Prepare release v3.3.7

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: traefik

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.
 
 Documentation fixes or enhancements:
 - for Traefik v2: use branch v2.11
-- for Traefik v3: use branch v3.2
+- for Traefik v3: use branch v3.3
 
 Bug fixes:
 - for Traefik v2: use branch v2.11
-- for Traefik v3: use branch v3.2
+- for Traefik v3: use branch v3.3
 
 Enhancements:
 - for Traefik v2: we only accept bug fixes

.github/workflows/build.yaml

@@ -61,6 +61,7 @@ jobs:
           ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
         with:
           go-version: ${{ env.GO_VERSION }}
+          check-latest: true
 
       - name: Artifact webui
         uses: actions/download-artifact@v4

.github/workflows/experimental.yaml

@@ -33,6 +33,7 @@ jobs:
           ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
         with:
           go-version: ${{ env.GO_VERSION }}
+          check-latest: true
 
       - name: Build
         run: make generate binary

.github/workflows/release.yaml

@@ -10,7 +10,7 @@ env:
   CGO_ENABLED: 0
   VERSION: ${{ github.ref_name }}
   TRAEFIKER_EMAIL: "traefiker@traefik.io"
-  CODENAME: munster
+  CODENAME: saintnectaire
 
 jobs:
 
@@ -41,6 +41,7 @@ jobs:
           ImageOS: ${{ matrix.os }}
         with:
           go-version: ${{ env.GO_VERSION }}
+          check-latest: true
 
       - name: Artifact webui
         uses: actions/download-artifact@v4

.github/workflows/test-integration.yaml

@@ -28,6 +28,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
+          check-latest: true
 
       - name: Avoid generating webui
         run: touch webui/static/index.html
@@ -55,6 +56,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
+          check-latest: true
 
       - name: Avoid generating webui
         run: touch webui/static/index.html

.github/workflows/test-unit.yaml

@@ -27,6 +27,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
+          check-latest: true
 
       - name: Avoid generating webui
         run: touch webui/static/index.html

.github/workflows/validate.yaml

@@ -7,7 +7,7 @@ on:
 
 env:
   GO_VERSION: '1.23'
-  GOLANGCI_LINT_VERSION: v1.63.3
+  GOLANGCI_LINT_VERSION: v2.0.2
   MISSPELL_VERSION: v0.6.0
 
 jobs:
@@ -25,9 +25,10 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
+          check-latest: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v7
         with:
           version: "${{ env.GOLANGCI_LINT_VERSION }}"
 
@@ -44,9 +45,10 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
+          check-latest: true
 
       - name: Install misspell ${{ env.MISSPELL_VERSION }}
-        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}
+        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/HEAD/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}
 
       - name: Avoid generating webui
         run: touch webui/static/index.html
@@ -67,6 +69,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
+          check-latest: true
 
       - name: go generate
         run: |

.golangci.yml

@@ -1,304 +1,324 @@
-run:
-  timeout: 10m
+version: "2"
 
-linters-settings:
-  govet:
-    enable-all: true
-    disable:
-      - shadow
-      - fieldalignment
-  gocyclo:
-    min-complexity: 14
-  goconst:
-    min-len: 3
-    min-occurrences: 4
-  misspell:
-    locale: US
-  funlen:
-    lines: -1
-    statements: 120
-  forbidigo:
-    forbid:
-      - ^print(ln)?$
-      - ^spew\.Print(f|ln)?$
-      - ^spew\.Dump$
-  depguard:
-    rules:
-      main:
-        deny:
-          - pkg: "github.com/instana/testify"
-            desc: not allowed
-          - pkg: "github.com/pkg/errors"
-            desc: Should be replaced by standard lib errors package
-          - pkg: "k8s.io/api/networking/v1beta1"
-            desc: This API is deprecated
-          - pkg: "k8s.io/api/extensions/v1beta1"
-            desc: This API is deprecated
-  godox:
-    keywords:
-      - FIXME
-  importas:
-    no-unaliased: true
-    alias:
-      - alias: composeapi
-        pkg: github.com/docker/compose/v2/pkg/api
+formatters:
+  enable:
+    - gci
+    - gofumpt
+  exclusions:
+    generated: lax
+    paths:
+      - pkg/provider/kubernetes/crd/generated/
 
-      # Standard Kubernetes rewrites:
-      - alias: corev1
-        pkg: "k8s.io/api/core/v1"
-      - alias: netv1
-        pkg: "k8s.io/api/networking/v1"
-      - alias: admv1
-        pkg: "k8s.io/api/admission/v1"
-      - alias: admv1beta1
-        pkg: "k8s.io/api/admission/v1beta1"
-      - alias: metav1
-        pkg: "k8s.io/apimachinery/pkg/apis/meta/v1"
-      - alias: ktypes
-        pkg: "k8s.io/apimachinery/pkg/types"
-      - alias: kerror
-        pkg: "k8s.io/apimachinery/pkg/api/errors"
-      - alias: kclientset
-        pkg: "k8s.io/client-go/kubernetes"
-      - alias: kinformers
-        pkg: "k8s.io/client-go/informers"
-      - alias: ktesting
-        pkg: "k8s.io/client-go/testing"
-      - alias: kschema
-        pkg: "k8s.io/apimachinery/pkg/runtime/schema"
-      - alias: kscheme
-        pkg: "k8s.io/client-go/kubernetes/scheme"
-      - alias: kversion
-        pkg: "k8s.io/apimachinery/pkg/version"
-      - alias: kubefake
-        pkg: "k8s.io/client-go/kubernetes/fake"
-      - alias: discoveryfake
-        pkg: "k8s.io/client-go/discovery/fake"
-
-      # Kubernetes Gateway rewrites:
-      - alias: gateclientset
-        pkg: "sigs.k8s.io/gateway-api/pkg/client/clientset/gateway/versioned"
-      - alias: gateinformers
-        pkg: "sigs.k8s.io/gateway-api/pkg/client/informers/gateway/externalversions"
-      - alias: gatev1alpha2
-        pkg: "sigs.k8s.io/gateway-api/apis/v1alpha2"
-
-      # Traefik Kubernetes rewrites:
-      - alias: traefikv1alpha1
-        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1"
-      - alias: traefikclientset
-        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned"
-      - alias: traefikinformers
-        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/informers/externalversions"
-      - alias: traefikscheme
-        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme"
-      - alias: traefikcrdfake
-        pkg: "github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake"
-  tagalign:
-    align: false
-    sort: true
-    order:
-      - description
-      - json
-      - toml
-      - yaml
-      - yml
-      - label
-      - label-slice-as-struct
-      - file
-      - kv
-      - export
-  revive:
-    rules:
-      - name: struct-tag
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: dot-imports
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: exported
-        disabled: true
-      - name: if-return
-      - name: increment-decrement
-      - name: var-naming
-      - name: var-declaration
-      - name: package-comments
-        disabled: true
-      - name: range
-      - name: receiver-naming
-      - name: time-naming
-      - name: unexported-return
-      - name: indent-error-flow
-      - name: errorf
-      - name: empty-block
-      - name: superfluous-else
-      - name: unused-parameter
-        disabled: true
-      - name: unreachable-code
-      - name: redefines-builtin-id
-  gomoddirectives:
-    tool-forbidden: true
-    toolchain-pattern: 'go1\.\d+\.\d+$'
-    go-version-pattern: '^1\.\d+(\.0)?$'
-    replace-allow-list:
-      - github.com/abbot/go-http-auth
-      - github.com/gorilla/mux
-      - github.com/mailgun/minheap
-      - github.com/mailgun/multibuf
-      - github.com/jaguilar/vt100
-      - github.com/cucumber/godog
-      - github.com/http-wasm/http-wasm-host-go
-  testifylint:
-    disable:
-      - suite-dont-use-pkg
-      - require-error
-      - go-require
-  staticcheck:
-    checks:
-      - all
-      - -SA1019
-  errcheck:
-    exclude-functions:
-      - fmt.Fprintln
 linters:
-  enable-all: true
+  default: all
   disable:
-    - sqlclosecheck # not relevant (SQL)
-    - rowserrcheck # not relevant (SQL)
+    - bodyclose # too many false-positive
+    - containedctx # too many false-positive
+    - contextcheck # too many false-positive
     - cyclop # duplicate of gocyclo
-    - lll # Not relevant
-    - gocyclo # FIXME must be fixed
-    - gocognit # Too strict
-    - nestif # Too many false-positive.
-    - prealloc # Too many false-positive.
-    - makezero # Not relevant
     - dupl # Too strict
-    - gosec # Too strict
-    - gochecknoinits
-    - gochecknoglobals
-    - wsl # Too strict
-    - nlreturn # Not relevant
-    - mnd # Too strict
-    - stylecheck # skip because report issues related to some generated files.
-    - testpackage # Too strict
-    - tparallel # Not relevant
-    - paralleltest # Not relevant
+    - err113 # Too strict
     - exhaustive # Not relevant
     - exhaustruct # Not relevant
-    - err113 # Too strict
-    - wrapcheck # Too strict
-    - noctx # Too strict
-    - bodyclose # too many false-positive
     - forcetypeassert # Too strict
-    - tagliatelle # Too strict
-    - varnamelen # Not relevant
-    - nilnil # Not relevant
-    - ireturn # Not relevant
-    - contextcheck # too many false-positive
-    - containedctx # too many false-positive
-    - maintidx # kind of duplicate of gocyclo
-    - nonamedreturns # Too strict
+    - gochecknoglobals
+    - gochecknoinits
+    - gocognit # Too strict
+    - gocyclo # FIXME must be fixed
+    - gosec # Too strict
     - gosmopolitan  # not relevant
-    - exportloopref # Not relevant since go1.22
+    - ireturn # Not relevant
+    - lll # Not relevant
+    - maintidx # kind of duplicate of gocyclo
+    - makezero # Not relevant
+    - mnd # Too strict
+    - nestif # Too many false-positive.
+    - nilnil # Not relevant
+    - nlreturn # Not relevant
+    - noctx # Too strict
+    - nonamedreturns # Too strict
+    - paralleltest # Not relevant
+    - prealloc # Too many false-positive.
+    - rowserrcheck # not relevant (SQL)
+    - sqlclosecheck # not relevant (SQL)
+    - tagliatelle # Too strict
+    - testpackage # Too strict
+    - tparallel # Not relevant
+    - varnamelen # Not relevant
+    - wrapcheck # Too strict
+    - wsl # Too strict
+
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: github.com/instana/testify
+              desc: not allowed
+            - pkg: github.com/pkg/errors
+              desc: Should be replaced by standard lib errors package
+    errcheck:
+      exclude-functions:
+        - fmt.Fprintln
+    forbidigo:
+      forbid:
+        - pattern: ^print(ln)?$
+        - pattern: ^spew\.Print(f|ln)?$
+        - pattern: ^spew\.Dump$
+    funlen:
+      lines: -1
+      statements: 120
+    goconst:
+      min-len: 3
+      min-occurrences: 4
+    gocyclo:
+      min-complexity: 14
+    godox:
+      keywords:
+        - FIXME
+    gomoddirectives:
+      toolchain-pattern: go1\.\d+\.\d+$
+      tool-forbidden: true
+      go-version-pattern: ^1\.\d+(\.0)?$
+      replace-allow-list:
+        - github.com/abbot/go-http-auth
+        - github.com/gorilla/mux
+        - github.com/mailgun/minheap
+        - github.com/mailgun/multibuf
+        - github.com/jaguilar/vt100
+        - github.com/cucumber/godog
+    govet:
+      enable-all: true
+      disable:
+        - shadow
+        - fieldalignment
+    importas:
+      no-unaliased: true
+      alias:
+        - pkg: github.com/docker/compose/v2/pkg/api
+          alias: composeapi
+
+        # Standard Kubernetes rewrites:
+        - pkg: k8s.io/api/core/v1
+          alias: corev1
+        - pkg: k8s.io/api/networking/v1
+          alias: netv1
+        - pkg: k8s.io/api/networking/v1beta1
+          alias: netv1beta1
+        - pkg: k8s.io/api/admission/v1
+          alias: admv1
+        - pkg: k8s.io/api/admission/v1beta1
+          alias: admv1beta1
+        - pkg: k8s.io/api/extensions/v1beta1
+          alias: extv1beta1
+        - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+          alias: metav1
+        - pkg: k8s.io/apimachinery/pkg/types
+          alias: ktypes
+        - pkg: k8s.io/apimachinery/pkg/api/errors
+          alias: kerror
+        - pkg: k8s.io/client-go/kubernetes
+          alias: kclientset
+        - pkg: k8s.io/client-go/informers
+          alias: kinformers
+        - pkg: k8s.io/client-go/testing
+          alias: ktesting
+        - pkg: k8s.io/apimachinery/pkg/runtime/schema
+          alias: kschema
+        - pkg: k8s.io/client-go/kubernetes/scheme
+          alias: kscheme
+        - pkg: k8s.io/apimachinery/pkg/version
+          alias: kversion
+        - pkg: k8s.io/client-go/kubernetes/fake
+          alias: kubefake
+        - pkg: k8s.io/client-go/discovery/fake
+          alias: discoveryfake
+
+        # Kubernetes Gateway rewrites:
+        - pkg: sigs.k8s.io/gateway-api/pkg/client/clientset/gateway/versioned
+          alias: gateclientset
+        - pkg: sigs.k8s.io/gateway-api/pkg/client/informers/gateway/externalversions
+          alias: gateinformers
+        - pkg: sigs.k8s.io/gateway-api/apis/v1alpha2
+          alias: gatev1alpha2
+
+        # Traefik Kubernetes rewrites:
+        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1
+          alias: traefikv1alpha1
+        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned
+          alias: traefikclientset
+        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/informers/externalversions
+          alias: traefikinformers
+        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme
+          alias: traefikscheme
+        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake
+          alias: traefikcrdfake
+    misspell:
+      locale: US
+    revive:
+      rules:
+        - name: struct-tag
+        - name: blank-imports
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: dot-imports
+        - name: error-return
+        - name: error-strings
+        - name: error-naming
+        - name: exported
+          disabled: true
+        - name: if-return
+        - name: increment-decrement
+        - name: var-naming
+        - name: var-declaration
+        - name: package-comments
+          disabled: true
+        - name: range
+        - name: receiver-naming
+        - name: time-naming
+        - name: unexported-return
+        - name: indent-error-flow
+        - name: errorf
+        - name: empty-block
+        - name: superfluous-else
+        - name: unused-parameter
+          disabled: true
+        - name: unreachable-code
+        - name: redefines-builtin-id
+    tagalign:
+      align: false
+      sort: true
+      order:
+        - description
+        - json
+        - toml
+        - yaml
+        - yml
+        - label
+        - label-slice-as-struct
+        - file
+        - kv
+        - export
+    testifylint:
+      disable:
+        - suite-dont-use-pkg
+        - require-error
+        - go-require
+    perfsprint:
+      err-error: true
+      errorf: true
+      sprintf1: true
+      strconcat: false
+    staticcheck:
+      checks:
+        - all
+        - '-SA1019'
+        - '-ST1000'
+        - '-ST1003'
+        - '-ST1016'
+        - '-ST1020'
+        - '-ST1021'
+        - '-ST1022'
+        - '-QF1001'
+        - '-QF1008' # TODO must be fixed
+
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - std-error-handling
+    rules:
+      - path: (.+)_test.go
+        linters:
+          - canonicalheader
+          - fatcontext
+          - funlen
+          - goconst
+          - godot
+      - path: (.+)_test.go
+        text: ' always receives '
+        linters:
+          - unparam
+      - path: pkg/server/service/bufferpool.go
+        text: 'SA6002: argument should be pointer-like to avoid allocations'
+      - path: pkg/server/middleware/middlewares.go
+        text: Function 'buildConstructor' has too many statements
+        linters:
+          - funlen
+      - path: pkg/tracing/haystack/logger.go
+        linters:
+          - goprintffuncname
+      - path: pkg/tracing/tracing.go
+        text: printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'
+        linters:
+          - goprintffuncname
+      - path: pkg/tls/tlsmanager_test.go
+        text: 'SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18'
+      - path: pkg/types/tls_test.go
+        text: 'SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18'
+      - path: pkg/provider/kubernetes/(crd|gateway)/client.go
+        linters:
+          - interfacebloat
+      - path: pkg/metrics/metrics.go
+        linters:
+          - interfacebloat
+      - path: integration/healthcheck_test.go
+        text: Duplicate words \(wsp2,\) found
+        linters:
+          - dupword
+      - path: pkg/types/domain_test.go
+        text: Duplicate words \(sub\) found
+        linters:
+          - dupword
+      - path: pkg/provider/kubernetes/gateway/client_mock_test.go
+        text: 'unusedwrite: unused write to field'
+        linters:
+          - govet
+      - path: pkg/provider/acme/local_store.go
+        linters:
+          - musttag
+      - path: pkg/tls/certificate.go
+        text: the methods of "Certificates" use pointer receiver and non-pointer receiver.
+        linters:
+          - recvcheck
+      - path: pkg/config/static/static_config.go
+        source: 'errors.New\("Consul Catalog provider'
+        text: 'ST1005: error strings should not be capitalized'
+      - path: pkg/config/static/static_config.go
+        source: 'errors.New\("Consul provider'
+        text: 'ST1005: error strings should not be capitalized'
+      - path: pkg/config/static/static_config.go
+        source: 'errors.New\("Nomad provider'
+        text: 'ST1005: error strings should not be capitalized'
+      - path: (.+)\.go
+        text: 'struct-tag: unknown option ''inline'' in JSON tag'
+        linters:
+          - revive
+      - path: (.+)\.go
+        text: 'struct-tag: unknown option ''omitzero'' in TOML tag'
+        linters:
+          - revive
+      - path: (.+)\.go$
+        text: 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
+      - path: (.+)\.go$
+        text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
+      - path: (.+)\.go$
+        text: 'SA1019: c.Providers.(ConsulCatalog|Consul|Nomad).Namespace is deprecated'
+      - path: (.+)\.go$
+        text: 'SA1019: dockertypes.ContainerNode is deprecated'
+      - path: pkg/provider/kubernetes/crd/kubernetes.go
+        text: "Function 'loadConfigurationFromCRD' has too many statements"
+        linters:
+          - funlen
+      - path: pkg/plugins/middlewarewasm.go
+        text: 'the methods of "wasmMiddlewareBuilder" use pointer receiver and non-pointer receiver.'
+        linters:
+          - recvcheck
+      - path: pkg/proxy/httputil/bufferpool.go
+        text: 'SA6002: argument should be pointer-like to avoid allocations'
+    paths:
+      - pkg/provider/kubernetes/crd/generated/
 
