Prepare release v2.11.9

Co-authored-by: Romain <rtribotte@users.noreply.github.com>

.github/workflows/build.yaml

@@ -4,9 +4,13 @@ on:
   pull_request:
     branches:
       - '*'
+    paths-ignore:
+      - 'docs/**'
+      - '**.md'
+      - 'script/gcg/**'
 
 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
   CGO_ENABLED: 0
 
 jobs:
@@ -44,10 +48,33 @@ jobs:
           path: webui.tar.gz
 
   build:
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
+
     strategy:
       matrix:
-        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        os: [ darwin, freebsd, linux, openbsd, windows ]
+        arch: [ amd64, arm64 ]
+        include:
+          - os: freebsd
+            arch: 386
+          - os: linux
+            arch: 386
+          - os: linux
+            arch: arm
+            goarm: 6
+          - os: linux
+            arch: arm
+            goarm: 7
+          - os: linux
+            arch: ppc64le
+          - os: linux
+            arch: riscv64
+          - os: linux
+            arch: s390x
+          - os: openbsd
+            arch: 386
+          - os: windows
+            arch: 386
     needs:
       - build-webui
 
@@ -59,6 +86,8 @@ jobs:
 
       - name: Set up Go ${{ env.GO_VERSION }}
         uses: actions/setup-go@v5
+        env:
+          ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
         with:
           go-version: ${{ env.GO_VERSION }}
 
@@ -71,4 +100,8 @@ jobs:
         run: tar xvf webui.tar.gz
 
       - name: Build
+        env:
+          GOOS: ${{ matrix.os }}
+          GOARCH: ${{ matrix.arch }}
+          GOARM: ${{ matrix.goarm }}
         run: make binary

.github/workflows/documentation.yml

@@ -24,7 +24,7 @@ jobs:
           fetch-depth: 0
 
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/experimental.yaml

@@ -7,7 +7,7 @@ on:
       - v*
 
 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
   CGO_ENABLED: 0
 
 jobs:
@@ -56,10 +56,10 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Build docker experimental image
         env:

.github/workflows/test-integration.yaml

@@ -4,12 +4,13 @@ on:
   pull_request:
     branches:
       - '*'
-  push:
-    branches:
-      - 'gh-actions'
+    paths-ignore:
+      - 'docs/**'
+      - '**.md'
+      - 'script/gcg/**'
 
 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
   CGO_ENABLED: 0
 
 jobs:
@@ -63,7 +64,7 @@ jobs:
 
       - name: Generate go test Slice
         id: test_split
-        uses: hashicorp-forge/go-test-split-action@v1
+        uses: hashicorp-forge/go-test-split-action@v2.0.0
         with:
           packages: ./integration
           total: ${{ matrix.parallel }}

.github/workflows/test-unit.yaml

@@ -4,9 +4,13 @@ on:
   pull_request:
     branches:
       - '*'
+    paths-ignore:
+      - 'docs/**'
+      - '**.md'
+      - 'script/gcg/**'
 
 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
 
 jobs:
 

.github/workflows/validate.yaml

@@ -6,9 +6,9 @@ on:
       - '*'
 
 env:
-  GO_VERSION: '1.22'
-  GOLANGCI_LINT_VERSION: v1.59.0
-  MISSSPELL_VERSION: v0.6.0
+  GO_VERSION: '1.23'
+  GOLANGCI_LINT_VERSION: v1.60.3
+  MISSPELL_VERSION: v0.6.0
 
 jobs:
 
@@ -29,8 +29,8 @@ jobs:
       - name: Install golangci-lint ${{ env.GOLANGCI_LINT_VERSION }}
         run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
 
-      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
-        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
+      - name: Install misspell ${{ env.MISSPELL_VERSION }}
+        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}
 
       - name: Avoid generating webui
         run: touch webui/static/index.html

.golangci.yml

@@ -197,8 +197,7 @@ linters:
     - maintidx # kind of duplicate of gocyclo
     - nonamedreturns # Too strict
     - gosmopolitan  # not relevant
-    - exportloopref # Useless with go1.22
-    - musttag
+    - exportloopref # Not relevant since go1.22
 
 issues:
   exclude-use-default: false
@@ -219,6 +218,7 @@ issues:
     - 'SA1019: c.Providers.Consul.Namespace is deprecated'
     - 'SA1019: c.Providers.Nomad.Namespace is deprecated'
     - 'fmt.Sprintf can be replaced with string'
+    - 'SA1019: dockertypes.ContainerNode is deprecated'
   exclude-rules:
     - path: '(.+)_test.go'
       linters:
@@ -270,3 +270,6 @@ issues:
       text: 'unusedwrite: unused write to field'
       linters:
         - govet
+    - path: pkg/provider/acme/local_store.go
+      linters:
+        - musttag

.semaphore/semaphore.yml

@@ -19,13 +19,13 @@ global_job_config:
   prologue:
     commands:
       - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
-      - sudo semgo go1.22
+      - sudo semgo go1.23
       - export "GOPATH=$(go env GOPATH)"
       - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
       - export "PATH=${GOPATH}/bin:${PATH}"
       - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
       - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.59.0
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.60.3
       - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
       - checkout
       - cache restore traefik-$(checksum go.sum)

CHANGELOG.md

@@ -1,3 +1,74 @@
+## [v2.11.9](https://github.com/traefik/traefik/tree/v2.11.9) (2024-09-16)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.8...v2.11.9)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.18.0 ([#11060](https://github.com/traefik/traefik/pull/11060) by [ldez](https://github.com/ldez))
+- **[acme]** Allow handling ACME challenges with custom routers ([#10981](https://github.com/traefik/traefik/pull/10981) by [rtribotte](https://github.com/rtribotte))
+- **[logs,middleware]** Make the keys of the accessLog.fields.names map case-insensitive ([#11040](https://github.com/traefik/traefik/pull/11040) by [SpecLad](https://github.com/SpecLad))
+- **[logs,middleware]** Ensure proper logs for aborted streaming responses ([#10819](https://github.com/traefik/traefik/pull/10819) by [hood](https://github.com/hood))
+- **[middleware,server]** Cleanup Connection headers before passing the middleware chain ([#11077](https://github.com/traefik/traefik/pull/11077) by [kevinpollet](https://github.com/kevinpollet))
+- **[plugins]** Upgrade paerser to v0.2.1 ([#11048](https://github.com/traefik/traefik/pull/11048) by [mmatur](https://github.com/mmatur))
+- **[server,tcp]** Prevent error logging when TCP WRR pool is empty ([#10989](https://github.com/traefik/traefik/pull/10989) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Upgrade webui dependencies ([#11031](https://github.com/traefik/traefik/pull/11031) by [mloiseleur](https://github.com/mloiseleur))
+
+**Documentation:**
+- **[acme]** Fix typo in multiple DNS challenge provider warning ([#11001](https://github.com/traefik/traefik/pull/11001) by [tired-engineer](https://github.com/tired-engineer))
+- **[k8s]** Update k8s quickstart permissions ([#11049](https://github.com/traefik/traefik/pull/11049) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Remove documentation for unimplemented service retries metric  ([#10983](https://github.com/traefik/traefik/pull/10983) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Unify tab titles ([#11072](https://github.com/traefik/traefik/pull/11072) by [jsoref](https://github.com/jsoref))
+- Give valid examples for exposing dashboard with default Helm values ([#11015](https://github.com/traefik/traefik/pull/11015) by [holysoles](https://github.com/holysoles))
+
+## [v2.11.8](https://github.com/traefik/traefik/tree/v2.11.8) (2024-08-06)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.7...v2.11.8)
+
+**Bug fixes:**
+- **[docker]** Update to github.com/docker/docker v27.1.1 ([#10955](https://github.com/traefik/traefik/pull/10955) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Upgrade webui dependencies ([#10961](https://github.com/traefik/traefik/pull/10961) by [mmatur](https://github.com/mmatur))
+
+**Documentation:**
+- Fix embedded youtube video ([#10958](https://github.com/traefik/traefik/pull/10958) by [mmatur](https://github.com/mmatur))
+- Updated index.md to include video ([#10944](https://github.com/traefik/traefik/pull/10944) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
+## [v2.11.7](https://github.com/traefik/traefik/tree/v2.11.7) (2024-07-30)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.6...v2.11.7)
+
+**Bug fixes:**
+- **[logs]** Make the log about new version more accurate ([#10903](https://github.com/traefik/traefik/pull/10903) by [jmcbri](https://github.com/jmcbri))
+- **[tls,k8s/crd,k8s]** Enforce default cipher suites list ([#10907](https://github.com/traefik/traefik/pull/10907) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[acme]** Modify certificatesDuration documentation ([#10920](https://github.com/traefik/traefik/pull/10920) by [peacewalker122](https://github.com/peacewalker122))
+- **[api]** Improve explanation on API exposition ([#10926](https://github.com/traefik/traefik/pull/10926) by [mloiseleur](https://github.com/mloiseleur))
+- **[docker,consul,rancher,ecs]** Improve doc on sensitive data stored into labels/tags ([#10873](https://github.com/traefik/traefik/pull/10873) by [emilevauge](https://github.com/emilevauge))
+- **[docker,logs]** Improve error and documentation on the needed link between router and service ([#10262](https://github.com/traefik/traefik/pull/10262) by [mloiseleur](https://github.com/mloiseleur))
+- **[docker]** Document Docker port selection on multiple exposed ports ([#10935](https://github.com/traefik/traefik/pull/10935) by [mbrodala](https://github.com/mbrodala))
+- Update the supported versions table for v3.1 release ([#10933](https://github.com/traefik/traefik/pull/10933) by [jnoordsij](https://github.com/jnoordsij))
+- Update PR approval process ([#10887](https://github.com/traefik/traefik/pull/10887) by [emilevauge](https://github.com/emilevauge))
+
+## [v2.11.6](https://github.com/traefik/traefik/tree/v2.11.6) (2024-07-02)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.5...v2.11.6)
+
+**Bug fixes:**
+- **[ecs]** Fix ECS config for OIDC + IRSA ([#10814](https://github.com/traefik/traefik/pull/10814) by [mmatur](https://github.com/mmatur))
+- **[http3]** Disable QUIC 0-RTT ([#10867](https://github.com/traefik/traefik/pull/10867) by [mmatur](https://github.com/mmatur))
+- **[middleware,server]** Remove interface names from IPv6 ([#10813](https://github.com/traefik/traefik/pull/10813) by [JeroenED](https://github.com/JeroenED))
+
+**Documentation:**
+- **[docker,acme]** Fix a typo in the ACME docker-compose docs ([#10866](https://github.com/traefik/traefik/pull/10866) by [ciacon](https://github.com/ciacon))
+- Update Advanced Capabilities Callout ([#10846](https://github.com/traefik/traefik/pull/10846) by [tomatokoolaid](https://github.com/tomatokoolaid))
+- Update maintainers ([#10834](https://github.com/traefik/traefik/pull/10834) by [emilevauge](https://github.com/emilevauge))
+- Fix readme badge for Semaphore CI ([#10830](https://github.com/traefik/traefik/pull/10830) by [mmatur](https://github.com/mmatur))
+- Fix typo in keepAliveMaxTime docs ([#10825](https://github.com/traefik/traefik/pull/10825) by [shochdoerfer](https://github.com/shochdoerfer))
+
+## [v2.11.5](https://github.com/traefik/traefik/tree/v2.11.5) (2024-06-18)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.4...v2.11.5)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.17.4 ([#10803](https://github.com/traefik/traefik/pull/10803) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Update the supported versions table ([#10798](https://github.com/traefik/traefik/pull/10798) by [nmengin](https://github.com/nmengin))
+
 ## [v2.11.4](https://github.com/traefik/traefik/tree/v2.11.4) (2024-06-10)
 [All Commits](https://github.com/traefik/traefik/compare/v2.11.3...v2.11.4)
 

CODE_OF_CONDUCT.md

@@ -47,7 +47,7 @@ Further details of specific enforcement policies may be posted separately.
 
 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
 
-When an inapropriate behavior is reported, maintainers will discuss on the Maintainer's Discord before marking the message as "abuse". 
+When an inappropriate behavior is reported, maintainers will discuss on the Maintainer's Discord before marking the message as "abuse". 
 This conversation beforehand avoids one-sided decisions.
 
 The first message will be edited and marked as abuse.

README.md

@@ -7,7 +7,7 @@
     </picture>
 </p>
 
-[![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
+[![Build Status SemaphoreCI](https://traefik-oss.semaphoreci.com/badges/traefik/branches/master.svg?style=shields)](https://traefik-oss.semaphoreci.com/projects/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)

cmd/traefik/traefik.go

@@ -15,7 +15,7 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/coreos/go-systemd/daemon"
+	"github.com/coreos/go-systemd/v22/daemon"
 	"github.com/go-acme/lego/v4/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
 	"github.com/sirupsen/logrus"
@@ -316,7 +316,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 			}
 
 			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
-				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+				log.WithoutContext().Errorf("Router %s uses a nonexistent resolver: %s", rtName, rt.TLS.CertResolver)
 			}
 		}
 	})

docs/content/contributing/maintainers.md

@@ -9,7 +9,6 @@ description: "Traefik Proxy is an open source software with a thriving community
 
 * Emile Vauge [@emilevauge](https://github.com/emilevauge)
 * Manuel Zapf [@SantoDE](https://github.com/SantoDE)
-* Ludovic Fernandez [@ldez](https://github.com/ldez)
 * Julien Salleyron [@juliens](https://github.com/juliens)
 * Nicolas Mengin [@nmengin](https://github.com/nmengin)
 * Michaël Matur [@mmatur](https://github.com/mmatur)
@@ -33,6 +32,7 @@ People who have had an incredibly positive impact on the project, and are now fo
 * Daniel Tomcej [@dtomcej](https://github.com/dtomcej)
 * Timo Reimann [@timoreimann](https://github.com/timoreimann)
 * Marco Jantke [@mjantke](https://github.com/mjeri)
+* Ludovic Fernandez [@ldez](https://github.com/ldez)
 
 ## Maintainer's Guidelines
 

docs/content/contributing/submitting-pull-requests.md

@@ -54,9 +54,10 @@ Merging a PR requires the following steps to be completed before it is merged au
     * Keep "allows edit from maintainer" checked.
     * Use semantic line breaks for documentation.
     * Ensure your PR is not a draft. We do not review drafts, but do answer questions and confer with developers on them as needed.
+    * Ensure that the dependencies in the `go.mod` file reference a tag. If referencing a tag is not possible, add a comment explaining why.
 * Pass the validation check.
 * Pass all tests.
-* Receive 3 approving reviews from maintainers.
+* Receive 2 approving reviews from maintainers.
 
