Merge current branch v2.11 into v3.2

Prepare release v2.11.15
Fix experimental build ci
2025-09-07 09:44:23 +03:00 · 2024-12-10 15:04:04 +01:00 · 2024-12-10 14:18:04 +01:00 · 2024-12-10 12:12:05 +01:00 · 2024-12-10 09:48:05 +01:00 · 2024-12-09 09:44:05 +01:00
391 changed files with 38628 additions and 18233 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
 - for Traefik v2: use branch v2.11
- for Traefik v3: use branch v3.1
+- for Traefik v3: use branch v3.2

 Bug fixes:
 - for Traefik v2: use branch v2.11
- for Traefik v3: use branch v3.1
+- for Traefik v3: use branch v3.2

 Enhancements:
 - for Traefik v2: we only accept bug fixes
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -10,48 +10,42 @@ on:
      - 'script/gcg/**'

 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
  CGO_ENABLED: 0

 jobs:

  build-webui:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: webui/.nvmrc
-          cache: yarn
-          cache-dependency-path: webui/yarn.lock
-
-      - name: Build webui
-        working-directory: ./webui
-        run: |
-          yarn install
-          yarn build
-
-      - name: Package webui
-        run: |
-          tar czvf webui.tar.gz ./webui/static/
-
-      - name: Artifact webui
-        uses: actions/upload-artifact@v4
-        with:
-          name: webui.tar.gz
-          path: webui.tar.gz
+    uses: ./.github/workflows/template-webui.yaml

  build:
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
+
    strategy:
      matrix:
-        os: [ ubuntu-latest, macos-latest, windows-latest ]
+        os: [ darwin, freebsd, linux, openbsd, windows ]
+        arch: [ amd64, arm64 ]
+        include:
+          - os: freebsd
+            arch: 386
+          - os: linux
+            arch: 386
+          - os: linux
+            arch: arm
+            goarm: 6
+          - os: linux
+            arch: arm
+            goarm: 7
+          - os: linux
+            arch: ppc64le
+          - os: linux
+            arch: riscv64
+          - os: linux
+            arch: s390x
+          - os: openbsd
+            arch: 386
+          - os: windows
+            arch: 386
    needs:
      - build-webui

@@ -63,6 +57,8 @@ jobs:

      - name: Set up Go ${{ env.GO_VERSION }}
        uses: actions/setup-go@v5
+        env:
+          ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
        with:
          go-version: ${{ env.GO_VERSION }}

@@ -72,7 +68,13 @@ jobs:
          name: webui.tar.gz

      - name: Untar webui
-        run: tar xvf webui.tar.gz
+        run: |
+          tar xvf webui.tar.gz
+          rm webui.tar.gz

      - name: Build
+        env:
+          GOOS: ${{ matrix.os }}
+          GOARCH: ${{ matrix.arch }}
+          GOARM: ${{ matrix.goarm }}
        run: make binary
--- a/.github/workflows/experimental.yaml
+++ b/.github/workflows/experimental.yaml
@@ -7,39 +7,30 @@ on:
      - v*

 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
  CGO_ENABLED: 0

 jobs:

+  build-webui:
+    if: github.repository == 'traefik/traefik'
+    uses: ./.github/workflows/template-webui.yaml
+
  experimental:
    if: github.repository == 'traefik/traefik'
    name: Build experimental image on branch
    runs-on: ubuntu-latest

    steps:
-
-      # https://github.com/marketplace/actions/checkout
      - name: Check out code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

-      - name: Setup node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: webui/.nvmrc
-          cache: yarn
-          cache-dependency-path: webui/yarn.lock
-
-      - name: Build webui
-        working-directory: ./webui
-        run: |
-          yarn install
-          yarn build
-
      - name: Set up Go ${{ env.GO_VERSION }}
        uses: actions/setup-go@v5
+        env:
+          ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
        with:
          go-version: ${{ env.GO_VERSION }}

@@ -61,6 +52,16 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

+      - name: Artifact webui
+        uses: actions/download-artifact@v4
+        with:
+          name: webui.tar.gz
+
+      - name: Untar webui
+        run: |
+          tar xvf webui.tar.gz
+          rm webui.tar.gz
+
      - name: Build docker experimental image
        env:
          DOCKER_BUILDX_ARGS: "--push"
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,127 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+env:
+  GO_VERSION: '1.23'
+  CGO_ENABLED: 0
+  VERSION: ${{ github.ref_name }}
+  TRAEFIKER_EMAIL: "traefiker@traefik.io"
+  CODENAME: munster
+
+jobs:
+
+  build-webui:
+    if: github.ref_type == 'tag'
+    uses: ./.github/workflows/template-webui.yaml
+
+  build:
+    if: github.ref_type == 'tag'
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin, windows-amd64, windows-arm64, windows-386, freebsd, openbsd ]
+    needs:
+      - build-webui
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        env:
+          # Ensure cache consistency on Linux, see https://github.com/actions/setup-go/pull/383
+          ImageOS: ${{ matrix.os }}
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Artifact webui
+        uses: actions/download-artifact@v4
+        with:
+          name: webui.tar.gz
+
+      - name: Untar webui
+        run: |
+          tar xvf webui.tar.gz
+          rm webui.tar.gz
+
+      - name: Go generate
+        run: go generate
+
+
+      - name: Generate goreleaser file
+        run: |
+          GORELEASER_CONFIG_FILE_PATH=$(go run ./internal/release "${{ matrix.os }}")
+          echo "GORELEASER_CONFIG_FILE_PATH=$GORELEASER_CONFIG_FILE_PATH" >> $GITHUB_ENV
+
+      - name: Build with goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          # 'latest', 'nightly', or a semver
+          version: '~> v2'
+          args: release --clean --timeout="90m" --config "${{ env.GORELEASER_CONFIG_FILE_PATH }}"
+
+      - name: Artifact binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.os }}-binaries
+          path: |
+            dist/**/*_checksums.txt
+            dist/**/*.tar.gz
+            dist/**/*.zip
+          retention-days: 1
+
+  release:
+    if: github.ref_type == 'tag'
+    runs-on: ubuntu-latest
+
+    needs:
+      - build
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Retrieve the secret and decode it to a file
+        env:
+          TRAEFIKER_RSA: ${{ secrets.TRAEFIKER_RSA }}
+        run: |
+          mkdir -p ~/.ssh
+          echo "${TRAEFIKER_RSA}" | base64 --decode > ~/.ssh/traefiker_rsa
+
+      - name: Download All Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: dist/
+          pattern: "*-binaries"
+          merge-multiple: true
+
+      - name: Publish Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          cat dist/**/*_checksums.txt >> "dist/traefik_${VERSION}_checksums.txt"
+          rm dist/**/*_checksums.txt
+          tar cfz "dist/traefik-${VERSION}.src.tar.gz" \
+            --exclude-vcs \
+            --exclude .idea \
+            --exclude .travis \
+            --exclude .semaphoreci \
+            --exclude .github \
+            --exclude dist .
+          
+          chown -R "$(id -u)":"$(id -g)" dist/
+          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION}
+          
+          ./script/deploy.sh
+
--- a/.github/workflows/sync-docker-images.yaml
+++ b/.github/workflows/sync-docker-images.yaml
@@ -0,0 +1,26 @@
+name: Sync Docker Images
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *" # Run every day
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    if: github.repository == 'traefik/traefik'
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: imjasonh/setup-crane@v0.4
+      
+      - name: Sync
+        run: |
+          EXCLUDED_TAGS="1.7.9-alpine v1.0.0-beta.392 v1.0.0-beta.404 v1.0.0-beta.704 v1.0.0-rc1 v1.7.9-alpine"
+          EXCLUDED_REGEX=$(echo $EXCLUDED_TAGS | sed 's/ /|/g')
+          diff <(crane ls traefik) <(crane ls ghcr.io/traefik/traefik) | grep '^<' | awk '{print $2}' | while read -r tag; do [[ "$tag" =~ ^($EXCLUDED_REGEX)$ ]] || (echo "Processing image: traefik:$tag"; crane cp "traefik:$tag" "ghcr.io/traefik/traefik:$tag"); done
+          crane cp traefik:latest ghcr.io/traefik/traefik:latest
--- a/.github/workflows/template-webui.yaml
+++ b/.github/workflows/template-webui.yaml
@@ -0,0 +1,37 @@
+name: Build Web UI
+on:
+  workflow_call: {}
+jobs:
+
+  build-webui:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: webui/.nvmrc
+          cache: yarn
+          cache-dependency-path: webui/yarn.lock
+
+      - name: Build webui
+        working-directory: ./webui
+        run: |
+          yarn install
+          yarn build
+
+      - name: Package webui
+        run: |
+          tar czvf webui.tar.gz ./webui/static/
+
+      - name: Artifact webui
+        uses: actions/upload-artifact@v4
+        with:
+          name: webui.tar.gz
+          path: webui.tar.gz
+          retention-days: 1
--- a/.github/workflows/test-conformance.yaml
+++ b/.github/workflows/test-conformance.yaml
@@ -5,11 +5,13 @@ on:
    branches:
      - '*'
    paths:
+      - '.github/workflows/test-conformance.yaml'
      - 'pkg/provider/kubernetes/gateway/**'
+      - 'integration/fixtures/k8s-conformance/**'
      - 'integration/k8s_conformance_test.go'

 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
  CGO_ENABLED: 0

 jobs:
@@ -31,5 +33,7 @@ jobs:
      - name: Avoid generating webui
        run: touch webui/static/index.html

-      - name: K8s Gateway API conformance test
-        run: make test-gateway-api-conformance
+      - name: K8s Gateway API conformance test and report
+        run: |
+          make test-gateway-api-conformance
+          git diff --exit-code
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@@ -10,7 +10,7 @@ on:
      - 'script/gcg/**'

 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
  CGO_ENABLED: 0

 jobs:
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -10,7 +10,7 @@ on:
      - 'script/gcg/**'

 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'

 jobs:

--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -6,12 +6,31 @@ on:
      - '*'

 env:
-  GO_VERSION: '1.22'
-  GOLANGCI_LINT_VERSION: v1.59.0
-  MISSSPELL_VERSION: v0.6.0
+  GO_VERSION: '1.23'
+  GOLANGCI_LINT_VERSION: v1.62.0
+  MISSPELL_VERSION: v0.6.0

 jobs:

+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: "${{ env.GOLANGCI_LINT_VERSION }}"
+
  validate:
    runs-on: ubuntu-latest

@@ -26,17 +45,14 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}

-      - name: Install golangci-lint ${{ env.GOLANGCI_LINT_VERSION }}
-        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
-
-      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
-        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
+      - name: Install misspell ${{ env.MISSPELL_VERSION }}
+        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}

      - name: Avoid generating webui
        run: touch webui/static/index.html

      - name: Validate
-        run: make validate
+        run: make validate-files

  validate-generate:
    runs-on: ubuntu-latest
--- a/.gitignore
+++ b/.gitignore
@@ -19,4 +19,4 @@ plugins-storage/
 plugins-local/
 traefik_changelog.md
 integration/tailscale.secret
-integration/conformance-reports/
+integration/conformance-reports/**/experimental-dev-default-report.yaml
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -162,8 +162,6 @@ linters-settings:
 linters:
  enable-all: true
  disable:
-    - execinquery # deprecated
-    - gomnd # deprecated
    - sqlclosecheck # not relevant (SQL)
    - rowserrcheck # not relevant (SQL)
    - cyclop # duplicate of gocyclo
@@ -200,8 +198,7 @@ linters:
    - maintidx # kind of duplicate of gocyclo
    - nonamedreturns # Too strict
    - gosmopolitan  # not relevant
-    - exportloopref # Useless with go1.22
-    - musttag
+    - exportloopref # Not relevant since go1.22

 issues:
  exclude-use-default: false
@@ -213,6 +210,7 @@ issues:
    - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
    - "should have a package comment, unless it's in another file for this package"
    - 'fmt.Sprintf can be replaced with string'
+    - 'SA1019: dockertypes.ContainerNode is deprecated'
  exclude-rules:
    - path: '(.+)_test.go'
      linters:
@@ -229,7 +227,7 @@ issues:
      text: 'struct-tag: unknown option ''inline'' in JSON tag'
      linters:
        - revive
-    - path: pkg/server/service/bufferpool.go
+    - path: pkg/proxy/httputil/bufferpool.go
      text: 'SA6002: argument should be pointer-like to avoid allocations'
    - path: pkg/server/middleware/middlewares.go
      text: "Function 'buildConstructor' has too many statements"
@@ -280,3 +278,24 @@ issues:
    - path: pkg/cli/loader_file.go
      linters:
        - goconst
+    - path: pkg/provider/acme/local_store.go
+      linters:
+        - musttag
+    - path: pkg/types/metrics.go
+      linters:
+        - goconst
+    - path: pkg/tls/certificate.go
+      text: 'the methods of "Certificates" use pointer receiver and non-pointer receiver.'
+      linters:
+        - recvcheck
+    - path: pkg/plugins/middlewarewasm.go
+      text: 'the methods of "wasmMiddlewareBuilder" use pointer receiver and non-pointer receiver.'
+      linters:
+        - recvcheck
+
+output:
+  show-stats: true
+  sort-results: true
+  sort-order:
+    - linter
+    - file
--- a/.goreleaser.yml.tmpl
+++ b/.goreleaser.yml.tmpl
@@ -1,12 +1,11 @@
 project_name: traefik
+version: 2

+[[if .GOARCH]]
+dist: "./dist/[[ .GOOS ]]-[[ .GOARCH ]]"
+[[else]]
 dist: "./dist/[[ .GOOS ]]"
-
-[[ if eq .GOOS "linux" ]]
-before:
-  hooks:
-    - go generate
-[[ end ]]
+[[end]]