 issues:
-  exclude-use-default: false
   max-issues-per-linter: 0
   max-same-issues: 0
-  exclude-dirs:
-    - pkg/provider/kubernetes/crd/generated/
-  exclude:
-    - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
-    - "should have a package comment, unless it's in another file for this package"
-    - 'fmt.Sprintf can be replaced with string'
-    - 'SA1019: dockertypes.ContainerNode is deprecated'
-  exclude-rules:
-    - path: '(.+)_test.go'
-      linters:
-        - goconst
-        - funlen
-        - godot
-        - canonicalheader
-        - fatcontext
-    - path: '(.+)_test.go'
-      text: ' always receives '
-      linters:
-        - unparam
-    - path: '(.+)\.go'
-      text: 'struct-tag: unknown option ''inline'' in JSON tag'
-      linters:
-        - revive
-    - path: pkg/proxy/httputil/bufferpool.go
-      text: 'SA6002: argument should be pointer-like to avoid allocations'
-    - path: pkg/server/middleware/middlewares.go
-      text: "Function 'buildConstructor' has too many statements"
-      linters:
-        - funlen
-    - path: pkg/logs/haystack.go
-      linters:
-        - goprintffuncname
-    - path: pkg/tracing/tracing.go
-      text: "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
-      linters:
-        - goprintffuncname
-    - path: pkg/tls/tlsmanager_test.go
-      text: 'SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18'
-    - path: pkg/types/tls_test.go
-      text: 'SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18'
-    - path: pkg/provider/kubernetes/crd/kubernetes.go
-      text: 'SA1019: middleware.Spec.IPWhiteList is deprecated: please use IPAllowList instead.'
-    - path: pkg/server/middleware/tcp/middlewares.go
-      text: 'SA1019: config.IPWhiteList is deprecated: please use IPAllowList instead.'
-    - path: pkg/server/middleware/middlewares.go
-      text: 'SA1019: config.IPWhiteList is deprecated: please use IPAllowList instead.'
-    - path: pkg/provider/kubernetes/(crd|gateway)/client.go
-      linters:
-        - interfacebloat
-    - path: pkg/metrics/metrics.go
-      linters:
-        - interfacebloat
-    - path: integration/healthcheck_test.go
-      text: 'Duplicate words \(wsp2,\) found'
-      linters:
-        - dupword
-    - path: pkg/types/domain_test.go
-      text: 'Duplicate words \(sub\) found'
-      linters:
-        - dupword
-    - path: pkg/provider/kubernetes/crd/kubernetes.go
-      text: "Function 'loadConfigurationFromCRD' has too many statements"
-      linters:
-        - funlen
-    - path: pkg/provider/kubernetes/gateway/client_mock_test.go
-      text: 'unusedwrite: unused write to field'
-      linters:
-        - govet
-    - path: pkg/cli/deprecation.go
-      linters:
-        - goconst
-    - path: pkg/cli/loader_file.go
-      linters:
-        - goconst
-    - path: pkg/provider/acme/local_store.go
-      linters:
-        - musttag
-    - path: pkg/types/metrics.go
-      linters:
-        - goconst
-    - path: pkg/tls/certificate.go
-      text: 'the methods of "Certificates" use pointer receiver and non-pointer receiver.'
-      linters:
-        - recvcheck
-    - path: pkg/plugins/middlewarewasm.go
-      text: 'the methods of "wasmMiddlewareBuilder" use pointer receiver and non-pointer receiver.'
-      linters:
-        - recvcheck
-
-output:
-  show-stats: true
-  sort-results: true
-  sort-order:
-    - linter
-    - file