 ## Pull Request Review Cycle
 
@@ -89,6 +90,7 @@ in short, it looks like this:
 You must run these local verifications before you submit your pull request to predict the pass or failure of continuous integration.
 Your PR will not be reviewed until these are green on the CI.
 
+* `make generate`
 * `make validate`
 * `make pull-images`
 * `make test`
@@ -112,7 +114,7 @@ In such a situation, solve the conflicts/CI/... and then remove the label `bot/n
 
 To prevent the bot from automatically merging a PR, add the label `bot/no-merge`.
 
-The label `bot/light-review` decreases the number of required LGTM from 3 to 1.
+The label `bot/light-review` decreases the number of required LGTM from 2 to 1.
 
 This label can be used when:
 

docs/content/deprecation/releases.md

@@ -4,30 +4,27 @@
 
 Below is a non-exhaustive list of versions and their maintenance status:
 
-| Version | Release Date | Active Support     | Security Support | 
-|---------|--------------|--------------------|------------------|
-| 2.11    | Feb 12, 2024 | Yes                | Yes              |
-| 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 | No               |
-| 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 | No               |
-| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No               |
-| 2.7     | May 24, 2022 | Ended Jun 29, 2022 | No               |
-| 2.6     | Jan 24, 2022 | Ended May 24, 2022 | No               |
-| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 | No               |
-| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 | No               |
-| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 | No               |
-| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 | No               |
-| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 | No               |
-| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 | No               |
-| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 | Contact Support  |
-
-??? example "Active Support / Security Support"
-
-    **Active support**: receives any bug fixes.
-    **Security support**: receives only critical bug and security fixes.
+| Version | Release Date | Community Support  |  
+|---------|--------------|--------------------|
+| 3.1     | Jul 15, 2024 | Yes                |
+| 3.0     | Apr 29, 2024 | Ended Jul 15, 2024 |
+| 2.11    | Feb 12, 2024 | Ends  Apr 29, 2025 |
+| 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 |
+| 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 |
+| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 |
+| 2.7     | May 24, 2022 | Ended Jun 29, 2022 |
+| 2.6     | Jan 24, 2022 | Ended May 24, 2022 |
+| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 |
+| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 |
+| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 |
+| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 |
+| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 |
+| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 |
+| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 |
 
 This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.
 
-Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v1 to v2 migration guide](../migration/v1-to-v2.md).
+Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v2 to v3 migration guide](../migration/v2-to-v3.md).
 
 !!! important "All target dates for end of support or feature removal announcements may be subject to change."
 

docs/content/getting-started/install-traefik.md

@@ -99,38 +99,6 @@ helm install traefik traefik/traefik
       - "--log.level=DEBUG"
     ```
 
-### Exposing the Traefik dashboard
-
-This Helm chart does not expose the Traefik dashboard by default, for security concerns.
-Thus, there are multiple ways to expose the dashboard.
-For instance, the dashboard access could be achieved through a port-forward:
-
-```shell
-kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
-```
-
-It can then be reached at: `http://127.0.0.1:9000/dashboard/`
-
-Another way would be to apply your own configuration, for instance,
-by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`):
-
-```yaml
-# dashboard.yaml
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: dashboard
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
-      kind: Rule
-      services:
-        - name: api@internal
-          kind: TraefikService
-```
-
 ## Use the Binary Distribution
 
 Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page.

docs/content/getting-started/quick-start-with-kubernetes.md

@@ -58,6 +58,23 @@ rules:
       - ingresses/status
     verbs:
       - update
+  - apiGroups:
+      - traefik.io
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - middlewaretcps
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+      - serverstransports
+    verbs:
+      - get
+      - list
+      - watch
 ```
 
 !!! info "You can find the reference for this file [there](../../reference/dynamic-configuration/kubernetes-crd/#rbac)."

docs/content/https/acme.md

@@ -11,7 +11,7 @@ Automatic HTTPS
 You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.
 
 !!! warning "Let's Encrypt and Rate Limiting"
-    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and can not be overridden.
+    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and cannot be overridden.
     
     When running Traefik in a container this file should be persisted across restarts. 
     If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
@@ -298,7 +298,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     
     Multiple DNS challenge provider are not supported with Traefik, but you can use `CNAME` to handle that.
     For example, if you have `example.org` (account foo) and `example.com` (account bar) you can create a CNAME on `example.org` called `_acme-challenge.example.org` pointing to `challenge.example.com`.
-    This way, you can obtain certificates for `example.com` with the `foo` account.
+    This way, you can obtain certificates for `example.org` with the `bar` account.
 
 !!! important
     A `provider` is mandatory.
@@ -341,6 +341,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Derak Cloud](https://derak.cloud/)                                    | `derak`            | `DERAK_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/derak)            |
 | [deSEC](https://desec.io)                                              | `desec`            | `DESEC_TOKEN`                                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/desec)            |
 | [DigitalOcean](https://www.digitalocean.com)                           | `digitalocean`     | `DO_AUTH_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean)     |
+| [DirectAdmin](https://www.directadmin.com)                             | `directadmin`      | `DIRECTADMIN_API_URL` , `DIRECTADMIN_USERNAME`, `DIRECTADMIN_PASSWORD`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/directadmin)      |
 | [DNS Made Easy](https://dnsmadeeasy.com)                               | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
 | [dnsHome.de](https://www.dnshome.de)                                   | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
 | [DNSimple](https://dnsimple.com)                                       | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
@@ -384,12 +385,15 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Joker.com](https://joker.com)                                         | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
 | [Liara](https://liara.ir)                                              | `liara`            | `LIARA_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/liara)            |
 | [Lightsail](https://aws.amazon.com/lightsail/)                         | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
+| [Lima-City](https://www.lima-city.de)                                  | `limacity`         | `LIMACITY_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/limacity)         |
 | [Linode v4](https://www.linode.com)                                    | `linode`           | `LINODE_TOKEN`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/linode)           |
 | [Liquid Web](https://www.liquidweb.com/)                               | `liquidweb`        | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)        |
 | [Loopia](https://loopia.com/)                                          | `loopia`           | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)           |
 | [LuaDNS](https://luadns.com)                                           | `luadns`           | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)           |
 | [Mail-in-a-Box](https://mailinabox.email)                              | `mailinabox`       | `MAILINABOX_EMAIL`, `MAILINABOX_PASSWORD`, `MAILINABOX_BASE_URL`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/mailinabox)       |
 | [Metaname](https://metaname.net)                                       | `metaname`         | `METANAME_ACCOUNT_REFERENCE`, `METANAME_API_KEY`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/metaname)         |
+| [mijn.host](https://mijn.host/)                                        | `mijnhost`         | `MIJNHOST_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/mijnhost)         |
+| [Mittwald](https://www.mittwald.de)                                    | `mittwald`         | `MITTWALD_TOKEN`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/mittwald)         |
 | [MyDNS.jp](https://www.mydns.jp/)                                      | `mydnsjp`          | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)          |
 | [Mythic Beasts](https://www.mythic-beasts.com)                         | `mythicbeasts`     | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts)     |
 | [name.com](https://www.name.com/)                                      | `namedotcom`       | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)       |
@@ -418,8 +422,8 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
 | [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCW_API_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
-| [Selectel](https://selectel.ru/en/)                                    | `selectel`         | `SELECTEL_API_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)         |
 | [Selectel v2](https://selectel.ru/en/)                                 | `selectelv2`       | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2)       |
+| [Selectel](https://selectel.ru/en/)                                    | `selectel`         | `SELECTEL_API_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)         |
 | [Servercow](https://servercow.de)                                      | `servercow`        | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)        |
 | [Shellrent](https://www.shellrent.com)                                 | `shellrent`        | `SHELLRENT_USERNAME`, `SHELLRENT_TOKEN`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/shellrent)        |
 | [Simply.com](https://www.simply.com/en/domains/)                       | `simply`           | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/simply)           |
@@ -606,9 +610,21 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 
 _Optional, Default=2160_
 
-The `certificatesDuration` option defines the certificates' duration in hours.
+`certificatesDuration` is used to calculate two durations:
+
+- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
+- `Renew Interval`: the interval between renew attempts.
+
 It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.
 
+| Certificate Duration | Renew Period      | Renew Interval          |
+|----------------------|-------------------|-------------------------|
+| >= 1 year            | 4 months          | 1 week                  |
+| >= 90 days           | 30 days           | 1 day                   |
+| >= 7 days            | 1 day             | 1 hour                  |
+| >= 24 hours          | 6 hours           | 10 min                  |
+| < 24 hours           | 20 min            | 1 min                   |
+
 !!! warning "Traefik cannot manage certificates with a duration lower than 1 hour."
 
 ```yaml tab="File (YAML)"
@@ -633,19 +649,6 @@ certificatesResolvers:
 # ...
 ```
 
-`certificatesDuration` is used to calculate two durations:
-
-- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
-- `Renew Interval`: the interval between renew attempts.
-
-| Certificate Duration | Renew Period      | Renew Interval          |
-|----------------------|-------------------|-------------------------|
-| >= 1 year            | 4 months          | 1 week                  |
-| >= 90 days           | 30 days           | 1 day                   |
-| >= 7 days            | 1 day             | 1 hour                  |
-| >= 24 hours          | 6 hours           | 10 min                  |
-| < 24 hours           | 20 min            | 1 min                   |
-
 ### `preferredChain`
 
 _Optional, Default=""_

docs/content/includes/traefik-for-business-applications.md

@@ -1,14 +1,10 @@
 ---
 
-!!! question "Using Traefik for Business Applications?"
+!!! question "Using Traefik OSS in Production? Consider Adding Advanced Capabilities."
 
-    If you are using Traefik in your organization, consider our enterprise-grade solutions:
+    Add API Gateway or API Management capabilities seamlessly to your existing Traefik deployments. 
+    No rip and replace. No learning curve.
 
-    - API Management  
-      [Explore](https://traefik.io/solutions/api-management/) // [Watch Demo Video](https://info.traefik.io/watch-traefik-hub-demo)
-    - API Gateway  
-      [Explore](https://traefik.io/solutions/api-gateway/) // [Watch Demo Video](https://info.traefik.io/watch-traefikee-demo)
-    - Ingress Controller  
-      [Kubernetes](https://traefik.io/solutions/kubernetes-ingress/) // [Docker Swarm](https://traefik.io/solutions/docker-swarm-ingress/)
-
-    These tools help businesses discover, deploy, secure, and manage microservices and APIs easily, at scale, across any environment.
+    - [Explore our API Gateway](https://traefik.io/traefik-hub-api-gateway/)
+    - [Explore our API Management](https://traefik.io/traefik-hub/)
+    - [Get 24/7/365 Commercial Support for Traefik OSS](https://info.traefik.io/request-commercial-support)

docs/content/index.md

@@ -7,16 +7,22 @@ description: "Traefik Proxy, an open source Edge Router, auto-discovers configur
 
 ![Architecture](assets/img/traefik-architecture.png)
 
-Traefik is an [open-source](https://github.com/traefik/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
-It receives requests on behalf of your system and finds out which components are responsible for handling them. 
+Traefik is an [open-source](https://github.com/traefik/traefik) *Application Proxy* that makes publishing your services a fun and easy experience. 
+It receives requests on behalf of your system and identifies which components are responsible for handling them, and routes them securely. 
 
 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
 The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. 
 
-Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
+Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, Mesos, Marathon, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
  
 With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
-With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.   
+With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.
+
+And if your needs change, you can add API gateway and API management capabilities seamlessly to your existing Traefik deployments. It takes less than a minute, there’s no rip-and-replace, and all your configurations are preserved. See how it works in this video:
+
+<div style="text-align: center;">
+    <iframe src="https://www.youtube.com/embed/zriUO5YPgFg?modestbranding=1&rel=0&controls=1" width="560" height="315" title="Upgrade Traefik Proxy to API Gateway and API Management in Seconds // Traefik Labs" frameborder="0" allowfullscreen></iframe>
+</div>
 
 Developing Traefik, our main goal is to make it effortless to use, and we're sure you'll enjoy it.
 
@@ -24,8 +30,6 @@ Developing Traefik, our main goal is to make it effortless to use, and we're sur
 
 !!! info
 
-    Join our user friendly and active [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the traefik community.
+    Join our user friendly and active [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the Traefik community.
 
-    Using Traefik in your organization? Consider [Traefik Enterprise](https://traefik.io/traefik-enterprise/ "Lino to Traefik Enterprise"), our unified API Gateway and Ingress that simplifies the discovery, security, and deployment of APIs and microservices across any environment.
-
-    See it in action in [this short video walkthrough](https://info.traefik.io/watch-traefikee-demo "Link to video walkthrough").
+    Using Traefik OSS in Production? Consider our enterprise-grade [API Gateway](https://traefik.io/traefik-hub-api-gateway/), [API Management](https://traefik.io/traefik-hub/), and [Commercial Support](https://info.traefik.io/request-commercial-support) solutions.

docs/content/middlewares/http/inflightreq.md

@@ -335,7 +335,7 @@ spec:
       requestHost: true
 ```
 
-```yaml tab="Cosul Catalog"
+```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
 

docs/content/middlewares/http/overview.md

@@ -24,7 +24,7 @@ whoami:
     - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```
 
-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 # As a Kubernetes Traefik IngressRoute
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition

docs/content/middlewares/overview.md

@@ -35,7 +35,7 @@ whoami:
     - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```
 
-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware

docs/content/middlewares/tcp/overview.md

@@ -24,7 +24,7 @@ whoami:
     - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
 ```
 
-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 # As a Kubernetes Traefik IngressRoute
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition

docs/content/migration/v1-to-v2.md

@@ -44,7 +44,7 @@ Then any router can refer to an instance of the wanted middleware.
       - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
     ```
 
-    ```yaml tab="K8s Ingress"
+    ```yaml tab="Ingress"
     apiVersion: networking.k8s.io/v1beta1
     kind: Ingress
     metadata:
@@ -107,7 +107,7 @@ Then any router can refer to an instance of the wanted middleware.
       - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
     ```
 