 builds:
  - binary: traefik
@@ -21,6 +20,9 @@ builds:
    goos:
      - "[[ .GOOS ]]"
    goarch:
+      [[if .GOARCH]]
+      - "[[ .GOARCH ]]"
+      [[else]]
      - amd64
      - '386'
      - arm
@@ -28,6 +30,7 @@ builds:
      - ppc64le
      - s390x
      - riscv64
+      [[end]]
    goarm:
      - '7'
      - '6'
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -1,63 +1,13 @@
 version: v1.0
-name: Traefik
+name: Traefik Release - deprecated
 agent:
  machine:
-    type: e1-standard-4
-    os_image: ubuntu2004
-
-fail_fast:
-  stop:
-    when: "branch != 'master'"
-
-auto_cancel:
-  queued:
-    when: "branch != 'master'"
-  running:
-    when: "branch != 'master'"
-
-global_job_config:
-  prologue:
-    commands:
-      - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
-      - sudo semgo go1.22
-      - export "GOPATH=$(go env GOPATH)"
-      - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
-      - export "PATH=${GOPATH}/bin:${PATH}"
-      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
-      - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.59.0
-      - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
-      - checkout
-      - cache restore traefik-$(checksum go.sum)
-
+    type: f1-standard-2
+    os_image: ubuntu2204
 blocks:
-  - name: Release
-    dependencies: []
-    run:
-      when: "tag =~ '.*'"
+  - name: 'Do nothing'
    task:
-      agent:
-        machine:
-          type: e1-standard-8
-          os_image: ubuntu2004
-      secrets:
-        - name: traefik
-      env_vars:
-        - name: GH_VERSION
-          value: 2.32.1
-        - name: CODENAME
-          value: "comte"
-      prologue:
-        commands:
-          - export VERSION=${SEMAPHORE_GIT_TAG_NAME}
-          - curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
-          - tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
-          - sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
-          - sudo rm -rf ~/.phpbrew ~/.kerl ~/.sbt ~/.nvm ~/.npm ~/.kiex /usr/lib/jvm /opt/az /opt/firefox /usr/lib/google-cloud-sdk ~/.rbenv ~/.pip_download_cache # Remove unnecessary data.
-          - sudo service docker stop && sudo umount /var/lib/docker && sudo service docker start # Unmounts the docker disk and the whole system disk is usable.
      jobs:
-        - name: Release
+        - name: 'Do nothing'
          commands:
-            - make release-packages
-            - gh release create ${SEMAPHORE_GIT_TAG_NAME} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${SEMAPHORE_GIT_TAG_NAME} --notes ${SEMAPHORE_GIT_TAG_NAME}
-            - ./script/deploy.sh
+            - echo "Do nothing"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,312 @@
+## [v2.11.15](https://github.com/traefik/traefik/tree/v2.11.15) (2024-12-06)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.14...v2.11.15)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.20.4 ([#11295](https://github.com/traefik/traefik/pull/11295) by [ldez](https://github.com/ldez))
+- **[http3]** Update github.com/quic-go/quic-go to v0.48.2 ([#11320](https://github.com/traefik/traefik/pull/11320) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.2.1](https://github.com/traefik/traefik/tree/v3.2.1) (2024-11-20)
+[All Commits](https://github.com/traefik/traefik/compare/v3.2.0...v3.2.1)
+
+**Bug fixes:**
+- **[k8s/ingress,k8s]** Fix HostRegexp config for rule syntax v2 ([#11288](https://github.com/traefik/traefik/pull/11288) by [kevinpollet](https://github.com/kevinpollet))
+- **[logs]** Change level of peeking first byte error log to DEBUG for Postgres ([#11270](https://github.com/traefik/traefik/pull/11270) by [rtribotte](https://github.com/rtribotte))
+- **[service,fastproxy]** Fix case problem for websocket upgrade ([#11246](https://github.com/traefik/traefik/pull/11246) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- **[acme,tls]** Document how to use Certificates of cert-manager ([#11053](https://github.com/traefik/traefik/pull/11053) by [mloiseleur](https://github.com/mloiseleur))
+- **[docker/swarm]** Add tips about the use of docker in dynamic configuration for swarm provider ([#11207](https://github.com/traefik/traefik/pull/11207) by [webash](https://github.com/webash))
+- **[middleware]** Add Compress middleware to migration guide ([#11229](https://github.com/traefik/traefik/pull/11229) by [logica0419](https://github.com/logica0419))
+
+**Misc:**
+- Merge branch v2.11 into v3.2 ([#11290](https://github.com/traefik/traefik/pull/11290) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.11 into v3.2 ([#11287](https://github.com/traefik/traefik/pull/11287) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.2 ([#11285](https://github.com/traefik/traefik/pull/11285) by [juliens](https://github.com/juliens))
+- Merge branch v2.11 into v3.2 ([#11268](https://github.com/traefik/traefik/pull/11268) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.14](https://github.com/traefik/traefik/tree/v2.11.14) (2024-11-20)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.13...v2.11.14)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.20.2 ([#11263](https://github.com/traefik/traefik/pull/11263) by [ldez](https://github.com/ldez))
+- **[logs,server]** Change level of peeking first byte error log to DEBUG ([#11254](https://github.com/traefik/traefik/pull/11254) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,server]** Drop untrusted X-Forwarded-Prefix header ([#11253](https://github.com/traefik/traefik/pull/11253) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Apply keepalive config to h2c entrypoints ([#11276](https://github.com/traefik/traefik/pull/11276) by [davefu113](https://github.com/davefu113))
+- **[service]** Fix internal handlers ServiceBuilder composition ([#11281](https://github.com/traefik/traefik/pull/11281) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- **[accesslogs]** Update access-logs.md, add examples for accesslog.format ([#11275](https://github.com/traefik/traefik/pull/11275) by [bluepuma77](https://github.com/bluepuma77))
+- Fix the defaultRule CLI examples ([#11282](https://github.com/traefik/traefik/pull/11282) by [kevinpollet](https://github.com/kevinpollet))
+- Fix spelling, grammar, and rephrase sections for clarity in some documentation pages ([#11280](https://github.com/traefik/traefik/pull/11280) by [AntoineDeveloper](https://github.com/AntoineDeveloper))
+- Fix absolute link in the migration guide ([#11269](https://github.com/traefik/traefik/pull/11269) by [kevinpollet](https://github.com/kevinpollet))
+- Add X-Forwarded-Prefix to the migration guide ([#11267](https://github.com/traefik/traefik/pull/11267) by [kevinpollet](https://github.com/kevinpollet))
+- Fix a small typo in entrypoints documentation ([#11261](https://github.com/traefik/traefik/pull/11261) by [quiode](https://github.com/quiode))
+- Add a warning about environment variables casing for static configuration ([#11226](https://github.com/traefik/traefik/pull/11226) by [anchal00](https://github.com/anchal00))
+- Improve documentation on dashboard ([#11220](https://github.com/traefik/traefik/pull/11220) by [mloiseleur](https://github.com/mloiseleur))
+
+## [v3.2.0](https://github.com/traefik/traefik/tree/v3.2.0) (2024-10-28)
+[All Commits](https://github.com/traefik/traefik/compare/v3.2.0-rc1...v3.2.0)
+
+**Enhancements:**
+- **[acme]** Remove same email requirement for certresolvers ([#11019](https://github.com/traefik/traefik/pull/11019) by [Emrio](https://github.com/Emrio))
+- **[acme]** Add support for custom CA certificates by certificate resolver ([#10816](https://github.com/traefik/traefik/pull/10816) by [ldez](https://github.com/ldez))
+- **[acme]** Add 30 day certificatesDuration step ([#10970](https://github.com/traefik/traefik/pull/10970) by [luker983](https://github.com/luker983))
+- **[docker]** Support HTTP BasicAuth for docker and swarm endpoint ([#10776](https://github.com/traefik/traefik/pull/10776) by [985492783](https://github.com/985492783))
+- **[k8s,k8s/gatewayapi]** Add supported features to the Gateway API GatewayClass status ([#11056](https://github.com/traefik/traefik/pull/11056) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Update sigs.k8s.io/gateway-api to v1.2.0-rc1 ([#11124](https://github.com/traefik/traefik/pull/11124) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Add support for backend protocol selection in HTTP and GRPC routes ([#11051](https://github.com/traefik/traefik/pull/11051) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Improve Kubernetes GatewayAPI TCPRoute and TLSRoute support ([#11042](https://github.com/traefik/traefik/pull/11042) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Support HTTPRoute destination port matching ([#11134](https://github.com/traefik/traefik/pull/11134) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.2.0-rc2 ([#11131](https://github.com/traefik/traefik/pull/11131) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Add support for Gateway API BackendTLSPolicies ([#11009](https://github.com/traefik/traefik/pull/11009) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Support NativeLB option in GatewayAPI provider ([#11147](https://github.com/traefik/traefik/pull/11147) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Support ResponseHeaderModifier filter ([#10987](https://github.com/traefik/traefik/pull/10987) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Support GRPC routes ([#10975](https://github.com/traefik/traefik/pull/10975) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.2.0 ([#11167](https://github.com/traefik/traefik/pull/11167) by [rtribotte](https://github.com/rtribotte))
+- **[metrics,otel]** Allow setting service.name for OTLP metrics ([#10917](https://github.com/traefik/traefik/pull/10917) by [cmartell-at-ocp](https://github.com/cmartell-at-ocp))
+- **[middleware,accesslogs]** Record trace id and EntryPoint span id into access log ([#10921](https://github.com/traefik/traefik/pull/10921) by [weijiany](https://github.com/weijiany))
+- **[middleware,authentication]** Support LogUserHeader with forwardAuth middleware ([#10833](https://github.com/traefik/traefik/pull/10833) by [GaleHuang](https://github.com/GaleHuang))
+- **[middleware]** Add encodings option to the compression middleware ([#10943](https://github.com/traefik/traefik/pull/10943) by [wollomatic](https://github.com/wollomatic))
+- **[middleware]** Add support for ipv6 subnet in ipStrategy ([#9747](https://github.com/traefik/traefik/pull/9747) by [michal-kralik](https://github.com/michal-kralik))
+- **[nomad]** Support for watching instead of polling Nomad ([#10997](https://github.com/traefik/traefik/pull/10997) by [deverton-godaddy](https://github.com/deverton-godaddy))
+- **[server,performance]** Introduce a fast proxy mode to improve HTTP/1.1 performances with backends ([#11122](https://github.com/traefik/traefik/pull/11122) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Configurable max request header size ([#10995](https://github.com/traefik/traefik/pull/10995) by [lucasrod16](https://github.com/lucasrod16))
+- **[service]** Add mirrorBody option to HTTP mirroring ([#11032](https://github.com/traefik/traefik/pull/11032) by [MatteoPaier](https://github.com/MatteoPaier))
+- **[service]** Add an option to preserve server path ([#11193](https://github.com/traefik/traefik/pull/11193) by [mmatur](https://github.com/mmatur))
+
+**Bug fixes:**
+- **[k8s,k8s/gatewayapi]** Ensuring Gateway API reflected Traefik resource name unicity ([#11222](https://github.com/traefik/traefik/pull/11222) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Preserve GRPCRoute filters order ([#11199](https://github.com/traefik/traefik/pull/11199) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Support http and https appProtocol for Kubernetes Service ([#11176](https://github.com/traefik/traefik/pull/11176) by [WillDaSilva](https://github.com/WillDaSilva))
+- **[k8s,k8s/gatewayapi]** Avoid updating Accepted status for routes matching no Gateways ([#11170](https://github.com/traefik/traefik/pull/11170) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Do not update gateway status when not selected by a gateway class ([#11169](https://github.com/traefik/traefik/pull/11169) by [kevinpollet](https://github.com/kevinpollet))
+- **[service]** Detect and drop broken conns in the fastproxy pool ([#11212](https://github.com/traefik/traefik/pull/11212) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[k8s,k8s/gatewayapi]** Document nativeLBByDefault annotation on Kubernetes Gateway provider ([#11209](https://github.com/traefik/traefik/pull/11209) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s/crd,k8s]** Detail CRD update with v3.2 in the migration guide ([#11164](https://github.com/traefik/traefik/pull/11164) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s/gatewayapi]** Add missing RBAC in the migration guide ([#11189](https://github.com/traefik/traefik/pull/11189) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s]** Fix instructions for downloading CRDs of Gateway API v1.2 ([#11191](https://github.com/traefik/traefik/pull/11191) by [mloiseleur](https://github.com/mloiseleur))
+- Prepare release v3.2.0-rc2 ([#11182](https://github.com/traefik/traefik/pull/11182) by [kevinpollet](https://github.com/kevinpollet))
+- Prepare Release v3.2.0-rc1 ([#11154](https://github.com/traefik/traefik/pull/11154) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v3.1 into v3.2 ([#11219](https://github.com/traefik/traefik/pull/11219) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.1 into v3.2 ([#11181](https://github.com/traefik/traefik/pull/11181) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.1 into master ([#11153](https://github.com/traefik/traefik/pull/11153) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.1 into master ([#11110](https://github.com/traefik/traefik/pull/11110) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.1 into master ([#11066](https://github.com/traefik/traefik/pull/11066) by [mmatur](https://github.com/mmatur))
+- Merge branch v3.1 into master ([#11047](https://github.com/traefik/traefik/pull/11047) by [mmatur](https://github.com/mmatur))
+- Merge branch v3.1 into master ([#10980](https://github.com/traefik/traefik/pull/10980) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.1 into master ([#10952](https://github.com/traefik/traefik/pull/10952) by [mmatur](https://github.com/mmatur))
+- Merge branch v3.1 into master ([#10906](https://github.com/traefik/traefik/pull/10906) by [rtribotte](https://github.com/rtribotte))
+
+## [v3.1.7](https://github.com/traefik/traefik/tree/v3.1.7) (2024-10-28)
+[All Commits](https://github.com/traefik/traefik/compare/v3.1.6...v3.1.7)
+
+**Bug fixes:**
+- **[k8s,k8s/gatewayapi]** Preserve HTTPRoute filters order ([#11198](https://github.com/traefik/traefik/pull/11198) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[k8s,k8s/gatewayapi]** Fix broken links in Kubernetes Gateway provider page ([#11188](https://github.com/traefik/traefik/pull/11188) by [mloiseleur](https://github.com/mloiseleur))
+
+**Misc:**
+- Merge branch v2.11 into v3.1 ([#11232](https://github.com/traefik/traefik/pull/11232) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.11 into v3.1 ([#11218](https://github.com/traefik/traefik/pull/11218) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.13](https://github.com/traefik/traefik/tree/v2.11.13) (2024-10-28)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.12...v2.11.13)
+
+**Bug fixes:**
+- **[middleware,service]** Panic on aborted requests to properly close the connection ([#11129](https://github.com/traefik/traefik/pull/11129) by [tonybart1337](https://github.com/tonybart1337))
+
+**Documentation:**
+- Update business callouts ([#11217](https://github.com/traefik/traefik/pull/11217) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
+## [v3.2.0-rc2](https://github.com/traefik/traefik/tree/v3.2.0-rc2) (2024-10-09)
+[All Commits](https://github.com/traefik/traefik/compare/v3.2.0-rc1...v3.2.0-rc2)
+
+**Enhancements:**
+- **[k8s,k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.2.0 ([#11167](https://github.com/traefik/traefik/pull/11167) by [rtribotte](https://github.com/rtribotte))
+
+**Bug fixes:**
+- **[k8s,k8s/gatewayapi]** Support http and https appProtocol for Kubernetes Service ([#11176](https://github.com/traefik/traefik/pull/11176) by [WillDaSilva](https://github.com/WillDaSilva))
+- **[k8s,k8s/gatewayapi]** Avoid updating Accepted status for routes matching no Gateways ([#11170](https://github.com/traefik/traefik/pull/11170) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Do not update gateway status when not selected by a gateway class ([#11169](https://github.com/traefik/traefik/pull/11169) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- Detail CRD update with v3.2 in the migration guide ([#11164](https://github.com/traefik/traefik/pull/11164) by [mloiseleur](https://github.com/mloiseleur))
+
+**Misc:**
+- Merge branch v3.1 into v3.2 ([#11181](https://github.com/traefik/traefik/pull/11181) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.1.6](https://github.com/traefik/traefik/tree/v3.1.6) (2024-10-09)
+[All Commits](https://github.com/traefik/traefik/compare/v3.1.5...v3.1.6)
+
+**Bug fixes:**
+- **[middleware]** Reuse compression writers ([#11168](https://github.com/traefik/traefik/pull/11168) by [michelheusschen](https://github.com/michelheusschen))
+- **[middleware]** Use correct default weight in Accept-Encoding ([#11084](https://github.com/traefik/traefik/pull/11084) by [michelheusschen](https://github.com/michelheusschen))
+- **[plugins]** Close wasm middleware to prevent memory leak ([#11151](https://github.com/traefik/traefik/pull/11151) by [ttys3](https://github.com/ttys3))
+
+**Misc:**
+- Merge branch v2.11 into v3.1 ([#11179](https://github.com/traefik/traefik/pull/11179) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.11 into v3.1 ([#11174](https://github.com/traefik/traefik/pull/11174) by [mmatur](https://github.com/mmatur))
+
+## [v2.11.12](https://github.com/traefik/traefik/tree/v2.11.12) (2024-10-09)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.11...v2.11.12)
+
+**Bug fixes:**
+- **[middleware]** Bump github.com/klauspost/compress to dbd6c381492a ([#11162](https://github.com/traefik/traefik/pull/11162) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Upgrade to node 22.9 and yarn lock to fix vulnerabilities ([#11173](https://github.com/traefik/traefik/pull/11173) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Adopt a layout for the large amount of entrypoint port numbers ([#11157](https://github.com/traefik/traefik/pull/11157) by [framebassman](https://github.com/framebassman))
+
+**Documentation:**
+- **[accesslogs]** Clarify that only header fields may be redacted in access-logs ([#11139](https://github.com/traefik/traefik/pull/11139) by [mattbnz](https://github.com/mattbnz))
+- Update business callout ([#11172](https://github.com/traefik/traefik/pull/11172) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
+## [v3.2.0-rc1](https://github.com/traefik/traefik/tree/v3.2.0-rc1) (2024-10-02)
+[All Commits](https://github.com/traefik/traefik/compare/v3.1.0-rc1...v3.2.0-rc1)
+
+**Enhancements:**
+- **[acme]** Remove same email requirement for certresolvers ([#11019](https://github.com/traefik/traefik/pull/11019) by [Emrio](https://github.com/Emrio))
+- **[acme]** Add support for custom CA certificates by certificate resolver ([#10816](https://github.com/traefik/traefik/pull/10816) by [ldez](https://github.com/ldez))
+- **[acme]** Add 30 day certificatesDuration step ([#10970](https://github.com/traefik/traefik/pull/10970) by [luker983](https://github.com/luker983))
+- **[docker]** Support HTTP BasicAuth for docker and swarm endpoint ([#10776](https://github.com/traefik/traefik/pull/10776) by [985492783](https://github.com/985492783))
+- **[k8s,k8s/gatewayapi]** Add supported features to the Gateway API GatewayClass status ([#11056](https://github.com/traefik/traefik/pull/11056) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Update sigs.k8s.io/gateway-api to v1.2.0-rc1 ([#11124](https://github.com/traefik/traefik/pull/11124) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Add support for backend protocol selection in HTTP and GRPC routes ([#11051](https://github.com/traefik/traefik/pull/11051) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Improve Kubernetes GatewayAPI TCPRoute and TLSRoute support ([#11042](https://github.com/traefik/traefik/pull/11042) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Support HTTPRoute destination port matching ([#11134](https://github.com/traefik/traefik/pull/11134) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.2.0-rc2 ([#11131](https://github.com/traefik/traefik/pull/11131) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Add support for Gateway API BackendTLSPolicies ([#11009](https://github.com/traefik/traefik/pull/11009) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Support NativeLB option in GatewayAPI provider ([#11147](https://github.com/traefik/traefik/pull/11147) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Support ResponseHeaderModifier filter ([#10987](https://github.com/traefik/traefik/pull/10987) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Support GRPC routes ([#10975](https://github.com/traefik/traefik/pull/10975) by [kevinpollet](https://github.com/kevinpollet))
+- **[metrics,otel]** Allow setting service.name for OTLP metrics ([#10917](https://github.com/traefik/traefik/pull/10917) by [cmartell-at-ocp](https://github.com/cmartell-at-ocp))
+- **[middleware,accesslogs]** Record trace id and EntryPoint span id into access log ([#10921](https://github.com/traefik/traefik/pull/10921) by [weijiany](https://github.com/weijiany))
+- **[middleware,authentication]** Support LogUserHeader with forwardAuth middleware ([#10833](https://github.com/traefik/traefik/pull/10833) by [GaleHuang](https://github.com/GaleHuang))
+- **[middleware]** Add encodings option to the compression middleware ([#10943](https://github.com/traefik/traefik/pull/10943) by [wollomatic](https://github.com/wollomatic))
+- **[middleware]** Add support for ipv6 subnet in ipStrategy ([#9747](https://github.com/traefik/traefik/pull/9747) by [michal-kralik](https://github.com/michal-kralik))
+- **[nomad]** Support for watching instead of polling Nomad ([#10997](https://github.com/traefik/traefik/pull/10997) by [deverton-godaddy](https://github.com/deverton-godaddy))
+- **[server,performance]** Introduce a fast proxy mode to improve HTTP/1.1 performances with backends ([#11122](https://github.com/traefik/traefik/pull/11122) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Configurable max request header size ([#10995](https://github.com/traefik/traefik/pull/10995) by [lucasrod16](https://github.com/lucasrod16))
+- **[service]** Add mirrorBody option to HTTP mirroring ([#11032](https://github.com/traefik/traefik/pull/11032) by [MatteoPaier](https://github.com/MatteoPaier))
+
+## [v3.1.5](https://github.com/traefik/traefik/tree/v3.1.5) (2024-10-02)
+[All Commits](https://github.com/traefik/traefik/compare/v3.1.4...v3.1.5)
+
+**Bug fixes:**
+- **[k8s/ingress,k8s]** Disable IngressClass lookup when disableClusterScopeResources is enabled ([#11111](https://github.com/traefik/traefik/pull/11111) by [jnoordsij](https://github.com/jnoordsij))
+- **[server]** Rework condition to not log on timeout ([#11132](https://github.com/traefik/traefik/pull/11132) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v2.11 into v3.1 ([#11149](https://github.com/traefik/traefik/pull/11149) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.11 into v3.1 ([#11142](https://github.com/traefik/traefik/pull/11142) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.11](https://github.com/traefik/traefik/tree/v2.11.11) (2024-10-02)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.10...v2.11.11)
+
+**Bug fixes:**
+- **[acme]** Ensure defaultGeneratedCert.main as Subject&#39;s CN ([#10581](https://github.com/traefik/traefik/pull/10581) by [Lamatte](https://github.com/Lamatte))
+- **[middleware,authentication]** Clean connection headers for forward auth request only ([#11095](https://github.com/traefik/traefik/pull/11095) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Bump github.com/klauspost/compress to 8e14b1b5a913 ([#11141](https://github.com/traefik/traefik/pull/11141) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Rework condition to not log on timeout ([#11133](https://github.com/traefik/traefik/pull/11133) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Remove unused boot files from webui ([#11109](https://github.com/traefik/traefik/pull/11109) by [michelheusschen](https://github.com/michelheusschen))
+
+**Documentation:**
+- **[accesslogs]** Specify default format value for access log ([#11130](https://github.com/traefik/traefik/pull/11130) by [darkweaver87](https://github.com/darkweaver87))
+- **[api]** Update API documentation to mention pagination ([#11115](https://github.com/traefik/traefik/pull/11115) by [lyrandy](https://github.com/lyrandy))
+
+## [v3.1.4](https://github.com/traefik/traefik/tree/v3.1.4) (2024-09-19)
+[All Commits](https://github.com/traefik/traefik/compare/v3.1.3...v3.1.4)
+
+**Bug fixes:**
+- **[metrics]** Guess Datadog socket type when prefix is unix ([#11102](https://github.com/traefik/traefik/pull/11102) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- Mention v3 in readme ([#11082](https://github.com/traefik/traefik/pull/11082) by [kabaluyot](https://github.com/kabaluyot))
+
+**Misc:**
+- Merge branch v2.11 into v3.1 ([#11107](https://github.com/traefik/traefik/pull/11107) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.10](https://github.com/traefik/traefik/tree/v2.11.10) (2024-09-19)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.9...v2.11.10)
+
+**Bug fixes:**
+- **[http3]** Bump github.com/quic-go/quic-go to v0.47.0 ([#11104](https://github.com/traefik/traefik/pull/11104) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Check if ACME certificate resolver is not nil ([#11103](https://github.com/traefik/traefik/pull/11103) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.1.3](https://github.com/traefik/traefik/tree/v3.1.3) (2024-09-16)
+[All Commits](https://github.com/traefik/traefik/compare/v3.1.2...v3.1.3)
+
+**Bug fixes:**
+- **[k8s/ingress,rules,k8s]** Allow configuring rule syntax with Kubernetes Ingress annotation ([#10985](https://github.com/traefik/traefik/pull/10985) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** Re-allow empty configuration for Kubernetes Ingress provider ([#11008](https://github.com/traefik/traefik/pull/11008) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,metrics]** Wrap capture for services used by pieces of middleware ([#11058](https://github.com/traefik/traefik/pull/11058) by [rtribotte](https://github.com/rtribotte))
+- **[plugins]** Removes goexport dependency and adds _initialize ([#11088](https://github.com/traefik/traefik/pull/11088) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- **[k8s/crd,k8s]** Remove mentions about APIVersion traefik.io/v1 ([#11020](https://github.com/traefik/traefik/pull/11020) by [rtribotte](https://github.com/rtribotte))
+- **[k8s]** Update quick-start-with-kubernetes.md to include required permissions ([#11010](https://github.com/traefik/traefik/pull/11010) by [eastmane](https://github.com/eastmane))
+- **[metrics]** Mention missing metrics removal in the migration guide ([#10982](https://github.com/traefik/traefik/pull/10982) by [rtribotte](https://github.com/rtribotte))
+- **[tracing]** Fix tracing documentation ([#11067](https://github.com/traefik/traefik/pull/11067) by [mmatur](https://github.com/mmatur))
+- **[tracing]** OTLP doc + potential panic ([#11052](https://github.com/traefik/traefik/pull/11052) by [mmatur](https://github.com/mmatur))
+
+**Misc:**
+- Merge v2.11 into v3.1 ([#11092](https://github.com/traefik/traefik/pull/11092) by [kevinpollet](https://github.com/kevinpollet))
+- Merge v2.11 into v3.1 ([#11065](https://github.com/traefik/traefik/pull/11065) by [mmatur](https://github.com/mmatur))
+- Merge v2.11 into v3.1 ([#11044](https://github.com/traefik/traefik/pull/11044) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.9](https://github.com/traefik/traefik/tree/v2.11.9) (2024-09-16)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.8...v2.11.9)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.18.0 ([#11060](https://github.com/traefik/traefik/pull/11060) by [ldez](https://github.com/ldez))
+- **[acme]** Allow handling ACME challenges with custom routers ([#10981](https://github.com/traefik/traefik/pull/10981) by [rtribotte](https://github.com/rtribotte))
+- **[logs,middleware]** Make the keys of the accessLog.fields.names map case-insensitive ([#11040](https://github.com/traefik/traefik/pull/11040) by [SpecLad](https://github.com/SpecLad))
+- **[logs,middleware]** Ensure proper logs for aborted streaming responses ([#10819](https://github.com/traefik/traefik/pull/10819) by [hood](https://github.com/hood))
+- **[middleware,server]** Cleanup Connection headers before passing the middleware chain ([#11077](https://github.com/traefik/traefik/pull/11077) by [kevinpollet](https://github.com/kevinpollet))
+- **[plugins]** Upgrade paerser to v0.2.1 ([#11048](https://github.com/traefik/traefik/pull/11048) by [mmatur](https://github.com/mmatur))
+- **[server,tcp]** Prevent error logging when TCP WRR pool is empty ([#10989](https://github.com/traefik/traefik/pull/10989) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Upgrade webui dependencies ([#11031](https://github.com/traefik/traefik/pull/11031) by [mloiseleur](https://github.com/mloiseleur))
+
+**Documentation:**
+- **[acme]** Fix typo in multiple DNS challenge provider warning ([#11001](https://github.com/traefik/traefik/pull/11001) by [tired-engineer](https://github.com/tired-engineer))
+- **[k8s]** Update k8s quickstart permissions ([#11049](https://github.com/traefik/traefik/pull/11049) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Remove documentation for unimplemented service retries metric  ([#10983](https://github.com/traefik/traefik/pull/10983) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Unify tab titles ([#11072](https://github.com/traefik/traefik/pull/11072) by [jsoref](https://github.com/jsoref))
+- Give valid examples for exposing dashboard with default Helm values ([#11015](https://github.com/traefik/traefik/pull/11015) by [holysoles](https://github.com/holysoles))
+
+## [v3.1.2](https://github.com/traefik/traefik/tree/v3.1.2) (2024-08-06)
+[All Commits](https://github.com/traefik/traefik/compare/v3.1.1...v3.1.2)
+
+**Bug fixes:**
+- **[k8s,k8s/gatewayapi]** Include status addresses when comparing Gateway statuses ([#10972](https://github.com/traefik/traefik/pull/10972) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/ingress,k8s/crd,k8s]** Allow to disable Kubernetes cluster scope resources discovery ([#10946](https://github.com/traefik/traefik/pull/10946) by [rtribotte](https://github.com/rtribotte))
+- **[logs]** Change logs output from stderr to stdout ([#10973](https://github.com/traefik/traefik/pull/10973) by [rtribotte](https://github.com/rtribotte))
+- Fix grafana dashboard to work with scrape interval greater than 15s ([#10954](https://github.com/traefik/traefik/pull/10954) by [swiffer](https://github.com/swiffer))
+
+**Documentation:**
+- **[accesslogs]** Add Access logs section to the migration guide ([#10947](https://github.com/traefik/traefik/pull/10947) by [lbenguigui](https://github.com/lbenguigui))
+- **[http]** Fix missing codeblock ending in HTTP discover documentation ([#10967](https://github.com/traefik/traefik/pull/10967) by [djcode](https://github.com/djcode))
+- **[http]** Fix yaml config example for HTTP provider headers ([#10966](https://github.com/traefik/traefik/pull/10966) by [djcode](https://github.com/djcode))
+- **[k8s,k8s/gatewayapi]** Use Standard channel by default with Gateway API ([#10974](https://github.com/traefik/traefik/pull/10974) by [mloiseleur](https://github.com/mloiseleur))
+
+**Misc:**
+- Merge branch v2.11 into v3.1 ([#10978](https://github.com/traefik/traefik/pull/10978) by [rtribotte](https://github.com/rtribotte))
+- Merge v2.11 into v3.1 ([#10956](https://github.com/traefik/traefik/pull/10956) by [mmatur](https://github.com/mmatur))
+
+## [v2.11.8](https://github.com/traefik/traefik/tree/v2.11.8) (2024-08-06)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.7...v2.11.8)
+
+**Bug fixes:**
+- **[docker]** Update to github.com/docker/docker v27.1.1 ([#10955](https://github.com/traefik/traefik/pull/10955) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Upgrade webui dependencies ([#10961](https://github.com/traefik/traefik/pull/10961) by [mmatur](https://github.com/mmatur))
+
+**Documentation:**
+- Fix embedded youtube video ([#10958](https://github.com/traefik/traefik/pull/10958) by [mmatur](https://github.com/mmatur))
+- Updated index.md to include video ([#10944](https://github.com/traefik/traefik/pull/10944) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
 ## [v3.1.1](https://github.com/traefik/traefik/tree/v3.1.1) (2024-07-30)
 [All Commits](https://github.com/traefik/traefik/compare/v3.1.0...v3.1.1)

--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -47,7 +47,7 @@ Further details of specific enforcement policies may be posted separately.

 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

-When an inapropriate behavior is reported, maintainers will discuss on the Maintainer's Discord before marking the message as "abuse". 
+When an inappropriate behavior is reported, maintainers will discuss on the Maintainer's Discord before marking the message as "abuse". 
 This conversation beforehand avoids one-sided decisions.

 The first message will be edited and marked as abuse.
--- a/18
+++ b/18
@@ -1,13 +1,10 @@
 SRCS = $(shell git ls-files '*.go' | grep -v '^vendor/')

-TAG_NAME := $(shell git tag -l --contains HEAD)
+TAG_NAME := $(shell git describe --abbrev=0 --tags --exact-match)
 SHA := $(shell git rev-parse HEAD)
 VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
 VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))

-GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
-
-REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
 BIN_NAME := traefik
 CODENAME ?= cheddar

@@ -103,7 +100,8 @@ test-integration: binary
 .PHONY: test-gateway-api-conformance
 #? test-gateway-api-conformance: Run the conformance tests
 test-gateway-api-conformance: build-image-dirty
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance $(TESTFLAGS)
+	# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.2" $(TESTFLAGS)

 .PHONY: test-ui-unit
 #? test-ui-unit: Run the unit tests for the webui
@@ -128,20 +126,16 @@ lint:

 .PHONY: validate-files
 #? validate-files: Validate code and docs
-validate-files: lint
+validate-files:
 	$(foreach exec,$(LINT_EXECUTABLES),\
            $(if $(shell which $(exec)),,$(error "No $(exec) in PATH")))
+	$(CURDIR)/script/validate-vendor.sh
 	$(CURDIR)/script/validate-misspell.sh
 	$(CURDIR)/script/validate-shell-script.sh

 .PHONY: validate
 #? validate: Validate code, docs, and vendor
-validate: lint
-	$(foreach exec,$(EXECUTABLES),\
-            $(if $(shell which $(exec)),,$(error "No $(exec) in PATH")))
-	$(CURDIR)/script/validate-vendor.sh
-	$(CURDIR)/script/validate-misspell.sh
-	$(CURDIR)/script/validate-shell-script.sh
+validate: lint validate-files

 # Target for building images for multiple architectures.
 .PHONY: multi-arch-image-%
--- a/README.md
+++ b/README.md
@@ -35,7 +35,8 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo

 ---

-:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://doc.traefik.io/traefik/).
+:warning: When migrating to a new major version of Traefik, please refer to the [migration guide](https://doc.traefik.io/traefik/migration/v2-to-v3/) to ensure a smooth transition and to be aware of any breaking changes.
+

 ## Overview

@@ -61,7 +62,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
 - Circuit breakers, retry
 - See the magic through its clean web UI
- Websocket, HTTP/2, gRPC ready
+- WebSocket, HTTP/2, gRPC ready
 - Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB 2.X)
 - Keeps access logs (JSON, CLF)
 - Fast
@@ -87,7 +88,7 @@ You can access the simple HTML frontend of Traefik.

 ## Documentation

-You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
+You can find the complete documentation of Traefik v3 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).

 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,7 +1,7 @@
 # Security Policy

 You can join our security mailing list to be aware of the latest announcements from our security team.
-You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).

 Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).