CHANGELOG.md

@@ -1,3 +1,215 @@
+## [v3.3.7](https://github.com/traefik/traefik/tree/v3.3.7) (2025-05-05)
+[All Commits](https://github.com/traefik/traefik/compare/v3.3.6...v3.3.7)
+
+**Bug fixes:**
+- **[logs,middleware,accesslogs]** Add SpanID and TraceID accessLogs fields only when tracing is enabled ([#11715](https://github.com/traefik/traefik/pull/11715) by [rtribotte](https://github.com/rtribotte))
+
+## [v3.3.6](https://github.com/traefik/traefik/tree/v3.3.6) (2025-04-18)
+[All Commits](https://github.com/traefik/traefik/compare/v3.3.5...v3.3.6)
+
+**Documentation:**
+- **[k8s/gatewayapi]** Fix Kubernetes Gateway statusAddress documentation ([#11663](https://github.com/traefik/traefik/pull/11663) by [kevinpollet](https://github.com/kevinpollet))
+- **[tracing]** Document how to pass multiple Headers on tracing with CLI ([#11665](https://github.com/traefik/traefik/pull/11665) by [mloiseleur](https://github.com/mloiseleur))
+- Fix typos on what is Traefik docs page ([#11685](https://github.com/traefik/traefik/pull/11685) by [matthewCmatt](https://github.com/matthewCmatt))
+- Update Welcome Page ([#11615](https://github.com/traefik/traefik/pull/11615) by [sheddy-traefik](https://github.com/sheddy-traefik))
+
+**Misc:**
+- Merge branch v2.11 into v3.3 ([#11703](https://github.com/traefik/traefik/pull/11703) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.11 into v3.3 ([#11696](https://github.com/traefik/traefik/pull/11696) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.3 ([#11694](https://github.com/traefik/traefik/pull/11694) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.24](https://github.com/traefik/traefik/tree/v2.11.24) (2025-04-18)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.22...v2.11.24)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.23.1 ([#11690](https://github.com/traefik/traefik/pull/11690) by [ldez](https://github.com/ldez))
+- **[metrics]** Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.72.2 ([#11693](https://github.com/traefik/traefik/pull/11693) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** Add Content-Length header to preflight response ([#11682](https://github.com/traefik/traefik/pull/11682) by [lbenguigui](https://github.com/lbenguigui))
+- **[server]** Sanitize request path ([#11684](https://github.com/traefik/traefik/pull/11684) by [rtribotte](https://github.com/rtribotte))
+- Bump github.com/redis/go-redis/v9 to v9.7.3 ([#11695](https://github.com/traefik/traefik/pull/11695) by [kevinpollet](https://github.com/kevinpollet))
+- Bump golang.org/x/net to v0.38.0 ([#11691](https://github.com/traefik/traefik/pull/11691) by [kevinpollet](https://github.com/kevinpollet))
+- Bump golang.org/x/oauth2 to v0.28.0 ([#11689](https://github.com/traefik/traefik/pull/11689) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[middleware]** Add content-length best practice documentation ([#11697](https://github.com/traefik/traefik/pull/11697) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Typo fix on the Explanation Section for User Guide HTTP Challenge. ([#11676](https://github.com/traefik/traefik/pull/11676) by [YapWC](https://github.com/YapWC))
+
+## [v2.11.23](https://github.com/traefik/traefik/tree/v2.11.23) (2025-04-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.22...v2.11.23)
+
+Release canceled.
+
+## [v3.3.5](https://github.com/traefik/traefik/tree/v3.3.5) (2025-03-31)
+[All Commits](https://github.com/traefik/traefik/compare/v3.3.4...v3.3.5)
+
+**Bug fixes:**
+- **[k8s/gatewayapi]** Set scheme to https with BackendTLSPolicy ([#11586](https://github.com/traefik/traefik/pull/11586) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Revert compress middleware algorithms priority to v2 behavior ([#11641](https://github.com/traefik/traefik/pull/11641) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Do not abort request when response content-type is malformed ([#11628](https://github.com/traefik/traefik/pull/11628) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** Compress data on flush when compression is not started ([#11583](https://github.com/traefik/traefik/pull/11583) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[middleware]** Add back forwarded headers section in FAQ ([#11606](https://github.com/traefik/traefik/pull/11606) by [kevinpollet](https://github.com/kevinpollet))
+- New Routing Reference Documentation ([#11330](https://github.com/traefik/traefik/pull/11330) by [sheddy-traefik](https://github.com/sheddy-traefik))
+
+**Misc:**
+- Merge branch v2.11 into v3.3 ([#11644](https://github.com/traefik/traefik/pull/11644) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.11 into v3.3 ([#11594](https://github.com/traefik/traefik/pull/11594) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.22](https://github.com/traefik/traefik/tree/v2.11.22) (2025-03-31)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.21...v2.11.22)
+
+**Bug fixes:**
+- **[ecs,logs]** Bump AWS SDK to v2 ([#11359](https://github.com/traefik/traefik/pull/11359) by [Juneezee](https://github.com/Juneezee))
+- **[logs,tls]** Error level log for configuration-related TLS errors with backends ([#11611](https://github.com/traefik/traefik/pull/11611) by [rtribotte](https://github.com/rtribotte))
+- **[rules]** Allow underscore character in HostSNI matcher ([#11557](https://github.com/traefik/traefik/pull/11557) by [rohitlohar45](https://github.com/rohitlohar45))
+- **[server]** Bump github.com/vulcand/oxy/v2 to v2.0.3 ([#11649](https://github.com/traefik/traefik/pull/11649) by [adamvduke](https://github.com/adamvduke))
+- **[server]** Bump golang.org/x/net to v0.37.0 ([#11632](https://github.com/traefik/traefik/pull/11632) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Change boolean module properties default value to undefined ([#11639](https://github.com/traefik/traefik/pull/11639) by [rtribotte](https://github.com/rtribotte))
+- Bump github.com/golang-jwt/jwt to v4.5.2 and v5.2.2 ([#11634](https://github.com/traefik/traefik/pull/11634) by [kevinpollet](https://github.com/kevinpollet))
+- Bump github.com/redis/go-redis/v9 to v9.6.3 ([#11633](https://github.com/traefik/traefik/pull/11633) by [kevinpollet](https://github.com/kevinpollet))
+- Bump golang.org/x/net to v0.36.0 ([#11608](https://github.com/traefik/traefik/pull/11608) by [kevinpollet](https://github.com/kevinpollet))
+- Bump github.com/go-jose/go-jose/v4 to v4.0.5 ([#11571](https://github.com/traefik/traefik/pull/11571) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[accesslogs]** Remove documentation for OriginStatusLine and DownstreamStatusLine accessLogs fields ([#11599](https://github.com/traefik/traefik/pull/11599) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Clarifies that retry middleware uses TCP, not HTTP status codes ([#11603](https://github.com/traefik/traefik/pull/11603) by [geraldcroes](https://github.com/geraldcroes))
+- **[redis]** Add tip for dynamic configuration updates of Redis ([#11577](https://github.com/traefik/traefik/pull/11577) by [Alanxtl](https://github.com/Alanxtl))
+- Add Security Support ([#11610](https://github.com/traefik/traefik/pull/11610) by [nmengin](https://github.com/nmengin))
+
+## [v3.3.4](https://github.com/traefik/traefik/tree/v3.3.4) (2025-02-25)
+[All Commits](https://github.com/traefik/traefik/compare/v3.3.3...v3.3.4)
+
+**Bug fixes:**
+- **[fastproxy]** Bump github.com/valyala/fasthttp to v1.58.0 ([#11526](https://github.com/traefik/traefik/pull/11526) by [kevinpollet](https://github.com/kevinpollet))
+- **[fastproxy]** Add WebSocket headers if they are present in the request ([#11522](https://github.com/traefik/traefik/pull/11522) by [kevinpollet](https://github.com/kevinpollet))
+- **[fastproxy]** Chunked responses does not have a Content-Length header ([#11514](https://github.com/traefik/traefik/pull/11514) by [kevinpollet](https://github.com/kevinpollet))
+- **[metrics,otel]** Change request duration metric unit from millisecond to second ([#11523](https://github.com/traefik/traefik/pull/11523) by [rtribotte](https://github.com/rtribotte))
+- **[sticky-session]** Fix double hash in sticky cookie ([#11518](https://github.com/traefik/traefik/pull/11518) by [juliens](https://github.com/juliens))
+- **[tracing]** Use ResourceAttributes instead of GlobalAttributes ([#11515](https://github.com/traefik/traefik/pull/11515) by [bruno-de-queiroz](https://github.com/bruno-de-queiroz))
+- **[tracing]** Fix panic when calling Tracer ([#11479](https://github.com/traefik/traefik/pull/11479) by [basgys](https://github.com/basgys))
+
+**Documentation:**
+- **[acme]** Update ACME provider configuration options ([#11564](https://github.com/traefik/traefik/pull/11564) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[acme]** Fix incorrect grammar in ACME documentation ([#11553](https://github.com/traefik/traefik/pull/11553) by [Peter-Maguire](https://github.com/Peter-Maguire))
+- **[metrics,tracing,accesslogs]** Add missing options in entrypoints page ([#11524](https://github.com/traefik/traefik/pull/11524) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[tracing]** Replace globalAttributes with resourceAttributes in tracing reference ([#11531](https://github.com/traefik/traefik/pull/11531) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v2.11 into v3.3 ([#11567](https://github.com/traefik/traefik/pull/11567) by [kevinpollet](https://github.com/kevinpollet))
+
+# [v2.11.21](https://github.com/traefik/traefik/tree/v2.11.21) (2025-02-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.20...v2.11.21)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.22.2 ([#11537](https://github.com/traefik/traefik/pull/11537) by [ldez](https://github.com/ldez))
+- **[cli]** Bump github.com/traefik/paerser to v0.2.2 ([#11530](https://github.com/traefik/traefik/pull/11530) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** Enable the retry middleware in the proxy ([#11536](https://github.com/traefik/traefik/pull/11536) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** Retry should send headers on Write ([#11534](https://github.com/traefik/traefik/pull/11534) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.3.3](https://github.com/traefik/traefik/tree/v3.3.3) (2025-01-31)
+[All Commits](https://github.com/traefik/traefik/compare/v3.3.2...v3.3.3)
+
+**Bug fixes:**
+- **[api]** Do not create observability model by default ([#11476](https://github.com/traefik/traefik/pull/11476) by [rtribotte](https://github.com/rtribotte))
+- **[fastproxy]** Fix content-length header assertion ([#11498](https://github.com/traefik/traefik/pull/11498) by [kevinpollet](https://github.com/kevinpollet))
+- **[fastproxy]** Handle responses without content length header ([#11458](https://github.com/traefik/traefik/pull/11458) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/crd,k8s]** Add missing headerField in Middleware CRD ([#11499](https://github.com/traefik/traefik/pull/11499) by [jspdown](https://github.com/jspdown))
+- **[tracing,accesslogs]** Bring back TraceID and SpanID fields in access logs ([#11450](https://github.com/traefik/traefik/pull/11450) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v2.11 into v3.3 ([#11502](https://github.com/traefik/traefik/pull/11502) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.3 ([#11491](https://github.com/traefik/traefik/pull/11491) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.20](https://github.com/traefik/traefik/tree/v2.11.20) (2025-01-31)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.19...v2.11.20)
+
+**Bug fixes:**
+- **[acme]** Graceful shutdown for ACME JSON write operation ([#11497](https://github.com/traefik/traefik/pull/11497) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- Change docker-compose to docker compose ([#11496](https://github.com/traefik/traefik/pull/11496) by [khai-pi](https://github.com/khai-pi))
+
+## [v2.11.19](https://github.com/traefik/traefik/tree/v2.11.19) (2025-01-29)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.18...v2.11.19)
+
+**Bug fixes:**
+- **[middleware]** Changing log message when client cert is not available to debug ([#11453](https://github.com/traefik/traefik/pull/11453) by [Nelwhix](https://github.com/Nelwhix))
+- **[service]** Do not create a logger instance for each proxy ([#11487](https://github.com/traefik/traefik/pull/11487) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Fix auto refresh not clearing on component unmount ([#11477](https://github.com/traefik/traefik/pull/11477) by [DoubleREW](https://github.com/DoubleREW))
+
+**Documentation:**
+- Remove awesome.traefik.io reference in documentation section ([#11435](https://github.com/traefik/traefik/pull/11435) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.3.2](https://github.com/traefik/traefik/tree/v3.3.2) (2025-01-14)
+[All Commits](https://github.com/traefik/traefik/compare/v3.3.1...v3.3.2)
+
+**Bug fixes:**
+- **[fastproxy]** Do not read response body for HEAD requests ([#11442](https://github.com/traefik/traefik/pull/11442) by [kevinpollet](https://github.com/kevinpollet))
+- **[metrics,tracing,accesslogs]** Fix observability configuration on EntryPoints ([#11446](https://github.com/traefik/traefik/pull/11446) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Set content-type when serving webui index ([#11428](https://github.com/traefik/traefik/pull/11428) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[acme]** Fix deprecated dnsChallenge propagation logging and documentation ([#11433](https://github.com/traefik/traefik/pull/11433) by [thomscode](https://github.com/thomscode))
+- **[acme]** Add missing trailing s to propagation.delayBeforeCheck option ([#11417](https://github.com/traefik/traefik/pull/11417) by [jspiers](https://github.com/jspiers))
+
+**Misc:**
+- Merge branch v2.11 into v3.3 ([#11419](https://github.com/traefik/traefik/pull/11419) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.3.1](https://github.com/traefik/traefik/tree/v3.3.1) (2025-01-07)
+[All Commits](https://github.com/traefik/traefik/compare/v3.3.0...v3.3.1)
+
+**Bug fixes:**
+- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11408](https://github.com/traefik/traefik/pull/11408) by [rtribotte](https://github.com/rtribotte))
+
+## [v3.2.5](https://github.com/traefik/traefik/tree/v3.2.5) (2025-01-07)
+[All Commits](https://github.com/traefik/traefik/compare/v3.2.4...v3.2.5)
+
+**Bug fixes:**
+- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11408](https://github.com/traefik/traefik/pull/11408) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.18](https://github.com/traefik/traefik/tree/v2.11.18) (2025-01-07)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.17...v2.11.18)
+
+**Bug fixes:**
+- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11412](https://github.com/traefik/traefik/pull/11412) by [rtribotte](https://github.com/rtribotte))
+
+## [v3.3.0](https://github.com/traefik/traefik/tree/v3.3.0) (2025-01-06)
+[All Commits](https://github.com/traefik/traefik/compare/v3.2.0-rc1...v3.3.0)
+
+**Enhancements:**
+- **[acme]** Add options to control ACME propagation checks ([#11241](https://github.com/traefik/traefik/pull/11241) by [ldez](https://github.com/ldez))
+- **[api]** Add support dump API endpoint ([#11328](https://github.com/traefik/traefik/pull/11328) by [mmatur](https://github.com/mmatur))
+- **[http]** Set Host header in HTTP provider request ([#11237](https://github.com/traefik/traefik/pull/11237) by [nikonhub](https://github.com/nikonhub))
+- **[k8s/crd,k8s]** Make the IngressRoute kind optional ([#11177](https://github.com/traefik/traefik/pull/11177) by [skirtan1](https://github.com/skirtan1))
+- **[k8s/ingress,sticky-session,k8s/crd,k8s]** Support serving endpoints ([#11121](https://github.com/traefik/traefik/pull/11121) by [BZValoche](https://github.com/BZValoche))
+- **[logs,accesslogs]** OpenTelemetry Logs and Access Logs ([#11319](https://github.com/traefik/traefik/pull/11319) by [rtribotte](https://github.com/rtribotte))
+- **[logs,accesslogs]** Add experimental flag for OTLP logs integration ([#11335](https://github.com/traefik/traefik/pull/11335) by [kevinpollet](https://github.com/kevinpollet))
+- **[metrics,tracing,accesslogs]** Manage observability at entrypoint and router level ([#11308](https://github.com/traefik/traefik/pull/11308) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,authentication]** Add an option to preserve the ForwardAuth Server Location header ([#11318](https://github.com/traefik/traefik/pull/11318) by [Nelwhix](https://github.com/Nelwhix))
+- **[middleware,authentication]** Only calculate basic auth hashes once for concurrent requests ([#11143](https://github.com/traefik/traefik/pull/11143) by [michelheusschen](https://github.com/michelheusschen))
+- **[middleware,authentication]** Send request body to authorization server for forward auth ([#11097](https://github.com/traefik/traefik/pull/11097) by [kyo-ke](https://github.com/kyo-ke))
+- **[plugins]** Add AbortOnPluginFailure option to abort startup on plugin load failure ([#11228](https://github.com/traefik/traefik/pull/11228) by [bmagic](https://github.com/bmagic))
+- **[sticky-session]** Configurable path for sticky cookies ([#11166](https://github.com/traefik/traefik/pull/11166) by [IIpragmaII](https://github.com/IIpragmaII))
+- **[webui,api]** Configurable API & Dashboard base path ([#11250](https://github.com/traefik/traefik/pull/11250) by [rtribotte](https://github.com/rtribotte))
+
+**Bug fixes:**
+- **[k8s/ingress,k8s/crd]** Fix fenced server status computation ([#11361](https://github.com/traefik/traefik/pull/11361) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- Prepare release v3.3.0-rc2 ([#11362](https://github.com/traefik/traefik/pull/11362) by [rtribotte](https://github.com/rtribotte))
+- Prepare Release v3.3.0-rc1 ([#11349](https://github.com/traefik/traefik/pull/11349) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v3.2 into v3.3 ([#11402](https://github.com/traefik/traefik/pull/11402) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.2 into v3.3 ([#11393](https://github.com/traefik/traefik/pull/11393) by [mmatur](https://github.com/mmatur))
+- Merge branch v3.2 into v3.3 ([#11389](https://github.com/traefik/traefik/pull/11389) by [mmatur](https://github.com/mmatur))
+- Merge branch v3.2 into v3.3 ([#11367](https://github.com/traefik/traefik/pull/11367) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.2 into master ([#11340](https://github.com/traefik/traefik/pull/11340) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.2 into master ([#11293](https://github.com/traefik/traefik/pull/11293) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.2 into master ([#11239](https://github.com/traefik/traefik/pull/11239) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.2 into master ([#11187](https://github.com/traefik/traefik/pull/11187) by [kevinpollet](https://github.com/kevinpollet))
+
 ## [v3.2.4](https://github.com/traefik/traefik/tree/v3.2.4) (2025-01-06)
 [All Commits](https://github.com/traefik/traefik/compare/v3.2.3...v3.2.4)
 
@@ -30,6 +242,37 @@
 - **[acme]** Fix allowACMEByPass TOML example ([#11370](https://github.com/traefik/traefik/pull/11370) by [hannesbraun](https://github.com/hannesbraun))
 - **[k8s/crd]** Update copyright for 2025 ([#11383](https://github.com/traefik/traefik/pull/11383) by [kevinpollet](https://github.com/kevinpollet))
 
+## [v3.3.0-rc2](https://github.com/traefik/traefik/tree/v3.3.0-rc2) (2024-12-20)
+[All Commits](https://github.com/traefik/traefik/compare/v3.3.0-rc1...v3.3.0-rc2)
+
+**Bug fixes:**
+- **[k8s/ingress,k8s/crd]** Fix fenced server status computation ([#11361](https://github.com/traefik/traefik/pull/11361) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.3.0-rc1](https://github.com/traefik/traefik/tree/v3.3.0-rc1) (2024-12-16)
+[All Commits](https://github.com/traefik/traefik/compare/v3.2.0-rc1...v3.3.0-rc1)
+
+**Enhancements:**
+- **[acme]** Add options to control ACME propagation checks ([#11241](https://github.com/traefik/traefik/pull/11241) by [ldez](https://github.com/ldez))
+- **[api]** Add support dump API endpoint ([#11328](https://github.com/traefik/traefik/pull/11328) by [mmatur](https://github.com/mmatur))
+- **[http]** Set Host header in HTTP provider request ([#11237](https://github.com/traefik/traefik/pull/11237) by [nikonhub](https://github.com/nikonhub))
+- **[k8s/crd,k8s]** Make the IngressRoute kind optional ([#11177](https://github.com/traefik/traefik/pull/11177) by [skirtan1](https://github.com/skirtan1))
+- **[logs,accesslogs]** OpenTelemetry Logs and Access Logs ([#11319](https://github.com/traefik/traefik/pull/11319) by [rtribotte](https://github.com/rtribotte))
+- **[logs,accesslogs]** Add experimental flag for OTLP logs integration ([#11335](https://github.com/traefik/traefik/pull/11335) by [kevinpollet](https://github.com/kevinpollet))
+- **[metrics,tracing,accesslogs]** Manage observability at entrypoint and router level ([#11308](https://github.com/traefik/traefik/pull/11308) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,authentication]** Add an option to preserve the ForwardAuth Server Location header ([#11318](https://github.com/traefik/traefik/pull/11318) by [Nelwhix](https://github.com/Nelwhix))
+- **[middleware,authentication]** Only calculate basic auth hashes once for concurrent requests ([#11143](https://github.com/traefik/traefik/pull/11143) by [michelheusschen](https://github.com/michelheusschen))
+- **[middleware,authentication]** Send request body to authorization server for forward auth ([#11097](https://github.com/traefik/traefik/pull/11097) by [kyo-ke](https://github.com/kyo-ke))
+- **[plugins]** Add AbortOnPluginFailure option to abort startup on plugin load failure ([#11228](https://github.com/traefik/traefik/pull/11228) by [bmagic](https://github.com/bmagic))
+- **[sticky-session]** Configurable path for sticky cookies ([#11166](https://github.com/traefik/traefik/pull/11166) by [IIpragmaII](https://github.com/IIpragmaII))
+- **[sticky-session,k8s/ingress,k8s/crd,k8s]** Support serving endpoints ([#11121](https://github.com/traefik/traefik/pull/11121) by [BZValoche](https://github.com/BZValoche))
+- **[webui,api]** Configurable API & Dashboard base path ([#11250](https://github.com/traefik/traefik/pull/11250) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v3.2 into master ([#11340](https://github.com/traefik/traefik/pull/11340) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.2 into master ([#11293](https://github.com/traefik/traefik/pull/11293) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.2 into master ([#11239](https://github.com/traefik/traefik/pull/11239) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.2 into master ([#11187](https://github.com/traefik/traefik/pull/11187) by [kevinpollet](https://github.com/kevinpollet))
+
 ## [v3.2.3](https://github.com/traefik/traefik/tree/v3.2.3) (2024-12-16)
 [All Commits](https://github.com/traefik/traefik/compare/v3.2.2...v3.2.3)
 

Makefile

@@ -101,7 +101,7 @@ test-integration: binary
 #? test-gateway-api-conformance: Run the conformance tests
 test-gateway-api-conformance: build-image-dirty
 	# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.2" $(TESTFLAGS)
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.3" $(TESTFLAGS)
 
 .PHONY: test-ui-unit
 #? test-ui-unit: Run the unit tests for the webui
@@ -175,7 +175,7 @@ docs-pull-images:
 .PHONY: generate-crd
 #? generate-crd: Generate CRD clientset and CRD manifests
 generate-crd:
-	@$(CURDIR)/script/code-gen-docker.sh
+	@$(CURDIR)/script/code-gen.sh
 
 .PHONY: generate-genconf
 #? generate-genconf: Generate code from dynamic configuration github.com/traefik/genconf

README.md

@@ -59,7 +59,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 - Continuously updates its configuration (No restarts!)
 - Supports multiple load balancing algorithms
-- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
+- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org) (wildcard certificates support)
 - Circuit breakers, retry
 - See the magic through its clean web UI
 - WebSocket, HTTP/2, gRPC ready
@@ -90,8 +90,6 @@ You can access the simple HTML frontend of Traefik.
 