-    ```yaml tab="K8s IngressRoute"
+    ```yaml tab="IngressRoute"
     # The definitions below require the definitions for the Middleware and IngressRoute kinds.
     # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.io/v1alpha1
@@ -278,7 +278,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
         ]
     ```
 
-    ```yaml tab="K8s IngressRoute"
+    ```yaml tab="IngressRoute"
     # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
     # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.io/v1alpha1
@@ -442,7 +442,7 @@ To apply a redirection:
       traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
     ```
 
-    ```yaml tab="K8s IngressRoute"
+    ```yaml tab="IngressRoute"
     apiVersion: traefik.io/v1alpha1
     kind: IngressRoute
     metadata:
@@ -561,7 +561,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
       - "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"
     ```
 
-    ```yaml tab="Kubernetes Ingress"
+    ```yaml tab="Ingress"
     apiVersion: networking.k8s.io/v1beta1
     kind: Ingress
     metadata:
@@ -595,7 +595,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
       - "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
     ```
 
-    ```yaml tab="Kubernetes IngressRoute"
+    ```yaml tab="IngressRoute"
     ---
     apiVersion: traefik.io/v1alpha1
     kind: IngressRoute

docs/content/migration/v2.md

@@ -429,7 +429,7 @@ For more advanced use cases, you can use either the [RedirectScheme middleware](
 
 Following up on the deprecation started [previously](#x509-commonname-deprecation),
 as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
-the legacy behavior related to the CommonName field can not be enabled at all anymore.
+the legacy behavior related to the CommonName field cannot be enabled at all anymore.
 
 ## v2.5.3 to v2.5.4
 

docs/content/observability/metrics/overview.md

@@ -150,7 +150,6 @@ traefik.router.responses.bytes.total
 | Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `service`  | The total count of HTTPS requests processed on a service.   |
 | Request duration      | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service.         |
 | Open connections      | Count     | `method`, `protocol`, `service`         | The current count of open connections on a service.         |
-| Retries total         | Count     | `service`                               | The count of requests retries on a service.                 |
 | Server UP             | Gauge     | `service`, `url`                        | Current service's server status, 0 for a down or 1 for up.  |
 | Requests bytes total  | Count     | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service.  |
 | Responses bytes total | Count     | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
@@ -160,7 +159,6 @@ traefik_service_requests_total
 traefik_service_requests_tls_total
 traefik_service_request_duration_seconds
 traefik_service_open_connections
-traefik_service_retries_total
 traefik_service_server_up
 traefik_service_requests_bytes_total
 traefik_service_responses_bytes_total
@@ -171,7 +169,6 @@ service.request.total
 router.service.tls.total
 service.request.duration
 service.connections.open
-service.retries.total
 service.server.up
 service.requests.bytes.total
 service.responses.bytes.total
@@ -182,7 +179,6 @@ traefik.service.requests.total
 traefik.service.requests.tls.total
 traefik.service.request.duration
 traefik.service.connections.open
-traefik.service.retries.total
 traefik.service.server.up
 traefik.service.requests.bytes.total
 traefik.service.responses.bytes.total
@@ -194,7 +190,6 @@ traefik.service.responses.bytes.total
 {prefix}.service.request.tls.total
 {prefix}.service.request.duration
 {prefix}.service.connections.open
-{prefix}.service.retries.total
 {prefix}.service.server.up
 {prefix}.service.requests.bytes.total
 {prefix}.service.responses.bytes.total

docs/content/operations/api.md

@@ -16,13 +16,9 @@ including sensitive data.
 
 In production, it should be at least secured by authentication and authorizations.
 
-A good sane default (non exhaustive) set of recommendations
-would be to apply the following protection mechanisms:
-
-* At the transport level:
-  NOT publicly exposing the API's port,
-  keeping it restricted to internal networks
-  (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
+!!! info
+    It's recommended to NOT publicly exposing the API's port, keeping it restricted to internal networks
+    (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
 
 ## Configuration
 

docs/content/operations/cli.md

@@ -33,7 +33,7 @@ traefik [--flag[=true|false| ]] [-f [true|false| ]]
 
 All flags are documented in the [(static configuration) CLI reference](../reference/static-configuration/cli.md).
 
-!!! info "Flags are case insensitive."
+!!! info "Flags are case-insensitive."
 
 ### `healthcheck`
 

docs/content/providers/docker.md

@@ -21,7 +21,7 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
 
 ## Configuration Examples
 
-??? example "Configuring Docker & Deploying / Exposing Services"
+??? example "Configuring Docker & Deploying / Exposing one Service"
 
     Enabling the docker provider
 
@@ -49,7 +49,7 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
           - traefik.http.routers.my-container.rule=Host(`example.com`)
     ```
 
-??? example "Configuring Docker Swarm & Deploying / Exposing Services"
+??? example "Configuring Docker Swarm & Deploying / Exposing one Service"
 
     Enabling the docker provider (Swarm Mode)
 
@@ -80,7 +80,9 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
     --providers.docker.swarmMode=true
     ```
 
-    Attach labels to services (not to containers) while in Swarm mode (in your docker compose file)
+    Attach labels to a single service (not containers) while in Swarm mode (in your Docker compose file).
+    When there is only one service, and the router does not specify a service,
+    then that service is automatically assigned to the router.
 
     ```yaml
     version: "3"
@@ -117,12 +119,14 @@ When using Docker Compose, labels are specified by the directive
 
 Traefik retrieves the private IP and port of containers from the Docker API.
 
-Port detection works as follows:
+Port detection for private communication works as follows:
 
 - If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) a single port,
-  then Traefik uses this port for private communication.
+  then Traefik uses this port.
 - If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) multiple ports,
-  or does not expose any port, then you must manually specify which port Traefik should use for communication
+  then Traefik uses the lowest port.  E.g. if `80` and `8080` are exposed, Traefik will use `80`.
+- If a container does not expose any port, or the selection from multiple ports does not fit,
+  then you must manually specify which port Traefik should use for communication
   by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
   (Read more on this label in the dedicated section in [routing](../routing/providers/docker.md#port)).
 
@@ -738,7 +742,7 @@ providers:
 _Optional, Default=false_
 
 If the parameter is set to `true`,
-any [servers load balancer](../routing/services/index.md#servers-load-balancer) defined for Docker containers is created 
+any [servers load balancer](../routing/services/index.md#servers-load-balancer) defined for Docker containers is created
 regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers.
 It also then stays alive and responsive even at times when it becomes empty,
 i.e. when all its children containers become unhealthy.

docs/content/providers/overview.md

@@ -81,7 +81,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
         - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
     ```
 
-    ```yaml tab="Kubernetes Ingress Route"
+    ```yaml tab="IngressRoute"
     apiVersion: traefik.io/v1alpha1
     kind: IngressRoute
     metadata:
@@ -103,7 +103,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
             # when the cross-provider syntax is used.
     ```
 
-    ```yaml tab="Kubernetes Ingress"
+    ```yaml tab="Ingress"
     apiVersion: traefik.io/v1alpha1
     kind: Middleware
     metadata:

docs/content/reference/dynamic-configuration/consul-catalog.md

@@ -8,7 +8,7 @@ description: "View the reference for performing dynamic configurations with Trae
 Dynamic configuration with Consul Catalog
 {: .subtitle }
 
-The labels are case insensitive.
+The labels are case-insensitive.
 
 ```yaml
 --8<-- "content/reference/dynamic-configuration/consul-catalog.yml"

docs/content/reference/dynamic-configuration/docker.md

@@ -8,7 +8,7 @@ description: "Reference dynamic configuration with Docker labels in Traefik Prox
 Dynamic configuration with Docker Labels
 {: .subtitle }
 
-The labels are case insensitive.
+The labels are case-insensitive.
 
 ```yaml
 labels:

docs/content/reference/dynamic-configuration/ecs.md

@@ -8,7 +8,7 @@ description: "Learn how to do dynamic configuration in Traefik Proxy with AWS EC
 Dynamic configuration with ECS provider
 {: .subtitle }
 
-The labels are case insensitive.
+The labels are case-insensitive.
 
 ```yaml
 --8<-- "content/reference/dynamic-configuration/ecs.yml"

docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutes.traefik.io
 spec:
   group: traefik.io
@@ -290,7 +290,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutetcps.traefik.io
 spec:
   group: traefik.io
@@ -514,7 +514,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressrouteudps.traefik.io
 spec:
   group: traefik.io
@@ -618,7 +618,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewares.traefik.io
 spec:
   group: traefik.io
@@ -1598,7 +1598,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewaretcps.traefik.io
 spec:
   group: traefik.io
@@ -1685,7 +1685,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: serverstransports.traefik.io
 spec:
   group: traefik.io
@@ -1811,7 +1811,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsoptions.traefik.io
 spec:
   group: traefik.io
@@ -1925,7 +1925,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsstores.traefik.io
 spec:
   group: traefik.io
@@ -2022,7 +2022,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: traefikservices.traefik.io
 spec:
   group: traefik.io
@@ -2433,7 +2433,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutes.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -2720,7 +2720,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutetcps.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -2944,7 +2944,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressrouteudps.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -3048,7 +3048,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewares.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -4028,7 +4028,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewaretcps.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -4115,7 +4115,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: serverstransports.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -4241,7 +4241,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsoptions.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -4355,7 +4355,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsstores.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -4452,7 +4452,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: traefikservices.traefik.containo.us
 spec:
   group: traefik.containo.us

docs/content/reference/dynamic-configuration/nomad.md

@@ -8,7 +8,7 @@ description: "View the reference for performing dynamic configurations with Trae
 Dynamic configuration with Nomad Service Discovery
 {: .subtitle }
 
-The labels are case insensitive.
+The labels are case-insensitive.
 
 ```yaml
 --8<-- "content/reference/dynamic-configuration/nomad.yml"

docs/content/reference/dynamic-configuration/rancher.md

@@ -8,7 +8,7 @@ description: "Read the official Traefik documentation to learn more on dynamic c
 Dynamic configuration with Rancher Labels
 {: .subtitle }
 
-The labels are case insensitive.
+The labels are case-insensitive.
 
 ```yaml
 labels:

docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutes.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutes.traefik.containo.us
 spec:
   group: traefik.containo.us

docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutetcps.traefik.containo.us
 spec:
   group: traefik.containo.us

docs/content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressrouteudps.traefik.containo.us
 spec:
   group: traefik.containo.us

docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewares.traefik.containo.us
 spec:
   group: traefik.containo.us

docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewaretcps.traefik.containo.us
 spec:
   group: traefik.containo.us

docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: serverstransports.traefik.containo.us
 spec:
   group: traefik.containo.us

docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsoptions.traefik.containo.us
 spec:
   group: traefik.containo.us

docs/content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsstores.traefik.containo.us
 spec:
   group: traefik.containo.us

docs/content/reference/dynamic-configuration/traefik.containo.us_traefikservices.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: traefikservices.traefik.containo.us
 spec:
   group: traefik.containo.us

docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutes.traefik.io
 spec:
   group: traefik.io

docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutetcps.traefik.io
 spec:
   group: traefik.io

docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressrouteudps.traefik.io
 spec:
   group: traefik.io

docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewares.traefik.io
 spec:
   group: traefik.io

docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewaretcps.traefik.io
 spec:
   group: traefik.io

docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: serverstransports.traefik.io
 spec:
   group: traefik.io

docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsoptions.traefik.io
 spec:
   group: traefik.io

docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsstores.traefik.io
 spec:
   group: traefik.io

docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: traefikservices.traefik.io
 spec:
   group: traefik.io

docs/content/reference/static-configuration/cli-ref.md

@@ -108,6 +108,12 @@ Entry points definition. (Default: ```false```)
 `--entrypoints.<name>.address`:  
 Entry point address.
 
+`--entrypoints.<name>.allowacmebypass`:  
+Enables handling of ACME TLS and HTTP challenges with custom routers. (Default: ```false```)
+
+`--entrypoints.<name>.forwardedheaders.connection`:  
+List of Connection headers that are allowed to pass through the middleware chain before being removed.
+
 `--entrypoints.<name>.forwardedheaders.insecure`:  
 Trust all forwarded headers. (Default: ```false```)
 

docs/content/reference/static-configuration/env-ref.md

@@ -108,6 +108,12 @@ Entry points definition. (Default: ```false```)
 `TRAEFIK_ENTRYPOINTS_<NAME>_ADDRESS`:  
 Entry point address.
 
+`TRAEFIK_ENTRYPOINTS_<NAME>_ALLOWACMEBYPASS`:  
+Enables handling of ACME TLS and HTTP challenges with custom routers. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_CONNECTION`:  
+List of Connection headers that are allowed to pass through the middleware chain before being removed.
+
 `TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`:  
 Trust all forwarded headers. (Default: ```false```)
 

docs/content/reference/static-configuration/file.toml

@@ -16,6 +16,7 @@
 [entryPoints]
   [entryPoints.EntryPoint0]
     address = "foobar"
+    allowACMEByPass = true
     [entryPoints.EntryPoint0.transport]
       keepAliveMaxTime = "42s"
       keepAliveMaxRequests = 42
@@ -32,6 +33,7 @@
     [entryPoints.EntryPoint0.forwardedHeaders]
       insecure = true
       trustedIPs = ["foobar", "foobar"]
+      connection = ["foobar", "foobar"]
     [entryPoints.EntryPoint0.http]
       middlewares = ["foobar", "foobar"]
       encodeQuerySemicolons = true

docs/content/reference/static-configuration/file.yaml

@@ -16,6 +16,7 @@ serversTransport:
 entryPoints:
   EntryPoint0:
     address: foobar
+    allowACMEByPass: true
     transport:
       lifeCycle:
         requestAcceptGraceTimeout: 42s
@@ -36,6 +37,9 @@ entryPoints:
       trustedIPs:
         - foobar
         - foobar
+      connection:
+        - foobar
+        - foobar
     http:
       redirections:
         entryPoint:

docs/content/routing/entrypoints.md

@@ -233,6 +233,35 @@ If both TCP and UDP are wanted for the same port, two entryPoints definitions ar
 
     Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go.
 