--- a/cmd/traefik/logger.go
+++ b/cmd/traefik/logger.go
@@ -46,7 +46,7 @@ func setupLogger(staticConfiguration *static.Configuration) {
 }

 func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
-	var w io.Writer = os.Stderr
+	var w io.Writer = os.Stdout

 	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
 		_, _ = os.OpenFile(staticConfiguration.Log.FilePath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666)
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -37,6 +37,8 @@ import (
 	"github.com/traefik/traefik/v3/pkg/provider/aggregator"
 	"github.com/traefik/traefik/v3/pkg/provider/tailscale"
 	"github.com/traefik/traefik/v3/pkg/provider/traefik"
+	"github.com/traefik/traefik/v3/pkg/proxy"
+	"github.com/traefik/traefik/v3/pkg/proxy/httputil"
 	"github.com/traefik/traefik/v3/pkg/safe"
 	"github.com/traefik/traefik/v3/pkg/server"
 	"github.com/traefik/traefik/v3/pkg/server/middleware"
@@ -187,11 +189,11 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}

-	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)
+	acmeProviders := initACMEProvider(staticConfiguration, providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)

 	// Tailscale

-	tsProviders := initTailscaleProviders(staticConfiguration, &providerAggregator)
+	tsProviders := initTailscaleProviders(staticConfiguration, providerAggregator)

 	// Observability

@@ -281,10 +283,16 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		log.Info().Msg("Successfully obtained SPIFFE SVID.")
 	}

-	roundTripperManager := service.NewRoundTripperManager(spiffeX509Source)
+	transportManager := service.NewTransportManager(spiffeX509Source)
+
+	var proxyBuilder service.ProxyBuilder = httputil.NewProxyBuilder(transportManager, semConvMetricRegistry)
+	if staticConfiguration.Experimental != nil && staticConfiguration.Experimental.FastProxy != nil {
+		proxyBuilder = proxy.NewSmartBuilder(transportManager, proxyBuilder, *staticConfiguration.Experimental.FastProxy)
+	}
+
 	dialerManager := tcp.NewDialerManager(spiffeX509Source)
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
-	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, roundTripperManager, acmeHTTPHandler)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, transportManager, proxyBuilder, acmeHTTPHandler)

 	// Router factory

@@ -318,7 +326,8 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	// Server Transports
 	watcher.AddListener(func(conf dynamic.Configuration) {
-		roundTripperManager.Update(conf.HTTP.ServersTransports)
+		transportManager.Update(conf.HTTP.ServersTransports)
+		proxyBuilder.Update(conf.HTTP.ServersTransports)
 		dialerManager.Update(conf.TCP.ServersTransports)
 	})

@@ -364,7 +373,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
 				log.Error().Err(err).Str(logs.RouterName, rtName).Str("certificateResolver", rt.TLS.CertResolver).
-					Msg("Router uses a non-existent certificate resolver")
+					Msg("Router uses a nonexistent certificate resolver")
 			}
 		}
 	})
--- a/contrib/grafana/traefik-kubernetes.json
+++ b/contrib/grafana/traefik-kubernetes.json
@@ -1028,7 +1028,7 @@
          "refId": "A"
        }
      ],
-      "title": "5xx over [$interval]",
+      "title": "5xx over $interval",
      "type": "timeseries"
    },
    {
@@ -1128,7 +1128,7 @@
          "refId": "A"
        }
      ],
-      "title": "Other codes over [$interval]",
+      "title": "Other codes over $interval",
      "type": "timeseries"
    },
    {
--- a/contrib/grafana/traefik.json
+++ b/contrib/grafana/traefik.json
@@ -242,7 +242,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "sum(rate(traefik_entrypoint_requests_total{entrypoint=~\"$entrypoint\"}[1m])) by (entrypoint)",
+          "expr": "sum(rate(traefik_entrypoint_requests_total{entrypoint=~\"$entrypoint\"}[$interval])) by (entrypoint)",
          "legendFormat": "{{entrypoint}}",
          "range": true,
          "refId": "A"
@@ -340,7 +340,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method) + \n sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"1.2\",code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method)) / 2 / \n sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\",entrypoint=~\"$entrypoint\"}[5m])) by (method)\n",
+          "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\",entrypoint=~\"$entrypoint\"}[$interval])) by (method) + \n sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"1.2\",code=\"200\",entrypoint=~\"$entrypoint\"}[$interval])) by (method)) / 2 / \n sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\",entrypoint=~\"$entrypoint\"}[$interval])) by (method)\n",
          "legendFormat": "{{method}}",
          "range": true,
          "refId": "A"
@@ -408,7 +408,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "sum(rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[1m])) by (method, code)",
+          "expr": "sum(rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) by (method, code)",
          "legendFormat": "{{method}}[{{code}}]",
          "range": true,
          "refId": "A"
@@ -606,7 +606,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
          "legendFormat": "[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
@@ -710,7 +710,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"1.2\",service=~\"$service.*\"}[5m])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
+              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"1.2\",service=~\"$service.*\"}[$interval])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[$interval]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
              "legendFormat": "{{service}}",
              "range": true,
              "refId": "A"
@@ -804,7 +804,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",service=~\"$service.*\"}[5m])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
+              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",service=~\"$service.*\"}[$interval])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[$interval]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
              "legendFormat": "{{service}}",
              "range": true,
              "refId": "A"
@@ -916,13 +916,13 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"2..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"2..\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
              "legendFormat": "{{method}}[{{code}}] on {{service}}",
              "range": true,
              "refId": "A"
            }
          ],
-          "title": "2xx over 5 min",
+          "title": "2xx over $interval",
          "type": "timeseries"
        },
        {
@@ -1015,13 +1015,13 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"5..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"5..\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
              "legendFormat": "{{method}}[{{code}}] on {{service}}",
              "range": true,
              "refId": "A"
            }
          ],
-          "title": "5xx over 5 min",
+          "title": "5xx over $interval",
          "type": "timeseries"
        },
        {
@@ -1114,13 +1114,13 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code!~\"2..|5..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+              "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code!~\"2..|5..\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
              "legendFormat": "{{method}}[{{code}}] on {{service}}",
              "range": true,
              "refId": "A"
            }
          ],
-          "title": "Other codes over 5 min",
+          "title": "Other codes over $interval",
          "type": "timeseries"
        },
        {
@@ -1213,7 +1213,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_requests_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+              "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_requests_bytes_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
              "legendFormat": "{{method}} on {{service}}",
              "range": true,
              "refId": "A"
@@ -1312,7 +1312,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_responses_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+              "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_responses_bytes_total{service=~\"$service.*\",protocol=\"http\"}[$interval])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
              "legendFormat": "{{method}} on {{service}}",
              "range": true,
              "refId": "A"
@@ -1448,6 +1448,69 @@
        "skipUrlSync": false,
        "type": "datasource"
      },
+      {
+        "auto": true,
+        "auto_count": 30,
+        "auto_min": "1m",
+        "current": {
+          "selected": false,
+          "text": "auto",
+          "value": "$__auto_interval_interval"
+        },
+        "hide": 0,
+        "name": "interval",
+        "options": [
+          {
+            "selected": true,
+            "text": "auto",
+            "value": "$__auto_interval_interval"
+          },
+          {
+            "selected": false,
+            "text": "1m",
+            "value": "1m"
+          },
+          {
+            "selected": false,
+            "text": "5m",
+            "value": "5m"
+          },
+          {
+            "selected": false,
+            "text": "10m",
+            "value": "10m"
+          },
+          {
+            "selected": false,
+            "text": "30m",
+            "value": "30m"
+          },
+          {
+            "selected": false,
+            "text": "1h",
+            "value": "1h"
+          },
+          {
+            "selected": false,
+            "text": "2h",
+            "value": "2h"
+          },
+          {
+            "selected": false,
+            "text": "4h",
+            "value": "4h"
+          },
+          {
+            "selected": false,
+            "text": "8h",
+            "value": "8h"
+          }
+        ],
+        "query": "1m,5m,10m,30m,1h,2h,4h,8h",
+        "refresh": 2,
+        "skipUrlSync": false,
+        "type": "interval"
+      },
      {
        "current": {},
        "datasource": {
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -92,7 +92,7 @@ For development purposes, you can specify which tests to run by using (only work

    Create `tailscale.secret` file in `integration` directory.
    
-    This file need to contains a [Tailscale auth key](https://tailscale.com/kb/1085/auth-keys) 
+    This file needs to contain a [Tailscale auth key](https://tailscale.com/kb/1085/auth-keys) 
    (an ephemeral, but reusable, one is recommended).

    Add this section to your tailscale ACLs to auto-approve the routes for the
--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -15,13 +15,13 @@ Let's see how.

 ### General

-This [documentation](../../ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to website of MkDocs").
+This [documentation](../../ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").

 ### Method 1: `Docker` and `make`

 Please make sure you have the following requirements installed:

- [Docker](https://www.docker.com/ "Link to website of Docker")
+- [Docker](https://www.docker.com/ "Link to the website of Docker")

 You can build the documentation and test it locally (with live reloading), using the `docs-serve` target:

@@ -51,7 +51,7 @@ $ make docs-build

 Please make sure you have the following requirements installed:

- [Python](https://www.python.org/ "Link to website of Python")
+- [Python](https://www.python.org/ "Link to the website of Python")
 - [pip](https://pypi.org/project/pip/ "Link to the website of pip on PyPI")

 ```bash
--- a/docs/content/contributing/maintainers-guidelines.md
+++ b/docs/content/contributing/maintainers-guidelines.md
@@ -32,7 +32,7 @@ The contributor should also meet one or several of the following requirements:
  including those of other maintainers and contributors.

 - The contributor is active on Traefik Community forums
-  or other technical forums/boards such as K8S slack, Reddit, StackOverflow, hacker news.
+  or other technical forums/boards, such as K8S Slack, Reddit, StackOverflow, and Hacker News.

 Any existing active maintainer can create an issue to discuss promoting a contributor to maintainer. 
 Other maintainers can vote on the issue, and if the quorum is reached, the contributor is promoted to maintainer.
--- a/docs/content/contributing/submitting-pull-requests.md
+++ b/docs/content/contributing/submitting-pull-requests.md
@@ -17,7 +17,7 @@ or the list of [confirmed bugs](https://github.com/traefik/traefik/labels/kind%2

 ## How We Prioritize

-We wish we could review every pull request right away, but because it's a time consuming operation, it's not always possible.
+We wish we could review every pull request right away, but because it's a time-consuming operation, it's not always possible.

 The PRs we are able to handle the fastest are:

@@ -91,6 +91,8 @@ You must run these local verifications before you submit your pull request to pr
 Your PR will not be reviewed until these are green on the CI.

 * `make generate`
+* `make generate-crd`
+* `make test-gateway-api-conformance`
 * `make validate`
 * `make pull-images`
 * `make test`
@@ -128,7 +130,7 @@ This label can be used when:
 Traefik Proxy is made by the community for the community,
 as such the goal is to engage the community to make Traefik the best reverse proxy available.
 Part of this goal is maintaining a lean codebase and ensuring code velocity.
-unfortunately, this means that sometimes we will not be able to merge a pull request.
+Unfortunately, this means that sometimes we will not be able to merge a pull request.

 Because we respect the work you did, you will always be told why we are closing your pull request.
 If you do not agree with our decision, do not worry; closed pull requests are effortless to recreate,
--- a/docs/content/contributing/submitting-security-issues.md
+++ b/docs/content/contributing/submitting-security-issues.md
@@ -8,7 +8,7 @@ description: "Security is a key part of Traefik Proxy. Read the technical docume
 ## Security Advisories

 We strongly advise you to join our mailing list to be aware of the latest announcements from our security team.
-You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).

 ## CVE

--- a/docs/content/deprecation/features.md
+++ b/docs/content/deprecation/features.md
@@ -4,17 +4,11 @@ This page is maintained and updated periodically to reflect our roadmap and any

 | Feature                                                                                                              | Deprecated | End of Support | Removal |
 |----------------------------------------------------------------------------------------------------------------------|------------|----------------|---------|
-| [Kubernetes CRD Provider API Version `traefik.io/v1alpha1`](#kubernetes-crd-provider-api-version-traefikiov1alpha1)  | 3.0        | N/A            | 4.0     |
 | [Kubernetes Ingress API Version `networking.k8s.io/v1beta1`](#kubernetes-ingress-api-version-networkingk8siov1beta1) | N/A        | N/A            | 3.0     |
 | [CRD API Version `apiextensions.k8s.io/v1beta1`](#kubernetes-ingress-api-version-networkingk8siov1beta1)             | N/A        | N/A            | 3.0     |

 ## Impact

-### Kubernetes CRD Provider API Version `traefik.io/v1alpha1`
-
-The Kubernetes CRD provider API Version `traefik.io/v1alpha1` is deprecated in Traefik v3.
-Please use the API Group `traefik.io/v1` instead.
-
 ### Kubernetes Ingress API Version `networking.k8s.io/v1beta1`

 The Kubernetes Ingress API Version `networking.k8s.io/v1beta1` support is removed in v3. 
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -79,7 +79,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:v3.1 --help
+# ex: docker run traefik:v3.2 --help
 ```

 Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -251,3 +251,5 @@ In which case, you should make sure your infrastructure is properly set up for a
 ```shell
 LEGO_DISABLE_CNAME_SUPPORT=true
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:

 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:

-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.1/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.1/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.2/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.2/traefik.sample.toml)

 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.1
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.2
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.1`
+    ex: `traefik:v3.2`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

@@ -99,38 +99,6 @@ helm install traefik traefik/traefik
      - "--log.level=DEBUG"
    ```

-### Exposing the Traefik dashboard
-
-This Helm chart does not expose the Traefik dashboard by default, for security concerns.
-Thus, there are multiple ways to expose the dashboard.
-For instance, the dashboard access could be achieved through a port-forward:
-
-```shell
-kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
-```
-
-It can then be reached at: `http://127.0.0.1:9000/dashboard/`
-
-Another way would be to apply your own configuration, for instance,
-by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`):
-
-```yaml
-# dashboard.yaml
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: dashboard
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: Host(`traefik.localhost`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
-      kind: Rule
-      services:
-        - name: api@internal
-          kind: TraefikService
-```
-
 ## Use the Binary Distribution

 Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page.
--- a/docs/content/getting-started/quick-start-with-kubernetes.md
+++ b/docs/content/getting-started/quick-start-with-kubernetes.md
@@ -36,6 +36,7 @@ rules:
    resources:
      - services
      - secrets
+      - nodes
    verbs:
      - get
      - list
@@ -64,6 +65,23 @@ rules:
      - ingresses/status
    verbs:
      - update
+  - apiGroups:
+      - traefik.io
+    resources:
+      - middlewares
+      - middlewaretcps
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+      - serverstransports
+      - serverstransporttcps
+    verbs:
+      - get
+      - list
+      - watch
 ```

 !!! info "You can find the reference for this file [there](../../reference/dynamic-configuration/kubernetes-crd/#rbac)."
@@ -136,7 +154,7 @@ spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
-          image: traefik:v3.1
+          image: traefik:v3.2
          args:
            - --api.insecure
            - --providers.kubernetesingress
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -20,7 +20,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v3 Traefik docker image
-    image: traefik:v3.1
+    image: traefik:v3.2
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -11,7 +11,7 @@ Automatic HTTPS
 You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.

 !!! warning "Let's Encrypt and Rate Limiting"
-    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and can not be overridden.
+    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and cannot be overridden.
    
    When running Traefik in a container this file should be persisted across restarts. 
    If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
@@ -298,7 +298,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
    
    Multiple DNS challenge provider are not supported with Traefik, but you can use `CNAME` to handle that.
    For example, if you have `example.org` (account foo) and `example.com` (account bar) you can create a CNAME on `example.org` called `_acme-challenge.example.org` pointing to `challenge.example.com`.
-    This way, you can obtain certificates for `example.com` with the `foo` account.
+    This way, you can obtain certificates for `example.org` with the `bar` account.

 !!! important
    A `provider` is mandatory.
@@ -322,11 +322,11 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [ArvanCloud](https://www.arvancloud.ir/en)                             | `arvancloud`       | `ARVANCLOUD_API_KEY`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)       |
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
 | [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
-| [Azure](https://azure.microsoft.com/services/dns/)  (DEPRECATED)       | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
 | [AzureDNS](https://azure.microsoft.com/services/dns/)                  | `azuredns`         | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns)         |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)             | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
 | [Blue Cat](https://www.bluecatnetworks.com/)                           | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
-| [Brandit](https://www.brandit.com)                                     | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
+| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
 | [Bunny](https://bunny.net)                                             | `bunny`            | `BUNNY_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/bunny)            |
 | [Checkdomain](https://www.checkdomain.de/)                             | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
 | [Civo](https://www.civo.com/)                                          | `civo`             | `CIVO_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
@@ -334,13 +334,15 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [CloudDNS](https://vshosting.eu/)                                      | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
 | [Cloudflare](https://www.cloudflare.com)                               | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
 | [ClouDNS](https://www.cloudns.net/)                                    | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
-| [CloudXNS](https://www.cloudxns.net)                                   | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
 | [ConoHa](https://www.conoha.jp)                                        | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
 | [Constellix](https://constellix.com)                                   | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
+| [Core-Networks](https://www.core-networks.de)                          | `corenetworks`     | `CORENETWORKS_LOGIN`, `CORENETWORKS_PASSWORD`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/corenetworks)     |
 | [CPanel and WHM](https://cpanel.net/)                                  | `cpanel`           | `CPANEL_MODE`, `CPANEL_USERNAME`, `CPANEL_TOKEN`, `CPANEL_BASE_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cpanel)           |
 | [Derak Cloud](https://derak.cloud/)                                    | `derak`            | `DERAK_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/derak)            |
 | [deSEC](https://desec.io)                                              | `desec`            | `DESEC_TOKEN`                                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/desec)            |
 | [DigitalOcean](https://www.digitalocean.com)                           | `digitalocean`     | `DO_AUTH_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean)     |
+| [DirectAdmin](https://www.directadmin.com)                             | `directadmin`      | `DIRECTADMIN_API_URL` , `DIRECTADMIN_USERNAME`, `DIRECTADMIN_PASSWORD`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/directadmin)      |
 | [DNS Made Easy](https://dnsmadeeasy.com)                               | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
 | [dnsHome.de](https://www.dnshome.de)                                   | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
 | [DNSimple](https://dnsimple.com)                                       | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
@@ -369,6 +371,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [hosting.de](https://www.hosting.de)                                   | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
 | [Hosttech](https://www.hosttech.eu)                                    | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
 | [http.net](https://www.http.net/)                                      | `httpnet`          | `HTTPNET_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/httpnet)          |
+| [Huawei Cloud](https://huaweicloud.com)                                | `huaweicloud`      | `HUAWEICLOUD_ACCESS_KEY_ID`, `HUAWEICLOUD_SECRET_ACCESS_KEY`, `HUAWEICLOUD_REGION`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/huaweicloud)      |
 | [Hurricane Electric](https://dns.he.net)                               | `hurricane`        | `HURRICANE_TOKENS` [^6]                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)        |
 | [HyperOne](https://www.hyperone.com)                                   | `hyperone`         | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)         |
 | [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)                    | `ibmcloud`         | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)         |
@@ -384,12 +387,15 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Joker.com](https://joker.com)                                         | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
 | [Liara](https://liara.ir)                                              | `liara`            | `LIARA_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/liara)            |
 | [Lightsail](https://aws.amazon.com/lightsail/)                         | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
+| [Lima-City](https://www.lima-city.de)                                  | `limacity`         | `LIMACITY_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/limacity)         |
 | [Linode v4](https://www.linode.com)                                    | `linode`           | `LINODE_TOKEN`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/linode)           |
 | [Liquid Web](https://www.liquidweb.com/)                               | `liquidweb`        | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)        |
 | [Loopia](https://loopia.com/)                                          | `loopia`           | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)           |
 | [LuaDNS](https://luadns.com)                                           | `luadns`           | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)           |
 | [Mail-in-a-Box](https://mailinabox.email)                              | `mailinabox`       | `MAILINABOX_EMAIL`, `MAILINABOX_PASSWORD`, `MAILINABOX_BASE_URL`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/mailinabox)       |
 | [Metaname](https://metaname.net)                                       | `metaname`         | `METANAME_ACCOUNT_REFERENCE`, `METANAME_API_KEY`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/metaname)         |
+| [mijn.host](https://mijn.host/)                                        | `mijnhost`         | `MIJNHOST_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/mijnhost)         |
+| [Mittwald](https://www.mittwald.de)                                    | `mittwald`         | `MITTWALD_TOKEN`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/mittwald)         |
 | [MyDNS.jp](https://www.mydns.jp/)                                      | `mydnsjp`          | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)          |
 | [Mythic Beasts](https://www.mythic-beasts.com)                         | `mythicbeasts`     | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts)     |
 | [name.com](https://www.name.com/)                                      | `namedotcom`       | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)       |
@@ -413,19 +419,23 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Rackspace](https://www.rackspace.com/cloud/dns)                       | `rackspace`        | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)        |
 | [RcodeZero](https://www.rcodezero.at)                                  | `rcodezero`        | `RCODEZERO_API_TOKEN`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rcodezero)        |
 | [reg.ru](https://www.reg.ru)                                           | `regru`            | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/regru)            |
+| [Regfish](https://regfish.de)                                          | `regfish`          | `regfish`                                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/regfish)          |
 | [RFC2136](https://tools.ietf.org/html/rfc2136)                         | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
 | [RimuHosting](https://rimuhosting.com)                                 | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
 | [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
 | [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCW_API_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
-| [Selectel](https://selectel.ru/en/)                                    | `selectel`         | `SELECTEL_API_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)         |
 | [Selectel v2](https://selectel.ru/en/)                                 | `selectelv2`       | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2)       |
+| [Selectel](https://selectel.ru/en/)                                    | `selectel`         | `SELECTEL_API_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)         |
+| [SelfHost.(de/eu)](https://www.selfhost.de)                            | `selfhostde`       | `SELFHOSTDE_USERNAME`, `SELFHOSTDE_PASSWORD`, `SELFHOSTDE_RECORDS_MAPPING`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/selfhostde)       |
 | [Servercow](https://servercow.de)                                      | `servercow`        | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)        |
 | [Shellrent](https://www.shellrent.com)                                 | `shellrent`        | `SHELLRENT_USERNAME`, `SHELLRENT_TOKEN`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/shellrent)        |
 | [Simply.com](https://www.simply.com/en/domains/)                       | `simply`           | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/simply)           |
 | [Sonic](https://www.sonic.com/)                                        | `sonic`            | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)            |
 | [Stackpath](https://www.stackpath.com/)                                | `stackpath`        | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)        |
+| [Technitium](https://technitium.com)                                   | `technitium`       | `TECHNITIUM_SERVER_BASE_URL`, `TECHNITIUM_API_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/technitium)       |
 | [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)             | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
+| [Timeweb Cloud](https://timeweb.cloud)                                 | `timewebcloud`     | `TIMEWEBCLOUD_AUTH_TOKEN`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/timewebcloud)     |
 | [TransIP](https://www.transip.nl/)                                     | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
 | [UKFast SafeDNS](https://docs.ukfast.co.uk/domains/safedns/index.html) | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
 | [Ultradns](https://neustarsecurityservices.com/dns-services)           | `ultradns`         | `ULTRADNS_USERNAME`, `ULTRADNS_PASSWORD`                                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ultradns)         |
@@ -435,6 +445,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Versio](https://www.versio.nl/domeinnamen)                            | `versio`           | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/versio)           |
 | [VinylDNS](https://www.vinyldns.io)                                    | `vinyldns`         | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)         |
 | [VK Cloud](https://mcs.mail.ru/)                                       | `vkcloud`          | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME`                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud)          |
+| [Volcano Engine](https://www.volcengine.com)                           | `volcengine`       | `VOLC_ACCESSKEY`, `VOLC_SECRETKEY`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/volcengine)       |
 | [Vscale](https://vscale.io/)                                           | `vscale`           | `VSCALE_API_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)           |
 | [VULTR](https://www.vultr.com)                                         | `vultr`            | `VULTR_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)            |
 | [Webnames](https://www.webnames.ru/)                                   | `webnames`         | `WEBNAMES_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/webnames)         |
@@ -456,11 +467,6 @@ For complete details, refer to your provider's _Additional configuration_ link.
 [^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
 [^6]: As explained in the [LEGO hurricane configuration](https://go-acme.github.io/lego/dns/hurricane/#credentials), each domain or wildcard (record name) needs a token. So each update of record name must be followed by an update of the `HURRICANE_TOKENS` variable, and a restart of Traefik.

