [entryPoints.EntryPoint0.observability]
+      accessLogs = false
+      tracing = false
+      metrics = false
+```
+
+```bash tab="CLI"
+# Static Configuration
+--entryPoints.EntryPoint0.address=:8000/udp
+--entryPoints.EntryPoint0.observability.accessLogs=false
+--entryPoints.EntryPoint0.observability.metrics=false
+--entryPoints.EntryPoint0.observability.tracing=false
+```
+
+!!!note "Default Behavior"
+    A router with its own observability configuration will override the global default.
+
+## Configuration Options
+
+### Logs

 Traefik logs informs about everything that happens within Traefik (startup, configuration, events, shutdown, and so on).

 Read the [Logs documentation](./logs.md) to learn how to configure it.

-## Access Logs
+### Access Logs

 Access logs are a key part of observability in Traefik.

@@ -24,19 +88,19 @@ including the source IP address, requested URL, response status code, and more.

 Read the [Access Logs documentation](./access-logs.md) to learn how to configure it.

-## Metrics
+### Metrics

 Traefik offers a metrics feature that provides valuable insights about the performance and usage.
 These metrics include the number of requests received, the requests duration, and more.

-Traefik supports these metrics systems: Prometheus, Datadog, InfluxDB 2.X, and StatsD.
+On top of supporting metrics in the OpenTelemetry format, Traefik supports the following vendor specific metrics systems: Prometheus, Datadog, InfluxDB 2.X, and StatsD.

 Read the [Metrics documentation](./metrics/overview.md) to learn how to configure it.

-## Tracing
+### Tracing

 The Traefik tracing system allows developers to gain deep visibility into the flow of requests through their infrastructure.

-Traefik supports these tracing with OpenTelemetry.
+Traefik provides tracing information in the OpenTelemery format.

 Read the [Tracing documentation](./tracing/overview.md) to learn how to configure it.
--- a/docs/content/observability/tracing/opentelemetry.md
+++ b/docs/content/observability/tracing/opentelemetry.md
@@ -5,6 +5,8 @@ description: "Traefik supports several tracing backends, including OpenTelemetry

 # OpenTelemetry

+Traefik Proxy follows [official OpenTelemetry semantic conventions v1.26.0](https://github.com/open-telemetry/semantic-conventions/blob/v1.26.0/docs/http/http-spans.md).
+
 To enable the OpenTelemetry tracer:

 ```yaml tab="File (YAML)"
@@ -23,7 +25,7 @@ tracing:

 !!! info "Default protocol"

-    The OpenTelemetry trace exporter will export traces to the collector using HTTP by default to https://localhost:4318/v1/traces, see the [gRPC Section](#grpc-configuration) to use gRPC.
+    The OpenTelemetry trace exporter will export traces to the collector using HTTPS by default to https://localhost:4318/v1/traces, see the [gRPC Section](#grpc-configuration) to use gRPC.

 !!! info "Trace sampling"

@@ -70,25 +72,29 @@ tracing:

 #### `endpoint`

-_Required, Default="http://localhost:4318/v1/traces", Format="`<scheme>://<host>:<port><path>`"_
+_Optional, Default="https://localhost:4318/v1/traces", Format="`<scheme>://<host>:<port><path>`"_

 URL of the OpenTelemetry Collector to send spans to.

+!!! info "Insecure mode"
+
+    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
+
 ```yaml tab="File (YAML)"
 tracing:
  otlp:
    http:
-      endpoint: http://localhost:4318/v1/traces
+      endpoint: https://collector:4318/v1/traces
 ```

 ```toml tab="File (TOML)"
 [tracing]
  [tracing.otlp.http]
-    endpoint = "http://localhost:4318/v1/traces"
+    endpoint = "https://collector:4318/v1/traces"
 ```

 ```bash tab="CLI"
--tracing.otlp.http.endpoint=http://localhost:4318/v1/traces
+--tracing.otlp.http.endpoint=https://collector:4318/v1/traces
 ```

 #### `headers`
--- a/docs/content/observability/tracing/overview.md
+++ b/docs/content/observability/tracing/overview.md
@@ -36,7 +36,7 @@ tracing: {}

 _Optional, Default="false"_

-Enables tracing for internal resources.
+Enables tracing for internal resources (e.g.: `ping@internal`).

 ```yaml tab="File (YAML)"
 tracing:
@@ -85,36 +85,36 @@ tracing:

 ```toml tab="File (TOML)"
 [tracing]
-    sampleRate = 0.2
+  sampleRate = 0.2
 ```

 ```bash tab="CLI"
 --tracing.sampleRate=0.2
 ```

-#### `globalAttributes`
+#### `resourceAttributes`

 _Optional, Default=empty_

-Applies a list of shared key:value attributes on all spans.
+Defines additional resource attributes to be sent to the collector.

 ```yaml tab="File (YAML)"
 tracing:
-  globalAttributes:
+  resourceAttributes:
    attr1: foo
    attr2: bar
 ```

 ```toml tab="File (TOML)"
 [tracing]
-    [tracing.globalAttributes]
-      attr1 = "foo"
-      attr2 = "bar"
+  [tracing.resourceAttributes]
+    attr1 = "foo"
+    attr2 = "bar"
 ```

 ```bash tab="CLI"
--tracing.globalAttributes.attr1=foo
--tracing.globalAttributes.attr2=bar
+--tracing.resourceAttributes.attr1=foo
+--tracing.resourceAttributes.attr2=bar
 ```

 #### `capturedRequestHeaders`
@@ -128,15 +128,16 @@ It applies to client and server kind spans.
 tracing:
  capturedRequestHeaders:
    - X-CustomHeader
+    - X-OtherHeader
 ```

 ```toml tab="File (TOML)"
 [tracing]
-    capturedRequestHeaders = ["X-CustomHeader"]
+  capturedRequestHeaders = ["X-CustomHeader", "X-OtherHeader"]
 ```