 You can find the complete documentation of Traefik v3 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
 
-A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
-
 ## Support
 
 To get community support, you can:

cmd/traefik/logger.go

@@ -1,6 +1,8 @@
 package main
 
 import (
+	"errors"
+	"fmt"
 	"io"
 	stdlog "log"
 	"os"
@@ -20,12 +22,21 @@ func init() {
 	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
 }
 
-func setupLogger(staticConfiguration *static.Configuration) {
+func setupLogger(staticConfiguration *static.Configuration) error {
+	// Validate that the experimental flag is set up at this point,
+	// rather than validating the static configuration before the setupLogger call.
+	// This ensures that validation messages are not logged using an un-configured logger.
+	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil &&
+		(staticConfiguration.Experimental == nil || !staticConfiguration.Experimental.OTLPLogs) {
+		return errors.New("the experimental OTLPLogs feature must be enabled to use OTLP logging")
+	}
+
 	// configure log format
 	w := getLogWriter(staticConfiguration)
 
 	// configure log level
 	logLevel := getLogLevel(staticConfiguration)
+	zerolog.SetGlobalLevel(logLevel)
 
 	// create logger
 	logCtx := zerolog.New(w).With().Timestamp()
@@ -34,8 +45,16 @@ func setupLogger(staticConfiguration *static.Configuration) {
 	}
 
 	log.Logger = logCtx.Logger().Level(logLevel)
+
+	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
+		var err error
+		log.Logger, err = logs.SetupOTelLogger(log.Logger, staticConfiguration.Log.OTLP)
+		if err != nil {
+			return fmt.Errorf("setting up OpenTelemetry logger: %w", err)
+		}
+	}
+
 	zerolog.DefaultContextLogger = &log.Logger
-	zerolog.SetGlobalLevel(logLevel)
 
 	// Global logrus replacement (related to lib like go-rancher-metadata, docker, etc.)
 	logrus.StandardLogger().Out = logs.NoLevel(log.Logger, zerolog.DebugLevel)
@@ -43,11 +62,16 @@ func setupLogger(staticConfiguration *static.Configuration) {
 	// configure default standard log.
 	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
 	stdlog.SetOutput(logs.NoLevel(log.Logger, zerolog.DebugLevel))
+
+	return nil
 }
 
 func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
-	var w io.Writer = os.Stdout
+	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
+		return io.Discard
+	}
 
+	var w io.Writer = os.Stdout
 	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
 		_, _ = os.OpenFile(staticConfiguration.Log.FilePath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666)
 		w = &lumberjack.Logger{

cmd/traefik/traefik.go

@@ -91,7 +91,9 @@ Complete documentation is available at https://traefik.io`,
 }
 
 func runCmd(staticConfiguration *static.Configuration) error {
-	setupLogger(staticConfiguration)
+	if err := setupLogger(staticConfiguration); err != nil {
+		return fmt.Errorf("setting up logger: %w", err)
+	}
 
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
@@ -190,7 +192,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}
 
-	acmeProviders := initACMEProvider(staticConfiguration, providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)
+	acmeProviders := initACMEProvider(staticConfiguration, providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider, routinesPool)
 
 	// Tailscale
 
@@ -239,6 +241,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	}
 
 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
+	if err != nil && staticConfiguration.Experimental != nil && staticConfiguration.Experimental.AbortOnPluginFailure {
+		return nil, fmt.Errorf("plugin: failed to create plugin builder: %w", err)
+	}
 	if err != nil {
 		pluginLogger.Err(err).Msg("Plugins are disabled because an error has occurred.")
 	} else if hasPlugins {
@@ -439,7 +444,7 @@ func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP serv
 }
 
 // initACMEProvider creates and registers acme.Provider instances corresponding to the configured ACME certificate resolvers.
-func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
+func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider, routinesPool *safe.Pool) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}
 
 	var resolvers []*acme.Provider
@@ -449,7 +454,7 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 		}
 
 		if localStores[resolver.ACME.Storage] == nil {
-			localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
+			localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage, routinesPool)
 		}
 
 		p := &acme.Provider{

docs/check.Dockerfile

@@ -14,8 +14,8 @@ RUN apk --no-cache --no-progress add \
     ruby-json \
     zlib-dev
 
-RUN gem install nokogiri --version 1.16.8 --no-document -- --use-system-libraries
-RUN gem install html-proofer --version 5.0.7 --no-document -- --use-system-libraries
+RUN gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
+RUN gem install html-proofer --version 5.0.10 --no-document -- --use-system-libraries
 
 # After Ruby, some NodeJS YAY!
 RUN apk --no-cache --no-progress add \

docs/content/deprecation/releases.md

@@ -4,24 +4,31 @@
 
 Below is a non-exhaustive list of versions and their maintenance status:
 
-| Version | Release Date | Community Support  |  
-|---------|--------------|--------------------|
-| 3.2     | Oct 28, 2024 | Yes                |
-| 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 |
-| 3.0     | Apr 29, 2024 | Ended Jul 15, 2024 |
-| 2.11    | Feb 12, 2024 | Ends  Apr 29, 2025 |
-| 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 |
-| 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 |
-| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 |
-| 2.7     | May 24, 2022 | Ended Jun 29, 2022 |
-| 2.6     | Jan 24, 2022 | Ended May 24, 2022 |
-| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 |
-| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 |
-| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 |
-| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 |
-| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 |
-| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 |
-| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 |
+| Version | Release Date | Active Support     | Security Support  |
+|---------|--------------|--------------------|-------------------|
+| 3.3     | Jan 06, 2025 | Yes                | Yes               |
+| 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 | No                |
+| 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 | No                |
+| 3.0     | Apr 29, 2024 | Ended Jul 15, 2024 | No                |
+| 2.11    | Feb 12, 2024 | Ends  Apr 29, 2025 | Ends Feb 01, 2026 |
+| 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 | No                |
+| 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 | No                |
+| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No                |
+| 2.7     | May 24, 2022 | Ended Jun 29, 2022 | No                |
+| 2.6     | Jan 24, 2022 | Ended May 24, 2022 | No                |
+| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 | No                |
+| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 | No                |
+| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 | No                |
+| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 | No                |
+| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 | No                |
+| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 | No                |
+| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 | No                |
+
+??? example "Active Support / Security Support"
+
+    - **Active support**: Receives any bug fixes.
+
+    - **Security support**: Receives only critical bug and security fixes.
 
 This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.
 

docs/content/getting-started/configuration-overview.md

@@ -79,7 +79,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:v3.2 --help
+# ex: docker run traefik:v3.3 --help
 ```
 
 Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.

docs/content/getting-started/install-traefik.md

@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:
 
 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
 
-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.2/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.2/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.3/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.3/traefik.sample.toml)
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.2
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.3
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.2`
+    ex: `traefik:v3.3`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
     * Any orchestrator using docker images can fetch the official Traefik docker image.
 

docs/content/getting-started/quick-start-with-kubernetes.md

@@ -154,7 +154,7 @@ spec:
       serviceAccountName: traefik-account
       containers:
         - name: traefik
-          image: traefik:v3.2
+          image: traefik:v3.3
           args:
             - --api.insecure
             - --providers.kubernetesingress

docs/content/getting-started/quick-start.md

@@ -20,7 +20,7 @@ version: '3'
 services:
   reverse-proxy:
     # The official v3 Traefik docker image
-    image: traefik:v3.2
+    image: traefik:v3.3
     # Enables the web UI and tells Traefik to listen to docker
     command: --api.insecure=true --providers.docker
     ports:
@@ -38,7 +38,7 @@ services:
 Start your `reverse-proxy` with the following command:
 
 ```shell
-docker-compose up -d reverse-proxy
+docker compose up -d reverse-proxy
 ```
 
 You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (you'll go back there once you have launched a service in step 2).
@@ -68,7 +68,7 @@ The above defines `whoami`: a web service that outputs information about the mac
 Start the `whoami` service with the following command:
 
 ```shell
-docker-compose up -d whoami
+docker compose up -d whoami
 ```
 
 Browse `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new container and updated its own configuration.
@@ -92,7 +92,7 @@ IP: 172.27.0.3
 Run more instances of your `whoami` service with the following command:
 
 ```shell
-docker-compose up -d --scale whoami=2
+docker compose up -d --scale whoami=2
 ```
 
 Browse to `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new instance of the container.

docs/content/https/acme.md

@@ -316,16 +316,20 @@ For complete details, refer to your provider's _Additional configuration_ link.
 
 | Provider Name                                                          | Provider Code      | Environment Variables                                                                                                                                                            |                                                                                 |
 |------------------------------------------------------------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
-| [ACME DNS](https://github.com/joohoi/acme-dns)                         | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
+| [ACME DNS](https://github.com/joohoi/acme-dns)                         | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`, `ACME_DNS_STORAGE_BASE_URL`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
+| [Active24](https://www.active24.cz)                                    | `active24`         | `ACTIVE24_API_KEY`, `ACTIVE24_SECRET`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/active24)         |
 | [Alibaba Cloud](https://www.alibabacloud.com)                          | `alidns`           | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)           |
 | [all-inkl](https://all-inkl.com)                                       | `allinkl`          | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)          |
 | [ArvanCloud](https://www.arvancloud.ir/en)                             | `arvancloud`       | `ARVANCLOUD_API_KEY`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)       |
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
 | [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
+| [Axelname](https://axelname.ru)                                        | `axelname`         | `AXELNAME_NICKNAME`, `AXELNAME_TOKEN`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/axelname)         |
 | [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
 | [AzureDNS](https://azure.microsoft.com/services/dns/)                  | `azuredns`         | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns)         |
+| [Baidu Cloud](https://cloud.baidu.com)                                 | `baiducloud`       | `BAIDUCLOUD_ACCESS_KEY_ID`, `BAIDUCLOUD_SECRET_ACCESS_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/baiducloud)       |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)             | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
 | [Blue Cat](https://www.bluecatnetworks.com/)                           | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
+| [BookMyName](https://www.bookmyname.com)                               | `bookmyname`       | `BOOKMYNAME_USERNAME`, `BOOKMYNAME_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/bookmyname)       |
 | [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
 | [Bunny](https://bunny.net)                                             | `bunny`            | `BUNNY_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/bunny)            |
 | [Checkdomain](https://www.checkdomain.de/)                             | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
@@ -358,6 +362,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Efficient IP](https://efficientip.com)                                | `efficientip`      | `EFFICIENTIP_USERNAME`, `EFFICIENTIP_PASSWORD`, `EFFICIENTIP_HOSTNAME`, `EFFICIENTIP_DNS_NAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/efficientip)      |
 | [Epik](https://www.epik.com)                                           | `epik`             | `EPIK_SIGNATURE`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/epik)             |
 | [Exoscale](https://www.exoscale.com)                                   | `exoscale`         | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)         |
+| [F5 XC](https://www.f5.com/products/distributed-cloud-services)        | `f5xc`             | `F5XC_API_TOKEN`, `F5XC_TENANT_NAME`, `F5XC_GROUP_NAME`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/f5xc)             |
 | [Fast DNS](https://www.akamai.com/)                                    | `fastdns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
 | [Freemyip.com](https://freemyip.com)                                   | `freemyip`         | `FREEMYIP_TOKEN`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip)         |
 | [G-Core](https://gcore.com/dns/)                                       | `gcore`            | `GCORE_PERMANENT_API_TOKEN`                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcore)            |
@@ -395,8 +400,10 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Mail-in-a-Box](https://mailinabox.email)                              | `mailinabox`       | `MAILINABOX_EMAIL`, `MAILINABOX_PASSWORD`, `MAILINABOX_BASE_URL`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/mailinabox)       |
 | [ManageEngine CloudDNS](https://clouddns.manageengine.com)             | `manageengine`     | `MANAGEENGINE_CLIENT_ID`, `MANAGEENGINE_CLIENT_SECRET`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/manageengine)     |
 | [Metaname](https://metaname.net)                                       | `metaname`         | `METANAME_ACCOUNT_REFERENCE`, `METANAME_API_KEY`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/metaname)         |
+| [Metaregistrar](https://metaregistrar.com)                             | `metaregistrar`    | `METAREGISTRAR_API_TOKEN`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/metaregistrar)    |
 | [mijn.host](https://mijn.host/)                                        | `mijnhost`         | `MIJNHOST_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/mijnhost)         |
 | [Mittwald](https://www.mittwald.de)                                    | `mittwald`         | `MITTWALD_TOKEN`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/mittwald)         |
+| [myaddr.{tools,dev,io}](https://myaddr.tools/)                         | `myaddr`           | `MYADDR_PRIVATE_KEYS_MAPPING`                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/myaddr)           |
 | [MyDNS.jp](https://www.mydns.jp/)                                      | `mydnsjp`          | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)          |
 | [Mythic Beasts](https://www.mythic-beasts.com)                         | `mythicbeasts`     | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts)     |
 | [name.com](https://www.name.com/)                                      | `namedotcom`       | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)       |
@@ -434,6 +441,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Shellrent](https://www.shellrent.com)                                 | `shellrent`        | `SHELLRENT_USERNAME`, `SHELLRENT_TOKEN`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/shellrent)        |
 | [Simply.com](https://www.simply.com/en/domains/)                       | `simply`           | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/simply)           |
 | [Sonic](https://www.sonic.com/)                                        | `sonic`            | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)            |
+| [Spaceship](https://spaceship.com)                                     | `spaceship`        | `SPACESHIP_API_KEY`, `SPACESHIP_API_SECRET`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/spaceship)        |
 | [Stackpath](https://www.stackpath.com/)                                | `stackpath`        | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)        |
 | [Technitium](https://technitium.com)                                   | `technitium`       | `TECHNITIUM_SERVER_BASE_URL`, `TECHNITIUM_API_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/technitium)       |
 | [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)             | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
@@ -499,11 +507,11 @@ certificatesResolvers:
 --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```
 
-#### `delayBeforeCheck`
+#### `propagation.delayBeforeChecks`
 
 By default, the `provider` verifies the TXT record _before_ letting ACME verify.
 
-You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
+You can delay this operation by specifying a delay (in seconds) with `delayBeforeChecks` (value must be greater than zero).
 
 This option is useful when internal networks block external DNS queries.
 
@@ -514,7 +522,9 @@ certificatesResolvers:
       # ...
       dnsChallenge:
         # ...
-        delayBeforeCheck: 2s
+        propagation:
+          # ...
+          delayBeforeChecks: 2s
 ```
 
 ```toml tab="File (TOML)"
@@ -522,19 +532,21 @@ certificatesResolvers:
   # ...
   [certificatesResolvers.myresolver.acme.dnsChallenge]
     # ...
-    delayBeforeCheck = "2s"
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      delayBeforeChecks = "2s"
 ```
 
 ```bash tab="CLI"
 # ...
---certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=2s
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.delayBeforeChecks=2s
 ```
 
-#### `disablePropagationCheck`
+#### `propagation.disableChecks`
 
-**Not recommended**
+Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. 
 