-!!! info "`delayBeforeCheck`"
-    By default, the `provider` verifies the TXT record _before_ letting ACME verify.
-    You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
-    This option is useful when internal networks block external DNS queries.
-
 #### `resolvers`

 Use custom DNS servers to resolve the FQDN authority.
@@ -490,6 +496,66 @@ certificatesResolvers:
 --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```

+#### `delayBeforeCheck`
+
+By default, the `provider` verifies the TXT record _before_ letting ACME verify.
+
+You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
+
+This option is useful when internal networks block external DNS queries.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        delayBeforeCheck: 2s
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    delayBeforeCheck = "2s"
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=2s
+```
+
+#### `disablePropagationCheck`
+
+**Not recommended**
+
+Disable the TXT records propagation checks before notifying ACME that the DNS challenge is ready. 
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        disablePropagationCheck: true
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    disablePropagationCheck = true
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.disablePropagationCheck=true
+```
+
 #### Wildcard Domains

 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
@@ -617,6 +683,7 @@ It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.
 |----------------------|-------------------|-------------------------|
 | >= 1 year            | 4 months          | 1 week                  |
 | >= 90 days           | 30 days           | 1 day                   |
+| >= 30 days           | 10 days           | 12 hours                |
 | >= 7 days            | 1 day             | 1 hour                  |
 | >= 24 hours          | 6 hours           | 10 min                  |
 | < 24 hours           | 20 min            | 1 min                   |
@@ -704,6 +771,109 @@ certificatesResolvers:
 # ...
 ```

+### `caCertificates`
+
+_Optional, Default=[]_
+
+The `caCertificates` option specifies the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      caCertificates:
+        - path/certificates1.pem
+        - path/certificates2.pem
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  caCertificates = [ "path/certificates1.pem", "path/certificates2.pem" ]
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.caCertificates="path/certificates1.pem,path/certificates2.pem"
+# ...
+```
+
+??? note "LEGO Environment Variable"
+
+    It can be defined globally by using the environment variable `LEGO_CA_CERTIFICATES`.
+    This environment variable is neither a fallback nor an override of the configuration option.
+
+### `caSystemCertPool`
+
+_Optional, Default=false_
+
+The `caSystemCertPool` option defines if the certificates pool must use a copy of the system cert pool.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      caSystemCertPool: true
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  caSystemCertPool = true
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.caSystemCertPool=true
+# ...
+```
+
+??? note "LEGO Environment Variable"
+
+    It can be defined globally by using the environment variable `LEGO_CA_SYSTEM_CERT_POOL`.
+    `LEGO_CA_SYSTEM_CERT_POOL` is ignored if `LEGO_CA_CERTIFICATES` is not set or empty.
+    This environment variable is neither a fallback nor an override of the configuration option.
+
+### `caServerName`
+
+_Optional, Default=""_
+
+The `caServerName` option specifies the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      caServerName: "my-server"
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  caServerName = "my-server"
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.caServerName="my-server"
+# ...
+```
+
+??? note "LEGO Environment Variable"
+
+    It can be defined globally by using the environment variable `LEGO_CA_SERVER_NAME`.
+    `LEGO_CA_SERVER_NAME` is ignored if `LEGO_CA_CERTIFICATES` is not set or empty.
+    This environment variable is neither a fallback nor an override of the configuration option.
+
 ## Fallback

 If Let's Encrypt is not reachable, the following certificates will apply:
--- a/docs/content/includes/traefik-for-business-applications.md
+++ b/docs/content/includes/traefik-for-business-applications.md
@@ -1,10 +1,10 @@
 ---

-!!! question "Using Traefik OSS in Production? Consider Adding Advanced Capabilities."
+!!! question "Using Traefik OSS in Production?"

-    Add API Gateway or API Management capabilities seamlessly to your existing Traefik deployments. 
-    No rip and replace. No learning curve.
+    If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.

-    - [Explore our API Gateway](https://traefik.io/traefik-hub-api-gateway/)
-    - [Explore our API Management](https://traefik.io/traefik-hub/)
-    - [Get 24/7/365 Commercial Support for Traefik OSS](https://info.traefik.io/request-commercial-support)
+    - [Watch our API Gateway Demo Video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc)
+    - [Request 24/7/365 OSS Support](https://info.traefik.io/request-commercial-support?cta=doc)
+
+    Adding API Gateway capabilities to Traefik OSS is fast and seamless. There's no rip and replace and all configurations remain intact. See it in action via [this short video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc).
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -7,16 +7,18 @@ description: "Traefik Proxy, an open source Edge Router, auto-discovers configur

 ![Architecture](assets/img/traefik-architecture.png)

-Traefik is an [open-source](https://github.com/traefik/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
-It receives requests on behalf of your system and finds out which components are responsible for handling them. 
+Traefik is an [open-source](https://github.com/traefik/traefik) *Application Proxy* that makes publishing your services a fun and easy experience. 
+It receives requests on behalf of your system and identifies which components are responsible for handling them, and routes them securely. 

 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
 The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. 

-Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
+Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
 
 With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
-With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.   
+With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.
+
+And if your needs change, you can add API gateway and API management capabilities seamlessly to your existing Traefik deployments. It takes less than a minute, there’s no rip-and-replace, and all your configurations are preserved. See this in action in [our API gateway demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=docs).

 Developing Traefik, our main goal is to make it effortless to use, and we're sure you'll enjoy it.

@@ -24,6 +26,8 @@ Developing Traefik, our main goal is to make it effortless to use, and we're sur

 !!! info

-    Join our user friendly and active [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the Traefik community.
+    Have a question? Join our [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the Traefik community.

-    Using Traefik OSS in Production? Add enterprise-grade API Gateway and API Management capabilities to your existing deployments seamlessly. No rip and replace. No learning curve. Learn more from [this short video](https://info.traefik.io/traefik-upgrade-walkthrough)
+    Using Traefik OSS in Production? Consider our enterprise-grade [API Gateway](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc) or our [24/7/365 OSS Support](https://info.traefik.io/request-commercial-support?cta=doc).
+
+    Explore our API Gateway upgrade via [this short demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc).
--- a/docs/content/middlewares/http/basicauth.md
+++ b/docs/content/middlewares/http/basicauth.md
@@ -341,3 +341,5 @@ http:
  [http.middlewares.test-auth.basicAuth]
    removeHeader = true
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -255,3 +255,48 @@ http:
  [http.middlewares.test-compress.compress]
    defaultEncoding = "gzip"
 ```
+
+### `encodings`
+
+_Optional, Default="zstd, br, gzip"_
+
+`encodings` specifies the list of supported compression encodings.
+At least one encoding value must be specified, and valid entries are `zstd` (Zstandard), `br` (Brotli), and `gzip` (Gzip).
+The order of the list also sets the priority, the top entry has the highest priority.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.encodings=zstd,br"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    encodings:
+      - zstd
+      - br
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.encodings=zstd,br"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        encodings:
+          - zstd
+          - br
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    encodings = ["zstd","br"]
+```
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -571,3 +571,46 @@ http:
    [http.middlewares.test-auth.forwardAuth.tls]
      insecureSkipVerify: true
 ```
+
+### `headerField`
+
+_Optional_
+
+You can define a header field to store the authenticated user using the `headerField`option.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.headerField=X-WebAuth-User"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    # ...
+    headerField: X-WebAuth-User
+```
+
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.headerField=X-WebAuth-User"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        # ...
+        headerField: "X-WebAuth-User"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares.test-auth.forwardAuth]
+  # ...
+  headerField = "X-WebAuth-User"
+```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/inflightreq.md
+++ b/docs/content/middlewares/http/inflightreq.md
@@ -101,7 +101,7 @@ If none are set, the default is to use the `requestHost`.

 #### `sourceCriterion.ipStrategy`

-The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines three parameters that configures how Traefik determines the client IP: `depth`, `excludedIPs` and `ipv6Subnet`.

 !!! important "As a middleware, InFlightReq happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through the middleware. Therefore, during InFlightReq, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be used and/or relied upon."

@@ -112,6 +112,9 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
 - `depth` is ignored if its value is less than or equal to 0.

+If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
+See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
+
 !!! example "Example of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
@@ -218,6 +221,63 @@ http:
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```

+##### `ipStrategy.ipv6Subnet`
+
+This strategy applies to `Depth` and `RemoteAddr` strategy only.
+If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
+
+This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
+
+- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
+
+!!! example "Example of ipv6Subnet"
+
+    If `ipv6Subnet` is provided, the IP is transformed in the following way.
+
+    | `IP`                      | `ipv6Subnet` | clientIP              |
+    |---------------------------|--------------|-----------------------|
+    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
+    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
+    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    sourceCriterion:
+      ipStrategy:
+        ipv6Subnet: 64
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        sourceCriterion:
+          ipStrategy:
+            ipv6Subnet: 64
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inflightreq]
+    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
+      ipv6Subnet = 64
+```
+
 #### `sourceCriterion.requestHeaderName`

 Name of the header used to group incoming requests.
@@ -278,7 +338,7 @@ spec:
      requestHost: true
 ```

-```yaml tab="Cosul Catalog"
+```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```

--- a/docs/content/middlewares/http/ipallowlist.md
+++ b/docs/content/middlewares/http/ipallowlist.md
@@ -75,6 +75,9 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is less than or equal to 0.

+If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
+See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
+
 !!! example "Examples of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
@@ -204,3 +207,60 @@ http:
    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
+
+#### `ipStrategy.ipv6Subnet`
+
+This strategy applies to `Depth` and `RemoteAddr` strategy only.
+If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
+
+This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
+
+- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
+
+!!! example "Example of ipv6Subnet"
+
+    If `ipv6Subnet` is provided, the IP is transformed in the following way.
+
+    | `IP`                      | `ipv6Subnet` | clientIP              |
+    |---------------------------|--------------|-----------------------|
+    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
+    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
+    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipallowlist
+spec:
+  ipallowlist:
+    sourceCriterion:
+      ipStrategy:
+        ipv6Subnet: 64
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ipallowlist:
+      ipallowlist:
+        sourceCriterion:
+          ipStrategy:
+            ipv6Subnet: 64
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ipallowlist.ipallowlist]
+    [http.middlewares.test-ipallowlist.ipallowlist.sourceCriterion.ipStrategy]
+      ipv6Subnet = 64
+```
--- a/docs/content/middlewares/http/ipwhitelist.md
+++ b/docs/content/middlewares/http/ipwhitelist.md
@@ -81,6 +81,9 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is less than or equal to 0.

+If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
+See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
+
 !!! example "Examples of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
@@ -210,3 +213,60 @@ http:
    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
+
+#### `ipStrategy.ipv6Subnet`
+
+This strategy applies to `Depth` and `RemoteAddr` strategy only.
+If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
+
+This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
+
+- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
+
+!!! example "Example of ipv6Subnet"
+
+    If `ipv6Subnet` is provided, the IP is transformed in the following way.
+
+    | `IP`                      | `ipv6Subnet` | clientIP              |
+    |---------------------------|--------------|-----------------------|
+    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
+    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
+    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ipWhiteList.ipWhiteList.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipWhiteList
+spec:
+  ipWhiteList:
+    sourceCriterion:
+      ipStrategy:
+        ipv6Subnet: 64
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ipWhiteList.ipWhiteList.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ipWhiteList:
+      ipWhiteList:
+        sourceCriterion:
+          ipStrategy:
+            ipv6Subnet: 64
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ipWhiteList.ipWhiteList]
+    [http.middlewares.test-ipWhiteList.ipWhiteList.sourceCriterion.ipStrategy]
+      ipv6Subnet = 64
+```
--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -24,7 +24,7 @@ whoami:
    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```

-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 # As a Kubernetes Traefik IngressRoute
 ---
 apiVersion: traefik.io/v1alpha1
--- a/docs/content/middlewares/http/ratelimit.md
+++ b/docs/content/middlewares/http/ratelimit.md
@@ -211,7 +211,7 @@ If none are set, the default is to use the request's remote address field (as an

 #### `sourceCriterion.ipStrategy`

-The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines three parameters that configures how Traefik determines the client IP: `depth`, `excludedIPs` and `ipv6Subnet`.

 !!! important "As a middleware, rate-limiting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through rate-limiting. Therefore, during rate-limiting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be found and/or relied upon."

@@ -222,6 +222,9 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
 - `depth` is ignored if its value is less than or equal to 0.

+If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
+See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
+
 !!! example "Example of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
@@ -355,6 +358,63 @@ http:
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```

+##### `ipStrategy.ipv6Subnet`
+
+This strategy applies to `Depth` and `RemoteAddr` strategy only.
+If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
+
+This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
+
+- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
+
+!!! example "Example of ipv6Subnet"
+
+    If `ipv6Subnet` is provided, the IP is transformed in the following way.
+
+    | `IP`                      | `ipv6Subnet` | clientIP              |
+    |---------------------------|--------------|-----------------------|
+    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
+    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
+    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  ratelimit:
+    sourceCriterion:
+      ipStrategy:
+        ipv6Subnet: 64
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.ipv6Subnet=64"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      ratelimit:
+        sourceCriterion:
+          ipStrategy:
+            ipv6Subnet: 64
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.ratelimit]
+    [http.middlewares.test-ratelimit.ratelimit.sourceCriterion.ipStrategy]
+      ipv6Subnet = 64
+```
+
 #### `sourceCriterion.requestHeaderName`

 Name of the header used to group incoming requests.
--- a/docs/content/middlewares/http/redirectregex.md
+++ b/docs/content/middlewares/http/redirectregex.md
@@ -84,3 +84,5 @@ The `replacement` option defines how to modify the URL to have the new target UR
 !!! warning

    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/stripprefix.md
+++ b/docs/content/middlewares/http/stripprefix.md
@@ -145,3 +145,5 @@ http:
    prefixes = ["/foobar"]
    forceSlash = false
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -35,7 +35,7 @@ whoami:
    - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
 ```

-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
--- a/docs/content/middlewares/tcp/overview.md
+++ b/docs/content/middlewares/tcp/overview.md
@@ -24,7 +24,7 @@ whoami:
    - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
 ```

-```yaml tab="Kubernetes IngressRoute"
+```yaml tab="IngressRoute"
 # As a Kubernetes Traefik IngressRoute
 ---
 apiVersion: traefik.io/v1alpha1
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -44,7 +44,7 @@ Then any router can refer to an instance of the wanted middleware.
      - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
    ```

-    ```yaml tab="K8s Ingress"
+    ```yaml tab="Ingress"
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
@@ -107,7 +107,7 @@ Then any router can refer to an instance of the wanted middleware.
      - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
    ```

-    ```yaml tab="K8s IngressRoute"
+    ```yaml tab="IngressRoute"
    # The definitions below require the definitions for the Middleware and IngressRoute kinds.
    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.io/v1alpha1
@@ -278,7 +278,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
        ]
    ```

-    ```yaml tab="K8s IngressRoute"
+    ```yaml tab="IngressRoute"
    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.io/v1alpha1
@@ -442,7 +442,7 @@ To apply a redirection:
      traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
    ```

-    ```yaml tab="K8s IngressRoute"
+    ```yaml tab="IngressRoute"
    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
@@ -561,7 +561,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
      - "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"
    ```

-    ```yaml tab="Kubernetes Ingress"
+    ```yaml tab="Ingress"
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
@@ -595,7 +595,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
      - "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
    ```

-    ```yaml tab="Kubernetes IngressRoute"
+    ```yaml tab="IngressRoute"
    ---
    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
--- a/docs/content/migration/v2-to-v3-details.md
+++ b/docs/content/migration/v2-to-v3-details.md
@@ -541,6 +541,19 @@ it is now unsupported and would prevent Traefik to start.

 All Pilot related configuration should be removed from the static configuration.

+### Kubernetes Ingress Path Matching
+
+In v3, the Kubernetes Ingress default path matching does not support regexes anymore.
+
+#### Remediation
+
+Two levels of remediation are possible:
+
+- Interpret the default path matcher `PathPrefix` with v2 syntax.
+This can done globally for all routers with the [static configuration](#configure-the-default-syntax-in-static-configuration) or on a per-router basis by using the [traefik.ingress.kubernetes.io/router.rulesyntax](../routing/providers/kubernetes-ingress.md#annotations) annotation.
+
+- Adapt the path regex to be compatible with the Go regex syntax and change the default path matcher to use the `PathRegexp` matcher with the [`traefik.ingress.kubernetes.io/router.pathmatcher`](../routing/providers/kubernetes-ingress.md#annotations) annotation.
+
 ## Operations Changes

 ### Traefik RBAC Update
@@ -555,6 +568,16 @@ One should use the `ContentType` middleware to enable the `Content-Type` header

 ### Observability

+#### Open Connections Metric
+
+In v3, the open connections metric has been replaced with a global one because it was erroneously at the HTTP level, and providing misleading information.
+While previously produced at the entryPoint, router, and service levels, it is now replaced with a global metric.
+The equivalent to `traefik_entrypoint_open_connections`, `traefik_router_open_connections` and `traefik_service_open_connections` is now `traefik_open_connections`.
+
+#### Configuration Reload Failures Metrics
+
+In v3, the `traefik_config_reloads_failure_total` and `traefik_config_last_reload_failure` metrics have been suppressed since they could not be implemented.
+
 #### gRPC Metrics

 In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.
@@ -591,6 +614,11 @@ Please take a look at the observability documentation for more information:
 - [Metrics](../observability/metrics/overview.md#addinternals)
 - [Tracing](../observability/tracing/overview.md#addinternals)

+#### Access logs
+
+In v3, the `ServiceURL` field is not an object anymore but a string representation.
+An update may be required if you index access logs.
+
 ## Dynamic Configuration Changes

 ### Router Rule Matchers
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -432,7 +432,7 @@ For more advanced use cases, you can use either the [RedirectScheme middleware](

 Following up on the deprecation started [previously](#x509-commonname-deprecation),
 as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
-the legacy behavior related to the CommonName field can not be enabled at all anymore.
+the legacy behavior related to the CommonName field cannot be enabled at all anymore.

 ## v2.5.3 to v2.5.4

@@ -455,7 +455,7 @@ To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](.

 In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/) of the specification and 
 [route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
-Therefore, the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-gateway.md#definitions) definitions must be updated.
+Therefore, the RBAC and CRD definitions must be updated.

 ## v2.6.0 to v2.6.1

@@ -640,3 +640,22 @@ Increasing the `readTimeout` value could be the solution notably if you are deal
 - TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
 - HTTP: `'499 Client Closed Request' caused by: context canceled`
 - HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
+
+## v2.11.3
+
+### Connection headers
+
+In `v2.11.3`, the handling of the request Connection headers directives has changed to prevent any abuse.
+Before, Traefik removed any header listed in the Connection header just before forwarding the request to the backends.
+Now, Traefik removes the headers listed in the Connection header as soon as the request is handled.
+As a consequence, middlewares do not have access to those Connection headers,
+and a new option has been introduced to specify which ones could go through the middleware chain before being removed: `<entrypoint>.forwardedHeaders.connection`.
+
+Please check out the [entrypoint forwarded headers connection option configuration](../routing/entrypoints.md#forwarded-headers) documentation.
+
+## v2.11.14
+
+### X-Forwarded-Prefix
+
+In `v2.11.14`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
+Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
--- a/docs/content/migration/v3.md
+++ b/docs/content/migration/v3.md
@@ -10,9 +10,11 @@ description: "Learn the steps needed to migrate to new Traefik Proxy v3 versions
 ### Kubernetes Provider RBACs

 Starting with v3.1, the Kubernetes Providers now use the [EndpointSlices API](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) (Kubernetes >=v1.21) to discover service endpoint addresses.
+It also brings NodePort load-balancing which requires Nodes resources lookup.

-Therefore, in the corresponding RBACs (see [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example), [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac), and [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) provider RBACs), 
-the `endpoints` right has to be removed and the following `endpointslices` right has to be added.
+Therefore, in the corresponding RBACs (see [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example), [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac), and [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs):
+
+- the `endpoints` right has to be removed and the following `endpointslices` right has to be added:

 ```yaml
  ... 
@@ -26,6 +28,21 @@ the `endpoints` right has to be removed and the following `endpointslices` right
  ...
 ```

+- the `nodes` right has to be added:
+
+```yaml
+  ...
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  ...
+```
+
 #### Gateway API: KubernetesGateway Provider

 In v3.1, the KubernetesGateway Provider is no longer an experimental feature.
@@ -51,3 +68,102 @@ It can be enabled without the associated `experimental.kubernetesgateway` option

 The `kubernetesgateway` option should be removed from the experimental section of the static configuration.
 To configure `kubernetesgateway`, please check out the [KubernetesGateway Provider documentation](../providers/kubernetes-gateway.md).
+
+## v3.1.0 to v3.1.1
+
+### IngressClass Lookup
+
+The Kubernetes Ingress provider option `disableIngressClassLookup` has been deprecated in v3.1.1, and will be removed in the next major version.
+Please use the `disableClusterScopeResources` option instead to avoid cluster scope resources discovery (IngressClass, Nodes).
+
+## v3.1 to v3.2
+
+### Kubernetes CRD Provider
+
+Starting with v3.2, the CRDs has been updated on [TraefikService](../../routing/services#mirroring-service) (PR [#11032](https://github.com/traefik/traefik/pull/11032)), on [RateLimit](../../middlewares/http/ratelimit) & [InFlightReq](../../middlewares/http/inflightreq) middlewares (PR [#9747](https://github.com/traefik/traefik/pull/9747)) and on [Compress](../../middlewares/http/compress) middleware (PR [#10943](https://github.com/traefik/traefik/pull/10943)).
+
+This update adds only new optional fields.
+CRDs can be updated with this command:
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+### Kubernetes Gateway Provider Standard Channel
+
+Starting with v3.2, the Kubernetes Gateway Provider now supports [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/).
+
+Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
+the `grcroutes` and `grpcroutes/status` rights have to be added.
+
+```yaml
+  ...
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - grpcroutes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - grpcroutes/status
+    verbs:
+      - update
+  ...
+```
+
+### Kubernetes Gateway Provider Experimental Channel
+
+!!! warning "Breaking changes"
+
+    Because of a breaking change introduced in Kubernetes Gateway [v1.2.0-rc1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0-rc1),
+    Traefik v3.2 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
+
+Starting with v3.2, the Kubernetes Gateway Provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/).
+
+Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
+the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added.
+
+```yaml
+  ...
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - backendtlspolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - backendtlspolicies/status
+    verbs:
+      - update
+  ...
+```
+
+## v3.2.1
+
+### X-Forwarded-Prefix
+
+In `v3.2.1`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
+Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
+
+## v3.2.2
+
+### Swarm Provider
+
+In `v3.2.2`, the `traefik.docker.network` and `traefik.docker.lbswarm` labels have been deprecated,
+please use the `traefik.swarm.network` and `traefik.swarm.lbswarm` labels instead.
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -67,6 +67,8 @@ accessLog:

 ### `format`

+_Optional, Default="common"_
+
 By default, logs are written using the Common Log Format (CLF).
 To write logs in JSON, use `json` in the `format` option.
 If the given format is unsupported, the default (CLF) is used instead.
@@ -77,6 +79,20 @@ If the given format is unsupported, the default (CLF) is used instead.
    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
    ```

+```yaml tab="File (YAML)"
+accessLog:
+  format: "json"
+```
+
+```toml tab="File (TOML)"
+[accessLog]
+  format = "json"
+```
+
+```bash tab="CLI"
+--accesslog.format=json
+```
+
 ### `bufferingSize`

 To write the logs in an asynchronous fashion, specify a  `bufferingSize` option.
@@ -156,7 +172,8 @@ Each field can be set to:

 - `keep` to keep the value
 - `drop` to drop the value
- `redact` to replace the value with "redacted"
+
+Header fields may also optionally be set to `redact` to replace the value with "REDACTED".

 The `defaultMode` for `fields.names` is `keep`.

@@ -250,6 +267,8 @@ accessLog:
    | `TLSVersion`            | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS).                                                                                         |
    | `TLSCipher`             | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS)                                                           |
    | `TLSClientSubject`      | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`)                                                               |
+    | `TraceId`               | A consistent identifier for tracking requests across services, including upstream ones managed by Traefik, shown as a 32-hex digit string                           |
+    | `SpanId`                | A unique identifier for Traefik’s root span (EntryPoint) within a request trace, formatted as a 16-hex digit string.                                                |

 ## Log Rotation

@@ -275,7 +294,7 @@ version: "3.7"

 services:
  traefik:
-    image: traefik:v3.1
+    image: traefik:v3.2
    environment:
      - TZ=US/Alaska
    command:
@@ -286,3 +305,5 @@ services:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@@ -180,3 +180,5 @@ log:
 ```bash tab="CLI"
 --log.compress=true
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/observability/metrics/datadog.md
+++ b/docs/content/observability/metrics/datadog.md
@@ -27,7 +27,9 @@ _Required, Default="127.0.0.1:8125"_

 Address instructs exporter to send metrics to datadog-agent at this address.

-This address can be a Unix Domain Socket (UDS) address with the following form: `unix:///path/to/datadog.socket`.  
+This address can be a Unix Domain Socket (UDS) in the following format: `unix:///path/to/datadog.socket`.
+When the prefix is set to `unix`, the socket type will be automatically determined. 
+To explicitly define the socket type and avoid automatic detection, you can use the prefixes `unixgram` for `SOCK_DGRAM` (datagram sockets) and `unixstream` for `SOCK_STREAM` (stream sockets), respectively.