+### AllowACMEByPass
+
+_Optional, Default=false_
+
+`allowACMEByPass` determines whether a user defined router can handle ACME TLS or HTTP challenges instead of the Traefik dedicated one.
+This option can be used when a Traefik instance has one or more certificate resolvers configured,
+but is also used to route challenges connections/requests to services that could also initiate their own ACME challenges.
+
+??? info "No Certificate Resolvers configured"
+
+    It is not necessary to use the `allowACMEByPass' option certificate option if no certificate resolver is defined.
+    In fact, Traefik will automatically allow ACME TLS or HTTP requests to be handled by custom routers in this case, since there can be no concurrency with its own challenge handlers.
+
+```yaml tab="File (YAML)"
+entryPoints:
+  foo:
+    allowACMEByPass: true
+```
+
+```toml tab="File (TOML)"
+[entryPoints.foo]
+  [entryPoints.foo.allowACMEByPass]
+    allowACMEByPass = true
+```
+
+```bash tab="CLI"
+--entryPoints.name.allowACMEByPass=true
+```
+
 ### HTTP/2
 
 #### `maxConcurrentStreams`
@@ -393,6 +422,40 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
     --entryPoints.web.forwardedHeaders.insecure
     ```
 
+??? info "`forwardedHeaders.connection`"
+    
+    As per RFC7230, Traefik respects the Connection options from the client request.
+    By doing so, it removes any header field(s) listed in the request Connection header and the Connection header field itself when empty.
+    The removal happens as soon as the request is handled by Traefik,
+    thus the removed headers are not available when the request passes through the middleware chain.
+    The `connection` option lists the Connection headers allowed to passthrough the middleware chain before their removal.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        forwardedHeaders:
+          connection:
+            - foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.forwardedHeaders]
+          connection = ["foobar"]
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.forwardedHeaders.connection=foobar
+    ```
+
 ### Transport
 
 #### `respondingTimeouts`
@@ -641,7 +704,7 @@ entryPoints:
   [entryPoints.name]
     address = ":8888"
     [entryPoints.name.transport]
-      keepAliveMaxTime = 42s
+      keepAliveMaxTime = "42s"
 ```
 
 ```bash tab="CLI"

docs/content/routing/providers/consul-catalog.md

@@ -12,11 +12,19 @@ A Story of Tags, Services & Instances
 
 Attach tags to your services and let Traefik do the rest!
 
+One of the best feature of Traefik is to delegate the routing configuration to the application level.
+With Consul Catalog, Traefik can leverage tags attached to a service to generate routing rules.
+
+!!! warning "Tags & sensitive data"
+
+    We recommend to *not* use tags to store sensitive data (certificates, credentials, etc).
+    Instead, we recommend to store sensitive data in a safer storage (secrets, file, etc).
+
 ## Routing Configuration
 
 !!! info "tags"
     
-    - tags are case insensitive.
+    - tags are case-insensitive.
     - The complete list of tags can be found [the reference page](../../reference/dynamic-configuration/consul-catalog.md)
 
 ### General

docs/content/routing/providers/docker.md

@@ -12,9 +12,17 @@ A Story of Labels & Containers
 
 Attach labels to your containers and let Traefik do the rest!
 
+One of the best feature of Traefik is to delegate the routing configuration to the application level.
+With Docker, Traefik can leverage labels attached to a container to generate routing rules.
+
+!!! warning "Labels & sensitive data"
+
+    We recommend to *not* use labels to store sensitive data (certificates, credentials, etc).
+    Instead, we recommend to store sensitive data in a safer storage (secrets, file, etc).
+
 ## Configuration Examples
 
-??? example "Configuring Docker & Deploying / Exposing Services"
+??? example "Configuring Docker & Deploying / Exposing one Service"
 
     Enabling the docker provider
 
@@ -42,48 +50,7 @@ Attach labels to your containers and let Traefik do the rest!
           - traefik.http.routers.my-container.rule=Host(`example.com`)
     ```
 
-??? example "Specify a Custom Port for the Container"
-
-    Forward requests for `http://example.com` to `http://<private IP of container>:12345`:
-
-    ```yaml
-    version: "3"
-    services:
-      my-container:
-        # ...
-        labels:
-          - traefik.http.routers.my-container.rule=Host(`example.com`)
-          # Tell Traefik to use the port 12345 to connect to `my-container`
-          - traefik.http.services.my-service.loadbalancer.server.port=12345
-    ```
-
-    !!! important "Traefik Connecting to the Wrong Port: `HTTP/502 Gateway Error`"
-        By default, Traefik uses the first exposed port of a container.
-
-        Setting the label `traefik.http.services.xxx.loadbalancer.server.port`
-        overrides that behavior.
-
-??? example "Specifying more than one router and service per container"
-
-    Forwarding requests to more than one port on a container requires referencing the service loadbalancer port definition using the service parameter on the router.
-
-    In this example, requests are forwarded for `http://example-a.com` to `http://<private IP of container>:8000` in addition to `http://example-b.com` forwarding to `http://<private IP of container>:9000`:
-
-    ```yaml
-    version: "3"
-    services:
-      my-container:
-        # ...
-        labels:
-          - traefik.http.routers.www-router.rule=Host(`example-a.com`)
-          - traefik.http.routers.www-router.service=www-service
-          - traefik.http.services.www-service.loadbalancer.server.port=8000
-          - traefik.http.routers.admin-router.rule=Host(`example-b.com`)
-          - traefik.http.routers.admin-router.service=admin-service
-          - traefik.http.services.admin-service.loadbalancer.server.port=9000
-    ```
-
-??? example "Configuring Docker Swarm & Deploying / Exposing Services"
+??? example "Configuring Docker Swarm & Deploying / Exposing one Service"
 
     Enabling the docker provider (Swarm Mode)
 
@@ -114,7 +81,9 @@ Attach labels to your containers and let Traefik do the rest!
     --providers.docker.swarmMode=true
     ```
 
-    Attach labels to services (not to containers) while in Swarm mode (in your docker compose file)
+    Attach labels to services (not containers) while in Swarm mode (in your Docker compose file).
+    When there is only one service, and the router does not specify a service,
+    then that service is automatically assigned to the router.
 
     ```yaml
     version: "3"
@@ -131,11 +100,54 @@ Attach labels to your containers and let Traefik do the rest!
         Therefore, if you use a compose file with Swarm Mode, labels should be defined in the `deploy` part of your service.
         This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels-1)).
 
+??? example "Specify a Custom Port for the Container"
+
+    Forward requests for `http://example.com` to `http://<private IP of container>:12345`:
+
+    ```yaml
+    version: "3"
+    services:
+      my-container:
+        # ...
+        labels:
+          - traefik.http.routers.my-container.rule=Host(`example.com`)
+          - traefik.http.routers.my-container.service=my-service"
+          # Tell Traefik to use the port 12345 to connect to `my-container`
+          - traefik.http.services.my-service.loadbalancer.server.port=12345
+    ```
+
+    !!! important "Traefik Connecting to the Wrong Port: `HTTP/502 Gateway Error`"
+        By default, Traefik uses the lowest exposed port of a container as detailed in
+        [Port Detection](../providers/docker.md#port-detection) of the Docker provider.
+
+        Setting the label `traefik.http.services.xxx.loadbalancer.server.port`
+        overrides this behavior.
+
+??? example "Specifying more than one router and service per container"
+
+    Forwarding requests to more than one port on a container requires referencing the service loadbalancer port definition using the service parameter on the router.
+
+    In this example, requests are forwarded for `http://example-a.com` to `http://<private IP of container>:8000` in addition to `http://example-b.com` forwarding to `http://<private IP of container>:9000`:
+
+    ```yaml
+    version: "3"
+    services:
+      my-container:
+        # ...
+        labels:
+          - traefik.http.routers.www-router.rule=Host(`example-a.com`)
+          - traefik.http.routers.www-router.service=www-service
+          - traefik.http.services.www-service.loadbalancer.server.port=8000
+          - traefik.http.routers.admin-router.rule=Host(`example-b.com`)
+          - traefik.http.routers.admin-router.service=admin-service
+          - traefik.http.services.admin-service.loadbalancer.server.port=9000
+    ```
+
 ## Routing Configuration
 
 !!! info "Labels"
 
-    - Labels are case insensitive.
+    - Labels are case-insensitive.
     - The complete list of labels can be found in [the reference page](../../reference/dynamic-configuration/docker.md).
 
 ### General
@@ -149,7 +161,7 @@ and the router automatically gets a rule defined by `defaultRule` (if no rule fo
 
 --8<-- "content/routing/providers/service-by-label.md"
 
-??? example "Automatic service assignment with labels"
+??? example "Automatic assignment with one Service"
 
     With labels in a compose file
 
@@ -160,7 +172,7 @@ and the router automatically gets a rule defined by `defaultRule` (if no rule fo
       - "traefik.http.services.myservice.loadbalancer.server.port=80"
     ```
 
-??? example "Automatic service creation and assignment with labels"
+??? example "Automatic service creation with one Router"
 
     With labels in a compose file
 
@@ -171,6 +183,18 @@ and the router automatically gets a rule defined by `defaultRule` (if no rule fo
       - "traefik.http.routers.myproxy.rule=Host(`example.net`)"
     ```
 
+??? example "Explicit definition with one Service"
+
+    With labels in a compose file
+
+    ```yaml
+    labels:
+      - traefik.http.routers.www-router.rule=Host(`example-a.com`)
+      # Explicit link between the router and the service
+      - traefik.http.routers.www-router.service=www-service
+      - traefik.http.services.www-service.loadbalancer.server.port=8000
+    ```
+
 ### Routers
 
 To update the configuration of the Router automatically attached to the container,
@@ -460,7 +484,7 @@ More information about available middlewares in the dedicated [middlewares secti
 
 You can declare TCP Routers and/or Services using labels.
 
-??? example "Declaring TCP Routers and Services"
+??? example "Declaring TCP Routers with one Service"
 
     ```yaml
        services:
@@ -589,7 +613,7 @@ You can declare TCP Routers and/or Services using labels.
 
 You can declare UDP Routers and/or Services using labels.
 
-??? example "Declaring UDP Routers and Services"
+??? example "Declaring UDP Routers with one Service"
 
     ```yaml
        services:

docs/content/routing/providers/ecs.md

@@ -10,11 +10,19 @@ A Story of Labels & Elastic Containers
 
 Attach labels to your containers and let Traefik do the rest!
 
+One of the best feature of Traefik is to delegate the routing configuration to the application level.
+With ECS, Traefik can leverage labels attached to a container to generate routing rules.
+
+!!! warning "Labels & sensitive data"
+
+    We recommend to *not* use labels to store sensitive data (certificates, credentials, etc).
+    Instead, we recommend to store sensitive data in a safer storage (secrets, file, etc).
+
 ## Routing Configuration
 
 !!! info "labels"
     
-    - labels are case insensitive.
+    - labels are case-insensitive.
     - The complete list of labels can be found in [the reference page](../../reference/dynamic-configuration/ecs.md).
 
 ### General

docs/content/routing/providers/kv.md

@@ -12,7 +12,7 @@ A Story of key & values
 
 !!! info "Keys"
 
-    - Keys are case insensitive.
+    - Keys are case-insensitive.
     - The complete list of keys can be found in [the reference page](../../reference/dynamic-configuration/kv.md).
 
 ### Routers

docs/content/routing/providers/marathon.md

@@ -14,7 +14,7 @@ See also [Marathon user guide](../../user-guides/marathon.md).
 
 !!! info "Labels"
     
-    - Labels are case insensitive.
+    - Labels are case-insensitive.
     - The complete list of labels can be found in [the reference page](../../reference/dynamic-configuration/marathon.md).
 
 ### General

docs/content/routing/providers/nomad.md

@@ -12,11 +12,19 @@ A story of Tags, Services & Nomads
 
 Attach tags to your Nomad services and let Traefik do the rest!
 
+One of the best feature of Traefik is to delegate the routing configuration to the application level.
+With Nomad, Traefik can leverage tags attached to a service to generate routing rules.
+
+!!! warning "Tags & sensitive data"
+
+    We recommend to *not* use tags to store sensitive data (certificates, credentials, etc).
+    Instead, we recommend to store sensitive data in a safer storage (secrets, file, etc).
+
 ## Routing Configuration
 
 !!! info "tags"
 
-    - tags are case insensitive.
+    - tags are case-insensitive.
     - The complete list of tags can be found [the reference page](../../reference/dynamic-configuration/nomad.md)
 
 ### General

docs/content/routing/providers/rancher.md

@@ -12,6 +12,14 @@ A Story of Labels, Services & Containers
 
 Attach labels to your services and let Traefik do the rest!
 
+One of the best feature of Traefik is to delegate the routing configuration to the application level.
+With Rancher, Traefik can leverage labels attached to a service to generate routing rules.
+
+!!! warning "Labels & sensitive data"
+
+    We recommend to *not* use labels to store sensitive data (certificates, credentials, etc).
+    Instead, we recommend to store sensitive data in a safer storage (secrets, file, etc).
+
 !!! important "This provider is specific to Rancher 1.x."
     
     Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
@@ -21,7 +29,7 @@ Attach labels to your services and let Traefik do the rest!
 
 !!! info "Labels"
     
-    - Labels are case insensitive.
+    - Labels are case-insensitive.
     - The complete list of labels can be found in [the reference page](../../reference/dynamic-configuration/rancher.md).
 
 ### General

docs/content/routing/routers/index.md

@@ -259,7 +259,7 @@ The table below lists all the available matchers:
     The regexp name (`name` in the above example) is an arbitrary value, that exists only for historical reasons.
 
     Any `regexp` supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used.
-    For example, here is a case insensitive path matcher syntax: ```Path(`/{path:(?i:Products)}`)```.
+    For example, here is a case-insensitive path matcher syntax: ```Path(`/{path:(?i:Products)}`)```.
 
 !!! info "Combining Matchers Using Operators and Parenthesis"
 
@@ -946,7 +946,7 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul
     | Router-2 | ```ClientIP(`192.168.0.0/24`)```                            | 26       |
 
     Which means that requests from `192.168.0.12` would go to Router-2 even though Router-1 is intended to specifically handle them.
-    To achieve this intention, a priority (higher than 26) should be set on Router-1.
+    To achieve this intention, a priority (greater than 26) should be set on Router-1.
 
 ??? example "Setting priorities -- using the [File Provider](../../providers/file.md)"
 

docs/content/user-guides/docker-compose/acme-dns/index.md

@@ -1,11 +1,11 @@
 ---
 title: "Traefik Docker DNS Challenge Documentation"
-description: "Learn how to create a certificate with the Let's Encrypt DNS challenge to use HTTPS on a Service exposed with Traefik Proxy. Read the tehnical documentation."
+description: "Learn how to create a certificate with the Let's Encrypt DNS challenge to use HTTPS on a Service exposed with Traefik Proxy. Read the technical documentation."
 ---
 
 # Docker-compose with Let's Encrypt: DNS Challenge
 
-This guide aim to demonstrate how to create a certificate with the Let's Encrypt DNS challenge to use https on a simple service exposed with Traefik.  
+This guide aims to demonstrate how to create a certificate with the Let's Encrypt DNS challenge to use https on a simple service exposed with Traefik.  
 Please also read the [basic example](../basic-example) for details on how to expose such a service.  
 
 ## Prerequisite

docs/content/user-guides/docker-compose/acme-http/index.md

@@ -5,7 +5,7 @@ description: "Learn how to create a certificate with the Let's Encrypt HTTP chal
 
 # Docker-compose with Let's Encrypt : HTTP Challenge
 
-This guide aim to demonstrate how to create a certificate with the Let's Encrypt HTTP challenge to use https on a simple service exposed with Traefik.  
+This guide aims to demonstrate how to create a certificate with the Let's Encrypt HTTP challenge to use https on a simple service exposed with Traefik.  
 Please also read the [basic example](../basic-example) for details on how to expose such a service.  
 
 ## Prerequisite

docs/content/user-guides/docker-compose/acme-tls/index.md

@@ -5,7 +5,7 @@ description: "Learn how to create a certificate with the Let's Encrypt TLS chall
 
 # Docker-compose with Let's Encrypt: TLS Challenge
 
-This guide aim to demonstrate how to create a certificate with the Let's Encrypt TLS challenge to use https on a simple service exposed with Traefik.  
+This guide aims to demonstrate how to create a certificate with the Let's Encrypt TLS challenge to use https on a simple service exposed with Traefik.  
 Please also read the [basic example](../basic-example) for details on how to expose such a service.  
 
 ## Prerequisite

go.mod

@@ -1,77 +1,78 @@
 module github.com/traefik/traefik/v2
 
-go 1.22
+go 1.23.0
 
 require (
-	github.com/BurntSushi/toml v1.3.2
-	github.com/ExpediaDotCom/haystack-client-go v0.0.0-20190315171017-e7edbdf53a61
+	github.com/BurntSushi/toml v1.4.0
+	github.com/ExpediaDotCom/haystack-client-go v0.0.0-20190315171017-e7edbdf53a61 // No tag on the repo.
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/abbot/go-http-auth v0.0.0-00010101000000-000000000000
 	github.com/aws/aws-sdk-go v1.44.327
 	github.com/cenkalti/backoff/v4 v4.3.0
-	github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd
-	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
-	github.com/docker/cli v24.0.9+incompatible
-	github.com/docker/docker v24.0.9+incompatible
-	github.com/docker/go-connections v0.4.0
+	github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd // No tag on the repo.
+	github.com/coreos/go-systemd/v22 v22.5.0
+	github.com/docker/cli v27.1.1+incompatible
+	github.com/docker/docker v27.1.1+incompatible
+	github.com/docker/go-connections v0.5.0
 	github.com/fatih/structs v1.1.0
 	github.com/fsnotify/fsnotify v1.7.0
-	github.com/gambol99/go-marathon v0.0.0-20180614232016-99a156b96fb2
-	github.com/go-acme/lego/v4 v4.17.3
-	github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea
+	github.com/gambol99/go-marathon v0.0.0-20180614232016-99a156b96fb2 // No tag on the repo.
+	github.com/go-acme/lego/v4 v4.18.0
+	github.com/go-kit/kit v0.13.0
+	github.com/go-kit/log v0.2.1
 	github.com/golang/protobuf v1.5.4
 	github.com/google/go-github/v28 v28.1.1
-	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.0
 	github.com/hashicorp/consul/api v1.26.1
-	github.com/hashicorp/go-hclog v1.5.0
+	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-version v1.6.0
-	github.com/hashicorp/nomad/api v0.0.0-20231213195942-64e3dca9274b
+	github.com/hashicorp/nomad/api v0.0.0-20231213195942-64e3dca9274b // No tag on the repo.
 	github.com/influxdata/influxdb-client-go/v2 v2.7.0
-	github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d
+	github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab // No tag on the repo.
 	github.com/instana/go-sensor v1.38.3
-	github.com/klauspost/compress v1.17.2
+	github.com/klauspost/compress v1.17.9
 	github.com/kvtools/consul v1.0.2
 	github.com/kvtools/etcdv3 v1.0.2
 	github.com/kvtools/redis v1.1.0
 	github.com/kvtools/valkeyrie v1.0.0
 	github.com/kvtools/zookeeper v1.0.2
-	github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f
-	github.com/miekg/dns v1.1.58
-	github.com/mitchellh/copystructure v1.0.0
+	github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f // No tag on the repo.
+	github.com/miekg/dns v1.1.59
+	github.com/mitchellh/copystructure v1.2.0
 	github.com/mitchellh/hashstructure v1.0.0
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // No tag on the repo.
 	github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5
-	github.com/openzipkin/zipkin-go v0.2.2
+	github.com/openzipkin/zipkin-go v0.2.5
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pires/go-proxyproto v0.6.1
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
-	github.com/prometheus/client_golang v1.14.0
-	github.com/prometheus/client_model v0.3.0
-	github.com/quic-go/quic-go v0.42.0
-	github.com/rancher/go-rancher-metadata v0.0.0-20200311180630-7f4c936a06ac
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // No tag on the repo.
+	github.com/prometheus/client_golang v1.19.1
+	github.com/prometheus/client_model v0.5.0
+	github.com/quic-go/quic-go v0.45.1
+	github.com/rancher/go-rancher-metadata v0.0.0-20200311180630-7f4c936a06ac // No tag on the repo.
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0
-	github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154
-	github.com/testcontainers/testcontainers-go v0.27.0
-	github.com/traefik/paerser v0.2.0
+	github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154 // No tag on the repo.
+	github.com/testcontainers/testcontainers-go v0.32.0
+	github.com/traefik/paerser v0.2.1
 	github.com/traefik/yaegi v0.16.1
 	github.com/uber/jaeger-client-go v2.30.0+incompatible
 	github.com/uber/jaeger-lib v2.4.1+incompatible
 	github.com/unrolled/render v1.0.2
 	github.com/unrolled/secure v1.0.9
-	github.com/vulcand/oxy/v2 v2.0.0-20230427132221-be5cf38f3c1c
+	github.com/vulcand/oxy/v2 v2.0.0
 	github.com/vulcand/predicate v1.2.0
 	go.elastic.co/apm/module/apmot/v2 v2.4.8
 	go.elastic.co/apm/v2 v2.4.8
-	golang.org/x/mod v0.17.0
-	golang.org/x/net v0.25.0
-	golang.org/x/text v0.15.0
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // No tag on the repo.
+	golang.org/x/mod v0.18.0
+	golang.org/x/net v0.26.0
+	golang.org/x/text v0.17.0
 	golang.org/x/time v0.5.0
-	golang.org/x/tools v0.21.0
+	golang.org/x/tools v0.22.0
 	google.golang.org/grpc v1.63.1
 	gopkg.in/DataDog/dd-trace-go.v1 v1.56.1
 	gopkg.in/yaml.v3 v3.0.1
@@ -79,20 +80,19 @@ require (
 	k8s.io/apiextensions-apiserver v0.26.3
 	k8s.io/apimachinery v0.26.3
 	k8s.io/client-go v0.26.3
-	k8s.io/utils v0.0.0-20230313181309-38a27ef9d749
+	k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 // No tag on the repo.
 	mvdan.cc/xurls/v2 v2.5.0
 	sigs.k8s.io/gateway-api v0.4.0
 )
 
 require (
-	cloud.google.com/go/compute v1.24.0 // indirect
-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
@@ -100,8 +100,8 @@ require (
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
@@ -117,46 +117,47 @@ require (
 	github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/Microsoft/hcsshim v0.11.4 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.11.7 // indirect
 	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
 	github.com/VividCortex/gohistogram v1.0.0 // indirect
 	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
 	github.com/aliyun/alibaba-cloud-sdk-go v1.62.712 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
 	github.com/armon/go-radix v1.0.1-0.20221118154546-54df44f2176c // indirect
-	github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.11 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.27.2 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.18 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.18 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lightsail v1.37.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.40.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.38.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.40.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 // indirect
 	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/benbjohnson/clock v1.3.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/civo/civogo v0.3.11 // indirect
-	github.com/cloudflare/cloudflare-go v0.93.0 // indirect
-	github.com/containerd/containerd v1.7.11 // indirect
+	github.com/cloudflare/cloudflare-go v0.97.0 // indirect
+	github.com/containerd/containerd v1.7.20 // indirect
 	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/coreos/go-semver v0.3.0 // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cpu/goacmedns v0.1.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/deepmap/oapi-codegen v1.9.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/donovanhide/eventsource v0.0.0-20170630084216-b8f31a59085e // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
@@ -166,11 +167,11 @@ require (
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/exoscale/egoscale v0.102.3 // indirect
-	github.com/fatih/color v1.15.0 // indirect
+	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -180,10 +181,10 @@ require (
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/go-resty/resty/v2 v2.11.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
-	github.com/go-viper/mapstructure/v2 v2.0.0-alpha.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
 	github.com/go-zookeeper/zk v1.0.3 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/gofrs/flock v0.8.1 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/gofrs/flock v0.12.0 // indirect
 	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
@@ -198,19 +199,19 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
-	github.com/gophercloud/gophercloud v1.11.0 // indirect
+	github.com/gophercloud/gophercloud v1.12.0 // indirect
 	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
 	github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf // indirect
 	github.com/hashicorp/cronexpr v1.1.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/hashicorp/serf v0.10.1 // indirect
-	github.com/huandu/xstrings v1.4.0 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 // indirect
@@ -222,7 +223,6 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
 	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
-	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
 	github.com/labbsr0x/goh v1.0.1 // indirect
@@ -238,12 +238,13 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/reflectwalk v1.0.1 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/user v0.2.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -264,8 +265,7 @@ require (
 	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/onsi/ginkgo/v2 v2.17.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
-	github.com/opencontainers/runc v1.1.7 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492 // indirect
 	github.com/oracle/oci-go-sdk/v65 v65.63.1 // indirect
 	github.com/outcaste-io/ristretto v0.2.3 // indirect
@@ -275,27 +275,27 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/pquerna/otp v1.4.0 // indirect
-	github.com/prometheus/common v0.42.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/prometheus/common v0.48.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/redis/go-redis/v9 v9.2.1 // indirect
 	github.com/sacloud/api-client-go v0.2.10 // indirect
 	github.com/sacloud/go-http v0.1.8 // indirect
 	github.com/sacloud/iaas-api-go v1.12.0 // indirect
 	github.com/sacloud/packages-go v0.0.10 // indirect
-	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.25 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.27 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect
 	github.com/segmentio/fasthash v1.0.3 // indirect
-	github.com/selectel/domains-go v1.0.2 // indirect
+	github.com/selectel/domains-go v1.1.0 // indirect