-Disable the TXT records propagation checks before notifying ACME that the DNS challenge is ready. 
+Please note that disabling checks can prevent the challenge from succeeding.
 
 ```yaml tab="File (YAML)"
 certificatesResolvers:
@@ -543,7 +555,9 @@ certificatesResolvers:
       # ...
       dnsChallenge:
         # ...
-        disablePropagationCheck: true
+        propagation:
+          # ...
+          disableChecks: true
 ```
 
 ```toml tab="File (TOML)"
@@ -551,12 +565,90 @@ certificatesResolvers:
   # ...
   [certificatesResolvers.myresolver.acme.dnsChallenge]
     # ...
-    disablePropagationCheck = true
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      disableChecks = true
 ```
 
 ```bash tab="CLI"
 # ...
---certificatesresolvers.myresolver.acme.dnschallenge.disablePropagationCheck=true
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableChecks=true
+```
+
+#### `propagation.requireAllRNS`
+
+Requires the challenge TXT record to be propagated to all recursive nameservers.
+
+!!! note
+
+    If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`),
+    it is recommended to check all recursive nameservers instead.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        propagation:
+          # ...
+          requireAllRNS: true
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      requireAllRNS = true
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.requireAllRNS=true
+```
+
+#### `propagation.disableANSChecks`
+
+Disables the challenge TXT record propagation checks against authoritative nameservers.
+
+This option will skip the propagation check against the nameservers of the authority (SOA).
+
+It should be used only if the nameservers of the authority are not reachable.
+
+!!! note
+
+    If you have disabled authoritative nameservers checks,
+    it is recommended to check all recursive nameservers instead.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      dnsChallenge:
+        # ...
+        propagation:
+          # ...
+          disableANSChecks: true
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.dnsChallenge]
+    # ...
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
+      # ...
+      disableANSChecks = true
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableANSChecks=true
 ```
 
 #### Wildcard Domains

docs/content/index.md

@@ -1,28 +1,53 @@
 ---
 title: "Traefik Proxy Documentation"
-description: "Traefik Proxy, an open source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
+description: "Traefik Proxy, an open-source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
 ---
 
-# Welcome
+# What is Traefik?
 
 ![Architecture](assets/img/traefik-architecture.png)
 
 Traefik is an [open-source](https://github.com/traefik/traefik) *Application Proxy* that makes publishing your services a fun and easy experience. 
-It receives requests on behalf of your system and identifies which components are responsible for handling them, and routes them securely. 
+It receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. 
 
 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
 The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. 
 
-Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
+Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, and [the list goes on](./reference/install-configuration/providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
  
 With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
 With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.
 
 And if your needs change, you can add API gateway and API management capabilities seamlessly to your existing Traefik deployments. It takes less than a minute, there’s no rip-and-replace, and all your configurations are preserved. See this in action in [our API gateway demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=docs).
 
-Developing Traefik, our main goal is to make it effortless to use, and we're sure you'll enjoy it.
+!!! quote "From the Traefik Maintainer Team" 
+    When developing Traefik, our main goal is to make it easy to use, and we're sure you'll enjoy it.
 
--- The Traefik Maintainer Team 
+## Personas
+
+Traefik supports different needs depending on your background. We keep three user personas in mind as we build and organize these docs:
+
+- **Beginners**: You are new to Traefik or new to reverse proxies. You want simple, guided steps to set things up without diving too deep into advanced topics.
+- **DevOps Engineers**: You manage infrastructure or clusters (Docker, Kubernetes, or other orchestrators). You integrate Traefik into your environment and value reliability, performance, and streamlined deployments.
+- **Developers**: You create and deploy applications or APIs. You focus on how to expose your services through Traefik, apply routing rules, and integrate it with your development workflow.
+
+## Core Concepts
+
+Traefik’s main concepts help you understand how requests flow to your services:
+
+- [Entrypoints](./reference/install-configuration/entrypoints.md) are the network entry points into Traefik. They define the port that will receive the packets and whether to listen for TCP or UDP.
+- [Routers](./reference/routing-configuration/http/router/rules-and-priority.md) are in charge of connecting incoming requests to the services that can handle them. In the process, routers may use pieces of [middleware](./reference/routing-configuration/http/middlewares/overview.md) to update the request or act before forwarding the request to the service.
+- [Services](./reference/routing-configuration/http/load-balancing/service.md) are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
+- [Providers](./reference/install-configuration/providers/overview.md) are infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores. The idea is that Traefik queries the provider APIs in order to find relevant information about routing, and when Traefik detects a change, it dynamically updates the routes.
+
+These concepts work together to manage your traffic from the moment a request arrives until it reaches your application.
+
+## How to Use the Documentation
+
+- **Navigation**: Each main section focuses on a specific stage of working with Traefik - installing, exposing services, observing, extending & migrating. 
+Use the sidebar to navigate to the section that is most appropriate for your needs.
+- **Practical Examples**: You will see code snippets and configuration examples for different environments (YAML/TOML, Labels, & Tags).
+- **Reference**: When you need to look up technical details, our reference section provides a deep dive into configuration options and key terms.
 
 !!! info
 

docs/content/middlewares/http/buffering.md

@@ -264,3 +264,7 @@ The retry expression is defined as a logical combination of the functions below
 - `Attempts()` number of attempts (the first one counts)
 - `ResponseCode()` response code of the service
 - `IsNetworkError()` whether the response code is related to networking error
+
+### Content-Length
+
+See [Best Practices: Content‑Length](../../security/best-practices/content-length.md)

docs/content/middlewares/http/compress.md

@@ -179,9 +179,15 @@ http:
 _Optional, Default=1024_
 
 `minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
-
 Responses smaller than the specified values will not be compressed.
 
+!!! tip "Streaming"
+
+    When data is sent to the client on flush, the `minResponseBodyBytes` configuration is ignored and the data is compressed.
+    This is particularly the case when data is streamed to the client when using `Transfer-encoding: chunked` response.
+
+When chunked data is sent to the client on flush, it will be compressed by default even if the received data has not reached  
+
 ```yaml tab="Docker & Swarm"
 labels:
   - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
@@ -258,10 +264,10 @@ http:
 
 ### `encodings`
 
-_Optional, Default="zstd, br, gzip"_
+_Optional, Default="gzip, br, zstd"_
 
 `encodings` specifies the list of supported compression encodings.
-At least one encoding value must be specified, and valid entries are `zstd` (Zstandard), `br` (Brotli), and `gzip` (Gzip).
+At least one encoding value must be specified, and valid entries are `gzip` (Gzip), `br` (Brotli), and `zstd` (Zstandard).
 The order of the list also sets the priority, the top entry has the highest priority.
 
 ```yaml tab="Docker & Swarm"

docs/content/middlewares/http/forwardauth.md

@@ -334,6 +334,98 @@ http:
     addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
 ```
 
+### `forwardBody`
+
+_Optional, Default=false_
+
+Set the `forwardBody` option to `true` to send Body.
+
+!!! info
+
+    As body is read inside Traefik before forwarding, this breaks streaming.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    forwardBody: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        forwardBody: true
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    forwardBody = true
+```
+
+### `maxBodySize`
+
+_Optional, Default=-1_
+
+Set the `maxBodySize` to limit the body size in bytes.
+If body is bigger than this, it returns a 401 (unauthorized).
+Default is `-1`, which means no limit.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    forwardBody: true
+    maxBodySize: 1000
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        maxBodySize: 1000
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    forwardBody = true
+    maxBodySize = 1000
+```
+
 ### `tls`
 
 _Optional_
@@ -613,4 +705,46 @@ http:
   headerField = "X-WebAuth-User"
 ```
 
+### `preserveLocationHeader`
+
+_Optional, Default=false_
+
+`preserveLocationHeader` defines whether to forward the `Location` header to the client as is or prefix it with the domain name of the authentication server.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    # ...
+    preserveLocationHeader: true
+```
+
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        # ...
+        preserveLocationHeader: true
+```
+
+```toml tab="File (TOML)"
+[http.middlewares.test-auth.forwardAuth]
+  # ...
+  preserveLocationHeader = true
+```
+
+
 {!traefik-for-business-applications.md!}

docs/content/middlewares/http/retry.md

@@ -12,8 +12,11 @@ Retrying until it Succeeds
 TODO: add schema
 -->
 
-The Retry middleware reissues requests a given number of times to a backend server if that server does not reply.
-As soon as the server answers, the middleware stops retrying, regardless of the response status.
+The Retry middleware reissues requests a given number of times when it cannot contact the backend service. 
+This applies at the transport level (TCP). 
+If the service does not respond to the initial connection attempt, the middleware retries.
+However, once the service responds, regardless of the HTTP status code, the middleware considers it operational and stops retrying.
+This means that the retry mechanism does not handle HTTP errors; it only retries when there is no response at the TCP level.
 The Retry middleware has an optional configuration to enable an exponential backoff.
 
 ## Configuration Examples

docs/content/migration/v2.md

@@ -659,3 +659,21 @@ Please check out the [entrypoint forwarded headers connection option configurati
 
 In `v2.11.14`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
 Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
+
+## v2.11.24
+
+### Request Path Sanitization
+
+Since `v2.11.24`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
+Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
+
+If you want to disable this behavior, you can set the [`sanitizePath` option](../routing/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
+This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
+For example, as base64 uses the “/” character internally,
+if it's not url encoded,
+it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
+
+!!! warning "Security"
+
+    Setting the `sanitizePath` option to `false` is not safe.
+    Ensure every request is properly url encoded instead.

docs/content/migration/v3.md

@@ -86,7 +86,7 @@ This update adds only new optional fields.
 CRDs can be updated with this command:
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
 ```
 
 ### Kubernetes Gateway Provider Standard Channel
@@ -120,7 +120,7 @@ the `grcroutes` and `grpcroutes/status` rights have to be added.
 !!! warning "Breaking changes"
 
     Because of a breaking change introduced in Kubernetes Gateway [v1.2.0-rc1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0-rc1),
-    Traefik v3.2 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
+    Traefik v3.3 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
 
 Starting with v3.2, the Kubernetes Gateway Provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/).
 
@@ -167,3 +167,51 @@ Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#
 
 In `v3.2.2`, the `traefik.docker.network` and `traefik.docker.lbswarm` labels have been deprecated,
 please use the `traefik.swarm.network` and `traefik.swarm.lbswarm` labels instead.
+
+## v3.2 to v3.3
+
+### ACME DNS Certificate Resolver
+
+In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated, 
+please use respectively `acme.dnsChallenge.propagation.delayBeforeChecks` and `acme.dnsChallenge.propagation.disableChecks` options instead.
+
+### Tracing Global Attributes
+
+In `v3.3`, the `tracing.globalAttributes` option has been deprecated, please use the `tracing.resourceAttributes` option instead.
+The `tracing.globalAttributes` option is misleading as its name does not reflect the operation of adding resource attributes to be sent to the collector,
+and will be removed in the next major version.
+
+## v3.3.4
+
+### OpenTelemetry Request Duration metric
+
+In `v3.3.4`, the OpenTelemetry Request Duration metric (named `traefik_(entrypoint|router|service)_request_duration_seconds`) unit has been changed from milliseconds to seconds.
+To be consistent with the naming and other metrics providers, the metric now reports the duration in seconds.
+
+## v3.3.5
+
+### Compress Middleware
+
+In `v3.3.5`, the compress middleware `encodings` option default value is now `gzip, br, zstd`. 
+This change helps the algorithm selection to favor the `gzip` algorithm over the other algorithms.
+
+It impacts requests that do not specify their preferred algorithm,
+or has no order preference, in the `Accept-Encoding` header.
+
+## v3.3.6
+
+### Request Path Sanitization
+
+Since `v3.3.6`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
+Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
+
+If you want to disable this behavior, you can set the [`sanitizePath` option](../reference/install-configuration/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
+This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
+For example, as base64 uses the “/” character internally,
+if it's not url encoded,
+it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
+
+!!! warning "Security"
+
+    Setting the `sanitizePath` option to `false` is not safe.
+    Ensure every request is properly url encoded instead.

docs/content/observability/access-logs.md

@@ -30,7 +30,7 @@ accessLog: {}
 
 _Optional, Default="false"_
 
-Enables accessLogs for internal resources (e.g.: `ping@internal`).
+Enables access logs for internal resources (e.g.: `ping@internal`).
 