 ```bash tab="CLI"
--tracing.capturedRequestHeaders[0]=X-CustomHeader
+--tracing.capturedRequestHeaders="X-CustomHeader,X-OtherHeader"
 ```

 #### `capturedResponseHeaders`
@@ -150,13 +151,37 @@ It applies to client and server kind spans.
 tracing:
  capturedResponseHeaders:
    - X-CustomHeader
+    - X-OtherHeader
 ```

 ```toml tab="File (TOML)"
 [tracing]
-    capturedResponseHeaders = ["X-CustomHeader"]
+  capturedResponseHeaders = ["X-CustomHeader", "X-OtherHeader"]
 ```

 ```bash tab="CLI"
--tracing.capturedResponseHeaders[0]=X-CustomHeader
-```
+--tracing.capturedResponseHeaders="X-CustomHeader,X-OtherHeader"
+```
+
+#### `safeQueryParams`
+
+_Optional, Default=[]_
+
+By default, all query parameters are redacted.
+Defines the list of query parameters to not redact.
+
+```yaml tab="File (YAML)"
+tracing:
+  safeQueryParams:
+    - bar
+    - buz
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  safeQueryParams = ["bar", "buz"]
+```
+
+```bash tab="CLI"
+--tracing.safeQueryParams=bar,buz
+```
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -16,13 +16,9 @@ including sensitive data.

 In production, it should be at least secured by authentication and authorizations.

-A good sane default (non exhaustive) set of recommendations
-would be to apply the following protection mechanisms:
-
-* At the transport level:
-  NOT publicly exposing the API's port,
-  keeping it restricted to internal networks
-  (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
+!!! info
+    It's recommended to NOT publicly exposing the API's port, keeping it restricted to internal networks
+    (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).

 ## Configuration

@@ -74,7 +70,7 @@ And then define a routing configuration on Traefik itself with the

 ### `insecure`

-Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`.
+Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`, on path `/api`.

 !!! info
    If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080.
@@ -140,32 +136,44 @@ api:

 All the following endpoints must be accessed with a `GET` HTTP request.

-| Path                           | Description                                                                                 |
-|--------------------------------|---------------------------------------------------------------------------------------------|
-| `/api/http/routers`            | Lists all the HTTP routers information.                                                     |
-| `/api/http/routers/{name}`     | Returns the information of the HTTP router specified by `name`.                             |
-| `/api/http/services`           | Lists all the HTTP services information.                                                    |
-| `/api/http/services/{name}`    | Returns the information of the HTTP service specified by `name`.                            |
-| `/api/http/middlewares`        | Lists all the HTTP middlewares information.                                                 |
-| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`.                         |
-| `/api/tcp/routers`             | Lists all the TCP routers information.                                                      |
-| `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                              |
-| `/api/tcp/services`            | Lists all the TCP services information.                                                     |
-| `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                             |
-| `/api/tcp/middlewares`         | Lists all the TCP middlewares information.                                                  |
-| `/api/tcp/middlewares/{name}`  | Returns the information of the TCP middleware specified by `name`.                          |
-| `/api/udp/routers`             | Lists all the UDP routers information.                                                      |
-| `/api/udp/routers/{name}`      | Returns the information of the UDP router specified by `name`.                              |
-| `/api/udp/services`            | Lists all the UDP services information.                                                     |
-| `/api/udp/services/{name}`     | Returns the information of the UDP service specified by `name`.                             |
-| `/api/entrypoints`             | Lists all the entry points information.                                                     |
-| `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                             |
-| `/api/overview`                | Returns statistic information about http and tcp as well as enabled features and providers. |
-| `/api/rawdata`                 | Returns information about dynamic configurations, errors, status and dependency relations.  |
-| `/api/version`                 | Returns information about Traefik version.                                                  |
-| `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                          |
-| `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.       |
-| `/debug/pprof/cmdline`         | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation.   |
-| `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation.   |
-| `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.     |
-| `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.       |
+!!! info "Pagination"
+
+    By default, up to 100 results are returned per page, and the next page can be checked using the `X-Next-Page` HTTP Header. 
+    To control pagination, use the `page` and `per_page` query parameters.
+
+    ```bash
+    curl https://traefik.example.com:8080/api/http/routers?page=2&per_page=20
+    ```
+
+| Path                           | Description                                                                                         |
+|--------------------------------|-----------------------------------------------------------------------------------------------------|
+| `/api/http/routers`            | Lists all the HTTP routers information.                                                             |
+| `/api/http/routers/{name}`     | Returns the information of the HTTP router specified by `name`.                                     |
+| `/api/http/services`           | Lists all the HTTP services information.                                                            |
+| `/api/http/services/{name}`    | Returns the information of the HTTP service specified by `name`.                                    |
+| `/api/http/middlewares`        | Lists all the HTTP middlewares information.                                                         |
+| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`.                                 |
+| `/api/tcp/routers`             | Lists all the TCP routers information.                                                              |
+| `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                                      |
+| `/api/tcp/services`            | Lists all the TCP services information.                                                             |
+| `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                                     |
+| `/api/tcp/middlewares`         | Lists all the TCP middlewares information.                                                          |
+| `/api/tcp/middlewares/{name}`  | Returns the information of the TCP middleware specified by `name`.                                  |
+| `/api/udp/routers`             | Lists all the UDP routers information.                                                              |
+| `/api/udp/routers/{name}`      | Returns the information of the UDP router specified by `name`.                                      |
+| `/api/udp/services`            | Lists all the UDP services information.                                                             |
+| `/api/udp/services/{name}`     | Returns the information of the UDP service specified by `name`.                                     |
+| `/api/entrypoints`             | Lists all the entry points information.                                                             |
+| `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                                     |
+| `/api/overview`                | Returns statistic information about http and tcp as well as enabled features and providers.         |
+| `/api/support-dump`            | Returns an archive that contains the anonymized static configuration and the runtime configuration. |
+| `/api/rawdata`                 | Returns information about dynamic configurations, errors, status and dependency relations.          |
+| `/api/version`                 | Returns information about Traefik version.                                                          |
+| `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                                  |
+| `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.               |
+| `/debug/pprof/cmdline`         | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation.           |
+| `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation.           |
+| `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.             |
+| `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.               |
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/operations/cli.md
+++ b/docs/content/operations/cli.md
@@ -33,7 +33,7 @@ traefik [--flag[=true|false| ]] [-f [true|false| ]]

 All flags are documented in the [(static configuration) CLI reference](../reference/static-configuration/cli.md).

-!!! info "Flags are case insensitive."
+!!! info "Flags are case-insensitive."

 ### `healthcheck`

--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@@ -37,32 +37,15 @@ Start by enabling the dashboard by using the following option from [Traefik's AP
 on the [static configuration](../getting-started/configuration-overview.md#the-static-configuration):

 ```yaml tab="File (YAML)"
-api:
-  # Dashboard
-  #
-  # Optional
-  # Default: true
-  #
-  dashboard: true
+api: {}
 ```

 ```toml tab="File (TOML)"
 [api]
-  # Dashboard
-  #
-  # Optional
-  # Default: true
-  #
-  dashboard = true
 ```