 	github.com/selectel/go-selvpcclient/v3 v3.1.1 // indirect
-	github.com/shirou/gopsutil/v3 v3.23.11 // indirect
+	github.com/shirou/gopsutil/v3 v3.23.12 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
-	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
-	github.com/softlayer/softlayer-go v1.1.3 // indirect
+	github.com/softlayer/softlayer-go v1.1.5 // indirect
 	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
 	github.com/sony/gobreaker v0.5.0 // indirect
-	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.898 // indirect
@@ -306,7 +306,7 @@ require (
 	github.com/transip/gotransip/v6 v6.23.0 // indirect
 	github.com/ultradns/ultradns-go-sdk v1.6.1-20231103022937-8589b6a // indirect
 	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
-	github.com/vultr/govultr/v2 v2.17.2 // indirect
+	github.com/vultr/govultr/v3 v3.9.0 // indirect
 	github.com/yandex-cloud/go-genproto v0.0.0-20240318083951-4fe6125f286e // indirect
 	github.com/yandex-cloud/go-sdk v0.0.0-20240318084659-dfa50323a0b4 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
@@ -328,12 +328,11 @@ require (
 	go.uber.org/zap v1.21.0 // indirect
 	go4.org/intern v0.0.0-20230525184215-6c62f75575cb // indirect
 	go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2 // indirect
-	golang.org/x/crypto v0.23.0 // indirect
-	golang.org/x/exp v0.0.0-20240404231335-c0f41cb1a7a0 // indirect
-	golang.org/x/oauth2 v0.19.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/term v0.20.0 // indirect
+	golang.org/x/crypto v0.26.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.23.0 // indirect
+	golang.org/x/term v0.23.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/api v0.172.0 // indirect
 	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect

integration/fixtures/headers/connection_hop_by_hop_headers.toml

@@ -0,0 +1,37 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+
+# Limiting the Logs to Specific Fields
+[accessLog]
+  format = "json"
+  filePath = "access.log"
+
+  [accessLog.fields.headers.names]
+    "Foo" = "keep"
+    "Bar" = "keep"
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+  [entryPoints.web.forwardedHeaders]
+    insecure = true
+    connection = ["Foo"]
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  [http.routers.router1]
+    rule = "Host(`test.localhost`)"
+    service = "service1"
+
+[http.services]
+  [http.services.service1.loadBalancer]
+    [[http.services.service1.loadBalancer.servers]]
+      url = "http://127.0.0.1:9000"

integration/fixtures/https/clientca/README.md

@@ -48,7 +48,7 @@ openssl genrsa -out client3.key 2048
 # Locality Name (eg, city) []:.
 # Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
 # Organizational Unit Name (eg, section) []:.
-# Common Name (e.g. server FQDN or YOUR name) []:clien1.example.com
+# Common Name (e.g. server FQDN or YOUR name) []:client1.example.com
 # Email Address []:.
 # 
 # Please enter the following 'extra' attributes
@@ -58,7 +58,7 @@ openssl genrsa -out client3.key 2048
 # Issuer
 #   CN = ca1.example.com
 # Subject
-#   CN = clien1.example.com
+#   CN = client1.example.com
 openssl req -key client1.key -new -out client1.csr
 
 # Country Name (2 letter code) [AU]:.

integration/fixtures/k8s/01-traefik-crd.yml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutes.traefik.io
 spec:
   group: traefik.io
@@ -290,7 +290,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutetcps.traefik.io
 spec:
   group: traefik.io
@@ -514,7 +514,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressrouteudps.traefik.io
 spec:
   group: traefik.io
@@ -618,7 +618,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewares.traefik.io
 spec:
   group: traefik.io
@@ -1598,7 +1598,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewaretcps.traefik.io
 spec:
   group: traefik.io
@@ -1685,7 +1685,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: serverstransports.traefik.io
 spec:
   group: traefik.io
@@ -1811,7 +1811,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsoptions.traefik.io
 spec:
   group: traefik.io
@@ -1925,7 +1925,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsstores.traefik.io
 spec:
   group: traefik.io
@@ -2022,7 +2022,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: traefikservices.traefik.io
 spec:
   group: traefik.io
@@ -2433,7 +2433,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutes.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -2720,7 +2720,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressroutetcps.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -2944,7 +2944,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ingressrouteudps.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -3048,7 +3048,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewares.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -4028,7 +4028,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: middlewaretcps.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -4115,7 +4115,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: serverstransports.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -4241,7 +4241,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsoptions.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -4355,7 +4355,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: tlsstores.traefik.containo.us
 spec:
   group: traefik.containo.us
@@ -4452,7 +4452,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: traefikservices.traefik.containo.us
 spec:
   group: traefik.containo.us

integration/headers_test.go

@@ -4,6 +4,7 @@ import (
 	"net"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"testing"
 	"time"
 
@@ -20,6 +21,11 @@ func TestHeadersSuite(t *testing.T) {
 	suite.Run(t, new(HeadersSuite))
 }
 
+func (s *HeadersSuite) TearDownTest() {
+	s.displayTraefikLogFile(traefikTestLogFile)
+	_ = os.Remove(traefikTestAccessLogFile)
+}
+
 func (s *HeadersSuite) TestSimpleConfiguration() {
 	s.traefikCmd(withConfigFile("fixtures/headers/basic.toml"))
 
@@ -62,6 +68,53 @@ func (s *HeadersSuite) TestReverseProxyHeaderRemoved() {
 	require.NoError(s.T(), err)
 }
 
+func (s *HeadersSuite) TestConnectionHopByHop() {
+	file := s.adaptFile("fixtures/headers/connection_hop_by_hop_headers.toml", struct{}{})
+	s.traefikCmd(withConfigFile(file))
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, found := r.Header["X-Forwarded-For"]
+		assert.True(s.T(), found)
+		xHost, found := r.Header["X-Forwarded-Host"]
+		assert.True(s.T(), found)
+		assert.Equal(s.T(), "localhost", xHost[0])
+
+		_, found = r.Header["Foo"]
+		assert.False(s.T(), found)
+		_, found = r.Header["Bar"]
+		assert.False(s.T(), found)
+	})
+
+	listener, err := net.Listen("tcp", "127.0.0.1:9000")
+	require.NoError(s.T(), err)
+
+	ts := &httptest.Server{
+		Listener: listener,
+		Config:   &http.Server{Handler: handler},
+	}
+	ts.Start()
+	defer ts.Close()
+
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+	require.NoError(s.T(), err)
+	req.Host = "test.localhost"
+	req.Header = http.Header{
+		"Connection":       {"Foo,Bar,X-Forwarded-For,X-Forwarded-Host"},
+		"Foo":              {"bar"},
+		"Bar":              {"foo"},
+		"X-Forwarded-Host": {"localhost"},
+	}
+
+	err = try.Request(req, time.Second, try.StatusCodeIs(http.StatusOK))
+	require.NoError(s.T(), err)
+
+	accessLog, err := os.ReadFile(traefikTestAccessLogFile)
+	require.NoError(s.T(), err)
+
+	assert.Contains(s.T(), string(accessLog), "\"request_Foo\":\"bar\"")
+	assert.NotContains(s.T(), string(accessLog), "\"request_Bar\":\"\"")
+}
+
 func (s *HeadersSuite) TestCorsResponses() {
 	file := s.adaptFile("fixtures/headers/cors.toml", struct{}{})
 	s.traefikCmd(withConfigFile(file))

integration/log_rotation_test.go

@@ -27,7 +27,7 @@ const (
 // Log rotation integration test suite.
 type LogRotationSuite struct{ BaseSuite }
 
-func TestLogRorationSuite(t *testing.T) {
+func TestLogRotationSuite(t *testing.T) {
 	suite.Run(t, new(LogRotationSuite))
 }
 

integration/resources/compose/etcd.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   etcd:
-    image: quay.io/coreos/etcd:v3.3.18
+    image: quay.io/coreos/etcd:v3.5.14
     command:
       - etcd
       - --listen-client-urls

integration/simple_test.go

@@ -1288,7 +1288,7 @@ func (s *SimpleSuite) TestDebugLog() {
 
 	req, err := http.NewRequest(http.MethodGet, "http://localhost:8000/whoami", http.NoBody)
 	require.NoError(s.T(), err)
-	req.Header.Set("Autorization", "Bearer ThisIsABearerToken")
+	req.Header.Set("Authorization", "Bearer ThisIsABearerToken")
 
 	response, err := http.DefaultClient.Do(req)
 	require.NoError(s.T(), err)

integration/try/try.go

@@ -19,7 +19,7 @@ const (
 type timedAction func(timeout time.Duration, operation DoCondition) error
 
 // Sleep pauses the current goroutine for at least the duration d.
-// Deprecated: Use only when use an other Try[...] functions is not possible.
+// Deprecated: Use only when use another Try[...] functions is not possible.
 func Sleep(d time.Duration) {
 	d = applyCIMultiplier(d)
 	time.Sleep(d)

pkg/api/criterion.go

@@ -56,7 +56,7 @@ func (c *searchCriterion) searchIn(values ...string) bool {
 	})
 }
 
-func pagination(request *http.Request, max int) (pageInfo, error) {
+func pagination(request *http.Request, maximum int) (pageInfo, error) {
 	perPage, err := getIntParam(request, "per_page", defaultPerPage)
 	if err != nil {
 		return pageInfo{}, err
@@ -68,17 +68,17 @@ func pagination(request *http.Request, max int) (pageInfo, error) {
 	}
 
 	startIndex := (page - 1) * perPage
-	if startIndex != 0 && startIndex >= max {
+	if startIndex != 0 && startIndex >= maximum {
 		return pageInfo{}, fmt.Errorf("invalid request: page: %d, per_page: %d", page, perPage)
 	}
 
 	endIndex := startIndex + perPage
-	if endIndex >= max {
-		endIndex = max
+	if endIndex >= maximum {
+		endIndex = maximum
 	}
 
 	nextPage := 1
-	if page*perPage < max {
+	if page*perPage < maximum {
 		nextPage = page + 1
 	}
 

pkg/collector/collector.go

@@ -21,11 +21,11 @@ const collectorURL = "https://collect.traefik.io/9vxmmkcdmalbdi635d4jgc5p5rx0h7h
 
 // Collected data.
 type data struct {
-	Version       string
-	Codename      string
-	BuildDate     string
-	Configuration string
-	Hash          string
+	Version       string `json:"version"`
+	Codename      string `json:"codename"`
+	BuildDate     string `json:"buildDate"`
+	Configuration string `json:"configuration"`
+	Hash          string `json:"hash"`
 }
 
 // Collect anonymous data.

pkg/config/kv/kv_node_test.go

@@ -70,8 +70,8 @@ func TestDecodeToNode(t *testing.T) {
 		{
 			desc: "several entries, level 0",
 			in: map[string]string{
-				"traefik": "bar",
-				"traefic": "bur",
+				"traefik":  "bar",
+				"traefik_": "bur",
 			},
 			expected: expected{error: true},
 		},
@@ -120,7 +120,7 @@ func TestDecodeToNode(t *testing.T) {
 			}},
 		},
 		{
-			desc: "several entries, level 2, case insensitive",
+			desc: "several entries, level 2, case-insensitive",
 			in: map[string]string{
 				"traefik/foo/aaa": "bar",
 				"traefik/Foo/bbb": "bur",

pkg/config/static/entrypoints.go

@@ -12,6 +12,7 @@ import (
 // EntryPoint holds the entry point configuration.
 type EntryPoint struct {
 	Address          string                `description:"Entry point address." json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty"`
+	AllowACMEByPass  bool                  `description:"Enables handling of ACME TLS and HTTP challenges with custom routers." json:"allowACMEByPass,omitempty" toml:"allowACMEByPass,omitempty" yaml:"allowACMEByPass,omitempty"`
 	Transport        *EntryPointsTransport `description:"Configures communication between clients and Traefik." json:"transport,omitempty" toml:"transport,omitempty" yaml:"transport,omitempty" export:"true"`
 	ProxyProtocol    *ProxyProtocol        `description:"Proxy-Protocol configuration." json:"proxyProtocol,omitempty" toml:"proxyProtocol,omitempty" yaml:"proxyProtocol,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	ForwardedHeaders *ForwardedHeaders     `description:"Trust client forwarding headers." json:"forwardedHeaders,omitempty" toml:"forwardedHeaders,omitempty" yaml:"forwardedHeaders,omitempty" export:"true"`
@@ -109,6 +110,7 @@ type TLSConfig struct {
 type ForwardedHeaders struct {
 	Insecure   bool     `description:"Trust all forwarded headers." json:"insecure,omitempty" toml:"insecure,omitempty" yaml:"insecure,omitempty" export:"true"`
 	TrustedIPs []string `description:"Trust only forwarded headers from selected IPs." json:"trustedIPs,omitempty" toml:"trustedIPs,omitempty" yaml:"trustedIPs,omitempty"`
+	Connection []string `description:"List of Connection headers that are allowed to pass through the middleware chain before being removed." json:"connection,omitempty" toml:"connection,omitempty" yaml:"connection,omitempty"`
 }
 
 // ProxyProtocol contains Proxy-Protocol configuration.

pkg/ip/checker.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"strings"
 )
 
@@ -91,10 +92,11 @@ func (ip *Checker) ContainsIP(addr net.IP) bool {
 }
 
 func parseIP(addr string) (net.IP, error) {
-	userIP := net.ParseIP(addr)
-	if userIP == nil {
+	parsedAddr, err := netip.ParseAddr(addr)
+	if err != nil {
 		return nil, fmt.Errorf("can't parse IP from address %s", addr)
 	}
 
-	return userIP, nil
+	ip := parsedAddr.As16()
+	return ip[:], nil
 }

pkg/ip/checker_test.go

@@ -258,6 +258,7 @@ func TestContainsIsAllowed(t *testing.T) {
 				"2a03:4000:6:d080::42",
 				"fe80::1",
 				"fe80:aa00:00bb:4232:ff00:eeee:00ff:1111",
+				"fe80:aa00:00bb:4232:ff00:eeee:00ff:1111%vEthernet",
 				"fe80::fe80",
 				"1.2.3.1",
 				"1.2.3.32",
@@ -271,6 +272,7 @@ func TestContainsIsAllowed(t *testing.T) {
 			rejectIPs: []string{
 				"2a03:4000:7:d080::",
 				"2a03:4000:7:d080::1",
+				"2a03:4000:7:d080::1%vmnet1",
 				"4242::1",
 				"1.2.16.1",
 				"1.2.32.1",

pkg/ip/strategy_test.go

@@ -46,7 +46,7 @@ func TestDepthStrategy_GetIP(t *testing.T) {
 			expected:      "10.0.0.3",
 		},
 		{