 ```yaml tab="File (YAML)"
 accesslog:
@@ -256,9 +256,7 @@ accessLog:
     | `OriginDuration`        | The time taken (in nanoseconds) by the origin server ('upstream') to return its response.                                                                           |
     | `OriginContentSize`     | The content length specified by the origin server, or 0 if unspecified.                                                                                             |
     | `OriginStatus`          | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent (0). |
-    | `OriginStatusLine`      | `OriginStatus` + Status code explanation                                                                                                                            |
     | `DownstreamStatus`      | The HTTP status code returned to the client.                                                                                                                        |
-    | `DownstreamStatusLine`  | `DownstreamStatus` + Status code explanation                                                                                                                        |
     | `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
     | `RequestCount`          | The number of requests received since the Traefik instance started.                                                                                                 |
     | `GzipRatio`             | The response body compression ratio achieved.                                                                                                                       |
@@ -294,7 +292,7 @@ version: "3.7"
 
 services:
   traefik:
-    image: traefik:v3.2
+    image: traefik:v3.3
     environment:
       - TZ=US/Alaska
     command:
@@ -306,4 +304,418 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
 ```
 
+## OpenTelemetry
+
+!!! warning "Experimental Feature"
+
+    The OpenTelemetry access logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
+    
+    ```yaml tab="File (YAML)"
+    experimental:
+      otlpLogs: true
+    ```
+    
+    ```toml tab="File (TOML)"
+    [experimental.otlpLogs]
+    ```
+    
+    ```bash tab="CLI"
+    --experimental.otlpLogs=true
+    ```
+
+To enable the OpenTelemetry Logger for access logs:
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp: {}
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp]
+```
+
+```bash tab="CLI"
+--accesslog.otlp=true
+```
+
+!!! info "Default protocol"
+
+    The OpenTelemetry Logger exporter will export access logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
+
+### HTTP configuration
+
+_Optional_
+
+This instructs the exporter to send access logs to the OpenTelemetry Collector using HTTP.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http: {}
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http]
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http=true
+```
+
+#### `endpoint`
+
+_Optional, Default="`https://localhost:4318/v1/logs`", Format="`<scheme>://<host>:<port><path>`"_
+
+URL of the OpenTelemetry Collector to send access logs to.
+
+!!! info "Insecure mode"
+
+    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      endpoint: https://collector:4318/v1/logs
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http]
+  endpoint = "https://collector:4318/v1/logs"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.endpoint=https://collector:4318/v1/logs
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http.headers]
+  foo = "bar"
+  baz = "buz"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.headers.foo=bar --accesslog.otlp.http.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.tls.cert=path/to/foo.cert
+--accesslog.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.tls.cert=path/to/foo.cert
+--accesslog.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    http:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.http.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--accesslog.otlp.http.tls.insecureSkipVerify=true
+```
+
+### gRPC configuration
+
+_Optional_
+
+This instructs the exporter to send access logs to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc]
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc=true
+```
+
+#### `endpoint`
+
+_Required, Default="localhost:4317", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send access logs to.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      endpoint: localhost:4317
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc]
+  endpoint = "localhost:4317"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.endpoint=localhost:4317
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows exporter to send access logs to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      insecure: true
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc]
+  insecure = true
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.insecure=true
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc.headers]
+  foo = "bar"
+  baz = "buz"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.headers.foo=bar --accesslog.otlp.grpc.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.tls.cert=path/to/foo.cert
+--accesslog.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.tls.cert=path/to/foo.cert
+--accesslog.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    grpc:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[accesslog.otlp.grpc.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--accesslog.otlp.grpc.tls.insecureSkipVerify=true
+```
+
 {!traefik-for-business-applications.md!}

docs/content/observability/logs.md

@@ -181,4 +181,418 @@ log:
 --log.compress=true
 ```
 
+## OpenTelemetry
+
+!!! warning "Experimental Feature"
+    
+    The OpenTelemetry logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
+    
+    ```yaml tab="File (YAML)"
+    experimental:
+      otlpLogs: true
+    ```
+    
+    ```toml tab="File (TOML)"
+    [experimental.otlpLogs]
+    ```
+    
+    ```bash tab="CLI"
+    --experimental.otlpLogs=true
+    ```
+
+To enable the OpenTelemetry Logger for logs:
+
+```yaml tab="File (YAML)"
+log:
+  otlp: {}
+```
+
+```toml tab="File (TOML)"
+[log.otlp]
+```
+
+```bash tab="CLI"
+--log.otlp=true
+```
+
+!!! info "Default protocol"
+
+    The OpenTelemetry Logger exporter will export logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
+
+### HTTP configuration
+
+_Optional_
+
+This instructs the exporter to send logs to the OpenTelemetry Collector using HTTP.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http: {}
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http]
+```
+
+```bash tab="CLI"
+--log.otlp.http=true
+```
+
+#### `endpoint`
+
+_Optional, Default="`https://localhost:4318/v1/logs`", Format="`<scheme>://<host>:<port><path>`"_
+
+URL of the OpenTelemetry Collector to send logs to.
+
+!!! info "Insecure mode"
+
+    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      endpoint: https://collector:4318/v1/logs
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http]
+  endpoint = "https://collector:4318/v1/logs"
+```
+
+```bash tab="CLI"
+--log.otlp.http.endpoint=https://collector:4318/v1/logs
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http.headers]
+  foo = "bar"
+  baz = "buz"
+```
+
+```bash tab="CLI"
+--log.otlp.http.headers.foo=bar --log.otlp.http.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--log.otlp.http.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--log.otlp.http.tls.cert=path/to/foo.cert
+--log.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--log.otlp.http.tls.cert=path/to/foo.cert
+--log.otlp.http.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    http:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[log.otlp.http.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--log.otlp.http.tls.insecureSkipVerify=true
+```
+
+### gRPC configuration
+
+_Optional_
+
+This instructs the exporter to send logs to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc]
+```
+
+```bash tab="CLI"
+--log.otlp.grpc=true
+```
+
+#### `endpoint`
+
+_Required, Default="localhost:4317", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send logs to.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      endpoint: localhost:4317
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc]
+  endpoint = "localhost:4317"
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.endpoint=localhost:4317
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows exporter to send logs to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      insecure: true
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc]
+  insecure = true
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.insecure=true
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      headers:
+        foo: bar
+        baz: buz
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc.headers]
+  foo = "bar"
+  baz = "buz"
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.headers.foo=bar --log.otlp.grpc.headers.baz=buz
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      tls:
+        ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.tls.cert=path/to/foo.cert
+--log.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      tls:
+        cert: path/to/foo.cert
+        key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.tls.cert=path/to/foo.cert
+--log.otlp.grpc.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    grpc:
+      tls:
+        insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[log.otlp.grpc.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--log.otlp.grpc.tls.insecureSkipVerify=true
+```
+
 {!traefik-for-business-applications.md!}

docs/content/observability/metrics/datadog.md

@@ -68,6 +68,7 @@ metrics:
 ```bash tab="CLI"
 --metrics.datadog.addEntryPointsLabels=true
 ```
+
 #### `addRoutersLabels`
 
 _Optional, Default=false_

docs/content/observability/metrics/opentelemetry.md

@@ -23,7 +23,7 @@ metrics:
 
 !!! info "Default protocol"
 
-    The OpenTelemetry exporter will export metrics to the collector using HTTP by default to https://localhost:4318/v1/metrics, see the [gRPC Section](#grpc-configuration) to use gRPC.
+    The OpenTelemetry exporter will export metrics to the collector using HTTPS by default to https://localhost:4318/v1/metrics, see the [gRPC Section](#grpc-configuration) to use gRPC.
 
 #### `addEntryPointsLabels`
 
@@ -184,25 +184,29 @@ metrics:
 
 #### `endpoint`
 
-_Required, Default="http://localhost:4318/v1/metrics", Format="`<scheme>://<host>:<port><path>`"_
+_Optional, Default="https://localhost:4318/v1/metrics", Format="`<scheme>://<host>:<port><path>`"_
 
 URL of the OpenTelemetry Collector to send metrics to.
 
+!!! info "Insecure mode"
+
+    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
+
 ```yaml tab="File (YAML)"
 metrics:
   otlp:
     http:
-      endpoint: http://localhost:4318/v1/metrics
+      endpoint: https://collector:4318/v1/metrics
 ```
 
 ```toml tab="File (TOML)"
 [metrics]
   [metrics.otlp.http]
-    endpoint = "http://localhost:4318/v1/metrics"
+    endpoint = "https://collector:4318/v1/metrics"
 ```
 
 ```bash tab="CLI"
---metrics.otlp.http.endpoint=http://localhost:4318/v1/metrics
+--metrics.otlp.http.endpoint=https://collector:4318/v1/metrics
 ```
 
 #### `headers`

docs/content/observability/overview.md

@@ -5,16 +5,80 @@ description: "Traefik provides Logs, Access Logs, Metrics and Tracing. Read the
 
 # Overview
 
-Traefik's Observability system
-{: .subtitle }
+Traefik’s observability features include logs, access logs, metrics, and tracing. You can configure these options globally or at more specific levels, such as per router or per entry point.
 
-## Logs
+## Configuration Example
+
+Enable access logs, metrics, and tracing globally
+
+```yaml tab="File (YAML)"
+accessLog: {}
+
+metrics:
+  otlp: {}
+
+tracing: {}
+```
+
+```yaml tab="File (TOML)"
+[accessLog]
+
+[metrics]
+  [metrics.otlp]
+
+[tracing]
+```
+
+```bash tab="CLI"
+--accesslog=true
+--metrics.otlp=true
+--tracing=true
+```
+
+You can disable access logs, metrics, and tracing for a specific entrypoint attached to a router:
+
+```yaml tab="File (YAML)"
+# Static Configuration
+entryPoints:
+  EntryPoint0:
+    address: ':8000/udp'
+    observability:
+      accessLogs: false
+      tracing: false
+      metrics: false
+```
+
+```toml tab="File (TOML)"
+# Static Configuration
+[entryPoints.EntryPoint0]
+  address = ":8000/udp"
+
+    [entryPoints.EntryPoint0.observability]
+      accessLogs = false
+      tracing = false
+      metrics = false
+```
+
+```bash tab="CLI"
+# Static Configuration
+--entryPoints.EntryPoint0.address=:8000/udp
+--entryPoints.EntryPoint0.observability.accessLogs=false
+--entryPoints.EntryPoint0.observability.metrics=false
+--entryPoints.EntryPoint0.observability.tracing=false
+```
+
+!!!note "Default Behavior"
+    A router with its own observability configuration will override the global default.
+
+## Configuration Options
+
+### Logs
 
 Traefik logs informs about everything that happens within Traefik (startup, configuration, events, shutdown, and so on).
 
 Read the [Logs documentation](./logs.md) to learn how to configure it.
 
-## Access Logs
+### Access Logs
 
 Access logs are a key part of observability in Traefik.
 
@@ -24,7 +88,7 @@ including the source IP address, requested URL, response status code, and more.
 
 Read the [Access Logs documentation](./access-logs.md) to learn how to configure it.
 
-## Metrics
+### Metrics
 
 Traefik offers a metrics feature that provides valuable insights about the performance and usage.
 These metrics include the number of requests received, the requests duration, and more.
@@ -33,7 +97,7 @@ On top of supporting metrics in the OpenTelemetry format, Traefik supports the f
 
 Read the [Metrics documentation](./metrics/overview.md) to learn how to configure it.
 
-## Tracing
+### Tracing
 
 The Traefik tracing system allows developers to gain deep visibility into the flow of requests through their infrastructure.
 

docs/content/observability/tracing/opentelemetry.md

@@ -25,7 +25,7 @@ tracing:
 
 !!! info "Default protocol"
 
-    The OpenTelemetry trace exporter will export traces to the collector using HTTP by default to https://localhost:4318/v1/traces, see the [gRPC Section](#grpc-configuration) to use gRPC.
+    The OpenTelemetry trace exporter will export traces to the collector using HTTPS by default to https://localhost:4318/v1/traces, see the [gRPC Section](#grpc-configuration) to use gRPC.
 
 !!! info "Trace sampling"
 
@@ -72,25 +72,29 @@ tracing:
 
 #### `endpoint`
 
-_Required, Default="http://localhost:4318/v1/traces", Format="`<scheme>://<host>:<port><path>`"_
+_Optional, Default="https://localhost:4318/v1/traces", Format="`<scheme>://<host>:<port><path>`"_
 
 URL of the OpenTelemetry Collector to send spans to.
 
+!!! info "Insecure mode"
+
+    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
+
 ```yaml tab="File (YAML)"
 tracing:
   otlp:
     http:
-      endpoint: http://localhost:4318/v1/traces
+      endpoint: https://collector:4318/v1/traces
 ```
 
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.otlp.http]
-    endpoint = "http://localhost:4318/v1/traces"
+    endpoint = "https://collector:4318/v1/traces"
 ```
 
 ```bash tab="CLI"
---tracing.otlp.http.endpoint=http://localhost:4318/v1/traces
+--tracing.otlp.http.endpoint=https://collector:4318/v1/traces
 ```
 
 #### `headers`

docs/content/observability/tracing/overview.md

@@ -92,29 +92,29 @@ tracing:
 --tracing.sampleRate=0.2
 ```
 
-#### `globalAttributes`
+#### `resourceAttributes`
 
 _Optional, Default=empty_
 
-Applies a list of shared key:value attributes on all spans.
+Defines additional resource attributes to be sent to the collector.
 
 ```yaml tab="File (YAML)"
 tracing:
-  globalAttributes:
+  resourceAttributes:
     attr1: foo
     attr2: bar
 ```
 
 ```toml tab="File (TOML)"
 [tracing]
-  [tracing.globalAttributes]
+  [tracing.resourceAttributes]
     attr1 = "foo"
     attr2 = "bar"
 ```
 
 ```bash tab="CLI"
---tracing.globalAttributes.attr1=foo
---tracing.globalAttributes.attr2=bar
+--tracing.resourceAttributes.attr1=foo
+--tracing.resourceAttributes.attr2=bar
 ```
 
 #### `capturedRequestHeaders`
@@ -128,15 +128,16 @@ It applies to client and server kind spans.
 tracing:
   capturedRequestHeaders:
     - X-CustomHeader
+    - X-OtherHeader
 ```
 
 ```toml tab="File (TOML)"
 [tracing]
-  capturedRequestHeaders = ["X-CustomHeader"]
+  capturedRequestHeaders = ["X-CustomHeader", "X-OtherHeader"]
 ```
 
 ```bash tab="CLI"
---tracing.capturedRequestHeaders[0]=X-CustomHeader
+--tracing.capturedRequestHeaders="X-CustomHeader,X-OtherHeader"
 ```
 
 #### `capturedResponseHeaders`
@@ -150,20 +151,21 @@ It applies to client and server kind spans.
 tracing:
   capturedResponseHeaders:
     - X-CustomHeader
+    - X-OtherHeader
 ```
 
 ```toml tab="File (TOML)"
 [tracing]
-  capturedResponseHeaders = ["X-CustomHeader"]
+  capturedResponseHeaders = ["X-CustomHeader", "X-OtherHeader"]
 ```
 
 ```bash tab="CLI"
---tracing.capturedResponseHeaders[0]=X-CustomHeader
+--tracing.capturedResponseHeaders="X-CustomHeader,X-OtherHeader"
 ```
 
 #### `safeQueryParams`
 
-_Optional, Default={}_
+_Optional, Default=[]_
 
 By default, all query parameters are redacted.
 Defines the list of query parameters to not redact.

docs/content/operations/api.md

@@ -145,34 +145,35 @@ All the following endpoints must be accessed with a `GET` HTTP request.
     curl https://traefik.example.com:8080/api/http/routers?page=2&per_page=20
     ```
 