 ```yaml tab="File (YAML)"
 metrics:
--- a/docs/content/observability/metrics/opentelemetry.md
+++ b/docs/content/observability/metrics/opentelemetry.md
@@ -139,6 +139,28 @@ metrics:
 --metrics.otlp.pushInterval=10s
 ```

+#### `serviceName`
+
+_Optional, Default="traefik"_
+
+OTEL service name to use.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    serviceName: name
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp]
+    serviceName = "name"
+```
+
+```bash tab="CLI"
+--metrics.otlp.serviceName=name
+```
+
 ### HTTP configuration

 _Optional_
--- a/docs/content/observability/tracing/overview.md
+++ b/docs/content/observability/tracing/overview.md
@@ -85,7 +85,7 @@ tracing:

 ```toml tab="File (TOML)"
 [tracing]
-    sampleRate = 0.2
+  sampleRate = 0.2
 ```

 ```bash tab="CLI"
@@ -107,9 +107,9 @@ tracing:

 ```toml tab="File (TOML)"
 [tracing]
-    [tracing.globalAttributes]
-      attr1 = "foo"
-      attr2 = "bar"
+  [tracing.globalAttributes]
+    attr1 = "foo"
+    attr2 = "bar"
 ```

 ```bash tab="CLI"
@@ -132,7 +132,7 @@ tracing:

 ```toml tab="File (TOML)"
 [tracing]
-    capturedRequestHeaders = ["X-CustomHeader"]
+  capturedRequestHeaders = ["X-CustomHeader"]
 ```

 ```bash tab="CLI"
@@ -154,7 +154,7 @@ tracing:

 ```toml tab="File (TOML)"
 [tracing]
-    capturedResponseHeaders = ["X-CustomHeader"]
+  capturedResponseHeaders = ["X-CustomHeader"]
 ```

 ```bash tab="CLI"
@@ -170,18 +170,16 @@ Defines the list of query parameters to not redact.

 ```yaml tab="File (YAML)"
 tracing:
-  otlp:
-    safeQueryParams:
-      - bar
-      - buz
+  safeQueryParams:
+    - bar
+    - buz
 ```

 ```toml tab="File (TOML)"
 [tracing]
-  [tracing.otlp]
-    safeQueryParams = ["bar", "buz"]
+  safeQueryParams = ["bar", "buz"]
 ```

 ```bash tab="CLI"
--tracing.otlp.safeQueryParams=bar,buz
+--tracing.safeQueryParams=bar,buz
 ```
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -70,7 +70,7 @@ And then define a routing configuration on Traefik itself with the

 ### `insecure`

-Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`.
+Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`, on path `/api`.

 !!! info
    If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080.
@@ -136,6 +136,15 @@ api:

 All the following endpoints must be accessed with a `GET` HTTP request.

+!!! info "Pagination"
+
+    By default, up to 100 results are returned per page, and the next page can be checked using the `X-Next-Page` HTTP Header. 
+    To control pagination, use the `page` and `per_page` query parameters.
+
+    ```bash
+    curl https://traefik.example.com:8080/api/http/routers?page=2&per_page=20
+    ```
+
 | Path                           | Description                                                                                 |
 |--------------------------------|---------------------------------------------------------------------------------------------|
 | `/api/http/routers`            | Lists all the HTTP routers information.                                                     |
@@ -165,3 +174,5 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation.   |
 | `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.     |
 | `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.       |
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/operations/cli.md
+++ b/docs/content/operations/cli.md
@@ -33,7 +33,7 @@ traefik [--flag[=true|false| ]] [-f [true|false| ]]

 All flags are documented in the [(static configuration) CLI reference](../reference/static-configuration/cli.md).

-!!! info "Flags are case insensitive."
+!!! info "Flags are case-insensitive."

 ### `healthcheck`

--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@@ -37,32 +37,15 @@ Start by enabling the dashboard by using the following option from [Traefik's AP
 on the [static configuration](../getting-started/configuration-overview.md#the-static-configuration):

 ```yaml tab="File (YAML)"
-api:
-  # Dashboard
-  #
-  # Optional
-  # Default: true
-  #
-  dashboard: true
+api: {}
 ```

 ```toml tab="File (TOML)"
 [api]
-  # Dashboard
-  #
-  # Optional
-  # Default: true
-  #
-  dashboard = true
 ```

 ```bash tab="CLI"
-# Dashboard
-#
-# Optional
-# Default: true
-#
--api.dashboard=true
+--api=true
 ```

 Then define a routing configuration on Traefik itself,
@@ -106,27 +89,47 @@ rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashb

 ## Insecure Mode

-This mode is not recommended because it does not allow the use of security features.
+When _insecure_ mode is enabled, one can access the dashboard on the `traefik` port (default: `8080`) of the Traefik instance,
+at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).

-To enable the "insecure mode", use the following options from [Traefik's API](./api.md#insecure):
+This mode is **not** recommended because it does not allow security features.
+For example, it is not possible to add an authentication middleware with this mode.
+
+It should be used for testing purpose **only**.
+
+To enable the _insecure_ mode, use the following options from [Traefik's API](./api.md#insecure):

 ```yaml tab="File (YAML)"
 api:
-  dashboard: true
  insecure: true
 ```

 ```toml tab="File (TOML)"
 [api]
-  dashboard = true
  insecure = true
 ```

 ```bash tab="CLI"
--api.dashboard=true --api.insecure=true
+--api.insecure=true
 ```

-You can now access the dashboard on the port `8080` of the Traefik instance,
-at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).
+## Disable The Dashboard
+
+By default, the dashboard is enabled when the API is enabled.
+If necessary, the dashboard can be disabled by using the following option.
+
+```yaml tab="File (YAML)"
+api:
+  dashboard: false
+```
+
+```toml tab="File (TOML)"
+[api]
+  dashboard = false
+```
+
+```bash tab="CLI"
+--api.dashboard=false
+```

 {!traefik-for-business-applications.md!}
--- a/docs/content/plugins/index.md
+++ b/docs/content/plugins/index.md
@@ -30,3 +30,5 @@ They need not be compiled, and no complex toolchain is necessary to build them.
 The experience of implementing a Traefik plugin is comparable to writing a web browser extension.

 To learn more about Traefik plugin creation, please refer to the [developer documentation](https://plugins.traefik.io/create).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@@ -525,7 +525,7 @@ providers:
 ```

 ```bash tab="CLI"
--providers.consulcatalog.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
+--providers.consulcatalog.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
 # ...
 ```

--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -134,6 +134,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
        - Accounting at container level, by exposing the socket on a another container than Traefik's.
        - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
        - SSH public key authentication (SSH is supported with Docker > 18.09)
+        - Authentication using HTTP Basic authentication through an HTTP proxy that exposes the Docker daemon socket.

    ??? info "More Resources and Examples"

@@ -165,7 +166,7 @@ See the [Docker API Access](#docker-api-access) section for more information.

    services:
      traefik:
-         image: traefik:v3.1 # The official v3 Traefik docker image
+         image: traefik:v3.2 # The official v3 Traefik docker image
         ports:
           - "80:80"
         volumes:
@@ -216,6 +217,50 @@ See the [Docker API Access](#docker-api-access) section for more information.
    # ...
    ```

+??? example "Using HTTP"
+
+    Using Docker Engine API you can connect Traefik to remote daemon using HTTP.
+
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        endpoint: "http://127.0.0.1:2375"
+         # ...
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      endpoint = "http://127.0.0.1:2375"
+      # ...
+    ```
+
+    ```bash tab="CLI"
+    --providers.docker.endpoint=http://127.0.0.1:2375
+    # ...
+    ```
+
+??? example "Using TCP"
+
+    Using Docker Engine API you can connect Traefik to remote daemon using TCP.
+
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        endpoint: "tcp://127.0.0.1:2375"
+         # ...
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+      endpoint = "tcp://127.0.0.1:2375"
+      # ...
+    ```
+
+    ```bash tab="CLI"
+    --providers.docker.endpoint=tcp://127.0.0.1:2375
+    # ...
+    ```
+
 ```yaml tab="File (YAML)"
 providers:
  docker:
@@ -231,6 +276,56 @@ providers:
 --providers.docker.endpoint=unix:///var/run/docker.sock
 ```

+### `username`
+
+_Optional, Default=""_
+
+Defines the username for Basic HTTP authentication.
+This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    username: foo
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.docker]
+  username = "foo"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.docker.username="foo"
+# ...
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines the password for Basic HTTP authentication.
+This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    password: foo
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.docker]
+  password = "foo"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.docker.password="foo"
+# ...
+```
+
 ### `useBindPortIP`

 _Optional, Default=false_
@@ -360,7 +455,7 @@ providers:
 ```

 ```bash tab="CLI"
--providers.docker.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
+--providers.docker.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
 # ...
 ```

--- a/docs/content/providers/ecs.md
+++ b/docs/content/providers/ecs.md
@@ -283,7 +283,7 @@ providers:
 ```

 ```bash tab="CLI"
--providers.ecs.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
+--providers.ecs.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
 # ...
 ```

--- a/docs/content/providers/http.md
+++ b/docs/content/providers/http.md
@@ -84,8 +84,9 @@ Defines custom headers to be sent to the endpoint.

 ```yaml tab="File (YAML)"
 providers:
-  headers:
-    name: value
+  http:
+    headers:
+      name: value
 ```

 ```toml tab="File (TOML)"
@@ -95,6 +96,7 @@ providers:

 ```bash tab="CLI"
 --providers.http.headers.name=value
+```

 ### `tls`

--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -31,10 +31,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku

    ```bash
    # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
    
    # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
    ```

 ## Resource Configuration
--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@@ -5,14 +5,14 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf

 # Traefik & Kubernetes with Gateway API

-The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/) 
+The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specification from the Kubernetes Special Interest Groups (SIGs).

-This provider supports version [v1.1.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.1.0) of the Gateway API specification. 
+This provider supports Standard version [v1.2.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0) of the Gateway API specification. 

 It fully supports all HTTP core and some extended features, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).

-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.1.0/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.2.0/traefik-traefik).

 ## Requirements

@@ -20,21 +20,21 @@ For more details, check out the conformance [report](https://github.com/kubernet

 !!! info "Helm Chart"

-    When using the Traefik [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you. 
+    When using the Traefik [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you.
    The only remaining task is to enable the `kubernetesGateway` in the chart [values](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L130).

 1. Install/update the Kubernetes Gateway API CRDs.

    ```bash
-    # Install Gateway API CRDs from the Experimental channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/experimental-install.yaml
+    # Install Gateway API CRDs from the Standard channel.
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml
    ```
-    
-2. Install/update the Traefik [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac).
+
+2. Install the additional Traefik RBAC required for Gateway API.

    ```bash
    # Install Traefik RBACs.
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
    ```

 3. Deploy Traefik and enable the `kubernetesGateway` provider in the static configuration as detailed below:
@@ -54,9 +54,9 @@ For more details, check out the conformance [report](https://github.com/kubernet

 ## Routing Configuration

-When using the Kubernetes Gateway API provider, Traefik uses the Gateway API CRDs to retrieve its routing configuration. 
-Check out the Gateway API concepts [documentation](https://gateway-api.sigs.k8s.io/concepts/api-overview/), 
-and the dedicated [routing section](../routing/providers/kubernetes-gateway.md) in the Traefik documentation. 
+When using the Kubernetes Gateway API provider, Traefik uses the Gateway API CRDs to retrieve its routing configuration.
+Check out the Gateway API concepts [documentation](https://gateway-api.sigs.k8s.io/concepts/api-overview/),
+and the dedicated [routing section](../routing/providers/kubernetes-gateway.md) in the Traefik documentation.

 ## Provider Configuration

@@ -269,6 +269,15 @@ providers:
 --providers.kubernetesgateway.experimentalchannel=true
 ```

+!!! info "Experimental Channel"
+
+    When enabling experimental channel resources support, the experimental CRDs (Custom Resource Definitions) needs to be deployed too.
+
+    ```bash
+    # Install Gateway API CRDs from the Experimental channel.
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/experimental-install.yaml
+    ```
+
 ### `labelselector`

 _Optional, Default: ""_
@@ -295,6 +304,30 @@ providers:
 --providers.kubernetesgateway.labelselector="app=traefik"
 ```

+### `nativeLBByDefault`
+
+_Optional, Default: false_
+
+Defines whether to use Native Kubernetes load-balancing mode by default.
+For more information, please check out the `traefik.io/service.nativelb` [service annotation documentation](../routing/providers/kubernetes-gateway.md#native-load-balancing).
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    nativeLBByDefault: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  nativeLBByDefault = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.nativeLBByDefault=true
+```
+
 ### `throttleDuration`

 _Optional, Default: 0_
--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -287,6 +287,11 @@ providers:

 _Optional, Default: false_

+??? warning "Deprecated"
+
+    The Kubernetes Ingress provider option `disableIngressClassLookup` has been deprecated in v3.1, and will be removed in the next major version.
+	Please use the `disableClusterScopeResources` option instead.
+
 If the parameter is set to `true`,
 Traefik will not discover IngressClasses in the cluster.
 By doing so, it alleviates the requirement of giving Traefik the rights to look IngressClasses up.
@@ -312,6 +317,33 @@ providers:
 --providers.kubernetesingress.disableingressclasslookup=true
 ```

+### `disableClusterScopeResources`
+
+_Optional, Default: false_
+
+When this parameter is set to `true`,
+Traefik will not discover cluster scope resources (`IngressClass` and `Nodes`).
+By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.
+Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).
+This will also prevent from using the `NodePortLB` options on services.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    disableClusterScopeResources: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  disableClusterScopeResources = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.disableClusterScopeResources=true
+```
+
 ### `ingressEndpoint`

 #### `hostname`
@@ -494,6 +526,6 @@ providers:
 ### Further

 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.1/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.2/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

 {!traefik-for-business-applications.md!}
--- a/docs/content/providers/nomad.md
+++ b/docs/content/providers/nomad.md
@@ -56,6 +56,8 @@ _Optional, Default=15s_

 Defines the polling interval.

+!!! note "This option is ignored when the [watch](#watch) mode is enabled."
+
 ```yaml tab="File (YAML)"
 providers:
  nomad:
@@ -74,6 +76,62 @@ providers:
 # ...
 ```

+### `watch`
+
+_Optional, Default=false_
+
+Enables the watch mode to refresh the configuration on a per-event basis.
+
+```yaml tab="File (YAML)"
+providers:
+  nomad:
+    watch: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.nomad]
+  watch = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.nomad.watch
+# ...
+```
+
+### `throttleDuration`
+
+_Optional, Default=0s_
+
+The `throttleDuration` option defines how often the provider is allowed to handle service events from Nomad.
+This prevents a Nomad cluster that updates many times per second from continuously changing your Traefik configuration.
+
+If left empty, the provider does not apply any throttling and does not drop any Nomad service events.
+
+The value of `throttleDuration` should be provided in seconds or as a valid duration format,
+see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
+
+!!! warning "This option is only compatible with the [watch](#watch) mode."
+
+```yaml tab="File (YAML)"
+providers:
+  nomad:
+    throttleDuration: 2s
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.nomad]
+  throttleDuration = "2s"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.nomad.throttleDuration=2s
+# ...
+```
+
 ### `prefix`

 _required, Default="traefik"_
@@ -374,7 +432,7 @@ providers:
 ```

 ```bash tab="CLI"
--providers.nomad.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
+--providers.nomad.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
 # ...
 ```

--- a/docs/content/providers/overview.md
+++ b/docs/content/providers/overview.md
@@ -81,7 +81,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
        - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
    ```

-    ```yaml tab="Kubernetes Ingress Route"
+    ```yaml tab="IngressRoute"
    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
@@ -103,7 +103,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
            # when the cross-provider syntax is used.
    ```

-    ```yaml tab="Kubernetes Ingress"
+    ```yaml tab="Ingress"
    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
--- a/docs/content/providers/swarm.md
+++ b/docs/content/providers/swarm.md
@@ -151,6 +151,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
          It allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
        - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
        - SSH public key authentication (SSH is supported with Docker > 18.09)
+        - Authentication using HTTP Basic authentication through an HTTP proxy that exposes the Docker daemon socket.

    ??? info "More Resources and Examples"

@@ -211,7 +212,7 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati

    services:
      traefik:
-         image: traefik:v3.1 # The official v3 Traefik docker image
+         image: traefik:v3.2 # The official v3 Traefik docker image
         ports:
           - "80:80"
         volumes:
@@ -246,7 +247,7 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati

    ```yaml tab="File (YAML)"
    providers:
-      docker:
+      swarm:
        endpoint: "ssh://traefik@192.168.2.5:2022"
         # ...
    ```
@@ -262,6 +263,50 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
    # ...
    ```

+??? example "Using HTTP"
+
+    Using Docker Engine API you can connect Traefik to remote daemon using HTTP.
+
+    ```yaml tab="File (YAML)"
+    providers:
+      swarm:
+        endpoint: "http://127.0.0.1:2375"
+         # ...
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.swarm]
+      swarm = "http://127.0.0.1:2375"
+      # ...
+    ```
+
+    ```bash tab="CLI"
+    --providers.swarm.endpoint=http://127.0.0.1:2375
+    # ...
+    ```
+
+??? example "Using TCP"
+
+    Using Docker Engine API you can connect Traefik to remote daemon using TCP.
+
+    ```yaml tab="File (YAML)"
+    providers:
+      swarm:
+        endpoint: "tcp://127.0.0.1:2375"
+         # ...
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.swarm]
+      swarm = "tcp://127.0.0.1:2375"
+      # ...
+    ```
+
+    ```bash tab="CLI"
+    --providers.swarm.endpoint=tcp://127.0.0.1:2375
+    # ...
+    ```
+
 ```yaml tab="File (YAML)"
 providers:
  swarm:
@@ -277,6 +322,56 @@ providers:
 --providers.swarm.endpoint=unix:///var/run/docker.sock
 ```

+### `username`
+
+_Optional, Default=""_
+
+Defines the username for Basic HTTP authentication.
+This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
+
+```yaml tab="File (YAML)"
+providers:
+  swarm:
+    username: foo
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.swarm]
+  username = "foo"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.swarm.username="foo"
+# ...
+```
+
+### `password`
+
+_Optional, Default=""_
+
+Defines the password for Basic HTTP authentication.
+This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
+
+```yaml tab="File (YAML)"
+providers:
+  swarm:
+    password: foo
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.swarm]
+  password = "foo"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.swarm.password="foo"
+# ...
+```
+
 ### `useBindPortIP`

 _Optional, Default=false_
@@ -360,7 +455,10 @@ _Optional, Default=""_

 Defines a default docker network to use for connections to all containers.

-This option can be overridden on a per-container basis with the `traefik.docker.network` label.
+This option can be overridden on a per-container basis with the `traefik.docker.network` [routing label](../routing/providers/swarm.md#traefikdockernetwork).
+
+!!! warning
+    The Docker Swarm provider still uses the same per-container mechanism as the Docker provider, so therefore the label still uses the `docker` keyword intentionally.

 ```yaml tab="File (YAML)"
 providers:
@@ -405,7 +503,7 @@ providers:
 ```

 ```bash tab="CLI"
--providers.swarm.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
+--providers.swarm.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
 # ...
 ```

--- a/docs/content/reference/dynamic-configuration/consul-catalog.md
+++ b/docs/content/reference/dynamic-configuration/consul-catalog.md
@@ -8,7 +8,7 @@ description: "View the reference for performing dynamic configurations with Trae
 Dynamic configuration with Consul Catalog
 {: .subtitle }

-The labels are case insensitive.
+The labels are case-insensitive.

 ```yaml
 --8<-- "content/reference/dynamic-configuration/consul-catalog.yml"
--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@@ -19,6 +19,7 @@
 - "traefik.http.middlewares.middleware05.circuitbreaker.responsecode=42"
 - "traefik.http.middlewares.middleware06.compress=true"
 - "traefik.http.middlewares.middleware06.compress.defaultencoding=foobar"
+- "traefik.http.middlewares.middleware06.compress.encodings=foobar, foobar"
 - "traefik.http.middlewares.middleware06.compress.excludedcontenttypes=foobar, foobar"
 - "traefik.http.middlewares.middleware06.compress.includedcontenttypes=foobar, foobar"
 - "traefik.http.middlewares.middleware06.compress.minresponsebodybytes=42"
@@ -37,6 +38,7 @@
 - "traefik.http.middlewares.middleware10.forwardauth.authrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.authresponseheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.authresponseheadersregex=foobar"
+- "traefik.http.middlewares.middleware10.forwardauth.headerfield=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.ca=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.cert=foobar"
@@ -83,15 +85,18 @@
 - "traefik.http.middlewares.middleware13.ipallowlist.ipstrategy=true"
 - "traefik.http.middlewares.middleware13.ipallowlist.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware13.ipallowlist.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware13.ipallowlist.ipstrategy.ipv6subnet=42"
 - "traefik.http.middlewares.middleware13.ipallowlist.rejectstatuscode=42"
 - "traefik.http.middlewares.middleware13.ipallowlist.sourcerange=foobar, foobar"
 - "traefik.http.middlewares.middleware14.ipwhitelist.ipstrategy=true"
 - "traefik.http.middlewares.middleware14.ipwhitelist.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware14.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware14.ipwhitelist.ipstrategy.ipv6subnet=42"
 - "traefik.http.middlewares.middleware14.ipwhitelist.sourcerange=foobar, foobar"
 - "traefik.http.middlewares.middleware15.inflightreq.amount=42"
 - "traefik.http.middlewares.middleware15.inflightreq.sourcecriterion.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware15.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware15.inflightreq.sourcecriterion.ipstrategy.ipv6subnet=42"
 - "traefik.http.middlewares.middleware15.inflightreq.sourcecriterion.requestheadername=foobar"
 - "traefik.http.middlewares.middleware15.inflightreq.sourcecriterion.requesthost=true"
 - "traefik.http.middlewares.middleware16.passtlsclientcert.info.issuer.commonname=true"
@@ -123,6 +128,7 @@
 - "traefik.http.middlewares.middleware18.ratelimit.period=42s"
 - "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.ipv6subnet=42"
 - "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.requestheadername=foobar"
 - "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.requesthost=true"
 - "traefik.http.middlewares.middleware19.redirectregex.permanent=true"
--- a/docs/content/reference/dynamic-configuration/ecs.md
+++ b/docs/content/reference/dynamic-configuration/ecs.md
@@ -8,7 +8,7 @@ description: "Learn how to do dynamic configuration in Traefik Proxy with AWS EC
 Dynamic configuration with ECS provider
 {: .subtitle }

-The labels are case insensitive.
+The labels are case-insensitive.