-			desc:          "Use non existing depth in XForwardedFor",
+			desc:          "Use nonexistent depth in XForwardedFor",
 			depth:         2,
 			xForwardedFor: "",
 			expected:      "",

pkg/metrics/datadog.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"time"
 
-	kitlog "github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/metrics/dogstatsd"
+	kitlog "github.com/go-kit/log"
 	"github.com/traefik/traefik/v2/pkg/log"
 	"github.com/traefik/traefik/v2/pkg/safe"
 	"github.com/traefik/traefik/v2/pkg/types"

pkg/metrics/influxdb.go

@@ -8,8 +8,8 @@ import (
 	"regexp"
 	"time"
 
-	kitlog "github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/metrics/influx"
+	kitlog "github.com/go-kit/log"
 	influxdb "github.com/influxdata/influxdb1-client/v2"
 	"github.com/traefik/traefik/v2/pkg/log"
 	"github.com/traefik/traefik/v2/pkg/safe"

pkg/metrics/influxdb2.go

@@ -5,8 +5,8 @@ import (
 	"errors"
 	"time"
 
-	kitlog "github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/metrics/influx"
+	kitlog "github.com/go-kit/log"
 	influxdb2 "github.com/influxdata/influxdb-client-go/v2"
 	influxdb2api "github.com/influxdata/influxdb-client-go/v2/api"
 	"github.com/influxdata/influxdb-client-go/v2/api/write"

pkg/metrics/statsd.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"time"
 
-	kitlog "github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/metrics/statsd"
+	kitlog "github.com/go-kit/log"
 	"github.com/traefik/traefik/v2/pkg/log"
 	"github.com/traefik/traefik/v2/pkg/safe"
 	"github.com/traefik/traefik/v2/pkg/types"

pkg/middlewares/accesslog/logger.go

@@ -105,15 +105,28 @@ func NewHandler(config *types.AccessLog) (*Handler, error) {
 		Level:     logrus.InfoLevel,
 	}
 
-	// Transform headers names in config to a canonical form, to be used as is without further transformations.
-	if config.Fields != nil && config.Fields.Headers != nil && len(config.Fields.Headers.Names) > 0 {
-		fields := map[string]string{}
+	// Transform header names to a canonical form, to be used as is without further transformations,
+	// and transform field names to lower case, to enable case-insensitive lookup.
+	if config.Fields != nil {
+		if len(config.Fields.Names) > 0 {
+			fields := map[string]string{}
 
-		for h, v := range config.Fields.Headers.Names {
-			fields[textproto.CanonicalMIMEHeaderKey(h)] = v
+			for h, v := range config.Fields.Names {
+				fields[strings.ToLower(h)] = v
+			}
+
+			config.Fields.Names = fields
 		}
 
-		config.Fields.Headers.Names = fields
+		if config.Fields.Headers != nil && len(config.Fields.Headers.Names) > 0 {
+			fields := map[string]string{}
+
+			for h, v := range config.Fields.Headers.Names {
+				fields[textproto.CanonicalMIMEHeaderKey(h)] = v
+			}
+
+			config.Fields.Headers.Names = fields
+		}
 	}
 
 	logHandler := &Handler{
@@ -183,16 +196,6 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http
 		},
 	}
 
-	defer func() {
-		if h.config.BufferingSize > 0 {
-			h.logHandlerChan <- handlerParams{
-				logDataTable: logDataTable,
-			}
-			return
-		}
-		h.logTheRoundTrip(logDataTable)
-	}()
-
 	reqWithDataTable := req.WithContext(context.WithValue(req.Context(), DataTableKey, logDataTable))
 
 	core[RequestCount] = nextRequestCount()
@@ -236,19 +239,30 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http
 		return
 	}
 
+	defer func() {
+		logDataTable.DownstreamResponse = downstreamResponse{
+			headers: rw.Header().Clone(),
+		}
+
+		logDataTable.DownstreamResponse.status = capt.StatusCode()
+		logDataTable.DownstreamResponse.size = capt.ResponseSize()
+		logDataTable.Request.size = capt.RequestSize()
+
+		if _, ok := core[ClientUsername]; !ok {
+			core[ClientUsername] = usernameIfPresent(reqWithDataTable.URL)
+		}
+
+		if h.config.BufferingSize > 0 {
+			h.logHandlerChan <- handlerParams{
+				logDataTable: logDataTable,
+			}
+			return
+		}
+
+		h.logTheRoundTrip(logDataTable)
+	}()
+
 	next.ServeHTTP(rw, reqWithDataTable)
-
-	if _, ok := core[ClientUsername]; !ok {
-		core[ClientUsername] = usernameIfPresent(reqWithDataTable.URL)
-	}
-
-	logDataTable.DownstreamResponse = downstreamResponse{
-		headers: rw.Header().Clone(),
-	}
-
-	logDataTable.DownstreamResponse.status = capt.StatusCode()
-	logDataTable.DownstreamResponse.size = capt.ResponseSize()
-	logDataTable.Request.size = capt.RequestSize()
 }
 
 // Close closes the Logger (i.e. the file, drain logHandlerChan, etc).
@@ -332,7 +346,7 @@ func (h *Handler) logTheRoundTrip(logDataTable *LogData) {
 		fields := logrus.Fields{}
 
 		for k, v := range logDataTable.Core {
-			if h.config.Fields.Keep(k) {
+			if h.config.Fields.Keep(strings.ToLower(k)) {
 				fields[k] = v
 			}
 		}

pkg/middlewares/accesslog/logger_test.go

@@ -2,6 +2,7 @@ package accesslog
 
 import (
 	"bytes"
+	"context"
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
@@ -22,6 +23,7 @@ import (
 	"github.com/stretchr/testify/require"
 	ptypes "github.com/traefik/paerser/types"
 	"github.com/traefik/traefik/v2/pkg/middlewares/capture"
+	"github.com/traefik/traefik/v2/pkg/middlewares/recovery"
 	"github.com/traefik/traefik/v2/pkg/types"
 )
 
@@ -162,7 +164,7 @@ func TestLoggerHeaderFields(t *testing.T) {
 			},
 		},
 		{
-			desc:     "with case insensitive match on header name",
+			desc:     "with case-insensitive match on header name",
 			header:   "User-Agent",
 			expected: types.AccessLogKeep,
 			accessLogFields: types.AccessLogFields{
@@ -197,7 +199,7 @@ func TestLoggerHeaderFields(t *testing.T) {
 
 			if config.FilePath != "" {
 				_, err = os.Stat(config.FilePath)
-				require.NoError(t, err, fmt.Sprintf("logger should create %s", config.FilePath))
+				require.NoErrorf(t, err, "logger should create %s", config.FilePath)
 			}
 
 			req := &http.Request{
@@ -462,6 +464,32 @@ func TestLoggerJSON(t *testing.T) {
 				RequestRefererHeader: assertString(testReferer),
 			},
 		},
+		{
+			desc: "fields and headers with unconventional letter case",
+			config: &types.AccessLog{
+				FilePath: "",
+				Format:   JSONFormat,
+				Fields: &types.AccessLogFields{
+					DefaultMode: "drop",
+					Names: map[string]string{
+						"rEqUeStHoSt": "keep",
+					},
+					Headers: &types.FieldHeaders{
+						DefaultMode: "drop",
+						Names: map[string]string{
+							"ReFeReR": "keep",
+						},
+					},
+				},
+			},
+			expected: map[string]func(t *testing.T, value interface{}){
+				RequestHost:          assertString(testHostname),
+				"level":              assertString("info"),
+				"msg":                assertString(""),
+				"time":               assertNotEmpty(),
+				RequestRefererHeader: assertString(testReferer),
+			},
+		},
 	}
 
 	for _, test := range testCases {
@@ -493,6 +521,64 @@ func TestLoggerJSON(t *testing.T) {
 	}
 }
 
+func TestLogger_AbortedRequest(t *testing.T) {
+	expected := map[string]func(t *testing.T, value interface{}){
+		RequestContentSize:             assertFloat64(0),
+		RequestHost:                    assertString(testHostname),
+		RequestAddr:                    assertString(testHostname),
+		RequestMethod:                  assertString(testMethod),
+		RequestPath:                    assertString(""),
+		RequestProtocol:                assertString(testProto),
+		RequestScheme:                  assertString(testScheme),
+		RequestPort:                    assertString("-"),
+		DownstreamStatus:               assertFloat64(float64(200)),
+		DownstreamContentSize:          assertFloat64(float64(40)),
+		RequestRefererHeader:           assertString(testReferer),
+		RequestUserAgentHeader:         assertString(testUserAgent),
+		ServiceURL:                     assertString("http://stream"),
+		ServiceAddr:                    assertString("127.0.0.1"),
+		ServiceName:                    assertString("stream"),
+		ClientUsername:                 assertString(testUsername),
+		ClientHost:                     assertString(testHostname),
+		ClientPort:                     assertString(strconv.Itoa(testPort)),
+		ClientAddr:                     assertString(fmt.Sprintf("%s:%d", testHostname, testPort)),
+		"level":                        assertString("info"),
+		"msg":                          assertString(""),
+		RequestCount:                   assertFloat64NotZero(),
+		Duration:                       assertFloat64NotZero(),
+		Overhead:                       assertFloat64NotZero(),
+		RetryAttempts:                  assertFloat64(float64(0)),
+		"time":                         assertNotEmpty(),
+		StartLocal:                     assertNotEmpty(),
+		StartUTC:                       assertNotEmpty(),
+		"downstream_Content-Type":      assertString("text/plain"),
+		"downstream_Transfer-Encoding": assertString("chunked"),
+		"downstream_Cache-Control":     assertString("no-cache"),
+	}
+
+	config := &types.AccessLog{
+		FilePath: filepath.Join(t.TempDir(), logFileNameSuffix),
+		Format:   JSONFormat,
+	}
+	doLoggingWithAbortedStream(t, config)
+
+	logData, err := os.ReadFile(config.FilePath)
+	require.NoError(t, err)
+
+	jsonData := make(map[string]interface{})
+	err = json.Unmarshal(logData, &jsonData)
+	require.NoError(t, err)
+
+	assert.Equal(t, len(expected), len(jsonData))
+
+	for field, assertion := range expected {
+		assertion(t, jsonData[field])
+		if t.Failed() {
+			return
+		}
+	}
+}
+
 func TestNewLogHandlerOutputStdout(t *testing.T) {
 	testCases := []struct {
 		desc        string
@@ -701,7 +787,7 @@ func assertValidLogData(t *testing.T, expected string, logData []byte) {
 	t.Helper()
 
 	if len(expected) == 0 {
-		assert.Zero(t, len(logData))
+		assert.Empty(t, logData)
 		t.Log(string(logData))
 		return
 	}
@@ -758,7 +844,7 @@ func doLoggingTLSOpt(t *testing.T, config *types.AccessLog, enableTLS bool) {
 
 	if config.FilePath != "" {
 		_, err = os.Stat(config.FilePath)
-		require.NoError(t, err, fmt.Sprintf("logger should create %s", config.FilePath))
+		require.NoErrorf(t, err, "logger should create %s", config.FilePath)
 	}
 
 	req := &http.Request{
@@ -826,3 +912,89 @@ func logWriterTestHandlerFunc(rw http.ResponseWriter, r *http.Request) {
 
 	rw.WriteHeader(testStatus)
 }
+
+func doLoggingWithAbortedStream(t *testing.T, config *types.AccessLog) {
+	t.Helper()
+
+	logger, err := NewHandler(config)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		err := logger.Close()
+		require.NoError(t, err)
+	})
+
+	if config.FilePath != "" {
+		_, err = os.Stat(config.FilePath)
+		require.NoError(t, err, "logger should create "+config.FilePath)
+	}
+
+	reqContext, cancelRequest := context.WithCancel(context.Background())
+
+	req := &http.Request{
+		Header: map[string][]string{
+			"User-Agent": {testUserAgent},
+			"Referer":    {testReferer},
+		},
+		Proto:      testProto,
+		Host:       testHostname,
+		Method:     testMethod,
+		RemoteAddr: fmt.Sprintf("%s:%d", testHostname, testPort),
+		URL: &url.URL{
+			User: url.UserPassword(testUsername, ""),
+		},
+		Body: nil,
+	}
+
+	req = req.WithContext(reqContext)
+
+	chain := alice.New()
+	chain = chain.Append(func(next http.Handler) (http.Handler, error) {
+		return recovery.New(context.Background(), next)
+	})
+	chain = chain.Append(capture.Wrap)
+	chain = chain.Append(WrapHandler(logger))
+
+	service := NewFieldHandler(http.HandlerFunc(streamBackend), ServiceURL, "http://stream", nil)
+	service = NewFieldHandler(service, ServiceAddr, "127.0.0.1", nil)
+	service = NewFieldHandler(service, ServiceName, "stream", AddServiceFields)
+
+	handler, err := chain.Then(service)
+	require.NoError(t, err)
+
+	go func() {
+		time.Sleep(499 * time.Millisecond)
+		cancelRequest()
+	}()
+
+	handler.ServeHTTP(httptest.NewRecorder(), req)
+}
+
+func streamBackend(rw http.ResponseWriter, r *http.Request) {
+	// Get the Flusher to flush the response to the client
+	flusher, ok := rw.(http.Flusher)
+	if !ok {
+		http.Error(rw, "Streaming unsupported!", http.StatusInternalServerError)
+		return
+	}
+
+	// Set the headers for streaming
+	rw.Header().Set("Content-Type", "text/plain")
+	rw.Header().Set("Transfer-Encoding", "chunked")
+	rw.Header().Set("Cache-Control", "no-cache")
+
+	for {
+		time.Sleep(100 * time.Millisecond)
+
+		select {
+		case <-r.Context().Done():
+			panic(http.ErrAbortHandler)
+
+		default:
+			if _, err := fmt.Fprint(rw, "FOOBAR!!!!"); err != nil {
+				http.Error(rw, err.Error(), http.StatusInternalServerError)
+				return
+			}
+			flusher.Flush()
+		}
+	}
+}

pkg/middlewares/auth/connectionheader.go

@@ -1,4 +1,4 @@
-package connectionheader
+package auth
 
 import (
 	"net/http"

pkg/middlewares/auth/connectionheader_test.go

@@ -1,4 +1,4 @@
-package connectionheader
+package auth
 
 import (
 	"net/http"

pkg/middlewares/auth/forward.go

@@ -15,7 +15,6 @@ import (
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
 	"github.com/traefik/traefik/v2/pkg/log"
 	"github.com/traefik/traefik/v2/pkg/middlewares"
-	"github.com/traefik/traefik/v2/pkg/middlewares/connectionheader"
 	"github.com/traefik/traefik/v2/pkg/tracing"
 	"github.com/vulcand/oxy/v2/forward"
 	"github.com/vulcand/oxy/v2/utils"
@@ -90,7 +89,7 @@ func NewForward(ctx context.Context, next http.Handler, config dynamic.ForwardAu
 		fa.authResponseHeadersRegex = re
 	}
 
-	return connectionheader.Remover(fa), nil
+	return Remover(fa), nil
 }
 
 func (fa *forwardAuth) GetTracingInformation() (string, ext.SpanKindEnum) {
@@ -103,9 +102,8 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	forwardReq, err := http.NewRequest(http.MethodGet, fa.address, nil)
 	tracing.LogRequest(tracing.GetSpan(req), forwardReq)
 	if err != nil {
-		logMessage := fmt.Sprintf("Error calling %s. Cause %s", fa.address, err)
-		logger.Debug(logMessage)
-		tracing.SetErrorWithEvent(req, logMessage)
+		logger.Debugf("Error calling %s. Cause %s", fa.address, err)
+		tracing.SetErrorWithEvent(req, "Error calling %s. Cause %s", fa.address, err)
 
 		rw.WriteHeader(http.StatusInternalServerError)
 		return
@@ -119,9 +117,8 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	forwardResponse, forwardErr := fa.client.Do(forwardReq)
 	if forwardErr != nil {