 ```bash tab="CLI"
-# Dashboard
-#
-# Optional
-# Default: true
-#
--api.dashboard=true
+--api=true
 ```

 Then define a routing configuration on Traefik itself,
@@ -104,29 +87,85 @@ rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashb
 ??? example "Dashboard Dynamic Configuration Examples"
    --8<-- "content/operations/include-dashboard-examples.md"

-## Insecure Mode
+### Custom API Base Path

-This mode is not recommended because it does not allow the use of security features.
+As shown above, by default Traefik exposes its API and Dashboard under the `/` base path,
+which means that respectively the API is served under the `/api` path,
+and the dashboard under the `/dashboard` path.

-To enable the "insecure mode", use the following options from [Traefik's API](./api.md#insecure):
+However, it is possible to configure this base path:
+
+```yaml tab="File (YAML)"
+api:
+  # Customizes the base path:
+  # - Serving API under `/traefik/api`
+  # - Serving Dashboard under `/traefik/dashboard`
+  basePath: /traefik
+```
+
+```toml tab="File (TOML)"
+[api]
+  # Customizes the base path:
+  # - Serving API under `/traefik/api`
+  # - Serving Dashboard under `/traefik/dashboard`
+  basePath = "/traefik"
+```
+
+```bash tab="CLI"
+# Customizes the base path:
+# - Serving API under `/traefik/api`
+# - Serving Dashboard under `/traefik/dashboard`
+--api.basePath=/traefik
+```
+
+??? example "Dashboard Under Custom Path Dynamic Configuration Examples"
+    --8<-- "content/operations/include-dashboard-custom-path-examples.md"
+
+## Insecure Mode
+
+!!! warning "Please note that this mode is incompatible with the [custom API base path option](#custom-api-base-path)."
+
+When _insecure_ mode is enabled, one can access the dashboard on the `traefik` port (default: `8080`) of the Traefik instance,
+at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).
+
+This mode is **not** recommended because it does not allow security features.
+For example, it is not possible to add an authentication middleware with this mode.
+
+It should be used for testing purpose **only**.
+
+To enable the _insecure_ mode, use the following options from [Traefik's API](./api.md#insecure):

 ```yaml tab="File (YAML)"
 api:
-  dashboard: true
  insecure: true
 ```

 ```toml tab="File (TOML)"
 [api]
-  dashboard = true
  insecure = true
 ```

 ```bash tab="CLI"
--api.dashboard=true --api.insecure=true
+--api.insecure=true
 ```

-You can now access the dashboard on the port `8080` of the Traefik instance,
-at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).
+## Disable The Dashboard
+
+By default, the dashboard is enabled when the API is enabled.
+If necessary, the dashboard can be disabled by using the following option.
+
+```yaml tab="File (YAML)"
+api:
+  dashboard: false
+```
+
+```toml tab="File (TOML)"
+[api]
+  dashboard = false
+```
+
+```bash tab="CLI"
+--api.dashboard=false
+```

 {!traefik-for-business-applications.md!}
--- a/docs/content/operations/include-dashboard-custom-path-examples.md
+++ b/docs/content/operations/include-dashboard-custom-path-examples.md
@@ -0,0 +1,83 @@
+```yaml tab="Docker & Swarm"
+# Dynamic Configuration
+labels:
+  - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
+  - "traefik.http.routers.dashboard.service=api@internal"
+  - "traefik.http.routers.dashboard.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="Docker (Swarm)"
+# Dynamic Configuration
+deploy:
+  labels:
+    - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
+    - "traefik.http.routers.dashboard.service=api@internal"
+    - "traefik.http.routers.dashboard.middlewares=auth"
+    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+    # Dummy service for Swarm port detection. The port can be any valid integer value.
+    - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
+```
+
+```yaml tab="Kubernetes CRD"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+spec:
+  routes:
+  - match: Host(`traefik.example.com`) && PathPrefix(`/traefik`)
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+    middlewares:
+      - name: auth
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+spec:
+  basicAuth:
+    secret: secretName # Kubernetes secret named "secretName"
+```
+
+```yaml tab="Consul Catalog"
+# Dynamic Configuration
+- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
+- "traefik.http.routers.dashboard.service=api@internal"
+- "traefik.http.routers.dashboard.middlewares=auth"
+- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic Configuration
+http:
+  routers:
+    dashboard:
+      rule: Host(`traefik.example.com`) && PathPrefix(`/traefik`)
+      service: api@internal
+      middlewares:
+        - auth
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Dynamic Configuration
+[http.routers.my-api]
+  rule = "Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
+  service = "api@internal"
+  middlewares = ["auth"]
+
+[http.middlewares.auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```
--- a/docs/content/plugins/index.md
+++ b/docs/content/plugins/index.md
@@ -30,3 +30,5 @@ They need not be compiled, and no complex toolchain is necessary to build them.
 The experience of implementing a Traefik plugin is comparable to writing a web browser extension.

 To learn more about Traefik plugin creation, please refer to the [developer documentation](https://plugins.traefik.io/create).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@@ -525,7 +525,7 @@ providers:
 ```

 ```bash tab="CLI"
--providers.consulcatalog.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
+--providers.consulcatalog.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
 # ...
 ```

--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -20,7 +20,7 @@ This provider works with [Docker (standalone) Engine](https://docs.docker.com/en

 ## Configuration Examples

-??? example "Configuring Docker & Deploying / Exposing Services"
+??? example "Configuring Docker & Deploying / Exposing one Service"

    Enabling the docker provider

@@ -73,12 +73,14 @@ When using Docker Compose, labels are specified by the directive

 Traefik retrieves the private IP and port of containers from the Docker API.

-Port detection works as follows:
+Port detection for private communication works as follows:

 - If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) a single port,
-  then Traefik uses this port for private communication.
+  then Traefik uses this port.
 - If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) multiple ports,
-  or does not expose any port, then you must manually specify which port Traefik should use for communication
+  then Traefik uses the lowest port.  E.g. if `80` and `8080` are exposed, Traefik will use `80`.
+- If a container does not expose any port, or the selection from multiple ports does not fit,
+  then you must manually specify which port Traefik should use for communication
  by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
  (Read more on this label in the dedicated section in [routing](../routing/providers/docker.md#services)).

@@ -132,6 +134,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
        - Accounting at container level, by exposing the socket on a another container than Traefik's.
        - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
        - SSH public key authentication (SSH is supported with Docker > 18.09)
+        - Authentication using HTTP Basic authentication through an HTTP proxy that exposes the Docker daemon socket.