 ```yaml
 --8<-- "content/reference/dynamic-configuration/ecs.yml"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@@ -59,10 +59,12 @@
        [[http.services.Service02.loadBalancer.servers]]
          url = "foobar"
          weight = 42
+          preservePath = true

        [[http.services.Service02.loadBalancer.servers]]
          url = "foobar"
          weight = 42
+          preservePath = true
        [http.services.Service02.loadBalancer.healthCheck]
          scheme = "foobar"
          mode = "foobar"
@@ -82,6 +84,7 @@
    [http.services.Service03]
      [http.services.Service03.mirroring]
        service = "foobar"
+        mirrorBody = true
        maxBodySize = 42

        [[http.services.Service03.mirroring.mirrors]]
@@ -143,6 +146,7 @@
        excludedContentTypes = ["foobar", "foobar"]
        includedContentTypes = ["foobar", "foobar"]
        minResponseBodyBytes = 42
+        encodings = ["foobar", "foobar"]
        defaultEncoding = "foobar"
    [http.middlewares.Middleware07]
      [http.middlewares.Middleware07.contentType]
@@ -167,6 +171,7 @@
        authResponseHeadersRegex = "foobar"
        authRequestHeaders = ["foobar", "foobar"]
        addAuthCookiesToResponse = ["foobar", "foobar"]
+        headerField = "foobar"
        [http.middlewares.Middleware10.forwardAuth.tls]
          ca = "foobar"
          cert = "foobar"
@@ -224,12 +229,14 @@
        [http.middlewares.Middleware13.ipAllowList.ipStrategy]
          depth = 42
          excludedIPs = ["foobar", "foobar"]
+          ipv6Subnet = 42
    [http.middlewares.Middleware14]
      [http.middlewares.Middleware14.ipWhiteList]
        sourceRange = ["foobar", "foobar"]
        [http.middlewares.Middleware14.ipWhiteList.ipStrategy]
          depth = 42
          excludedIPs = ["foobar", "foobar"]
+          ipv6Subnet = 42
    [http.middlewares.Middleware15]
      [http.middlewares.Middleware15.inFlightReq]
        amount = 42
@@ -239,6 +246,7 @@
          [http.middlewares.Middleware15.inFlightReq.sourceCriterion.ipStrategy]
            depth = 42
            excludedIPs = ["foobar", "foobar"]
+            ipv6Subnet = 42
    [http.middlewares.Middleware16]
      [http.middlewares.Middleware16.passTLSClientCert]
        pem = true
@@ -283,6 +291,7 @@
          [http.middlewares.Middleware18.rateLimit.sourceCriterion.ipStrategy]
            depth = 42
            excludedIPs = ["foobar", "foobar"]
+            ipv6Subnet = 42
    [http.middlewares.Middleware19]
      [http.middlewares.Middleware19.redirectRegex]
        regex = "foobar"
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@@ -66,8 +66,10 @@ http:
        servers:
          - url: foobar
            weight: 42
+            preservePath: true
          - url: foobar
            weight: 42
+            preservePath: true
        healthCheck:
          scheme: foobar
          mode: foobar
@@ -89,6 +91,7 @@ http:
    Service03:
      mirroring:
        service: foobar
+        mirrorBody: true
        maxBodySize: 42
        mirrors:
          - name: foobar
@@ -152,6 +155,9 @@ http:
          - foobar
          - foobar
        minResponseBodyBytes: 42
+        encodings:
+          - foobar
+          - foobar
        defaultEncoding: foobar
    Middleware07:
      contentType:
@@ -192,6 +198,7 @@ http:
        addAuthCookiesToResponse:
          - foobar
          - foobar
+        headerField: foobar
    Middleware11:
      grpcWeb:
        allowOrigins:
@@ -262,6 +269,7 @@ http:
          excludedIPs:
            - foobar
            - foobar
+          ipv6Subnet: 42
        rejectStatusCode: 42
    Middleware14:
      ipWhiteList:
@@ -273,6 +281,7 @@ http:
          excludedIPs:
            - foobar
            - foobar
+          ipv6Subnet: 42
    Middleware15:
      inFlightReq:
        amount: 42
@@ -282,6 +291,7 @@ http:
            excludedIPs:
              - foobar
              - foobar
+            ipv6Subnet: 42
          requestHeaderName: foobar
          requestHost: true
    Middleware16:
@@ -328,6 +338,7 @@ http:
            excludedIPs:
              - foobar
              - foobar
+            ipv6Subnet: 42
          requestHeaderName: foobar
          requestHost: true
    Middleware19:
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: ingressroutes.traefik.io
 spec:
  group: traefik.io
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -63,12 +63,12 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule
                      type: string
                    middlewares:
                      description: |-
                        Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middleware
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -88,7 +88,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority
                      type: integer
                    services:
                      description: |-
@@ -229,7 +229,7 @@ spec:
                          sticky:
                            description: |-
                              Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -277,7 +277,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax
                      type: string
                  required:
                  - kind
@@ -287,18 +287,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -317,17 +317,17 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
                    properties:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                    required:
                    - name
@@ -344,12 +344,12 @@ spec:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                    required:
                    - name
@@ -369,7 +369,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: ingressroutetcps.traefik.io
 spec:
  group: traefik.io
@@ -409,7 +409,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -422,7 +422,7 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -446,7 +446,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
@@ -487,7 +487,7 @@ spec:
                          proxyProtocol:
                            description: |-
                              ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.1/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
@@ -507,7 +507,7 @@ spec:
                              hence fully terminating the connection.
                              It is a duration in milliseconds, defaulting to 100.
                              A negative value means an infinite deadline (i.e. the reading capability is never closed).
-                              Deprecated: TerminationDelay is not supported APIVersion traefik.io/v1, please use ServersTransport to configure the TerminationDelay instead.
+                              Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.
                            type: integer
                          tls:
                            description: TLS determines whether to use TLS when dialing
@@ -525,7 +525,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1
                      type: string
                  required:
                  - match
@@ -534,18 +534,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -564,7 +564,7 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
@@ -616,7 +616,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: ingressrouteudps.traefik.io
 spec:
  group: traefik.io
@@ -656,7 +656,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -727,7 +727,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: middlewares.traefik.io
 spec:
  group: traefik.io
@@ -743,7 +743,7 @@ spec:
      openAPIV3Schema:
        description: |-
          Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/overview/
        properties:
          apiVersion:
            description: |-
@@ -769,7 +769,7 @@ spec:
                description: |-
                  AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/
                properties:
                  prefix:
                    description: |-
@@ -781,12 +781,12 @@ spec:
                description: |-
                  BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -807,7 +807,7 @@ spec:
                description: |-
                  Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytes
                properties:
                  maxRequestBodyBytes:
                    description: |-
@@ -839,14 +839,14 @@ spec:
                    description: |-
                      RetryExpression defines the retry conditions.
                      It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpression
                    type: string
                type: object
              chain:
                description: |-
                  Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/chain/
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -904,14 +904,20 @@ spec:
              compress:
                description: |-
                  Compress holds the compress middleware configuration.
-                  This middleware compresses responses before sending them to the client, using gzip compression.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/compress/
+                  This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/compress/
                properties:
                  defaultEncoding:
                    description: DefaultEncoding specifies the default encoding if
                      the `Accept-Encoding` header is not in the request or contains
                      a wildcard (`*`).
                    type: string
+                  encodings:
+                    description: Encodings defines the list of supported compression
+                      algorithms.
+                    items:
+                      type: string
+                    type: array
                  excludedContentTypes:
                    description: |-
                      ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.
@@ -948,12 +954,12 @@ spec:
                description: |-
                  DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -973,7 +979,7 @@ spec:
                description: |-
                  ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/
                properties:
                  query:
                    description: |-
@@ -983,7 +989,7 @@ spec:
                  service:
                    description: |-
                      Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/#service
                    properties:
                      healthCheck:
                        description: Healthcheck defines health checks for ExternalName
@@ -1116,7 +1122,7 @@ spec:
                      sticky:
                        description: |-
                          Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -1174,7 +1180,7 @@ spec:
                description: |-
                  ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/
                properties:
                  addAuthCookiesToResponse:
                    description: AddAuthCookiesToResponse defines the list of cookies
@@ -1202,7 +1208,7 @@ spec:
                  authResponseHeadersRegex:
                    description: |-
                      AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
                    type: string
                  tls:
                    description: TLS defines the configuration used to secure the
@@ -1249,7 +1255,7 @@ spec:
                description: |-
                  Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheaders
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -1420,7 +1426,7 @@ spec:
                description: |-
                  InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/
                properties:
                  amount:
                    description: |-
@@ -1433,12 +1439,12 @@ spec:
                      SourceCriterion defines what criterion is used to group requests as originating from a common source.
                      If several strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterion
                    properties:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1452,6 +1458,12 @@ spec:
                            items:
                              type: string
                            type: array
+                          ipv6Subnet:
+                            description: IPv6Subnet configures Traefik to consider
+                              all IPv6 addresses from the defined subnet as originating
+                              from the same IP. Applies to RemoteAddrStrategy and
+                              DepthStrategy.
+                            type: integer
                        type: object
                      requestHeaderName:
                        description: RequestHeaderName defines the name of the header
@@ -1467,12 +1479,12 @@ spec:
                description: |-
                  IPAllowList holds the IP allowlist middleware configuration.
                  This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/
                properties:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -1485,6 +1497,11 @@ spec:
                        items:
                          type: string
                        type: array
+                      ipv6Subnet:
+                        description: IPv6Subnet configures Traefik to consider all
+                          IPv6 addresses from the defined subnet as originating from
+                          the same IP. Applies to RemoteAddrStrategy and DepthStrategy.
+                        type: integer
                    type: object
                  rejectStatusCode:
                    description: |-
@@ -1504,7 +1521,7 @@ spec:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -1517,6 +1534,11 @@ spec:
                        items:
                          type: string
                        type: array
+                      ipv6Subnet:
+                        description: IPv6Subnet configures Traefik to consider all
+                          IPv6 addresses from the defined subnet as originating from
+                          the same IP. Applies to RemoteAddrStrategy and DepthStrategy.
+                        type: integer
                    type: object
                  sourceRange:
                    description: SourceRange defines the set of allowed IPs (or ranges
@@ -1529,7 +1551,7 @@ spec:
                description: |-
                  PassTLSClientCert holds the pass TLS client cert middleware configuration.
                  This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -1638,7 +1660,7 @@ spec:
                description: |-
                  RateLimit holds the rate limit configuration.
                  This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ratelimit/
                properties:
                  average:
                    description: |-
@@ -1671,7 +1693,7 @@ spec:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1685,6 +1707,12 @@ spec:
                            items:
                              type: string
                            type: array
+                          ipv6Subnet:
+                            description: IPv6Subnet configures Traefik to consider
+                              all IPv6 addresses from the defined subnet as originating
+                              from the same IP. Applies to RemoteAddrStrategy and
+                              DepthStrategy.
+                            type: integer
                        type: object
                      requestHeaderName:
                        description: RequestHeaderName defines the name of the header
@@ -1700,7 +1728,7 @@ spec:
                description: |-
                  RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regex
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1719,7 +1747,7 @@ spec:
                description: |-
                  RedirectScheme holds the redirect scheme middleware configuration.
                  This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1736,7 +1764,7 @@ spec:
                description: |-
                  ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -1747,7 +1775,7 @@ spec:
                description: |-
                  ReplacePathRegex holds the replace path regex middleware configuration.
                  This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -1763,7 +1791,7 @@ spec:
                  Retry holds the retry middleware configuration.
                  This middleware reissues requests a given number of times to a backend server if that server does not reply.
                  As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
@@ -1785,7 +1813,7 @@ spec:
                description: |-
                  StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/
                properties:
                  forceSlash:
                    description: |-
@@ -1804,7 +1832,7 @@ spec:
                description: |-
                  StripPrefixRegex holds the strip prefix regex middleware configuration.
                  This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
@@ -1825,7 +1853,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: middlewaretcps.traefik.io
 spec:
  group: traefik.io
@@ -1841,7 +1869,7 @@ spec:
      openAPIV3Schema:
        description: |-
          MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.1/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/
        properties:
          apiVersion:
            description: |-
@@ -1877,7 +1905,7 @@ spec:
                description: |-
                  IPAllowList defines the IPAllowList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -1891,7 +1919,7 @@ spec:
                  IPWhiteList defines the IPWhiteList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
                  Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -1912,7 +1940,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: serverstransports.traefik.io
 spec:
  group: traefik.io
@@ -1930,7 +1958,7 @@ spec:
          ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1
        properties:
          apiVersion:
            description: |-
@@ -2051,7 +2079,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: serverstransporttcps.traefik.io
 spec:
  group: traefik.io
@@ -2069,7 +2097,7 @@ spec:
          ServersTransportTCP is the CRD implementation of a TCPServersTransport.
          If no tcpServersTransport is specified, a default one named default@internal will be used.
          The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3
        properties:
          apiVersion:
            description: |-
@@ -2171,7 +2199,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: tlsoptions.traefik.io
 spec:
  group: traefik.io
@@ -2187,7 +2215,7 @@ spec:
      openAPIV3Schema:
        description: |-
          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
        properties:
          apiVersion:
            description: |-
@@ -2212,14 +2240,14 @@ spec:
              alpnProtocols:
                description: |-
                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocols
                items:
                  type: string
                type: array
              cipherSuites:
                description: |-
                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suites
                items:
                  type: string
                type: array
@@ -2247,7 +2275,7 @@ spec:
              curvePreferences:
                description: |-
                  CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferences
                items:
                  type: string
                type: array
@@ -2285,7 +2313,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: tlsstores.traefik.io
 spec:
  group: traefik.io
@@ -2303,7 +2331,7 @@ spec:
          TLSStore is the CRD implementation of a Traefik TLS Store.
          For the time being, only the TLSStore named default is supported.
          This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.1/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-stores
        properties:
          apiVersion:
            description: |-
@@ -2382,7 +2410,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: traefikservices.traefik.io
 spec:
  group: traefik.io
@@ -2401,7 +2429,7 @@ spec:
          TraefikService object allows to:
          - Apply weight to Services on load-balancing
          - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikservice
        properties:
          apiVersion:
            description: |-
@@ -2500,6 +2528,11 @@ spec:
                      Default value is -1, which means unlimited size.
                    format: int64
                    type: integer
+                  mirrorBody:
+                    description: |-
+                      MirrorBody defines whether the body of the request should be mirrored.
+                      Default value is true.
+                    type: boolean
                  mirrors:
                    description: Mirrors defines the list of mirrors where Traefik
                      will duplicate the traffic.
@@ -2642,7 +2675,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2749,7 +2782,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -2932,7 +2965,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2979,7 +3012,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
@@ -63,6 +63,7 @@ spec:
  mirroring:
    name: wrr2
    kind: TraefikService
+    mirrorBody: true
    # Optional
    maxBodySize: 2000000000
    mirrors:
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
@@ -16,6 +16,7 @@ rules:
    resources:
      - services
      - secrets
+      - configmaps
    verbs:
      - get
      - list
@@ -33,9 +34,11 @@ rules:
      - gatewayclasses
      - gateways
      - httproutes
-      - referencegrants
+      - grpcroutes
      - tcproutes
      - tlsroutes
+      - referencegrants
+      - backendtlspolicies
    verbs:
      - get
      - list
@@ -46,8 +49,11 @@ rules:
      - gatewayclasses/status
      - gateways/status
      - httproutes/status
+      - grpcroutes/status
      - tcproutes/status
      - tlsroutes/status
+      - referencegrants/status
+      - backendtlspolicies/status
    verbs:
      - update

--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
@@ -25,7 +25,7 @@ spec:
      serviceAccountName: traefik-controller
      containers:
        - name: traefik
-          image: traefik:v3.1
+          image: traefik:v3.2
          args:
            - --entryPoints.web.address=:80
            - --entryPoints.websecure.address=:443
--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ b/docs/content/reference/dynamic-configuration/kv-ref.md
@@ -22,6 +22,8 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware05/circuitBreaker/recoveryDuration` | `42s` |
 | `traefik/http/middlewares/Middleware05/circuitBreaker/responseCode` | `42` |
 | `traefik/http/middlewares/Middleware06/compress/defaultEncoding` | `foobar` |
+| `traefik/http/middlewares/Middleware06/compress/encodings/0` | `foobar` |
+| `traefik/http/middlewares/Middleware06/compress/encodings/1` | `foobar` |
 | `traefik/http/middlewares/Middleware06/compress/excludedContentTypes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware06/compress/excludedContentTypes/1` | `foobar` |
 | `traefik/http/middlewares/Middleware06/compress/includedContentTypes/0` | `foobar` |
@@ -46,6 +48,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeadersRegex` | `foobar` |
+| `traefik/http/middlewares/Middleware10/forwardAuth/headerField` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/ca` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/caOptional` | `true` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/cert` | `foobar` |
@@ -100,18 +103,21 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/depth` | `42` |
 | `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/excludedIPs/0` | `foobar` |
 | `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/excludedIPs/1` | `foobar` |
+| `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/ipv6Subnet` | `42` |
 | `traefik/http/middlewares/Middleware13/ipAllowList/rejectStatusCode` | `42` |
 | `traefik/http/middlewares/Middleware13/ipAllowList/sourceRange/0` | `foobar` |
 | `traefik/http/middlewares/Middleware13/ipAllowList/sourceRange/1` | `foobar` |
 | `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/depth` | `42` |
 | `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/excludedIPs/0` | `foobar` |
 | `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/excludedIPs/1` | `foobar` |
+| `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/ipv6Subnet` | `42` |
 | `traefik/http/middlewares/Middleware14/ipWhiteList/sourceRange/0` | `foobar` |
 | `traefik/http/middlewares/Middleware14/ipWhiteList/sourceRange/1` | `foobar` |
 | `traefik/http/middlewares/Middleware15/inFlightReq/amount` | `42` |
 | `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/depth` | `42` |
 | `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
 | `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/1` | `foobar` |
+| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/ipv6Subnet` | `42` |
 | `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/requestHeaderName` | `foobar` |
 | `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/requestHost` | `true` |
 | `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/commonName` | `true` |
@@ -144,6 +150,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/depth` | `42` |
 | `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
 | `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/1` | `foobar` |
+| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/ipv6Subnet` | `42` |
 | `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/requestHeaderName` | `foobar` |
 | `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/requestHost` | `true` |
 | `traefik/http/middlewares/Middleware19/redirectRegex/permanent` | `true` |
@@ -249,8 +256,10 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/services/Service02/loadBalancer/healthCheck/timeout` | `42s` |
 | `traefik/http/services/Service02/loadBalancer/passHostHeader` | `true` |
 | `traefik/http/services/Service02/loadBalancer/responseForwarding/flushInterval` | `42s` |
+| `traefik/http/services/Service02/loadBalancer/servers/0/preservePath` | `true` |
 | `traefik/http/services/Service02/loadBalancer/servers/0/url` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/servers/0/weight` | `42` |
+| `traefik/http/services/Service02/loadBalancer/servers/1/preservePath` | `true` |
 | `traefik/http/services/Service02/loadBalancer/servers/1/url` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/servers/1/weight` | `42` |
 | `traefik/http/services/Service02/loadBalancer/serversTransport` | `foobar` |
@@ -261,6 +270,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/secure` | `true` |
 | `traefik/http/services/Service03/mirroring/healthCheck` | `` |
 | `traefik/http/services/Service03/mirroring/maxBodySize` | `42` |
+| `traefik/http/services/Service03/mirroring/mirrorBody` | `true` |
 | `traefik/http/services/Service03/mirroring/mirrors/0/name` | `foobar` |
 | `traefik/http/services/Service03/mirroring/mirrors/0/percent` | `42` |
 | `traefik/http/services/Service03/mirroring/mirrors/1/name` | `foobar` |
--- a/docs/content/reference/dynamic-configuration/nomad.md
+++ b/docs/content/reference/dynamic-configuration/nomad.md
@@ -8,7 +8,7 @@ description: "View the reference for performing dynamic configurations with Trae
 Dynamic configuration with Nomad Service Discovery
 {: .subtitle }