-		logMessage := fmt.Sprintf("Error calling %s. Cause: %s", fa.address, forwardErr)
-		logger.Debug(logMessage)
-		tracing.SetErrorWithEvent(req, logMessage)
+		logger.Debugf("Error calling %s. Cause: %s", fa.address, forwardErr)
+		tracing.SetErrorWithEvent(req, "Error calling %s. Cause: %s", fa.address, forwardErr)
 
 		rw.WriteHeader(http.StatusInternalServerError)
 		return
@@ -130,9 +127,8 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	body, readError := io.ReadAll(forwardResponse.Body)
 	if readError != nil {
-		logMessage := fmt.Sprintf("Error reading body %s. Cause: %s", fa.address, readError)
-		logger.Debug(logMessage)
-		tracing.SetErrorWithEvent(req, logMessage)
+		logger.Debugf("Error reading body %s. Cause: %s", fa.address, readError)
+		tracing.SetErrorWithEvent(req, "Error reading body %s. Cause: %s", fa.address, readError)
 
 		rw.WriteHeader(http.StatusInternalServerError)
 		return
@@ -151,9 +147,8 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 		if err != nil {
 			if !errors.Is(err, http.ErrNoLocation) {
-				logMessage := fmt.Sprintf("Error reading response location header %s. Cause: %s", fa.address, err)
-				logger.Debug(logMessage)
-				tracing.SetErrorWithEvent(req, logMessage)
+				logger.Debugf("Error reading response location header %s. Cause: %s", fa.address, err)
+				tracing.SetErrorWithEvent(req, "Error reading response location header %s. Cause: %s", fa.address, err)
 
 				rw.WriteHeader(http.StatusInternalServerError)
 				return

pkg/middlewares/customerrors/custom_errors.go

@@ -249,7 +249,7 @@ func (cc *codeCatcher) Flush() {
 	// since we want to serve the ones from the error page,
 	// so we just don't flush.
 	// (e.g., To prevent superfluous WriteHeader on request with a
-	// `Transfert-Encoding: chunked` header).
+	// `Transfer-Encoding: chunked` header).
 	if cc.caughtFilteredCode {
 		return
 	}

pkg/middlewares/forwardedheaders/forwarded_header.go

@@ -3,10 +3,13 @@ package forwardedheaders
 import (
 	"net"
 	"net/http"
+	"net/textproto"
 	"os"
+	"slices"
 	"strings"
 
 	"github.com/traefik/traefik/v2/pkg/ip"
+	"golang.org/x/net/http/httpguts"
 )
 
 const (
@@ -42,19 +45,20 @@ var xHeaders = []string{
 // Unless insecure is set,
 // it first removes all the existing values for those headers if the remote address is not one of the trusted ones.
 type XForwarded struct {
-	insecure   bool
-	trustedIps []string
-	ipChecker  *ip.Checker
-	next       http.Handler
-	hostname   string
+	insecure          bool
+	trustedIPs        []string
+	connectionHeaders []string
+	ipChecker         *ip.Checker
+	next              http.Handler
+	hostname          string
 }
 
 // NewXForwarded creates a new XForwarded.
-func NewXForwarded(insecure bool, trustedIps []string, next http.Handler) (*XForwarded, error) {
+func NewXForwarded(insecure bool, trustedIPs []string, connectionHeaders []string, next http.Handler) (*XForwarded, error) {
 	var ipChecker *ip.Checker
-	if len(trustedIps) > 0 {
+	if len(trustedIPs) > 0 {
 		var err error
-		ipChecker, err = ip.NewChecker(trustedIps)
+		ipChecker, err = ip.NewChecker(trustedIPs)
 		if err != nil {
 			return nil, err
 		}
@@ -66,11 +70,12 @@ func NewXForwarded(insecure bool, trustedIps []string, next http.Handler) (*XFor
 	}
 
 	return &XForwarded{
-		insecure:   insecure,
-		trustedIps: trustedIps,
-		ipChecker:  ipChecker,
-		next:       next,
-		hostname:   hostname,
+		insecure:          insecure,
+		trustedIPs:        trustedIPs,
+		connectionHeaders: connectionHeaders,
+		ipChecker:         ipChecker,
+		next:              next,
+		hostname:          hostname,
 	}, nil
 }
 
@@ -189,9 +194,53 @@ func (x *XForwarded) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	x.rewrite(r)
 
+	x.removeConnectionHeaders(r)
+
 	x.next.ServeHTTP(w, r)
 }
 
+func (x *XForwarded) removeConnectionHeaders(req *http.Request) {
+	var reqUpType string
+	if httpguts.HeaderValuesContainsToken(req.Header[connection], upgrade) {
+		reqUpType = unsafeHeader(req.Header).Get(upgrade)
+	}
+
+	var connectionHopByHopHeaders []string
+	for _, f := range req.Header[connection] {
+		for _, sf := range strings.Split(f, ",") {
+			if sf = textproto.TrimString(sf); sf != "" {
+				// Connection header cannot dictate to remove X- headers managed by Traefik,
+				// as per rfc7230 https://datatracker.ietf.org/doc/html/rfc7230#section-6.1,
+				// A proxy or gateway MUST ... and then remove the Connection header field itself
+				// (or replace it with the intermediary's own connection options for the forwarded message).
+				if slices.Contains(xHeaders, sf) {
+					continue
+				}
+
+				// Keep headers allowed through the middleware chain.
+				if slices.Contains(x.connectionHeaders, sf) {
+					connectionHopByHopHeaders = append(connectionHopByHopHeaders, sf)
+					continue
+				}
+
+				// Apply Connection header option.
+				req.Header.Del(sf)
+			}
+		}
+	}
+
+	if reqUpType != "" {
+		connectionHopByHopHeaders = append(connectionHopByHopHeaders, upgrade)
+		unsafeHeader(req.Header).Set(upgrade, reqUpType)
+	}
+	if len(connectionHopByHopHeaders) > 0 {
+		unsafeHeader(req.Header).Set(connection, strings.Join(connectionHopByHopHeaders, ","))
+		return
+	}
+
+	unsafeHeader(req.Header).Del(connection)
+}
+
 // unsafeHeader allows to manage Header values.
 // Must be used only when the header name is already a canonical key.
 type unsafeHeader map[string][]string

pkg/middlewares/forwardedheaders/forwarded_header_test.go

@@ -12,15 +12,16 @@ import (
 
 func TestServeHTTP(t *testing.T) {
 	testCases := []struct {
-		desc            string
-		insecure        bool
-		trustedIps      []string
-		incomingHeaders map[string][]string
-		remoteAddr      string
-		expectedHeaders map[string]string
-		tls             bool
-		websocket       bool
-		host            string
+		desc              string
+		insecure          bool
+		trustedIps        []string
+		connectionHeaders []string
+		incomingHeaders   map[string][]string
+		remoteAddr        string
+		expectedHeaders   map[string]string
+		tls               bool
+		websocket         bool
+		host              string
 	}{
 		{
 			desc:            "all Empty",
@@ -269,6 +270,196 @@ func TestServeHTTP(t *testing.T) {
 				xForwardedServer: "foo.com:8080",
 			},
 		},
+		{
+			desc:     "Untrusted: Connection header has no effect on X- forwarded headers",
+			insecure: false,
+			incomingHeaders: map[string][]string{
+				connection: {
+					xForwardedProto,
+					xForwardedFor,
+					xForwardedURI,
+					xForwardedMethod,
+					xForwardedHost,
+					xForwardedPort,
+					xForwardedTLSClientCert,
+					xForwardedTLSClientCertInfo,
+					xRealIP,
+				},
+				xForwardedProto:             {"foo"},
+				xForwardedFor:               {"foo"},
+				xForwardedURI:               {"foo"},
+				xForwardedMethod:            {"foo"},
+				xForwardedHost:              {"foo"},
+				xForwardedPort:              {"foo"},
+				xForwardedTLSClientCert:     {"foo"},
+				xForwardedTLSClientCertInfo: {"foo"},
+				xRealIP:                     {"foo"},
+			},
+			expectedHeaders: map[string]string{
+				xForwardedProto:             "http",
+				xForwardedFor:               "",
+				xForwardedURI:               "",
+				xForwardedMethod:            "",
+				xForwardedHost:              "",
+				xForwardedPort:              "80",
+				xForwardedTLSClientCert:     "",
+				xForwardedTLSClientCertInfo: "",
+				xRealIP:                     "",
+				connection:                  "",
+			},
+		},
+		{
+			desc:     "Trusted (insecure): Connection header has no effect on X- forwarded headers",
+			insecure: true,
+			incomingHeaders: map[string][]string{
+				connection: {
+					xForwardedProto,
+					xForwardedFor,
+					xForwardedURI,
+					xForwardedMethod,
+					xForwardedHost,
+					xForwardedPort,
+					xForwardedTLSClientCert,
+					xForwardedTLSClientCertInfo,
+					xRealIP,
+				},
+				xForwardedProto:             {"foo"},
+				xForwardedFor:               {"foo"},
+				xForwardedURI:               {"foo"},
+				xForwardedMethod:            {"foo"},
+				xForwardedHost:              {"foo"},
+				xForwardedPort:              {"foo"},
+				xForwardedTLSClientCert:     {"foo"},
+				xForwardedTLSClientCertInfo: {"foo"},
+				xRealIP:                     {"foo"},
+			},
+			expectedHeaders: map[string]string{
+				xForwardedProto:             "foo",
+				xForwardedFor:               "foo",
+				xForwardedURI:               "foo",
+				xForwardedMethod:            "foo",
+				xForwardedHost:              "foo",
+				xForwardedPort:              "foo",
+				xForwardedTLSClientCert:     "foo",
+				xForwardedTLSClientCertInfo: "foo",
+				xRealIP:                     "foo",
+				connection:                  "",
+			},
+		},
+		{
+			desc:     "Untrusted and Connection: Connection header has no effect on X- forwarded headers",
+			insecure: false,
+			connectionHeaders: []string{
+				xForwardedProto,
+				xForwardedFor,
+				xForwardedURI,
+				xForwardedMethod,
+				xForwardedHost,
+				xForwardedPort,
+				xForwardedTLSClientCert,
+				xForwardedTLSClientCertInfo,
+				xRealIP,
+			},
+			incomingHeaders: map[string][]string{
+				connection: {
+					xForwardedProto,
+					xForwardedFor,
+					xForwardedURI,
+					xForwardedMethod,
+					xForwardedHost,
+					xForwardedPort,
+					xForwardedTLSClientCert,
+					xForwardedTLSClientCertInfo,
+					xRealIP,
+				},
+				xForwardedProto:             {"foo"},
+				xForwardedFor:               {"foo"},
+				xForwardedURI:               {"foo"},
+				xForwardedMethod:            {"foo"},
+				xForwardedHost:              {"foo"},
+				xForwardedPort:              {"foo"},
+				xForwardedTLSClientCert:     {"foo"},
+				xForwardedTLSClientCertInfo: {"foo"},
+				xRealIP:                     {"foo"},
+			},
+			expectedHeaders: map[string]string{
+				xForwardedProto:             "http",
+				xForwardedFor:               "",
+				xForwardedURI:               "",
+				xForwardedMethod:            "",
+				xForwardedHost:              "",
+				xForwardedPort:              "80",
+				xForwardedTLSClientCert:     "",
+				xForwardedTLSClientCertInfo: "",
+				xRealIP:                     "",
+				connection:                  "",
+			},
+		},
+		{
+			desc:     "Trusted (insecure) and Connection: Connection header has no effect on X- forwarded headers",
+			insecure: true,
+			connectionHeaders: []string{
+				xForwardedProto,
+				xForwardedFor,
+				xForwardedURI,
+				xForwardedMethod,
+				xForwardedHost,
+				xForwardedPort,
+				xForwardedTLSClientCert,
+				xForwardedTLSClientCertInfo,
+				xRealIP,
+			},
+			incomingHeaders: map[string][]string{
+				connection: {
+					xForwardedProto,
+					xForwardedFor,
+					xForwardedURI,
+					xForwardedMethod,
+					xForwardedHost,
+					xForwardedPort,
+					xForwardedTLSClientCert,
+					xForwardedTLSClientCertInfo,
+					xRealIP,
+				},
+				xForwardedProto:             {"foo"},
+				xForwardedFor:               {"foo"},
+				xForwardedURI:               {"foo"},
+				xForwardedMethod:            {"foo"},
+				xForwardedHost:              {"foo"},
+				xForwardedPort:              {"foo"},
+				xForwardedTLSClientCert:     {"foo"},
+				xForwardedTLSClientCertInfo: {"foo"},
+				xRealIP:                     {"foo"},
+			},
+			expectedHeaders: map[string]string{
+				xForwardedProto:             "foo",
+				xForwardedFor:               "foo",
+				xForwardedURI:               "foo",
+				xForwardedMethod:            "foo",
+				xForwardedHost:              "foo",
+				xForwardedPort:              "foo",
+				xForwardedTLSClientCert:     "foo",
+				xForwardedTLSClientCertInfo: "foo",
+				xRealIP:                     "foo",
+				connection:                  "",
+			},
+		},
+		{
+			desc: "Connection: one remove, and one passthrough header",
+			connectionHeaders: []string{
+				"foo",
+			},
+			incomingHeaders: map[string][]string{
+				connection: {
+					"foo",
+				},
+				"Foo": {"bar"},
+				"Bar": {"foo"},
+			},
+			expectedHeaders: map[string]string{
+				"Bar": "foo",
+			},
+		},
 	}
 
 	for _, test := range testCases {
@@ -299,7 +490,7 @@ func TestServeHTTP(t *testing.T) {
 				}
 			}
 
-			m, err := NewXForwarded(test.insecure, test.trustedIps,
+			m, err := NewXForwarded(test.insecure, test.trustedIps, test.connectionHeaders,
 				http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {}))
 			require.NoError(t, err)
 
@@ -382,3 +573,74 @@ func Test_isWebsocketRequest(t *testing.T) {
 		})
 	}
 }
+
+func TestConnection(t *testing.T) {
+	testCases := []struct {
+		desc              string
+		reqHeaders        map[string]string
+		connectionHeaders []string
+		expected          http.Header
+	}{
+		{
+			desc: "simple remove",
+			reqHeaders: map[string]string{
+				"Foo":      "bar",
+				connection: "foo",
+			},
+			expected: http.Header{},
+		},
+		{
+			desc: "remove and upgrade",
+			reqHeaders: map[string]string{
+				upgrade:    "test",
+				"Foo":      "bar",
+				connection: "upgrade,foo",
+			},
+			expected: http.Header{
+				upgrade:    []string{"test"},
+				connection: []string{"Upgrade"},
+			},
+		},
+		{
+			desc: "no remove",
+			reqHeaders: map[string]string{
+				"Foo":      "bar",
+				connection: "fii",
+			},
+			expected: http.Header{
+				"Foo": []string{"bar"},
+			},
+		},
+		{
+			desc: "no remove because connection header pass through",
+			reqHeaders: map[string]string{
+				"Foo":      "bar",
+				connection: "Foo",
+			},
+			connectionHeaders: []string{"Foo"},
+			expected: http.Header{
+				"Foo":      []string{"bar"},
+				connection: []string{"Foo"},
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			forwarded, err := NewXForwarded(true, nil, test.connectionHeaders, nil)
+			require.NoError(t, err)
+
+			req := httptest.NewRequest(http.MethodGet, "https://localhost", nil)
+
+			for k, v := range test.reqHeaders {
+				req.Header.Set(k, v)
+			}
+
+			forwarded.removeConnectionHeaders(req)
+
+			assert.Equal(t, test.expected, req.Header)
+		})
+	}
+}