    ??? info "More Resources and Examples"

@@ -163,7 +166,7 @@ See the [Docker API Access](#docker-api-access) section for more information.

    services:
      traefik:
-         image: traefik:v3.0 # The official v3 Traefik docker image
+         image: traefik:v3.3 # The official v3 Traefik docker image
         ports:
           - "80:80"
         volumes:
@@ -214,6 +217,50 @@ See the [Docker API Access](#docker-api-access) section for more information.
    # ...
    ```

+??? example "Using HTTP"
+
+    Using Docker Engine API you can connect Traefik to remote daemon using HTTP.
+
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        endpoint: "http://127.0.0.1:2375"
+         # ...
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      endpoint = "http://127.0.0.1:2375"
+      # ...
+    ```
+
+    ```bash tab="CLI"
+    --providers.docker.endpoint=http://127.0.0.1:2375
+    # ...
+    ```
+
+??? example "Using TCP"
+
+    Using Docker Engine API you can connect Traefik to remote daemon using TCP.
+
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        endpoint: "tcp://127.0.0.1:2375"
+         # ...
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      endpoint = "tcp://127.0.0.1:2375"
+      # ...
+    ```
+
+    ```bash tab="CLI"
+    --providers.docker.endpoint=tcp://127.0.0.1:2375
+    # ...
+    ```
+
 ```yaml tab="File (YAML)"
 providers:
  docker:
@@ -229,6 +276,56 @@ providers:
 --providers.docker.endpoint=unix:///var/run/docker.sock
 ```

+### `username`
+
+_Optional, Default=""_
+
+Defines the username for Basic HTTP authentication.
+This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    username: foo
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.docker]
+  username = "foo"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.docker.username="foo"
+# ...
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines the password for Basic HTTP authentication.
+This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    password: foo
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.docker]
+  password = "foo"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.docker.password="foo"
+# ...
+```
+
 ### `useBindPortIP`

 _Optional, Default=false_
@@ -358,7 +455,7 @@ providers:
 ```

 ```bash tab="CLI"
--providers.docker.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
+--providers.docker.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
 # ...
 ```

@@ -586,7 +683,7 @@ providers:
 _Optional, Default=false_

 If the parameter is set to `true`,
-any [servers load balancer](../routing/services/index.md#servers-load-balancer) defined for Docker containers is created 
+any [servers load balancer](../routing/services/index.md#servers-load-balancer) defined for Docker containers is created
 regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers.
 It also then stays alive and responsive even at times when it becomes empty,
 i.e. when all its children containers become unhealthy.
--- a/docs/content/providers/ecs.md
+++ b/docs/content/providers/ecs.md
@@ -283,7 +283,7 @@ providers:
 ```

 ```bash tab="CLI"
--providers.ecs.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
+--providers.ecs.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
 # ...
 ```

@@ -325,7 +325,8 @@ _Optional_
 If `region` is not provided, it is resolved from the EC2 metadata endpoint for EC2 tasks.
 In a FARGATE context it is resolved from the `AWS_REGION` environment variable.

-If `accessKeyID` and `secretAccessKey` are not provided, credentials are resolved in the following order:
+If `accessKeyID` and `secretAccessKey` are not provided, credentials are resolved in the order specified by the
+[default credential chain of AWS SDK for Go V2](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html#specifying-credentials):

 - Using the environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
 - Using shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
--- a/docs/content/providers/http.md
+++ b/docs/content/providers/http.md
@@ -84,8 +84,9 @@ Defines custom headers to be sent to the endpoint.

 ```yaml tab="File (YAML)"
 providers:
-  headers:
-    name: value
+  http:
+    headers:
+      name: value
 ```

 ```toml tab="File (TOML)"
@@ -95,6 +96,7 @@ providers:

 ```bash tab="CLI"
 --providers.http.headers.name=value
+```

 ### `tls`

--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -31,10 +31,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku

    ```bash
    # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
    
    # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
    ```

 ## Resource Configuration
@@ -58,7 +58,7 @@ For this reason, users can run multiple instances of Traefik at the same time to

 When using a single instance of Traefik with Let's Encrypt, you should encounter no issues. However, this could be a single point of failure.
 Unfortunately, it is not possible to run multiple instances of Traefik Proxy 2.0 with Let's Encrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request and subsequent responses.
-Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance that feature was dropped in 2.0.
+Early versions (v1.x) of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance that feature was dropped in 2.0.

 If you need Let's Encrypt with HA in a Kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/), which includes distributed Let's Encrypt as a supported feature.

@@ -183,7 +183,7 @@ _Optional, Default: ""_

 A label selector can be defined to filter on specific resource objects only,
 this applies only to Traefik [Custom Resources](../routing/providers/kubernetes-crd.md#custom-resource-definition-crd)
-and has no effect on Kubernetes `Secrets`, `Endpoints` and `Services`.
+and has no effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.
 If left empty, Traefik processes all resource objects in the configured namespaces.

 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
@@ -337,6 +337,30 @@ providers:
 --providers.kubernetescrd.allowexternalnameservices=true
 ```

+### `nativeLBByDefault`
+
+_Optional, Default: false_
+
+Defines whether to use Native Kubernetes load-balancing mode by default.
+For more information, please check out the IngressRoute `nativeLB` option [documentation](../routing/providers/kubernetes-crd.md#load-balancing).
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    nativeLBByDefault: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  nativeLBByDefault = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.nativeLBByDefault=true
+```
+
 ## Full Example

 For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@@ -5,103 +5,58 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf

 # Traefik & Kubernetes with Gateway API

-The Kubernetes Gateway API, The Experimental Way.
-{: .subtitle }
-
-Gateway API is the evolution of Kubernetes APIs that relate to `Services`, such as `Ingress`.
-The Gateway API project is part of Kubernetes, working under SIG-NETWORK.
-
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
-specifications from the Kubernetes Special Interest Groups (SIGs).
+specification from the Kubernetes Special Interest Groups (SIGs).

-This provider is proposed as an experimental feature and partially supports Gateway API [v1.0.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.0.0) specification.
+This provider supports Standard version [v1.2.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.1) of the Gateway API specification. 

-!!! warning "Enabling The Experimental Kubernetes Gateway Provider"
+It fully supports all HTTP core and some extended features, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).

-    Since this provider is still experimental, it needs to be activated in the experimental section of the static configuration.
-
-    ```yaml tab="File (YAML)"
-    experimental:
-      kubernetesGateway: true
-
-    providers:
-      kubernetesGateway: {}
-      #...
-    ```
-
-    ```toml tab="File (TOML)"
-    [experimental]
-      kubernetesGateway = true
-
-    [providers.kubernetesGateway]
-    #...
-    ```
-
-    ```bash tab="CLI"
-    --experimental.kubernetesgateway=true --providers.kubernetesgateway=true #...
-    ```
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.2.1/traefik-traefik).

 ## Requirements

 {!kubernetes-requirements.md!}

-!!! tip "All Steps for a Successful Deployment"
+!!! info "Helm Chart"

-    * Add/update the Kubernetes Gateway API [definitions](../reference/dynamic-configuration/kubernetes-gateway.md#definitions).
-    * Add/update the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) for the Traefik custom resources.
-    * Add all needed Kubernetes Gateway API [resources](../reference/dynamic-configuration/kubernetes-gateway.md#resources).
+    When using the Traefik [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you.
+    The only remaining task is to enable the `kubernetesGateway` in the chart [values](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L130).

-## Examples
+1. Install/update the Kubernetes Gateway API CRDs.

-??? example "Kubernetes Gateway Provider Basic Example"
-
-    ```yaml tab="Gateway API"
-    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml"
+    ```bash
+    # Install Gateway API CRDs from the Standard channel.
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
    ```