-The labels are case insensitive.
+The labels are case-insensitive.

 ```yaml
 --8<-- "content/reference/dynamic-configuration/nomad.yml"
--- a/docs/content/reference/dynamic-configuration/rancher.md
+++ b/docs/content/reference/dynamic-configuration/rancher.md
--- a/docs/content/reference/dynamic-configuration/swarm.yml
+++ b/docs/content/reference/dynamic-configuration/swarm.yml
@@ -1,3 +1,3 @@
 - "traefik.enable=true"
- "traefik.docker.network=foobar"
- "traefik.docker.lbswarm=true"
+- "traefik.swarm.network=foobar"
+- "traefik.swarm.lbswarm=true"
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: ingressroutes.traefik.io
 spec:
  group: traefik.io
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -63,12 +63,12 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule
                      type: string
                    middlewares:
                      description: |-
                        Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middleware
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -88,7 +88,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority
                      type: integer
                    services:
                      description: |-
@@ -229,7 +229,7 @@ spec:
                          sticky:
                            description: |-
                              Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -277,7 +277,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax
                      type: string
                  required:
                  - kind
@@ -287,18 +287,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -317,17 +317,17 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
                    properties:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                    required:
                    - name
@@ -344,12 +344,12 @@ spec:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                    required:
                    - name
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: ingressroutetcps.traefik.io
 spec:
  group: traefik.io
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -56,7 +56,7 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -80,7 +80,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
@@ -121,7 +121,7 @@ spec:
                          proxyProtocol:
                            description: |-
                              ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.1/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
@@ -141,7 +141,7 @@ spec:
                              hence fully terminating the connection.
                              It is a duration in milliseconds, defaulting to 100.
                              A negative value means an infinite deadline (i.e. the reading capability is never closed).
-                              Deprecated: TerminationDelay is not supported APIVersion traefik.io/v1, please use ServersTransport to configure the TerminationDelay instead.
+                              Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.
                            type: integer
                          tls:
                            description: TLS determines whether to use TLS when dialing
@@ -159,7 +159,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1
                      type: string
                  required:
                  - match
@@ -168,18 +168,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -198,7 +198,7 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: ingressrouteudps.traefik.io
 spec:
  group: traefik.io
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
                  Default: all.
                items:
                  type: string
--- a/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: middlewares.traefik.io
 spec:
  group: traefik.io
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/overview/
        properties:
          apiVersion:
            description: |-
@@ -45,7 +45,7 @@ spec:
                description: |-
                  AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/
                properties:
                  prefix:
                    description: |-
@@ -57,12 +57,12 @@ spec:
                description: |-
                  BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -83,7 +83,7 @@ spec:
                description: |-
                  Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytes
                properties:
                  maxRequestBodyBytes:
                    description: |-
@@ -115,14 +115,14 @@ spec:
                    description: |-
                      RetryExpression defines the retry conditions.
                      It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpression
                    type: string
                type: object
              chain:
                description: |-
                  Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/chain/
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -180,14 +180,20 @@ spec:
              compress:
                description: |-
                  Compress holds the compress middleware configuration.
-                  This middleware compresses responses before sending them to the client, using gzip compression.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/compress/
+                  This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/compress/
                properties:
                  defaultEncoding:
                    description: DefaultEncoding specifies the default encoding if
                      the `Accept-Encoding` header is not in the request or contains
                      a wildcard (`*`).
                    type: string
+                  encodings:
+                    description: Encodings defines the list of supported compression
+                      algorithms.
+                    items:
+                      type: string
+                    type: array
                  excludedContentTypes:
                    description: |-
                      ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.
@@ -224,12 +230,12 @@ spec:
                description: |-
                  DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -249,7 +255,7 @@ spec:
                description: |-
                  ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/
                properties:
                  query:
                    description: |-
@@ -259,7 +265,7 @@ spec:
                  service:
                    description: |-
                      Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/#service
                    properties:
                      healthCheck:
                        description: Healthcheck defines health checks for ExternalName
@@ -392,7 +398,7 @@ spec:
                      sticky:
                        description: |-
                          Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -450,7 +456,7 @@ spec:
                description: |-
                  ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/
                properties:
                  addAuthCookiesToResponse:
                    description: AddAuthCookiesToResponse defines the list of cookies
@@ -478,7 +484,7 @@ spec:
                  authResponseHeadersRegex:
                    description: |-
                      AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
                    type: string
                  tls:
                    description: TLS defines the configuration used to secure the
@@ -525,7 +531,7 @@ spec:
                description: |-
                  Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheaders
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -696,7 +702,7 @@ spec:
                description: |-
                  InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/
                properties:
                  amount:
                    description: |-
@@ -709,12 +715,12 @@ spec:
                      SourceCriterion defines what criterion is used to group requests as originating from a common source.
                      If several strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterion
                    properties:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -728,6 +734,12 @@ spec:
                            items:
                              type: string
                            type: array
+                          ipv6Subnet:
+                            description: IPv6Subnet configures Traefik to consider
+                              all IPv6 addresses from the defined subnet as originating
+                              from the same IP. Applies to RemoteAddrStrategy and
+                              DepthStrategy.
+                            type: integer
                        type: object
                      requestHeaderName:
                        description: RequestHeaderName defines the name of the header
@@ -743,12 +755,12 @@ spec:
                description: |-
                  IPAllowList holds the IP allowlist middleware configuration.
                  This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/
                properties:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -761,6 +773,11 @@ spec:
                        items:
                          type: string
                        type: array
+                      ipv6Subnet:
+                        description: IPv6Subnet configures Traefik to consider all
+                          IPv6 addresses from the defined subnet as originating from
+                          the same IP. Applies to RemoteAddrStrategy and DepthStrategy.
+                        type: integer
                    type: object
                  rejectStatusCode:
                    description: |-
@@ -780,7 +797,7 @@ spec:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -793,6 +810,11 @@ spec:
                        items:
                          type: string
                        type: array
+                      ipv6Subnet:
+                        description: IPv6Subnet configures Traefik to consider all
+                          IPv6 addresses from the defined subnet as originating from
+                          the same IP. Applies to RemoteAddrStrategy and DepthStrategy.
+                        type: integer
                    type: object
                  sourceRange:
                    description: SourceRange defines the set of allowed IPs (or ranges
@@ -805,7 +827,7 @@ spec:
                description: |-
                  PassTLSClientCert holds the pass TLS client cert middleware configuration.
                  This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -914,7 +936,7 @@ spec:
                description: |-
                  RateLimit holds the rate limit configuration.
                  This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ratelimit/
                properties:
                  average:
                    description: |-
@@ -947,7 +969,7 @@ spec:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -961,6 +983,12 @@ spec:
                            items:
                              type: string
                            type: array
+                          ipv6Subnet:
+                            description: IPv6Subnet configures Traefik to consider
+                              all IPv6 addresses from the defined subnet as originating
+                              from the same IP. Applies to RemoteAddrStrategy and
+                              DepthStrategy.
+                            type: integer
                        type: object
                      requestHeaderName:
                        description: RequestHeaderName defines the name of the header
@@ -976,7 +1004,7 @@ spec:
                description: |-
                  RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regex
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -995,7 +1023,7 @@ spec:
                description: |-
                  RedirectScheme holds the redirect scheme middleware configuration.
                  This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1012,7 +1040,7 @@ spec:
                description: |-
                  ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -1023,7 +1051,7 @@ spec:
                description: |-
                  ReplacePathRegex holds the replace path regex middleware configuration.
                  This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -1039,7 +1067,7 @@ spec:
                  Retry holds the retry middleware configuration.
                  This middleware reissues requests a given number of times to a backend server if that server does not reply.
                  As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
@@ -1061,7 +1089,7 @@ spec:
                description: |-
                  StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/
                properties:
                  forceSlash:
                    description: |-
@@ -1080,7 +1108,7 @@ spec:
                description: |-
                  StripPrefixRegex holds the strip prefix regex middleware configuration.
                  This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
--- a/docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: middlewaretcps.traefik.io
 spec:
  group: traefik.io
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.1/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/
        properties:
          apiVersion:
            description: |-
@@ -55,7 +55,7 @@ spec:
                description: |-
                  IPAllowList defines the IPAllowList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -69,7 +69,7 @@ spec:
                  IPWhiteList defines the IPWhiteList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
                  Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
--- a/docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: serverstransports.traefik.io
 spec:
  group: traefik.io
@@ -21,7 +21,7 @@ spec:
          ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1
        properties:
          apiVersion:
            description: |-
--- a/docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: serverstransporttcps.traefik.io
 spec:
  group: traefik.io
@@ -21,7 +21,7 @@ spec:
          ServersTransportTCP is the CRD implementation of a TCPServersTransport.
          If no tcpServersTransport is specified, a default one named default@internal will be used.
          The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3
        properties:
          apiVersion:
            description: |-
--- a/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: tlsoptions.traefik.io
 spec:
  group: traefik.io
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
        properties:
          apiVersion:
            description: |-
@@ -44,14 +44,14 @@ spec:
              alpnProtocols:
                description: |-
                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocols
                items:
                  type: string
                type: array
              cipherSuites:
                description: |-
                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suites
                items:
                  type: string
                type: array
@@ -79,7 +79,7 @@ spec:
              curvePreferences:
                description: |-
                  CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferences
                items:
                  type: string
                type: array
--- a/docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: tlsstores.traefik.io
 spec:
  group: traefik.io
@@ -21,7 +21,7 @@ spec:
          TLSStore is the CRD implementation of a Traefik TLS Store.
          For the time being, only the TLSStore named default is supported.
          This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.1/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-stores
        properties:
          apiVersion:
            description: |-
--- a/docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.16.1
  name: traefikservices.traefik.io
 spec:
  group: traefik.io
@@ -22,7 +22,7 @@ spec:
          TraefikService object allows to:
          - Apply weight to Services on load-balancing
          - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikservice
        properties:
          apiVersion:
            description: |-
@@ -121,6 +121,11 @@ spec:
                      Default value is -1, which means unlimited size.
                    format: int64
                    type: integer
+                  mirrorBody:
+                    description: |-
+                      MirrorBody defines whether the body of the request should be mirrored.
+                      Default value is true.
+                    type: boolean
                  mirrors:
                    description: Mirrors defines the list of mirrors where Traefik
                      will duplicate the traffic.
@@ -263,7 +268,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -370,7 +375,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -553,7 +558,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -600,7 +605,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
--- a/docs/content/reference/install-configuration/api-dashboard.md
+++ b/docs/content/reference/install-configuration/api-dashboard.md
@@ -0,0 +1,235 @@
+---
+title: "Traefik API & Dashboard Documentation"
+description: "Traefik Proxy exposes information through API handlers and showcase them on the Dashboard. Learn about the security, configuration, and endpoints of the APIs and Dashboard. Read the technical documentation."
+---
+
+The dashboard is the central place that shows you the current active routes handled by Traefik.
+
+<figure>
+    <img src="../../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
+    <figcaption>The dashboard in action</figcaption>
+</figure>
+
+## Configuration Example
+
+Enable the dashboard:
+
+```yaml tab="File(YAML)"
+api: {}
+```
+
+```toml tab="File(TOML)"
+[api]
+```
+
+```cli tab="CLI"
+--api=true
+```
+
+Expose the dashboard:
+
+```yaml tab="Kubernetes CRD"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+spec:
+  routes:
+  - match: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+    middlewares:
+      - name: auth
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+spec:
+  basicAuth:
+    secret: secretName # Kubernetes secret named "secretName"
+```
+
+```yaml tab="Helm Chart Values (values.yaml)"
+# Create an IngressRoute for the dashboard
+ingressRoute:
+  dashboard:
+    enabled: true
+    # Custom match rule with host domain
+    matchRule: Host(`traefik.example.com`)
+    entryPoints: ["websecure"]
+    # Add custom middlewares : authentication and redirection
+    middlewares:
+      - name: traefik-dashboard-auth
+
+# Create the custom middlewares used by the IngressRoute dashboard (can also be created in another way).
+# /!\ Yes, you need to replace "changeme" password with a better one. /!\
+extraObjects:
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: traefik-dashboard-auth-secret
+    type: kubernetes.io/basic-auth
+    stringData:
+      username: admin
+      password: changeme
+
+  - apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+      name: traefik-dashboard-auth
+    spec:
+      basicAuth:
+        secret: traefik-dashboard-auth-secret
+```
+
+```yaml tab="Docker"
+# Dynamic Configuration
+labels:
+  - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+  - "traefik.http.routers.dashboard.service=api@internal"
+  - "traefik.http.routers.dashboard.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="Swarm"
+# Dynamic Configuration
+deploy:
+  labels:
+    - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+    - "traefik.http.routers.dashboard.service=api@internal"
+    - "traefik.http.routers.dashboard.middlewares=auth"
+    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+    # Dummy service for Swarm port detection. The port can be any valid integer value.
+    - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
+```
+
+```yaml tab="Consul Catalog"
+# Dynamic Configuration
+- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+- "traefik.http.routers.dashboard.service=api@internal"
+- "traefik.http.routers.dashboard.middlewares=auth"
+- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic Configuration
+http:
+  routers:
+    dashboard:
+      rule: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+      service: api@internal
+      middlewares:
+        - auth
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Dynamic Configuration
+[http.routers.my-api]
+  rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+  service = "api@internal"
+  middlewares = ["auth"]
+
+[http.middlewares.auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```
+
+## Configuration Options
+
+The API and the dashboard can be configured:
+
+- In the Helm Chart: You can find the options to customize the Traefik installation
+enabing the dashboard [here](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L155).
+- In the Traefik Static Configuration as described below.
+
+| Field      | Description  | Default | Required |
+|:-----------|:---------------------------------|:--------|:---------|
+| `api` | Enable api/dashboard. When set to `true`, its sub option `api.dashboard` is also set to true.| false     | No      |
+| `api.dashboard` | Enable dashboard. | false      | No      |
+| `api.debug` | Enable additional endpoints for debugging and profiling. | false      | No      |
+| `api.disabledashboardad` | Disable the advertisement from the dashboard. | false      | No      |
+| `api.insecure` | Enable the API and the dashboard on the entryPoint named traefik.| false      | No      |
+
+## Endpoints
+
+All the following endpoints must be accessed with a `GET` HTTP request.
+
+| Path                           | Description                                                                                 |
+|--------------------------------|---------------------------------------------------------------------------------------------|
+| `/api/http/routers`            | Lists all the HTTP routers information.                                                     |
+| `/api/http/routers/{name}`     | Returns the information of the HTTP router specified by `name`.                             |
+| `/api/http/services`           | Lists all the HTTP services information.                                                    |
+| `/api/http/services/{name}`    | Returns the information of the HTTP service specified by `name`.                            |
+| `/api/http/middlewares`        | Lists all the HTTP middlewares information.                                                 |
+| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`.                         |
+| `/api/tcp/routers`             | Lists all the TCP routers information.                                                      |
+| `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                              |
+| `/api/tcp/services`            | Lists all the TCP services information.                                                     |
+| `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                             |
+| `/api/tcp/middlewares`         | Lists all the TCP middlewares information.                                                  |
+| `/api/tcp/middlewares/{name}`  | Returns the information of the TCP middleware specified by `name`.                          |
+| `/api/udp/routers`             | Lists all the UDP routers information.                                                      |
+| `/api/udp/routers/{name}`      | Returns the information of the UDP router specified by `name`.                              |
+| `/api/udp/services`            | Lists all the UDP services information.                                                     |
+| `/api/udp/services/{name}`     | Returns the information of the UDP service specified by `name`.                             |
+| `/api/entrypoints`             | Lists all the entry points information.                                                     |
+| `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                             |
+| `/api/overview`                | Returns statistic information about HTTP, TCP and about enabled features and providers. |
+| `/api/rawdata`                 | Returns information about dynamic configurations, errors, status and dependency relations.  |
+| `/api/version`                 | Returns information about Traefik version.                                                  |
+| `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                          |
+| `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.       |
+| `/debug/pprof/cmdline`         | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation.   |
+| `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation.   |
+| `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.     |
+| `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.       |
+
+## Dashboard
+
+The dashboard is available at the same location as the [API](../../operations/api.md), but by default on the path  `/dashboard/`.
+
+!!! note
+
+    - The trailing slash `/` in `/dashboard/` is mandatory. This limitation can be mitigated using the the [RedirectRegex Middleware](../../middlewares/http/redirectregex.md).
+	  - There is also a redirect from the path `/` to `/dashboard/`, but you should not rely on this behavior, as it is subject to change and may complicate routing rules.
+
+To securely access the dashboard, you need to define a routing configuration within Traefik. This involves setting up a router attached to the service `api@internal`, which allows you to:
+
+- Implement security features using [middlewares](../../middlewares/overview.md), such as authentication ([basicAuth](../../middlewares/http/basicauth.md), [digestAuth](../../middlewares/http/digestauth.md),
+  [forwardAuth](../../middlewares/http/forwardauth.md)) or [allowlisting](../../middlewares/http/ipallowlist.md).
+
+- Define a [router rule](#dashboard-router-rule) for accessing the dashboard through Traefik.
+
+### Dashboard Router Rule
+
+To ensure proper access to the dashboard, the [router rule](../../routing/routers/index.md#rule) you define must match requests intended for the `/api` and `/dashboard` paths. 
+We recommend using either a *Host-based rule* to match all requests on the desired domain or explicitly defining a rule that includes both path prefixes. 
+Here are some examples:
+
+```bash tab="Host Rule"
+# The dashboard can be accessed on http://traefik.example.com/dashboard/
+rule = "Host(`traefik.example.com`)"
+```
+
+```bash tab="Path Prefix Rule"
+# The dashboard can be accessed on http://example.com/dashboard/ or http://traefik.example.com/dashboard/
+rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+```
+
+```bash tab="Combination of Rules"
+# The dashboard can be accessed on http://traefik.example.com/dashboard/
+rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/reference/install-configuration/boot-environment.md
+++ b/docs/content/reference/install-configuration/boot-environment.md
@@ -0,0 +1,134 @@
+---
+title: "Traefik Configuration Overview"
+description: "Read the official Traefik documentation to get started with configuring the Traefik Proxy."
+---
+
+# Boot Environment
+
+Traefik Proxy’s configuration is divided into two main categories:
+
+- **Static Configuration**: Defines parameters that require Traefik to restart when changed. This includes entry points, providers, API/dashboard settings, and logging levels.
+- **Dynamic Configuration**: Involves elements that can be updated without restarting Traefik, such as routers, services, and middlewares.
+
+This section focuses on setting up the static configuration, which is essential for Traefik’s initial boot.
+
+## Configuration Methods
+
+Traefik offers multiple methods to define static configuration. 
+
+!!! warning "Note"
+    It’s crucial to choose one method and stick to it, as mixing different configuration options is not supported and can lead to unexpected behavior.
+
+Here are the methods available for configuring the Traefik proxy:
+
+- [File](#file) 
+- [CLI](#cli)
+- [Environment Variables](#environment-variables)
+- [Helm](#helm)
+
+## File
+
+You can define the static configuration in a file using formats like YAML or TOML.
+
+### Configuration Example
+
+```yaml tab="traefik.yml (YAML)"
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+
+providers:
+  docker: {}
+
+api:
+  dashboard: true
+
+log:
+  level: INFO
+```
+
+```toml tab="traefik.toml (TOML)"
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+
+  [entryPoints.websecure]
+    address = ":443"
+
+[providers]
+  [providers.docker]
+
+[api]
+  dashboard = true
+
+[log]
+  level = "INFO"
+```
+
+### Configuration File
+
+At startup, Traefik searches for static configuration in a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in the following directories:
+
+- `/etc/traefik/`
+- `$XDG_CONFIG_HOME/`
+- `$HOME/.config/`
+- `.` (the current working directory).
+
+You can override this behavior using the `configFile` argument like this:
+
+```bash
+traefik --configFile=foo/bar/myconfigfile.yml
+```
+
+## CLI
+
+Using the CLI, you can pass static configuration directly as command-line arguments when starting Traefik. 
+
+### Configuration Example
+
+```sh tab="CLI"
+traefik \
+  --entryPoints.web.address=":80" \
+  --entryPoints.websecure.address=":443" \
+  --providers.docker \
+  --api.dashboard \
+  --log.level=INFO
+```
+
+## Environment Variables
+
+You can also set the static configuration using environment variables. Each option corresponds to an environment variable prefixed with `TRAEFIK_`.
+
+### Configuration Example
+
+```sh tab="ENV"
+TRAEFIK_ENTRYPOINTS_WEB_ADDRESS=":80" TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS=":443" TRAEFIK_PROVIDERS_DOCKER=true TRAEFIK_API_DASHBOARD=true TRAEFIK_LOG_LEVEL="INFO" traefik
+```
+
+## Helm
+
+When deploying Traefik Proxy using Helm in a Kubernetes cluster, the static configuration is defined in a `values.yaml` file. 
+
+You can find the official Traefik Helm chart on [GitHub](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/VALUES.md)
+
+### Configuration Example
+
+```yaml tab="values.yaml"
+ports:
+  web:
+    exposedPort: 80
+  websecure:
+    exposedPort: 443
+
+additionalArguments:
+  - "--providers.kubernetescrd.ingressClass"
+  - "--log.level=INFO"
+```
+
+```sh tab="Helm Commands"
+helm repo add traefik https://traefik.github.io/charts
+helm repo update
+helm install traefik traefik/traefik -f values.yaml
+```
--- a/docs/content/reference/install-configuration/cli-options-list.md
+++ b/docs/content/reference/install-configuration/cli-options-list.md
--- a/docs/content/reference/install-configuration/entrypoints.md
+++ b/docs/content/reference/install-configuration/entrypoints.md
@@ -0,0 +1,213 @@
+---
+title: "Traefik EntryPoints Documentation"
+description: "For routing and load balancing in Traefik Proxy, EntryPoints define which port will receive packets and whether they are TCP or UDP. Read the technical documentation."
+---
+