-    ```yaml tab="Whoami Service"
-    --8<-- "content/reference/dynamic-configuration/kubernetes-whoami-svc.yml"
+2. Install the additional Traefik RBAC required for Gateway API.
+
+    ```bash
+    # Install Traefik RBACs.
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
    ```

-    ```yaml tab="Traefik Service"
-    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml"
-    ```
+3. Deploy Traefik and enable the `kubernetesGateway` provider in the static configuration as detailed below:
+       
+       ```yaml tab="File (YAML)"
+       providers:
+         kubernetesGateway: {}
+       ```

-    ```yaml tab="Gateway API CRDs"
-    # All resources definition must be declared
-    --8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_gatewayclasses.yaml"
-    --8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_gateways.yaml"
-    --8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_httproutes.yaml"
-    ```
+       ```toml tab="File (TOML)"
+       [providers.kubernetesGateway]
+       ```

-    ```yaml tab="RBAC"
-    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml"
-    ```
+       ```bash tab="CLI"
+       --providers.kubernetesgateway=true
+       ```

-The Kubernetes Gateway API project provides several guides on how to use the APIs.
-These guides can help you to go further than the example above.
-The [getting started guide](https://gateway-api.sigs.k8s.io/guides/) details how to install the CRDs from their repository.
+## Routing Configuration

-For now, the Traefik Gateway Provider can be used while following the below guides:
-
-* [Simple Gateway](https://gateway-api.sigs.k8s.io/guides/simple-gateway/)
-* [HTTP routing](https://gateway-api.sigs.k8s.io/guides/http-routing/)
-* [TLS](https://gateway-api.sigs.k8s.io/guides/tls/)
-
-## Resource Configuration
-
-When using Kubernetes Gateway API as a provider, Traefik uses Kubernetes
-[Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
-to retrieve its routing configuration.
-
-All concepts can be found in the official API concepts [documentation](https://gateway-api.sigs.k8s.io/concepts/api-overview/).
-Traefik implements the following resources:
-
-* `GatewayClass` defines a set of Gateways that share a common configuration and behaviour.
-* `Gateway` describes how traffic can be translated to Services within the cluster.
-* `HTTPRoute` defines HTTP rules for mapping requests from a Gateway to Kubernetes Services.
-* `TCPRoute` defines TCP rules for mapping requests from a Gateway to Kubernetes Services.
-* `TLSRoute` defines TLS rules for mapping requests from a Gateway to Kubernetes Services.
+When using the Kubernetes Gateway API provider, Traefik uses the Gateway API CRDs to retrieve its routing configuration.
+Check out the Gateway API concepts [documentation](https://gateway-api.sigs.k8s.io/concepts/api-overview/),
+and the dedicated [routing section](../routing/providers/kubernetes-gateway.md) in the Traefik documentation.

 ## Provider Configuration

@@ -212,6 +167,117 @@ providers:
 --providers.kubernetesgateway.namespaces=default,production
 ```

+### `statusAddress`
+
+#### `ip`
+
+_Optional, Default: ""_
+
+This IP will get copied to the Gateway `status.addresses`, and currently only supports one IP value (IPv4 or IPv6).
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    statusAddress:
+      ip: "1.2.3.4"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway.statusAddress]
+  ip = "1.2.3.4"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.statusaddress.ip=1.2.3.4
+```
+
+#### `hostname`
+
+_Optional, Default: ""_
+
+This Hostname will get copied to the Gateway `status.addresses`.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    statusAddress:
+      hostname: "example.net"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway.statusAddress]
+  hostname = "example.net"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.statusaddress.hostname=example.net
+```
+
+#### `service`
+
+_Optional_
+
+The Kubernetes service to copy status addresses from.
+When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the gateways.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    statusAddress:
+      service:
+        namespace: default
+        name: foo
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway.statusAddress.service]
+  namespace = "default"
+  name = "foo"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.statusaddress.service.namespace=default
+--providers.kubernetesgateway.statusaddress.service.name=foo
+```
+
+### `experimentalChannel`
+
+_Optional, Default: false_
+
+Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).
+This option currently enables support for `TCPRoute` and `TLSRoute`.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    experimentalChannel: true
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+    experimentalChannel = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.experimentalchannel=true
+```
+
+!!! info "Experimental Channel"
+
+    When enabling experimental channel resources support, the experimental CRDs (Custom Resource Definitions) needs to be deployed too.
+
+    ```bash
+    # Install Gateway API CRDs from the Experimental channel.
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/experimental-install.yaml
+    ```
+
 ### `labelselector`

 _Optional, Default: ""_
@@ -238,6 +304,30 @@ providers:
 --providers.kubernetesgateway.labelselector="app=traefik"
 ```

+### `nativeLBByDefault`
+
+_Optional, Default: false_
+
+Defines whether to use Native Kubernetes load-balancing mode by default.
+For more information, please check out the `traefik.io/service.nativelb` [service annotation documentation](../routing/providers/kubernetes-gateway.md#native-load-balancing).
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    nativeLBByDefault: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  nativeLBByDefault = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.nativeLBByDefault=true
+```
+
 ### `throttleDuration`

 _Optional, Default: 0_
--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -80,7 +80,7 @@ When using a single instance of Traefik Proxy with Let's Encrypt, you should enc
 However, this could be a single point of failure.
 Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with Let's Encrypt enabled,
 because there is no way to ensure that the correct instance of Traefik receives the challenge request, and subsequent responses.
-Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this,
+Early versions (v1.x) of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this,
 but due to sub-optimal performance that feature was dropped in 2.0.

 If you need Let's Encrypt with high availability in a Kubernetes environment,
@@ -287,6 +287,11 @@ providers:

 _Optional, Default: false_

+??? warning "Deprecated"
+
+    The Kubernetes Ingress provider option `disableIngressClassLookup` has been deprecated in v3.1, and will be removed in the next major version.
+	Please use the `disableClusterScopeResources` option instead.
+
 If the parameter is set to `true`,
 Traefik will not discover IngressClasses in the cluster.
 By doing so, it alleviates the requirement of giving Traefik the rights to look IngressClasses up.
@@ -312,6 +317,33 @@ providers:
 --providers.kubernetesingress.disableingressclasslookup=true
 ```

+### `disableClusterScopeResources`
+
+_Optional, Default: false_
+
+When this parameter is set to `true`,
+Traefik will not discover cluster scope resources (`IngressClass` and `Nodes`).
+By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.
+Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).
+This will also prevent from using the `NodePortLB` options on services.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    disableClusterScopeResources: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  disableClusterScopeResources = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.disableClusterScopeResources=true
+```
+
 ### `ingressEndpoint`

 #### `hostname`
@@ -467,9 +499,33 @@ providers:
 --providers.kubernetesingress.allowexternalnameservices=true
 ```

+### `nativeLBByDefault`
+
+_Optional, Default: false_
+
+Defines whether to use Native Kubernetes load-balancing mode by default.
+For more information, please check out the `traefik.ingress.kubernetes.io/service.nativelb` [service annotation documentation](../routing/providers/kubernetes-ingress.md#on-service).
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    nativeLBByDefault: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  nativeLBByDefault = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.nativeLBByDefault=true
+```
+
 ### Further

 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.0/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.3/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

 {!traefik-for-business-applications.md!}
--- a/docs/content/providers/nomad.md
+++ b/docs/content/providers/nomad.md
@@ -56,6 +56,8 @@ _Optional, Default=15s_

 Defines the polling interval.

+!!! note "This option is ignored when the [watch](#watch) mode is enabled."
+
 ```yaml tab="File (YAML)"
 providers:
  nomad:
@@ -74,6 +76,62 @@ providers:
 # ...
 ```

+### `watch`
+
+_Optional, Default=false_
+
+Enables the watch mode to refresh the configuration on a per-event basis.
+
+```yaml tab="File (YAML)"
+providers:
+  nomad:
+    watch: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.nomad]
+  watch = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.nomad.watch
+# ...
+```
+
+### `throttleDuration`
+
+_Optional, Default=0s_
+
+The `throttleDuration` option defines how often the provider is allowed to handle service events from Nomad.
+This prevents a Nomad cluster that updates many times per second from continuously changing your Traefik configuration.
+
+If left empty, the provider does not apply any throttling and does not drop any Nomad service events.
+
+The value of `throttleDuration` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
+
+!!! warning "This option is only compatible with the [watch](#watch) mode."
+
+```yaml tab="File (YAML)"
+providers:
+  nomad:
+    throttleDuration: 2s
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.nomad]
+  throttleDuration = "2s"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.nomad.throttleDuration=2s
+# ...
+```
+
 ### `prefix`

 _required, Default="traefik"_
@@ -163,6 +221,7 @@ providers:
 _Optional, Default=""_

 Token is used to provide a per-request ACL token, if Nomad ACLs are enabled.
+The appropriate ACL privilege for this token is 'read-job', as outlined in the [Nomad documentation on ACL](https://developer.hashicorp.com/nomad/tutorials/access-control/access-control-policies).

 ```yaml tab="File (YAML)"
 providers:
@@ -373,7 +432,7 @@ providers:
 ```

 ```bash tab="CLI"
--providers.nomad.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+--providers.nomad.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
 # ...
 ```

@@ -511,3 +570,27 @@ providers:
 --providers.nomad.namespaces=ns1,ns2
 # ...
 ```
+
+### `allowEmptyServices`
+
+_Optional, Default: false_
+
+If the parameter is set to `true`,
+it allows the creation of an empty [servers load balancer](../routing/services/index.md#servers-load-balancer) if the targeted Nomad service has no endpoints available. This results in a `503` HTTP response instead of a `404`.
+
+```yaml tab="File (YAML)"
+providers:
+  nomad:
+    allowEmptyServices: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.nomad]
+  allowEmptyServices = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.nomad.allowEmptyServices=true
+```
--- a/docs/content/providers/overview.md
+++ b/docs/content/providers/overview.md
@@ -81,7 +81,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
        - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
    ```

-    ```yaml tab="Kubernetes Ingress Route"
+    ```yaml tab="IngressRoute"
    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
@@ -103,7 +103,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
            # when the cross-provider syntax is used.
    ```

-    ```yaml tab="Kubernetes Ingress"
+    ```yaml tab="Ingress"
    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
@@ -150,8 +150,8 @@ Below is the list of the currently supported providers in Traefik.

 !!! info "More Providers"

-    The current version of Traefik does not yet support every provider that Traefik v1.7 did.
-    See the [previous version (v1.7)](https://doc.traefik.io/traefik/v1.7/) for more providers.
+    The current version of Traefik does not yet support every provider that Traefik v2.11 did.
+    See the [previous version (v2.11)](https://doc.traefik.io/traefik/v2.11/) for more information.

 ### Configuration Reload Frequency

--- a/docs/content/providers/redis.md
+++ b/docs/content/providers/redis.md
@@ -10,6 +10,12 @@ A Story of KV store & Containers

 Store your configuration in Redis and let Traefik do the rest!

+!!! tip "Dynamic configuration updates"
+
+    Dynamic configuration updates require Redis [keyspace notifications](https://redis.io/docs/latest/develop/use/keyspace-notifications) to be enabled.
+    Cloud-managed Redis services (e.g., GCP Memorystore, AWS ElastiCache) may disable this by default due to CPU performance issues.
+    For more information, see the [Redis](https://redis.io/docs/latest/develop/use/keyspace-notifications/) documentation or refer to your cloud provider's documentation for specific configuration steps.
+
 ## Routing Configuration

 See the dedicated section in [routing](../routing/providers/kv.md).
--- a/docs/content/providers/swarm.md
+++ b/docs/content/providers/swarm.md
@@ -20,7 +20,7 @@ This provider works with [Docker Swarm Mode](https://docs.docker.com/engine/swar

 ## Configuration Examples

-??? example "Configuring Docker Swarm & Deploying / Exposing Services"
+??? example "Configuring Docker Swarm & Deploying / Exposing one Service"

    Enabling the Swarm provider

@@ -48,7 +48,9 @@ This provider works with [Docker Swarm Mode](https://docs.docker.com/engine/swar
    --providers.swarm.endpoint=tcp://127.0.0.1:2377
    ```

-    Attach labels to services (not to containers) while in Swarm mode (in your docker compose file)
+    Attach labels to a single service (not containers) while in Swarm mode (in your Docker compose file).
+    When there is only one service, and the router does not specify a service,
+    then that service is automatically assigned to the router.

    ```yaml
    version: "3"
@@ -149,6 +151,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
          It allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
        - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
        - SSH public key authentication (SSH is supported with Docker > 18.09)
+        - Authentication using HTTP Basic authentication through an HTTP proxy that exposes the Docker daemon socket.