+Listening for Incoming Connections/Requests
+{: .subtitle }
+
+### Configuration Example
+
+```yaml tab="File (YAML)"
+entryPoints:
+  web:
+    address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+
+  websecure:
+    address: :443
+    tls: {}
+    middlewares:
+      - auth@kubernetescrd
+      - strip@kubernetescrd
+```
+
+```yaml tab="Helm Chart Values"
+## Values file
+ports:
+  web:
+    port: :80
+  websecure:
+    port: :443
+    tls:
+      enabled: true
+    middlewares:
+      - auth@kubernetescrd
+      - strip@kubernetescrd
+additionalArguments:
+  - --entryPoints.web.http.redirections.to=websecure
+  - --entryPoints.web.http.redirections.scheme=https
+  - --entryPoints.web.http.redirections.permanent=true
+```
+
+!!! tip 
+
+      In the Helm Chart, the entryPoints `web` (port 80), `websecure` (port 443), `traefik` (port 9000) and `metrics` (port 9100) are created by default.
+      The entryPoints `web`, `websecure` are exposed by default using a Service.
+
+      The default behaviors can be overridden in the Helm Chart.
+
+## Configuration Options
+
+| Field | Description | Default | Required |
+|:------|:------------|:--------|:---------|
+| `address` | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp]`. | - | Yes |
+| `asDefault` | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault).  | false | No |
+| `forwardedHeaders.trustedIPs` | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`). | - | No |
+| `forwardedHeaders.insecure` | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br />We recommend to use this option only for tests purposes, not in production. | false | No |
+| `http.redirections.`<br />`entryPoint.to` | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br /> The target element can be an entry point name (ex: `websecure`), or a port (`:443`). | - | Yes |
+| `http.redirections.`<br />`entryPoint.scheme` | The target scheme to use for (permanent) redirection of all incoming requests.  | https | No |
+| `http.redirections.`<br />`entryPoint.permanent` | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`). | false | No |
+| `http.redirections.`<br />`entryPoint.priority` | Default priority applied to the routers attached to the `entryPoint`. | MaxInt32-1 (2147483646) | No |
+| `http.encodeQuerySemicolons` | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons). | false | No |
+| `http.middlewares` | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares). | - | No |
+| `http.tls` | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generates by Traefik. <br /> We recommend to not use self signed certificates in production. | - | No |
+| `http.tls.options` | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption). | - | No |
+| `http.tls.certResolver` | Apply a certificate resolver on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../install-configuration/tls/certificate-resolvers/overview.md). | - | No |
+| `http2.maxConcurrentStreams` | Set the number of concurrent streams per connection that each client is allowed to initiate. <br /> The value must be greater than zero. | 250 | No |
+| `http3` | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3. | - | No |
+| `http3.advertisedPort` | Set the UDP port to advertise as the HTTP/3 authority. <br /> It defaults to the entryPoint's address port. <br /> It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening. | - | No |
+| `proxyProtocol.trustedIPs` | Enable PROXY protocol with Trusted IPs. <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br /> More information [here](#proxyprotocol-and-load-balancers).| - | No |
+| `proxyProtocol.insecure` | Enable PROXY protocol trusting every incoming connection. <br /> Every remote client address will be replaced (`trustedIPs`) won't have any effect). <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br />We recommend to use this option only for tests purposes, not in production.<br /> More information [here](#proxyprotocol-and-load-balancers). | - | No |
+| `reusePort` | Enable `entryPoints` from the same or different processes listening on the same TCP/UDP port by utilizing the `SO_REUSEPORT` socket option. <br /> It also allows the kernel to act like a load balancer to distribute incoming connections between entry points..<br /> More information [here](#reuseport). | false | No |
+| `transport.`<br />`respondingTimeouts.`<br />`readTimeout` | Set the timeouts for incoming requests to the Traefik instance. This is the maximum duration for reading the entire request, including the body. Setting them has no effect for UDP `entryPoints`.<br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds. | 60s (seconds) | No |
+| `transport.`<br />`respondingTimeouts.`<br />`writeTimeout` | Maximum duration before timing out writes of the response. <br /> It covers the time from the end of the request header read to the end of the response write. <br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds. | 0s (seconds) | No |
+| `transport.`<br />`respondingTimeouts.`<br />`idleTimeout` | Maximum duration an idle (keep-alive) connection will remain idle before closing itself. <br /> If zero, no timeout exists <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds| 180s (seconds) | No |
+| `transport.`<br />`lifeCycle.`<br />`graceTimeOut` | Set the duration to give active requests a chance to finish before Traefik stops. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds <br /> In this time frame no new requests are accepted.| 10s (seconds) | No |
+| `transport.`<br />`lifeCycle.`<br />`requestAcceptGraceTimeout` | Set the duration to keep accepting requests prior to initiating the graceful termination period (as defined by the `transportlifeCycle.graceTimeOut` option). <br /> This option is meant to give downstream load-balancers sufficient time to take Traefik out of rotation. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds| 0s (seconds) | No |
+| `transport.`<br />`keepAliveMaxRequests` | Set the maximum number of requests Traefik can handle before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). <br /> Zero means no limit. | 0 | No |
+| `transport.`<br />`keepAliveMaxTime` | Set the maximum duration Traefik can handle requests before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). Zero means no limit. | 0s (seconds) | No |
+| `udp.timeout` | Define how long to wait on an idle session before releasing the related resources. <br />The Timeout value must be greater than zero.| 3s (seconds)| No |
+
+### asDefault
+
+If there is no entryPoint with the `asDefault` option set to `true`, then the 
+list of default entryPoints includes all HTTP/TCP entryPoints.
+
+If at least one entryPoint has the `asDefault` option set to `true`,
+then the list of default entryPoints includes only entryPoints that have the
+`asDefault` option set to `true`.
+
+Some built-in entryPoints are always excluded from the list, namely: `traefik`.
+
+The `asDefault` option has no effect on UDP entryPoints.
+When a UDP router does not define the entryPoints option, it is attached to all
+available UDP entryPoints.
+
+### http.middlewares
+
+- You can attach a list of [middlewares](../../middlewares/http/overview.md)
+to each entryPoint.
+- The middlewares will take effect only if the rule matches, and before forwarding
+the request to the service.
+- Middlewares are applied in the same order as their declaration.
+- Middlewares are applied by default to every router exposed through the EntryPoint
+(the Middlewares declared on the [IngressRoute](../../routing/routers/index.md#middlewares)
+or the [Ingress](../../routing/providers/kubernetes-ingress.md#on-ingress)
+are applied after the ones declared on the Entrypoint)
+- The option allows attaching a list of middleware using the format 
+`middlewarename@providername` as described in the example below:
+
+```yaml tab="File (YAML)"
+entryPoints:
+  web:
+    address: :80
+    middlewares:
+      - auth@kubernetescrd
+      - strip@file
+```
+
+```yaml tab="Helm Chart Values"
+ports:
+  web:
+    port: :80
+    middlewares:
+      - auth@kubernetescrd
+      - strip@file
+```
+
+### encodeQuerySemicolons
+
+Behavior examples:
+
+| EncodeQuerySemicolons | Request Query       | Resulting Request Query |
+|-----------------------|---------------------|-------------------------|
+| false                 | foo=bar;baz=bar     | foo=bar&baz=bar         |
+| true                  | foo=bar;baz=bar     | foo=bar%3Bbaz=bar       |
+| false                 | foo=bar&baz=bar;foo | foo=bar&baz=bar&foo     |
+| true                  | foo=bar&baz=bar;foo | foo=bar&baz=bar%3Bfoo   |
+
+### HTTP3
+
+As HTTP/3 actually uses UDP, when Traefik is configured with a TCP `entryPoint`
+on port N with HTTP/3 enabled, the underlying HTTP/3 server that is started 
+automatically listens on UDP port N too. As a consequence,
+it means port N cannot be used by another UDP `entryPoint`.
+Since HTTP/3 requires the use of TLS,
+only routers with TLS enabled will be usable with HTTP/3.
+
+### ProxyProtocol and Load-Balancers
+
+The replacement of the remote client address will occur only for IP addresses listed in `trustedIPs`. This is where yoåu specify your load balancer IPs or CIDR ranges.
+
+When queuing Traefik behind another load-balancer, make sure to configure 
+PROXY protocol on both sides.
+Not doing so could introduce a security risk in your system (enabling request forgery).
+
+### reusePort
+
+#### Examples
+
+Many processes on the same EntryPoint:
+
+```yaml tab="File (YAML)"
+  entryPoints:
+    web:
+      address: ":80"
+      reusePort: true
+```
+
+```yaml tab="Helm Chart Values"
+  ## Values file
+  additionalArguments:
+    - --entryPoints.web.reusePort=true
+```
+
+Many processes on the same EntryPoint on another host:
+
+```yaml tab="File (YAML)"
+entryPoints:
+  web:
+    address: ":80"
+    reusePort: true
+  privateWeb:
+    address: "192.168.1.2:80"
+    reusePort: true
+```
+
+```yaml tab="Helm Chart Values"
+additionalArguments:
+  - --entryPoints.web.reusePort=true
+  - --entryPoints.privateWeb.address=192.168.1.2:80
+  - --entryPoints.privateWeb.reusePort=true
+```
+
+#### Supported platforms
+
+The `reusePort` option currently works only on Linux, FreeBSD, OpenBSD and Darwin.
+It will be ignored on other platforms.
+
+There is a known bug in the Linux kernel that may cause unintended TCP connection
+failures when using the `reusePort` option. For more details, see [here](https://lwn.net/Articles/853637/).
+
+#### Canary deployment
+
+Use the `reusePort` option with the other option `transport.lifeCycle.gracetimeout`
+to do
+canary deployments against Traefik itself. Like upgrading Traefik version
+or reloading the static configuration without any service downtime.
--- a/docs/content/reference/install-configuration/observability/healthcheck.md
+++ b/docs/content/reference/install-configuration/observability/healthcheck.md
@@ -0,0 +1,87 @@
+---
+title: "Traefik Health Check Documentation"
+description: "In Traefik Proxy, CLI & Ping lets you check the health of your Traefik instances. Read the technical documentation for configuration examples and options."
+---
+
+# CLI & Ping
+
+Checking the Health of your Traefik Instances
+{: .subtitle }
+
+## CLI
+
+The CLI can be used to make a request to the `/ping` endpoint to check the health of Traefik. Its exit status is `0` if Traefik is healthy and `1` otherwise.
+
+This can be used with [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism.
+
+### Usage 
+
+```sh
+traefik healthcheck [command] [flags] [arguments]
+```
+
+Example:
+
+```sh
+$ traefik healthcheck
+OK: http://:8082/ping
+```
+
+## Ping
+
+The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
+
+The entryPoint where the `/ping` is active can be customized with the `entryPoint` option,
+whose default value is `traefik` (port `8080`).
+
+| Path    | Method        | Description                                                                                         |
+|---------|---------------|-----------------------------------------------------------------------------------------------------|
+| `/ping` | `GET`, `HEAD` | An endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
+
+### Configuration Example
+
+To enable the API handler:
+
+```yaml tab="File (YAML)"
+ping: {}
+```
+
+```toml tab="File (TOML)"
+[ping]
+```
+
+```bash tab="CLI"
+--ping=true
+```
+
+### Configuration Options
+
+| Field | Description                                               | Default              | Required |
+|:------|:----------------------------------------------------------|:---------------------|:---------|
+| `ping.entryPoint` | Enables `/ping` on a dedicated EntryPoint. | traefik  | No   |
+| `ping.manualRouting` | Disables the default internal router in order to allow one to create a custom router for the `ping@internal` service when set to `true`. | false | No   |
+| `ping.terminatingStatusCode` | Defines the status code for the ping handler during a graceful shut down. See more information [here](#terminatingstatuscode) | 503 | No   |
+
+#### `terminatingStatusCode`
+
+During the period in which Traefik is gracefully shutting down, the ping handler
+returns a `503` status code by default.  
+If Traefik is behind, for example a load-balancer
+doing health checks (such as the Kubernetes LivenessProbe), another code might
+be expected as the signal for graceful termination.  
+In that case, the terminatingStatusCode can be used to set the code returned by the ping
+handler during termination.
+
+```yaml tab="File (YAML)"
+ping:
+  terminatingStatusCode: 204
+```
+
+```toml tab="File (TOML)"
+[ping]
+  terminatingStatusCode = 204
+```
+
+```bash tab="CLI"
+--ping.terminatingStatusCode=204
+```
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
romain	8eb12795d7	Merge current branch v2.11 into v3.2	2024-12-10 15:04:04 +01:00
Kevin Pollet	cc14c165c0	Prepare release v2.11.15	2024-12-10 14:18:04 +01:00
Michael	f2ba4353b2	Fix experimental build ci	2024-12-10 12:12:05 +01:00
Anchal Sharma	514914639a	Rename traefik.docker.* labels for Docker Swarm to traefik.swarm.*	2024-12-10 09:48:05 +01:00
Kevin Pollet	f547f1b22b	Update sigs.k8s.io/gateway-api to v1.2.1	2024-12-09 09:44:05 +01:00
Michael	42df9afeaf	Fix release by using github action	2024-12-06 16:56:06 +01:00
Julien Salleyron	c8b0285c91	Fix WASM settings	2024-12-06 16:38:05 +01:00
Kevin Pollet	2df655cefe	Update github.com/quic-go/quic-go to v0.48.2	2024-12-06 16:36:05 +01:00
Sheddy	47b4df71bf	New Install Reference Documentation	2024-12-06 10:14:07 +01:00
Romain	2b35c7e205	Fix models mechanism for default rule syntax Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-11-29 10:52:05 +01:00
Kevin Pollet	536e11d949	Move callout to the entrypoint page footer	2024-11-25 17:22:04 +01:00
Ludovic Fernandez	c120b70483	Update go-acme/lego to v4.20.4	2024-11-22 09:54:04 +01:00
Kevin Pollet	ab0713d587	Fix incorrect links in v3 migration sections	2024-11-22 09:44:04 +01:00
Kevin Pollet	5cfc11fe68	Prepare release v3.2.1	2024-11-20 17:28:04 +01:00
Kevin Pollet	8a0c1e614f	Fix HostRegexp config for rule syntax v2 Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-11-20 17:04:04 +01:00
kevinpollet	394f97bc48	Merge branch v2.11 into v3.2	2024-11-20 15:37:27 +01:00
Kevin Pollet	8eadfbb990	Prepare release v2.11.14	2024-11-20 15:26:04 +01:00
romain	ca5b70e196	Merge branch v2.11 into v3.2	2024-11-20 14:21:43 +01:00
Julien Salleyron	cc80568d9e	Fix internal handlers ServiceBuilder composition	2024-11-19 14:52:04 +01:00
Kevin Pollet	8ffd1854db	Fix the defaultRule CLI examples	2024-11-18 14:40:05 +01:00
bluepuma77	6baa110adb	Update access-logs.md, add examples for accesslog.format	2024-11-18 11:58:04 +01:00
Antoine	5658c8ac06	Fix spelling, grammar, and rephrase sections for clarity in some documentation pages	2024-11-18 11:42:04 +01:00
davefu113	1c80f12bc2	Apply keepalive config to h2c entrypoints	2024-11-18 09:56:04 +01:00
Michel Loiseleur	ef5f1b1508	Improve documentation on dashboard	2024-11-14 11:14:04 +01:00
Romain	fdce8c604a	Change level of peeking first byte error log to DEBUG for Postgres	2024-11-12 17:34:04 +01:00
Kevin Pollet	8c19652361	Fix absolute link in the migration guide	2024-11-12 17:06:03 +01:00
kevinpollet	b7b4dd9554	Merge branch v2.11 into v3.2	2024-11-12 16:24:22 +01:00
Kevin Pollet	e5c80637fc	Add X-Forwarded-Prefix to the migration guide Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-11-12 15:04:04 +01:00
Ludovic Fernandez	f437fb4230	chore: update linter	2024-11-12 10:56:06 +01:00
Ludovic Fernandez	9c50129520	Update go-acme/lego to v4.20.2	2024-11-12 10:32:09 +01:00
Dominik Schwaiger	00a5f4c401	Fix a small typo in entrypoints documentation	2024-11-12 10:14:04 +01:00
Romain	a79cdd1dfa	Change level of peeking first byte error log to DEBUG Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-11-08 14:28:08 +01:00
Romain	2096fd7081	Drop untrusted X-Forwarded-Prefix header Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-11-08 12:12:35 +01:00
Julien Salleyron	f70949e3fa	Fix case problem for websocket upgrade	2024-11-06 09:56:04 +01:00
Ashley	7f4ff359a2	Add tips about the use of docker in dynamic configuration for swarm provider	2024-11-04 16:00:05 +01:00
Michel Loiseleur	47466a456e	Document how to use Certificates of cert-manager	2024-10-30 15:54:04 +01:00
Anchal Sharma	6f18344c56	Add a warning about environment variables casing for static configuration	2024-10-30 10:54:04 +01:00
Takuto Nagami	8527369797	Add Compress middleware to migration guide	2024-10-29 12:12:04 +01:00
Kevin Pollet	25caa72c09	Prepare release v3.2.0	2024-10-28 15:46:04 +01:00
kevinpollet	8beba9f278	Merge branch v3.1 into v3.2	2024-10-28 11:38:08 +01:00
Kevin Pollet	e90f4a7cb4	Prepare release v3.1.7	2024-10-28 11:34:03 +01:00
kevinpollet	20cdbdbf31	Merge branch v2.11 into v3.1	2024-10-28 10:32:18 +01:00
Kevin Pollet	08fe27ce5f	Prepare release v2.11.13	2024-10-28 10:22:04 +01:00
Romain	0dc36379cf	Ensuring Gateway API reflected Traefik resource name unicity Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-10-28 10:08:05 +01:00
Anton Bartsits	27948493aa	Panic on aborted requests to properly close the connection	2024-10-25 15:44:04 +02:00
Kevin Pollet	e3ed52ba7c	Detect and drop broken conns in the fastproxy pool Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-10-25 14:26:04 +02:00
kevinpollet	b22e081c7c	Merge branch v3.1 into v3.2	2024-10-24 11:47:38 +02:00
kevinpollet	62fa5f1a8e	Merge branch v2.11 into v3.1	2024-10-24 10:55:59 +02:00
Dylan Rodgers	edc0a52b5a	Updates to Business Callouts in Docs	2024-10-24 09:52:04 +02:00
Michael	3d2336bc83	Use golangci-lint action	2024-10-23 17:06:04 +02:00
Michel Loiseleur	0605f8bf09	Document nativeLBByDefault annotation on Kubernetes Gateway provider	2024-10-23 11:10:04 +02:00
Kevin Pollet	f18fcf3688	Preserve GRPCRoute filters order	2024-10-21 10:10:04 +02:00
Kevin Pollet	eeb99c3536	Preserve HTTPRoute filters order	2024-10-21 09:54:04 +02:00
Michael	83871f27dd	Add an option to preserve server path	2024-10-17 09:12:04 +02:00
Michel Loiseleur	6e1f5dc071	Fix instructions for downloading CRDs of Gateway API v1.2	2024-10-11 15:24:03 +02:00
Michel Loiseleur	ef5aa129c7	Fix broken links in Kubernetes Gateway provider page	2024-10-11 12:12:05 +02:00
Michel Loiseleur	f54f28921b	Add missing RBAC in the migration guide	2024-10-11 12:10:04 +02:00
Kevin Pollet	ef168b801c	Refactor compress handler to make it generic Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-10-10 16:04:04 +02:00
Romain	be156f6071	Ignore garbage collector flaky test	2024-10-10 10:48:04 +02:00
Kevin Pollet	b46665c620	Prepare release v3.2.0-rc2	2024-10-09 17:16:04 +02:00
kevinpollet	be13b5b55d	Merge branch v3.1 into v3.2	2024-10-09 16:47:13 +02:00
Will Da Silva	e9d677f8cb	Support http and https appProtocol for Kubernetes Service	2024-10-09 16:26:04 +02:00
Ludovic Fernandez	7edb9a2101	Bump github.com/go-acme/lego to v4.19.2	2024-10-09 16:04:04 +02:00
Kevin Pollet	4613ddd757	Prepare release v3.1.6	2024-10-09 15:54:05 +02:00
Romain	c441d04788	Avoid updating Accepted status for routes matching no Gateways Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-10-09 15:50:04 +02:00
kevinpollet	5d5dd9dd30	Merge branch v2.11 into v3.1	2024-10-09 15:19:14 +02:00
Kevin Pollet	1508a2c221	Do not update gateway status when not selected by a gateway class Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-10-09 15:14:05 +02:00
Kevin Pollet	934ca5fd22	Prepare release v2.11.12	2024-10-09 14:32:04 +02:00
Michel Heusschen	f16d14cfa6	Reuse compression writers	2024-10-09 14:14:03 +02:00
mmatur	4625bdf5cb	Merge current v2.11 into v3.1	2024-10-08 17:54:23 +02:00
Kevin Pollet	7b477f762a	Upgrade to node 22.9 and yarn lock to fix vulnerabilities Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-10-08 17:52:04 +02:00
Dylan Rodgers	157cf75e38	Update business callout in docs	2024-10-08 12:06:04 +02:00
Jesper Noordsij	ab35b3266a	Ensure shellcheck failure exit code is reflected in GH job result	2024-10-08 11:58:05 +02:00
Michel Heusschen	d339bfc8d2	Use correct default weight in Accept-Encoding	2024-10-08 11:48:04 +02:00
Romain	7b08ecfa5e	Bump sigs.k8s.io/gateway-api to v1.2.0 Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-10-08 10:46:04 +02:00
Dmitry Romashov	0a6b8780f0	Adopt a layout for the large amount of entrypoint port numbers	2024-10-08 10:44:04 +02:00
Michel Loiseleur	45292148e7	Detail CRD update with v3.2 in the migration guide	2024-10-07 09:54:04 +02:00
Kevin Pollet	fc563d3f6e	Fix the resolved TAG_NAME for commit in multiple tags	2024-10-07 09:32:05 +02:00
ttys3	a762cce430	Close wasm middleware to prevent memory leak	2024-10-04 16:36:04 +02:00
Kevin Pollet	306d3f277d	Bump github.com/klauspost/compress to dbd6c381492a	2024-10-04 10:48:04 +02:00
Ludovic Fernandez	6f7649fccc	Bump golangci-lint to 1.61.0	2024-10-04 09:38:04 +02:00
Matt Brown	e8ab3af74d	Clarify only header fields may be redacted in access-logs	2024-10-03 16:28:04 +02:00
Romain	a7502c8700	Prepare Release v3.2.0-rc1	2024-10-02 16:24:04 +02:00
kevinpollet	54c3afd760	Merge branch v3.1 into master	2024-10-02 15:32:09 +02:00
Kevin Pollet	a2ab3e534d	Prepare release v3.1.5	2024-10-02 14:42:05 +02:00
kevinpollet	8cfa68a8e1	Merge branch v2.11 into v3.1	2024-10-02 11:25:30 +02:00
Kevin Pollet	518caa79f9	Prepare release v2.11.11	2024-10-02 11:10:04 +02:00
Romain	373095f1a8	Support NativeLB option in GatewayAPI provider Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-10-02 10:34:04 +02:00
romain	b641d5cf2a	Merge current v2.11 into v3.1	2024-09-30 14:59:38 +02:00
Mathieu	4d6cb6af03	Ensure defaultGeneratedCert.main as Subject's CN	2024-09-30 12:10:05 +02:00
Kevin Pollet	9eb804a689	Bump github.com/klauspost/compress to 8e14b1b5a913	2024-09-30 11:56:04 +02:00
Jesper Noordsij	c02b72ca51	Disable IngressClass lookup when disableClusterScopeResources is enabled	2024-09-27 16:24:04 +02:00
Rémi BUISSON	2bb712135d	Specify default format value for access log	2024-09-27 15:34:04 +02:00
Michel Heusschen	14e5d4b4b3	Remove unused boot files from webui	2024-09-27 15:22:04 +02:00
lyrandy	e485edbe9f	Update API documentation to mention pagination	2024-09-27 15:00:06 +02:00
Kevin Pollet	d317cd90fc	Support HTTPRoute destination port matching	2024-09-27 12:12:05 +02:00
Carlos Martell	eccfcc0924	feat: allow setting service.name for OTLP metrics	2024-09-27 11:58:05 +02:00
Romain	61bb3ab991	Rework condition to not log on timeout	2024-09-27 11:34:05 +02:00
Romain	e62f8af23b	Rework condition to not log on timeout	2024-09-27 11:20:04 +02:00
Romain	a42d396ed2	Clean connection headers for forward auth request only Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-09-27 11:18:05 +02:00
Kevin Pollet	7bb181dfa0	Bump sigs.k8s.io/gateway-api to v1.2.0-rc2	2024-09-27 11:02:04 +02:00
Dan Everton	fbf6757ce9	Support for watching instead of polling Nomad	2024-09-26 15:56:04 +02:00
Kevin Pollet	f8a78b3b25	Introduce a fast proxy mode to improve HTTP/1.1 performances with backends Co-authored-by: Romain <rtribotte@users.noreply.github.com> Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2024-09-26 11:00:05 +02:00
Romain	a6db1cac37	Update sigs.k8s.io/gateway-api to v1.2.0-rc1 Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-09-26 09:12:04 +02:00
Michal Kralik	312ebb17ab	Add support for ipv6 subnet in ipStrategy	2024-09-24 18:04:05 +02:00
kevinpollet	a398536688	Merge branch v3.1 into master	2024-09-20 09:51:54 +02:00
Kevin Pollet	0be01cc067	Prepare release v3.1.4	2024-09-19 15:44:04 +02:00
Kevin Pollet	f3eba8d3a2	Guess Datadog socket type when prefix is unix	2024-09-19 15:30:05 +02:00
romain	7e75dc0819	Merge current v2.11 into v3.1	2024-09-19 14:16:19 +02:00
Romain	b00f640d72	Prepare release v2.11.10	2024-09-19 12:08:04 +02:00
Kevin Pollet	ac42dd8f83	Check if ACME certificate resolver is not nil	2024-09-19 11:50:04 +02:00
Romain	4b5968e0cc	Bump github.com/quic-go/quic-go to v0.47.0	2024-09-19 11:36:04 +02:00
Romain	42e1f2c9b1	Add supported features to the Gateway API GatewayClass status	2024-09-17 16:40:04 +02:00
Karl Anthony Baluyot	bbeceba580	Mention v3 in readme	2024-09-17 15:20:04 +02:00
Romain	1ebd12ff82	Add support for Gateway API BackendTLSPolicies	2024-09-17 10:50:04 +02:00
Kevin Pollet	89f3b272c3	Prepare release v3.1.3	2024-09-16 17:06:03 +02:00
kevinpollet	093989fc14	Merge branch v2.11 into v3.1	2024-09-16 16:41:57 +02:00
Kevin Pollet	06d7fab820	Prepare release v2.11.9	2024-09-16 15:26:12 +02:00
Andrea Cappuccio	f90f9df1db	Ensure proper logs for aborted streaming responses	2024-09-16 12:06:03 +02:00
Lucas Rodriguez	9750bbc353	Configurable max request header size	2024-09-16 11:30:04 +02:00
Julien Salleyron	8c977b8f8c	Removes goexport dependency and adds _initialize	2024-09-16 11:12:04 +02:00
Kevin Pollet	5841441005	Cleanup Connection headers before passing the middleware chain Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-09-16 11:10:04 +02:00
Romain	0cf2032c15	Allow handling ACME challenges with custom routers	2024-09-13 15:54:04 +02:00
Josh Soref	d547b943df	Spelling	2024-09-13 11:40:04 +02:00
Roman Donchenko	71d4b3b13c	Make the keys of the `accessLog.fields.names` map case-insensitive	2024-09-13 10:04:07 +02:00
Ludovic Fernandez	ac1dad3d14	Add support for custom CA certificates by certificate resolver	2024-09-09 17:24:04 +02:00
Josh Soref	be5c429825	Unify tab titles	2024-09-09 10:10:06 +02:00
Romain	e222d5cb2f	Add support for backend protocol selection in HTTP and GRPC routes	2024-09-09 10:08:08 +02:00
Michael	9dc2155e63	Fix sync docker images latest tag	2024-09-06 09:56:03 +02:00
Michael	c2cb4fac10	Sync docker images from docker hub to ghcr	2024-09-05 10:02:04 +02:00
weijiany	e8335a94a4	Record trace id and EntryPoint span id into access log	2024-09-03 16:40:04 +02:00
Michael	3d92f1645f	Fix Go version to 1.23 when running Gateway API conformance tests	2024-09-03 15:12:04 +02:00
tired-engineer	3f74993f4a	Fix typo in multiple DNS challenge provider warning	2024-09-03 14:40:04 +02:00
Michael	533c102d4f	Fix tracing documentation	2024-09-03 14:02:03 +02:00
Romain	3eb7ecce19	Improve Kubernetes GatewayAPI TCPRoute and TLSRoute support	2024-09-03 12:10:04 +02:00
mmatur	0b34e0cdcb	Merge current v3.1 into master	2024-09-03 10:31:10 +02:00
Romain	cf2869407d	Wrap capture for services used by pieces of middleware	2024-09-03 10:30:08 +02:00
mmatur	8ca27b4a1d	Merge current v2.11 into v3.1	2024-09-03 10:00:38 +02:00
Michael	6009aaed87	Improve CI speed	2024-09-03 09:44:04 +02:00
Matteo Paier	eb99c8c785	Add mirrorBody option to HTTP mirroring	2024-09-02 16:36:06 +02:00
Ludovic Fernandez	bf71560515	Update go-acme/lego to v4.18.0	2024-09-02 15:42:05 +02:00
Romain	51f7f610c9	Add versioning for Gateway API Conformance Test Report	2024-08-30 17:14:03 +02:00
Kevin Pollet	5ed972ccd8	Support GRPC routes Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-08-30 10:36:06 +02:00
Michael	2714831a4e	fix: otlp doc + potential panic	2024-08-29 14:30:05 +02:00
Emrio	6b3167d03e	Remove same email requirement for certresolvers	2024-08-29 11:36:05 +02:00
Michael	1417da4a21	Update k8s quickstart permissions	2024-08-29 11:08:09 +02:00
Michael	3040f2659a	Upgrade paerser to v0.2.1	2024-08-29 10:54:05 +02:00
Edward Eastman	6b1a584c2b	Update quick-start-with-kubernetes.md to include required permissions	2024-08-29 10:50:06 +02:00
Patrick Evans	3a80aa172c	Give valid examples for exposing dashboard with default Helm values	2024-08-29 10:40:05 +02:00
mmatur	8dc9607db7	Merge current v3.1 into master	2024-08-29 10:09:18 +02:00
romain	85f4fd0979	Merge current v2.11 into v3.1	2024-08-28 16:35:55 +02:00
Michel Loiseleur	e56ae1a766	Update to go1.23	2024-08-28 15:00:06 +02:00
Michel Loiseleur	d2030a5835	Upgrade webui dependencies	2024-08-27 18:08:03 +02:00
Romain	58bbc0cf0f	Remove mentions about APIVersion traefik.io/v1	2024-08-26 09:44:04 +02:00
Romain	7056eeff6a	Re-allow empty configuration for Kubernetes Ingress provider	2024-08-19 14:38:33 +02:00
Romain	ad613e58cd	Allow configuring rule syntax with Kubernetes Ingress annotation	2024-08-12 14:28:04 +02:00
Kevin Pollet	e7dc097901	Prevent error logging when TCP WRR pool is empty	2024-08-12 14:08:05 +02:00
Kevin Pollet	12a37346a4	Support ResponseHeaderModifier filter	2024-08-12 11:34:04 +02:00
Luke Rindels	78079377e8	Add 30 day certificatesDuration step	2024-08-08 10:22:05 +02:00
Wolfgang Ellsässer	75881359ab	Add encodings option to the compression middleware	2024-08-07 16:20:04 +02:00
Romain	0eb0a15aa1	Remove documention for unimplemented service retries metric	2024-08-07 09:52:08 +02:00
Romain	8d9ff0c441	Mention missing metrics removal in the migration guide	2024-08-07 09:44:03 +02:00
kevinpollet	b611f967b7	Merge branch v3.1 into master	2024-08-06 16:38:39 +02:00
Kevin Pollet	4c4780f886	Prepare release v3.1.2	2024-08-06 15:34:03 +02:00
romain	926a8e88e9	Merge current v2.11 into v3.1	2024-08-06 14:54:50 +02:00
Romain	6b1adabeb5	Prepare release v2.11.8	2024-08-06 14:50:04 +02:00
Michel Loiseleur	4eedcabbb3	Use Standard channel by default with Gateway API	2024-08-06 11:36:04 +02:00
Romain	5bf4b536e2	Change logs output from stderr to stdout	2024-08-05 16:56:34 +02:00
Kevin Pollet	5380e48747	Include status addresses when comparing Gateway statuses	2024-08-05 12:22:04 +02:00
Daniel Jolly	ccc11a69f1	Fix yaml config example for HTTP provider headers	2024-08-05 11:26:04 +02:00
Daniel Jolly	0f57f108ae	Fix missing codeblock ending in HTTP discover documentation	2024-08-05 11:14:03 +02:00
Matthias Wirtz	c0b704e1b0	Fix grafana dashboard to work with scrape interval greater than 15s	2024-08-02 10:18:04 +02:00
Romain	a50345bf8d	Allow to disable Kubernetes cluster scope resources discovery Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-08-01 15:50:04 +02:00
July	bd93e224de	Support HTTP BasicAuth for docker and swarm endpoint	2024-08-01 14:26:04 +02:00
Michael	ea019be133	Upgrade webui dependencies	2024-08-01 11:00:06 +02:00
Michael	02de683b94	Fix embedded youtube video	2024-08-01 09:30:04 +02:00
mmatur	930f84850b	Merge current v2.11 intov3.1	2024-07-31 17:14:45 +02:00
Romain	8970ae9199	Update to github.com/docker/docker v27.1.1	2024-07-31 16:20:04 +02:00
Landry Benguigui	de732ba53c	Add Access logs section to the migration guide Co-authored-by: Simon Delicata <simon.delicata@free.fr>	2024-07-31 10:20:04 +02:00
Dylan Rodgers	0f7af2b4e7	Updated index.md to include video	2024-07-31 10:00:05 +02:00
mmatur	e8324132f9	Merge current v3.1 into master	2024-07-30 15:54:24 +02:00
GaleHuang	957a5f5e73	feat: forwardAuth support LogUserHeader	2024-07-29 14:30:05 +02:00
romain	87db3300d3	Merge current v3.1 into master	2024-07-16 09:38:17 +02:00