    ??? info "More Resources and Examples"

@@ -209,7 +212,7 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati

    services:
      traefik:
-         image: traefik:v3.0 # The official v3 Traefik docker image
+         image: traefik:v3.3 # The official v3 Traefik docker image
         ports:
           - "80:80"
         volumes:
@@ -244,7 +247,7 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati

    ```yaml tab="File (YAML)"
    providers:
-      docker:
+      swarm:
        endpoint: "ssh://traefik@192.168.2.5:2022"
         # ...
    ```
@@ -260,6 +263,50 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
    # ...
    ```

+??? example "Using HTTP"
+
+    Using Docker Engine API you can connect Traefik to remote daemon using HTTP.
+
+    ```yaml tab="File (YAML)"
+    providers:
+      swarm:
+        endpoint: "http://127.0.0.1:2375"
+         # ...
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.swarm]
+      swarm = "http://127.0.0.1:2375"
+      # ...
+    ```
+
+    ```bash tab="CLI"
+    --providers.swarm.endpoint=http://127.0.0.1:2375
+    # ...
+    ```
+
+??? example "Using TCP"
+
+    Using Docker Engine API you can connect Traefik to remote daemon using TCP.
+
+    ```yaml tab="File (YAML)"
+    providers:
+      swarm:
+        endpoint: "tcp://127.0.0.1:2375"
+         # ...
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.swarm]
+      swarm = "tcp://127.0.0.1:2375"
+      # ...
+    ```
+
+    ```bash tab="CLI"
+    --providers.swarm.endpoint=tcp://127.0.0.1:2375
+    # ...
+    ```
+
 ```yaml tab="File (YAML)"
 providers:
  swarm:
@@ -275,6 +322,56 @@ providers:
 --providers.swarm.endpoint=unix:///var/run/docker.sock
 ```

+### `username`
+
+_Optional, Default=""_
+
+Defines the username for Basic HTTP authentication.
+This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
+
+```yaml tab="File (YAML)"
+providers:
+  swarm:
+    username: foo
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.swarm]
+  username = "foo"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.swarm.username="foo"
+# ...
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines the password for Basic HTTP authentication.
+This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
+
+```yaml tab="File (YAML)"
+providers:
+  swarm:
+    password: foo
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.swarm]
+  password = "foo"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.swarm.password="foo"
+# ...
+```
+
 ### `useBindPortIP`

 _Optional, Default=false_
@@ -358,7 +455,10 @@ _Optional, Default=""_

 Defines a default docker network to use for connections to all containers.

-This option can be overridden on a per-container basis with the `traefik.docker.network` label.
+This option can be overridden on a per-container basis with the `traefik.docker.network` [routing label](../routing/providers/swarm.md#traefikdockernetwork).
+
+!!! warning
+    The Docker Swarm provider still uses the same per-container mechanism as the Docker provider, so therefore the label still uses the `docker` keyword intentionally.

 ```yaml tab="File (YAML)"
 providers:
@@ -403,7 +503,7 @@ providers:
 ```

 ```bash tab="CLI"
--providers.swarm.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
+--providers.swarm.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
 # ...
 ```

--- a/docs/content/reference/dynamic-configuration/consul-catalog.md
+++ b/docs/content/reference/dynamic-configuration/consul-catalog.md
@@ -8,7 +8,7 @@ description: "View the reference for performing dynamic configurations with Trae
 Dynamic configuration with Consul Catalog
 {: .subtitle }

-The labels are case insensitive.
+The labels are case-insensitive.

 ```yaml
 --8<-- "content/reference/dynamic-configuration/consul-catalog.yml"
--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@@ -18,6 +18,8 @@
 - "traefik.http.middlewares.middleware05.circuitbreaker.recoveryduration=42s"
 - "traefik.http.middlewares.middleware05.circuitbreaker.responsecode=42"
 - "traefik.http.middlewares.middleware06.compress=true"
+- "traefik.http.middlewares.middleware06.compress.defaultencoding=foobar"
+- "traefik.http.middlewares.middleware06.compress.encodings=foobar, foobar"
 - "traefik.http.middlewares.middleware06.compress.excludedcontenttypes=foobar, foobar"
 - "traefik.http.middlewares.middleware06.compress.includedcontenttypes=foobar, foobar"
 - "traefik.http.middlewares.middleware06.compress.minresponsebodybytes=42"
@@ -36,6 +38,10 @@
 - "traefik.http.middlewares.middleware10.forwardauth.authrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.authresponseheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.authresponseheadersregex=foobar"
+- "traefik.http.middlewares.middleware10.forwardauth.forwardbody=true"
+- "traefik.http.middlewares.middleware10.forwardauth.headerfield=foobar"
+- "traefik.http.middlewares.middleware10.forwardauth.maxbodysize=42"
+- "traefik.http.middlewares.middleware10.forwardauth.preservelocationheader=true"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.ca=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.cert=foobar"
@@ -54,6 +60,7 @@
 - "traefik.http.middlewares.middleware12.headers.allowedhosts=foobar, foobar"
 - "traefik.http.middlewares.middleware12.headers.browserxssfilter=true"
 - "traefik.http.middlewares.middleware12.headers.contentsecuritypolicy=foobar"
+- "traefik.http.middlewares.middleware12.headers.contentsecuritypolicyreportonly=foobar"
 - "traefik.http.middlewares.middleware12.headers.contenttypenosniff=true"
 - "traefik.http.middlewares.middleware12.headers.custombrowserxssvalue=foobar"
 - "traefik.http.middlewares.middleware12.headers.customframeoptionsvalue=foobar"
@@ -81,15 +88,18 @@
 - "traefik.http.middlewares.middleware13.ipallowlist.ipstrategy=true"
 - "traefik.http.middlewares.middleware13.ipallowlist.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware13.ipallowlist.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware13.ipallowlist.ipstrategy.ipv6subnet=42"
 - "traefik.http.middlewares.middleware13.ipallowlist.rejectstatuscode=42"
 - "traefik.http.middlewares.middleware13.ipallowlist.sourcerange=foobar, foobar"
 - "traefik.http.middlewares.middleware14.ipwhitelist.ipstrategy=true"
 - "traefik.http.middlewares.middleware14.ipwhitelist.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware14.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware14.ipwhitelist.ipstrategy.ipv6subnet=42"
 - "traefik.http.middlewares.middleware14.ipwhitelist.sourcerange=foobar, foobar"
 - "traefik.http.middlewares.middleware15.inflightreq.amount=42"
 - "traefik.http.middlewares.middleware15.inflightreq.sourcecriterion.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware15.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware15.inflightreq.sourcecriterion.ipstrategy.ipv6subnet=42"
 - "traefik.http.middlewares.middleware15.inflightreq.sourcecriterion.requestheadername=foobar"
 - "traefik.http.middlewares.middleware15.inflightreq.sourcecriterion.requesthost=true"
 - "traefik.http.middlewares.middleware16.passtlsclientcert.info.issuer.commonname=true"
@@ -121,6 +131,7 @@
 - "traefik.http.middlewares.middleware18.ratelimit.period=42s"
 - "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.ipv6subnet=42"
 - "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.requestheadername=foobar"
 - "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.requesthost=true"
 - "traefik.http.middlewares.middleware19.redirectregex.permanent=true"
@@ -139,6 +150,9 @@
 - "traefik.http.middlewares.middleware25.stripprefixregex.regex=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
 - "traefik.http.routers.router0.middlewares=foobar, foobar"
+- "traefik.http.routers.router0.observability.accesslogs=true"
+- "traefik.http.routers.router0.observability.metrics=true"
+- "traefik.http.routers.router0.observability.tracing=true"
 - "traefik.http.routers.router0.priority=42"
 - "traefik.http.routers.router0.rule=foobar"
 - "traefik.http.routers.router0.rulesyntax=foobar"
@@ -152,6 +166,9 @@
 - "traefik.http.routers.router0.tls.options=foobar"
 - "traefik.http.routers.router1.entrypoints=foobar, foobar"
 - "traefik.http.routers.router1.middlewares=foobar, foobar"
+- "traefik.http.routers.router1.observability.accesslogs=true"
+- "traefik.http.routers.router1.observability.metrics=true"
+- "traefik.http.routers.router1.observability.tracing=true"
 - "traefik.http.routers.router1.priority=42"
 - "traefik.http.routers.router1.rule=foobar"
 - "traefik.http.routers.router1.rulesyntax=foobar"
@@ -183,6 +200,7 @@
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.httponly=true"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.maxage=42"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.name=foobar"
+- "traefik.http.services.service02.loadbalancer.sticky.cookie.path=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.samesite=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.secure=true"
 - "traefik.http.services.service02.loadbalancer.server.port=foobar"
--- a/docs/content/reference/dynamic-configuration/ecs.md
+++ b/docs/content/reference/dynamic-configuration/ecs.md
@@ -8,7 +8,7 @@ description: "Learn how to do dynamic configuration in Traefik Proxy with AWS EC
 Dynamic configuration with ECS provider
 {: .subtitle }

-The labels are case insensitive.
+The labels are case-insensitive.

 ```yaml
 --8<-- "content/reference/dynamic-configuration/ecs.yml"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@@ -20,6 +20,10 @@
        [[http.routers.Router0.tls.domains]]
          main = "foobar"
          sans = ["foobar", "foobar"]
+      [http.routers.Router0.observability]
+        accessLogs = true
+        tracing = true
+        metrics = true
    [http.routers.Router1]
      entryPoints = ["foobar", "foobar"]
      middlewares = ["foobar", "foobar"]
@@ -38,6 +42,10 @@
        [[http.routers.Router1.tls.domains]]
          main = "foobar"
          sans = ["foobar", "foobar"]
+      [http.routers.Router1.observability]
+        accessLogs = true
+        tracing = true
+        metrics = true
  [http.services]
    [http.services.Service01]
      [http.services.Service01.failover]
@@ -55,14 +63,17 @@
            httpOnly = true
            sameSite = "foobar"
            maxAge = 42
+            path = "foobar"

        [[http.services.Service02.loadBalancer.servers]]
          url = "foobar"
          weight = 42
+          preservePath = true

        [[http.services.Service02.loadBalancer.servers]]
          url = "foobar"
          weight = 42
+          preservePath = true
        [http.services.Service02.loadBalancer.healthCheck]
          scheme = "foobar"
          mode = "foobar"
@@ -82,6 +93,7 @@
    [http.services.Service03]
      [http.services.Service03.mirroring]
        service = "foobar"
+        mirrorBody = true
        maxBodySize = 42

        [[http.services.Service03.mirroring.mirrors]]
@@ -109,6 +121,7 @@
            httpOnly = true
            sameSite = "foobar"
            maxAge = 42
+            path = "foobar"
        [http.services.Service04.weighted.healthCheck]
  [http.middlewares]
    [http.middlewares.Middleware01]
@@ -143,6 +156,8 @@
        excludedContentTypes = ["foobar", "foobar"]
        includedContentTypes = ["foobar", "foobar"]
        minResponseBodyBytes = 42
+        encodings = ["foobar", "foobar"]
+        defaultEncoding = "foobar"
    [http.middlewares.Middleware07]
      [http.middlewares.Middleware07.contentType]
        autoDetect = true
@@ -166,6 +181,10 @@
        authResponseHeadersRegex = "foobar"
        authRequestHeaders = ["foobar", "foobar"]
        addAuthCookiesToResponse = ["foobar", "foobar"]
+        headerField = "foobar"
+        forwardBody = true
+        maxBodySize = 42
+        preserveLocationHeader = true
        [http.middlewares.Middleware10.forwardAuth.tls]
          ca = "foobar"
          cert = "foobar"
@@ -197,6 +216,7 @@
        browserXssFilter = true
        customBrowserXSSValue = "foobar"
        contentSecurityPolicy = "foobar"
+        contentSecurityPolicyReportOnly = "foobar"
        publicKey = "foobar"
        referrerPolicy = "foobar"
        permissionsPolicy = "foobar"
@@ -222,12 +242,14 @@
        [http.middlewares.Middleware13.ipAllowList.ipStrategy]
          depth = 42
          excludedIPs = ["foobar", "foobar"]
+          ipv6Subnet = 42
    [http.middlewares.Middleware14]
      [http.middlewares.Middleware14.ipWhiteList]
        sourceRange = ["foobar", "foobar"]
        [http.middlewares.Middleware14.ipWhiteList.ipStrategy]
          depth = 42
          excludedIPs = ["foobar", "foobar"]
+          ipv6Subnet = 42
    [http.middlewares.Middleware15]
      [http.middlewares.Middleware15.inFlightReq]
        amount = 42
@@ -237,6 +259,7 @@
          [http.middlewares.Middleware15.inFlightReq.sourceCriterion.ipStrategy]
            depth = 42
            excludedIPs = ["foobar", "foobar"]
+            ipv6Subnet = 42
    [http.middlewares.Middleware16]
      [http.middlewares.Middleware16.passTLSClientCert]
        pem = true
@@ -281,6 +304,7 @@
          [http.middlewares.Middleware18.rateLimit.sourceCriterion.ipStrategy]
            depth = 42
            excludedIPs = ["foobar", "foobar"]
+            ipv6Subnet = 42
    [http.middlewares.Middleware19]
      [http.middlewares.Middleware19.redirectRegex]
        regex = "foobar"
--- a/Show More
+++ b/Show More