-| Path                           | Description                                                                                 |
-|--------------------------------|---------------------------------------------------------------------------------------------|
-| `/api/http/routers`            | Lists all the HTTP routers information.                                                     |
-| `/api/http/routers/{name}`     | Returns the information of the HTTP router specified by `name`.                             |
-| `/api/http/services`           | Lists all the HTTP services information.                                                    |
-| `/api/http/services/{name}`    | Returns the information of the HTTP service specified by `name`.                            |
-| `/api/http/middlewares`        | Lists all the HTTP middlewares information.                                                 |
-| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`.                         |
-| `/api/tcp/routers`             | Lists all the TCP routers information.                                                      |
-| `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                              |
-| `/api/tcp/services`            | Lists all the TCP services information.                                                     |
-| `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                             |
-| `/api/tcp/middlewares`         | Lists all the TCP middlewares information.                                                  |
-| `/api/tcp/middlewares/{name}`  | Returns the information of the TCP middleware specified by `name`.                          |
-| `/api/udp/routers`             | Lists all the UDP routers information.                                                      |
-| `/api/udp/routers/{name}`      | Returns the information of the UDP router specified by `name`.                              |
-| `/api/udp/services`            | Lists all the UDP services information.                                                     |
-| `/api/udp/services/{name}`     | Returns the information of the UDP service specified by `name`.                             |
-| `/api/entrypoints`             | Lists all the entry points information.                                                     |
-| `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                             |
-| `/api/overview`                | Returns statistic information about http and tcp as well as enabled features and providers. |
-| `/api/rawdata`                 | Returns information about dynamic configurations, errors, status and dependency relations.  |
-| `/api/version`                 | Returns information about Traefik version.                                                  |
-| `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                          |
-| `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.       |
-| `/debug/pprof/cmdline`         | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation.   |
-| `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation.   |
-| `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.     |
-| `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.       |
+| Path                           | Description                                                                                         |
+|--------------------------------|-----------------------------------------------------------------------------------------------------|
+| `/api/http/routers`            | Lists all the HTTP routers information.                                                             |
+| `/api/http/routers/{name}`     | Returns the information of the HTTP router specified by `name`.                                     |
+| `/api/http/services`           | Lists all the HTTP services information.                                                            |
+| `/api/http/services/{name}`    | Returns the information of the HTTP service specified by `name`.                                    |
+| `/api/http/middlewares`        | Lists all the HTTP middlewares information.                                                         |
+| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`.                                 |
+| `/api/tcp/routers`             | Lists all the TCP routers information.                                                              |
+| `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                                      |
+| `/api/tcp/services`            | Lists all the TCP services information.                                                             |
+| `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                                     |
+| `/api/tcp/middlewares`         | Lists all the TCP middlewares information.                                                          |
+| `/api/tcp/middlewares/{name}`  | Returns the information of the TCP middleware specified by `name`.                                  |
+| `/api/udp/routers`             | Lists all the UDP routers information.                                                              |
+| `/api/udp/routers/{name}`      | Returns the information of the UDP router specified by `name`.                                      |
+| `/api/udp/services`            | Lists all the UDP services information.                                                             |
+| `/api/udp/services/{name}`     | Returns the information of the UDP service specified by `name`.                                     |
+| `/api/entrypoints`             | Lists all the entry points information.                                                             |
+| `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                                     |
+| `/api/overview`                | Returns statistic information about http and tcp as well as enabled features and providers.         |
+| `/api/support-dump`            | Returns an archive that contains the anonymized static configuration and the runtime configuration. |
+| `/api/rawdata`                 | Returns information about dynamic configurations, errors, status and dependency relations.          |
+| `/api/version`                 | Returns information about Traefik version.                                                          |
+| `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                                  |
+| `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.               |
+| `/debug/pprof/cmdline`         | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation.           |
+| `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation.           |
+| `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.             |
+| `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.               |
 
 {!traefik-for-business-applications.md!}

docs/content/operations/dashboard.md

@@ -87,8 +87,44 @@ rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashb
 ??? example "Dashboard Dynamic Configuration Examples"
     --8<-- "content/operations/include-dashboard-examples.md"
 
+### Custom API Base Path
+
+As shown above, by default Traefik exposes its API and Dashboard under the `/` base path,
+which means that respectively the API is served under the `/api` path,
+and the dashboard under the `/dashboard` path.
+
+However, it is possible to configure this base path:
+
+```yaml tab="File (YAML)"
+api:
+  # Customizes the base path:
+  # - Serving API under `/traefik/api`
+  # - Serving Dashboard under `/traefik/dashboard`
+  basePath: /traefik
+```
+
+```toml tab="File (TOML)"
+[api]
+  # Customizes the base path:
+  # - Serving API under `/traefik/api`
+  # - Serving Dashboard under `/traefik/dashboard`
+  basePath = "/traefik"
+```
+
+```bash tab="CLI"
+# Customizes the base path:
+# - Serving API under `/traefik/api`
+# - Serving Dashboard under `/traefik/dashboard`
+--api.basePath=/traefik
+```
+
+??? example "Dashboard Under Custom Path Dynamic Configuration Examples"
+    --8<-- "content/operations/include-dashboard-custom-path-examples.md"
+
 ## Insecure Mode
 
+!!! warning "Please note that this mode is incompatible with the [custom API base path option](#custom-api-base-path)."
+
 When _insecure_ mode is enabled, one can access the dashboard on the `traefik` port (default: `8080`) of the Traefik instance,
 at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).
 

docs/content/operations/include-dashboard-custom-path-examples.md

@@ -0,0 +1,83 @@
+```yaml tab="Docker & Swarm"
+# Dynamic Configuration
+labels:
+  - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
+  - "traefik.http.routers.dashboard.service=api@internal"
+  - "traefik.http.routers.dashboard.middlewares=auth"
+  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="Docker (Swarm)"
+# Dynamic Configuration
+deploy:
+  labels:
+    - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
+    - "traefik.http.routers.dashboard.service=api@internal"
+    - "traefik.http.routers.dashboard.middlewares=auth"
+    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+    # Dummy service for Swarm port detection. The port can be any valid integer value.
+    - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
+```
+
+```yaml tab="Kubernetes CRD"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+spec:
+  routes:
+  - match: Host(`traefik.example.com`) && PathPrefix(`/traefik`)
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+    middlewares:
+      - name: auth
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+spec:
+  basicAuth:
+    secret: secretName # Kubernetes secret named "secretName"
+```
+
+```yaml tab="Consul Catalog"
+# Dynamic Configuration
+- "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
+- "traefik.http.routers.dashboard.service=api@internal"
+- "traefik.http.routers.dashboard.middlewares=auth"
+- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```yaml tab="File (YAML)"
+# Dynamic Configuration
+http:
+  routers:
+    dashboard:
+      rule: Host(`traefik.example.com`) && PathPrefix(`/traefik`)
+      service: api@internal
+      middlewares:
+        - auth
+  middlewares:
+    auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="File (TOML)"
+# Dynamic Configuration
+[http.routers.my-api]
+  rule = "Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
+  service = "api@internal"
+  middlewares = ["auth"]
+
+[http.middlewares.auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```

docs/content/providers/docker.md

@@ -166,7 +166,7 @@ See the [Docker API Access](#docker-api-access) section for more information.
 
     services:
       traefik:
-         image: traefik:v3.2 # The official v3 Traefik docker image
+         image: traefik:v3.3 # The official v3 Traefik docker image
          ports:
            - "80:80"
          volumes:

docs/content/providers/ecs.md

@@ -325,7 +325,8 @@ _Optional_
 If `region` is not provided, it is resolved from the EC2 metadata endpoint for EC2 tasks.
 In a FARGATE context it is resolved from the `AWS_REGION` environment variable.
 
-If `accessKeyID` and `secretAccessKey` are not provided, credentials are resolved in the following order:
+If `accessKeyID` and `secretAccessKey` are not provided, credentials are resolved in the order specified by the
+[default credential chain of AWS SDK for Go V2](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html#specifying-credentials):
 
 - Using the environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
 - Using shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.

docs/content/providers/kubernetes-crd.md

@@ -31,10 +31,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
 
     ```bash
     # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
     
     # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
     ```
 
 ## Resource Configuration

docs/content/providers/kubernetes-gateway.md

@@ -34,7 +34,7 @@ For more details, check out the conformance [report](https://github.com/kubernet
 
     ```bash
     # Install Traefik RBACs.
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
     ```
 
 3. Deploy Traefik and enable the `kubernetesGateway` provider in the static configuration as detailed below:

docs/content/providers/kubernetes-ingress.md

@@ -526,6 +526,6 @@ providers:
 ### Further
 
 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.2/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.3/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
 
 {!traefik-for-business-applications.md!}

docs/content/providers/redis.md

@@ -10,6 +10,12 @@ A Story of KV store & Containers
 
 Store your configuration in Redis and let Traefik do the rest!
 
+!!! tip "Dynamic configuration updates"
+
+    Dynamic configuration updates require Redis [keyspace notifications](https://redis.io/docs/latest/develop/use/keyspace-notifications) to be enabled.
+    Cloud-managed Redis services (e.g., GCP Memorystore, AWS ElastiCache) may disable this by default due to CPU performance issues.
+    For more information, see the [Redis](https://redis.io/docs/latest/develop/use/keyspace-notifications/) documentation or refer to your cloud provider's documentation for specific configuration steps.
+
 ## Routing Configuration
 
 See the dedicated section in [routing](../routing/providers/kv.md).

docs/content/providers/swarm.md

@@ -212,7 +212,7 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
 
     services:
       traefik:
-         image: traefik:v3.2 # The official v3 Traefik docker image
+         image: traefik:v3.3 # The official v3 Traefik docker image
          ports:
            - "80:80"
          volumes:

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -38,7 +38,10 @@
 - "traefik.http.middlewares.middleware10.forwardauth.authrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.authresponseheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.authresponseheadersregex=foobar"
+- "traefik.http.middlewares.middleware10.forwardauth.forwardbody=true"
 - "traefik.http.middlewares.middleware10.forwardauth.headerfield=foobar"
+- "traefik.http.middlewares.middleware10.forwardauth.maxbodysize=42"
+- "traefik.http.middlewares.middleware10.forwardauth.preservelocationheader=true"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.ca=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.cert=foobar"
@@ -147,6 +150,9 @@
 - "traefik.http.middlewares.middleware25.stripprefixregex.regex=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
 - "traefik.http.routers.router0.middlewares=foobar, foobar"
+- "traefik.http.routers.router0.observability.accesslogs=true"
+- "traefik.http.routers.router0.observability.metrics=true"
+- "traefik.http.routers.router0.observability.tracing=true"
 - "traefik.http.routers.router0.priority=42"
 - "traefik.http.routers.router0.rule=foobar"
 - "traefik.http.routers.router0.rulesyntax=foobar"
@@ -160,6 +166,9 @@
 - "traefik.http.routers.router0.tls.options=foobar"
 - "traefik.http.routers.router1.entrypoints=foobar, foobar"
 - "traefik.http.routers.router1.middlewares=foobar, foobar"
+- "traefik.http.routers.router1.observability.accesslogs=true"
+- "traefik.http.routers.router1.observability.metrics=true"
+- "traefik.http.routers.router1.observability.tracing=true"
 - "traefik.http.routers.router1.priority=42"
 - "traefik.http.routers.router1.rule=foobar"
 - "traefik.http.routers.router1.rulesyntax=foobar"
@@ -191,6 +200,7 @@
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.httponly=true"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.maxage=42"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.name=foobar"
+- "traefik.http.services.service02.loadbalancer.sticky.cookie.path=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.samesite=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.secure=true"
 - "traefik.http.services.service02.loadbalancer.server.port=foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -20,6 +20,10 @@
         [[http.routers.Router0.tls.domains]]
           main = "foobar"
           sans = ["foobar", "foobar"]
+      [http.routers.Router0.observability]
+        accessLogs = true
+        tracing = true
+        metrics = true
     [http.routers.Router1]
       entryPoints = ["foobar", "foobar"]
       middlewares = ["foobar", "foobar"]
@@ -38,6 +42,10 @@
         [[http.routers.Router1.tls.domains]]
           main = "foobar"
           sans = ["foobar", "foobar"]
+      [http.routers.Router1.observability]
+        accessLogs = true
+        tracing = true
+        metrics = true
   [http.services]
     [http.services.Service01]
       [http.services.Service01.failover]
@@ -55,6 +63,7 @@
             httpOnly = true
             sameSite = "foobar"
             maxAge = 42
+            path = "foobar"
 
         [[http.services.Service02.loadBalancer.servers]]
           url = "foobar"
@@ -112,6 +121,7 @@
             httpOnly = true
             sameSite = "foobar"
             maxAge = 42
+            path = "foobar"
         [http.services.Service04.weighted.healthCheck]
   [http.middlewares]
     [http.middlewares.Middleware01]
@@ -172,6 +182,9 @@
         authRequestHeaders = ["foobar", "foobar"]
         addAuthCookiesToResponse = ["foobar", "foobar"]
         headerField = "foobar"
+        forwardBody = true
+        maxBodySize = 42
+        preserveLocationHeader = true
         [http.middlewares.Middleware10.forwardAuth.tls]
           ca = "foobar"
           cert = "foobar"

docs/content/reference/dynamic-configuration/file.yaml

@@ -25,6 +25,10 @@ http:
             sans:
               - foobar
               - foobar
+      observability:
+        accessLogs: true
+        tracing: true
+        metrics: true
     Router1:
       entryPoints:
         - foobar
@@ -48,6 +52,10 @@ http:
             sans:
               - foobar
               - foobar
+      observability:
+        accessLogs: true
+        tracing: true
+        metrics: true
   services:
     Service01:
       failover:
@@ -63,6 +71,7 @@ http:
             httpOnly: true
             sameSite: foobar
             maxAge: 42
+            path: foobar
         servers:
           - url: foobar
             weight: 42
@@ -113,6 +122,7 @@ http:
             httpOnly: true
             sameSite: foobar
             maxAge: 42
+            path: foobar
         healthCheck: {}
   middlewares:
     Middleware01:
@@ -199,6 +209,9 @@ http:
           - foobar
           - foobar
         headerField: foobar
+        forwardBody: true
+        maxBodySize: 42
+        preserveLocationHeader: true
     Middleware11:
       grpcWeb:
         allowOrigins:

docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -57,18 +57,19 @@ spec:
                       description: |-
                         Kind defines the kind of the route.
                         Rule is the only supported kind.
+                        If not defined, defaults to Rule.
                       enum:
                       - Rule
                       type: string
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule
                       type: string
                     middlewares:
                       description: |-
                         Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-middleware
                       items:
                         description: MiddlewareRef is a reference to a Middleware
                           resource.
@@ -85,10 +86,22 @@ spec:
                         - name
                         type: object
                       type: array
+                    observability:
+                      description: |-
+                        Observability defines the observability configuration for a router.
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#observability
+                      properties:
+                        accessLogs:
+                          type: boolean
+                        metrics:
+                          type: boolean
+                        tracing:
+                          type: boolean
+                      type: object
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority
                       type: integer
                     services:
                       description: |-
@@ -229,7 +242,7 @@ spec:
                           sticky:
                             description: |-
                               Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                             properties:
                               cookie:
                                 description: Cookie defines the sticky cookie configuration.
@@ -241,13 +254,19 @@ spec:
                                     type: boolean
                                   maxAge:
                                     description: |-
-                                      MaxAge indicates the number of seconds until the cookie expires.
+                                      MaxAge defines the number of seconds until the cookie expires.
                                       When set to a negative number, the cookie expires immediately.
                                       When set to zero, the cookie never expires.
                                     type: integer
                                   name:
                                     description: Name defines the Cookie name.
                                     type: string
+                                  path:
+                                    description: |-
+                                      Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                      When not provided the cookie will be sent on every request to the domain.
+                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                    type: string
                                   sameSite:
                                     description: |-
                                       SameSite defines the same site policy.
@@ -277,28 +296,27 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax
                       type: string
                   required:
-                  - kind
                   - match
                   type: object
                 type: array
               tls:
                 description: |-
                   TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -317,17 +335,17 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                     properties:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                     required:
                     - name
@@ -344,12 +362,12 @@ spec:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                     required:
                     - name
@@ -409,7 +427,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -422,7 +440,7 @@ spec:
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule_1
                       type: string
                     middlewares:
                       description: Middlewares defines the list of references to MiddlewareTCP
@@ -446,7 +464,7 @@ spec:
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority_1
                       type: integer
                     services:
                       description: Services defines the list of TCP services.
@@ -487,7 +505,7 @@ spec:
                           proxyProtocol:
                             description: |-
                               ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#proxy-protocol
                             properties:
                               version:
                                 description: Version defines the PROXY Protocol version
@@ -525,7 +543,7 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax_1
                       type: string
                   required:
                   - match
@@ -534,18 +552,18 @@ spec:
               tls:
                 description: |-
                   TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls_1
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -564,7 +582,7 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                     properties:
                       name:
                         description: Name defines the name of the referenced Traefik
@@ -656,7 +674,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -743,7 +761,7 @@ spec:
       openAPIV3Schema:
         description: |-
           Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/overview/
         properties:
           apiVersion:
             description: |-
@@ -769,7 +787,7 @@ spec:
                 description: |-
                   AddPrefix holds the add prefix middleware configuration.
                   This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/addprefix/
                 properties:
                   prefix:
                     description: |-
@@ -781,12 +799,12 @@ spec:
                 description: |-
                   BasicAuth holds the basic auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -807,7 +825,7 @@ spec:
                 description: |-
                   Buffering holds the buffering middleware configuration.
                   This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#maxrequestbodybytes
                 properties:
                   maxRequestBodyBytes:
                     description: |-
@@ -839,14 +857,14 @@ spec:
                     description: |-
                       RetryExpression defines the retry conditions.
                       It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#retryexpression
                     type: string
                 type: object
               chain:
                 description: |-
                   Chain holds the configuration of the chain middleware.
                   This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/chain/
                 properties:
                   middlewares:
                     description: Middlewares is the list of MiddlewareRef which composes
@@ -905,7 +923,7 @@ spec:
                 description: |-
                   Compress holds the compress middleware configuration.
                   This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/compress/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/compress/
                 properties:
                   defaultEncoding:
                     description: DefaultEncoding specifies the default encoding if
@@ -954,12 +972,12 @@ spec:
                 description: |-
                   DigestAuth holds the digest auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/digestauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -979,7 +997,7 @@ spec:
                 description: |-
                   ErrorPage holds the custom error middleware configuration.
                   This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/
                 properties:
                   query:
                     description: |-
@@ -989,7 +1007,7 @@ spec:
                   service:
                     description: |-
                       Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/#service
                     properties:
                       healthCheck:
                         description: Healthcheck defines health checks for ExternalName
@@ -1122,7 +1140,7 @@ spec:
                       sticky:
                         description: |-
                           Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                         properties:
                           cookie:
                             description: Cookie defines the sticky cookie configuration.
@@ -1133,13 +1151,19 @@ spec:
                                 type: boolean
                               maxAge:
                                 description: |-
-                                  MaxAge indicates the number of seconds until the cookie expires.
+                                  MaxAge defines the number of seconds until the cookie expires.
                                   When set to a negative number, the cookie expires immediately.
                                   When set to zero, the cookie never expires.
                                 type: integer
                               name:
                                 description: Name defines the Cookie name.
                                 type: string
+                              path:
+                                description: |-
+                                  Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                  When not provided the cookie will be sent on every request to the domain.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                type: string
                               sameSite:
                                 description: |-
                                   SameSite defines the same site policy.
@@ -1180,7 +1204,7 @@ spec:
                 description: |-
                   ForwardAuth holds the forward auth middleware configuration.
                   This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/
                 properties:
                   addAuthCookiesToResponse:
                     description: AddAuthCookiesToResponse defines the list of cookies
@@ -1208,8 +1232,27 @@ spec:
                   authResponseHeadersRegex:
                     description: |-
                       AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#authresponseheadersregex
                     type: string
+                  forwardBody:
+                    description: ForwardBody defines whether to send the request body
+                      to the authentication server.
+                    type: boolean
+                  headerField:
+                    description: |-
+                      HeaderField defines a header field to store the authenticated user.
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#headerfield
+                    type: string
+                  maxBodySize:
+                    description: MaxBodySize defines the maximum body size in bytes
+                      allowed to be forwarded to the authentication server.
+                    format: int64
+                    type: integer
+                  preserveLocationHeader:
+                    description: PreserveLocationHeader defines whether to forward
+                      the Location header to the client as is or prefix it with the
+                      domain name of the authentication server.
+                    type: boolean
                   tls:
                     description: TLS defines the configuration used to secure the
                       connection to the authentication server.
@@ -1255,7 +1298,7 @@ spec:
                 description: |-
                   Headers holds the headers middleware configuration.
                   This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/headers/#customrequestheaders
                 properties:
                   accessControlAllowCredentials:
                     description: AccessControlAllowCredentials defines whether the
@@ -1426,7 +1469,7 @@ spec:
                 description: |-
                   InFlightReq holds the in-flight request middleware configuration.
                   This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/
                 properties:
                   amount:
                     description: |-
@@ -1439,12 +1482,12 @@ spec:
                       SourceCriterion defines what criterion is used to group requests as originating from a common source.
                       If several strategies are defined at the same time, an error will be raised.
                       If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/#sourcecriterion
                     properties:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -1479,12 +1522,12 @@ spec:
                 description: |-
                   IPAllowList holds the IP allowlist middleware configuration.
                   This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/
                 properties:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -1521,7 +1564,7 @@ spec:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -1551,7 +1594,7 @@ spec:
                 description: |-
                   PassTLSClientCert holds the pass TLS client cert middleware configuration.
                   This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/passtlsclientcert/
                 properties:
                   info:
                     description: Info selects the specific client certificate details
@@ -1660,7 +1703,7 @@ spec:
                 description: |-
                   RateLimit holds the rate limit configuration.
                   This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ratelimit/
                 properties:
                   average:
                     description: |-
@@ -1693,7 +1736,7 @@ spec:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -1728,7 +1771,7 @@ spec:
                 description: |-
                   RedirectRegex holds the redirect regex middleware configuration.
                   This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectregex/#regex
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
@@ -1747,7 +1790,7 @@ spec:
                 description: |-
                   RedirectScheme holds the redirect scheme middleware configuration.
                   This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectscheme/
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
@@ -1764,7 +1807,7 @@ spec:
                 description: |-
                   ReplacePath holds the replace path middleware configuration.
                   This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepath/
                 properties:
                   path:
                     description: Path defines the path to use as replacement in the
@@ -1775,7 +1818,7 @@ spec:
                 description: |-
                   ReplacePathRegex holds the replace path regex middleware configuration.
                   This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepathregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression used to match
@@ -1791,7 +1834,7 @@ spec:
                   Retry holds the retry middleware configuration.
                   This middleware reissues requests a given number of times to a backend server if that server does not reply.
                   As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/retry/
                 properties:
                   attempts:
                     description: Attempts defines how many times the request should
@@ -1813,7 +1856,7 @@ spec:
                 description: |-
                   StripPrefix holds the strip prefix middleware configuration.
                   This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefix/
                 properties:
                   forceSlash:
                     description: |-
@@ -1832,7 +1875,7 @@ spec:
                 description: |-
                   StripPrefixRegex holds the strip prefix regex middleware configuration.
                   This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefixregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression to match the
@@ -1869,7 +1912,7 @@ spec:
       openAPIV3Schema:
         description: |-
           MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/overview/
         properties:
           apiVersion:
             description: |-
@@ -1905,7 +1948,7 @@ spec:
                 description: |-
                   IPAllowList defines the IPAllowList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipallowlist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of
@@ -1919,7 +1962,7 @@ spec:
                   IPWhiteList defines the IPWhiteList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
                   Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipwhitelist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of
@@ -1958,7 +2001,7 @@ spec:
           ServersTransport is the CRD implementation of a ServersTransport.
           If no serversTransport is specified, the default@internal will be used.
           The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_1
         properties:
           apiVersion:
             description: |-
@@ -2097,7 +2140,7 @@ spec:
           ServersTransportTCP is the CRD implementation of a TCPServersTransport.
           If no tcpServersTransport is specified, a default one named default@internal will be used.
           The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_3
         properties:
           apiVersion:
             description: |-
@@ -2215,7 +2258,7 @@ spec:
       openAPIV3Schema:
         description: |-
           TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
         properties:
           apiVersion:
             description: |-
@@ -2240,14 +2283,14 @@ spec:
               alpnProtocols:
                 description: |-
                   ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#alpn-protocols
                 items:
                   type: string
                 type: array
               cipherSuites:
                 description: |-
                   CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#cipher-suites
                 items:
                   type: string
                 type: array
@@ -2275,7 +2318,7 @@ spec:
               curvePreferences:
                 description: |-
                   CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#curve-preferences
                 items:
                   type: string
                 type: array
@@ -2331,7 +2374,7 @@ spec:
           TLSStore is the CRD implementation of a Traefik TLS Store.
           For the time being, only the TLSStore named default is supported.
           This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#certificates-stores
         properties:
           apiVersion:
             description: |-
@@ -2429,7 +2472,7 @@ spec:
           TraefikService object allows to:
           - Apply weight to Services on load-balancing
           - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-traefikservice
         properties:
           apiVersion:
             description: |-
@@ -2675,7 +2718,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -2686,13 +2729,19 @@ spec:
                                   type: boolean
                                 maxAge:
                                   description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                     When set to a negative number, the cookie expires immediately.
                                     When set to zero, the cookie never expires.
                                   type: integer
                                 name:
                                   description: Name defines the Cookie name.
                                   type: string
+                                path:
+                                  description: |-
+                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                    When not provided the cookie will be sent on every request to the domain.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                  type: string
                                 sameSite:
                                   description: |-
                                     SameSite defines the same site policy.
@@ -2782,7 +2831,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
@@ -2793,13 +2842,19 @@ spec:
                             type: boolean
                           maxAge:
                             description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                               When set to a negative number, the cookie expires immediately.
                               When set to zero, the cookie never expires.
                             type: integer
                           name:
                             description: Name defines the Cookie name.
                             type: string
+                          path:
+                            description: |-
+                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                              When not provided the cookie will be sent on every request to the domain.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                            type: string
                           sameSite:
                             description: |-
                               SameSite defines the same site policy.
@@ -2965,7 +3020,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -2976,13 +3031,19 @@ spec:
                                   type: boolean
                                 maxAge:
                                   description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                     When set to a negative number, the cookie expires immediately.
                                     When set to zero, the cookie never expires.
                                   type: integer
                                 name:
                                   description: Name defines the Cookie name.
                                   type: string
+                                path:
+                                  description: |-
+                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                    When not provided the cookie will be sent on every request to the domain.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                  type: string
                                 sameSite:
                                   description: |-
                                     SameSite defines the same site policy.
@@ -3012,7 +3073,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
@@ -3023,13 +3084,19 @@ spec:
                             type: boolean
                           maxAge:
                             description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                               When set to a negative number, the cookie expires immediately.
                               When set to zero, the cookie never expires.
                             type: integer
                           name:
                             description: Name defines the Cookie name.
                             type: string
+                          path:
+                            description: |-
+                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                              When not provided the cookie will be sent on every request to the domain.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                            type: string
                           sameSite:
                             description: |-
                               SameSite defines the same site policy.

docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: traefik-controller
       containers:
         - name: traefik
-          image: traefik:v3.2
+          image: traefik:v3.3
           args:
             - --entryPoints.web.address=:80
             - --entryPoints.websecure.address=:443

docs/content/reference/dynamic-configuration/kv-ref.md

@@ -48,7 +48,10 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeadersRegex` | `foobar` |
+| `traefik/http/middlewares/Middleware10/forwardAuth/forwardBody` | `true` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/headerField` | `foobar` |
+| `traefik/http/middlewares/Middleware10/forwardAuth/maxBodySize` | `42` |
+| `traefik/http/middlewares/Middleware10/forwardAuth/preserveLocationHeader` | `true` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/ca` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/caOptional` | `true` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/cert` | `foobar` |
@@ -173,6 +176,9 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/routers/Router0/entryPoints/1` | `foobar` |
 | `traefik/http/routers/Router0/middlewares/0` | `foobar` |
 | `traefik/http/routers/Router0/middlewares/1` | `foobar` |
+| `traefik/http/routers/Router0/observability/accessLogs` | `true` |
+| `traefik/http/routers/Router0/observability/metrics` | `true` |
+| `traefik/http/routers/Router0/observability/tracing` | `true` |
 | `traefik/http/routers/Router0/priority` | `42` |
 | `traefik/http/routers/Router0/rule` | `foobar` |
 | `traefik/http/routers/Router0/ruleSyntax` | `foobar` |
@@ -189,6 +195,9 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/routers/Router1/entryPoints/1` | `foobar` |
 | `traefik/http/routers/Router1/middlewares/0` | `foobar` |
 | `traefik/http/routers/Router1/middlewares/1` | `foobar` |
+| `traefik/http/routers/Router1/observability/accessLogs` | `true` |
+| `traefik/http/routers/Router1/observability/metrics` | `true` |
+| `traefik/http/routers/Router1/observability/tracing` | `true` |
 | `traefik/http/routers/Router1/priority` | `42` |
 | `traefik/http/routers/Router1/rule` | `foobar` |
 | `traefik/http/routers/Router1/ruleSyntax` | `foobar` |
@@ -266,6 +275,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/httpOnly` | `true` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/maxAge` | `42` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/name` | `foobar` |
+| `traefik/http/services/Service02/loadBalancer/sticky/cookie/path` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/sameSite` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/secure` | `true` |
 | `traefik/http/services/Service03/mirroring/healthCheck` | `` |
@@ -284,6 +294,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/services/Service04/weighted/sticky/cookie/httpOnly` | `true` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/maxAge` | `42` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/name` | `foobar` |
+| `traefik/http/services/Service04/weighted/sticky/cookie/path` | `foobar` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/sameSite` | `foobar` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/secure` | `true` |
 | `traefik/tcp/middlewares/TCPMiddleware01/ipAllowList/sourceRange/0` | `foobar` |

docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -57,18 +57,19 @@ spec:
                       description: |-
                         Kind defines the kind of the route.
                         Rule is the only supported kind.
+                        If not defined, defaults to Rule.
                       enum:
                       - Rule
                       type: string
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule
                       type: string
                     middlewares:
                       description: |-
                         Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-middleware
                       items:
                         description: MiddlewareRef is a reference to a Middleware
                           resource.
@@ -85,10 +86,22 @@ spec:
                         - name
                         type: object
                       type: array
+                    observability:
+                      description: |-
+                        Observability defines the observability configuration for a router.
+                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#observability
+                      properties:
+                        accessLogs:
+                          type: boolean
+                        metrics:
+                          type: boolean
+                        tracing:
+                          type: boolean
+                      type: object
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority
                       type: integer
                     services:
                       description: |-
@@ -229,7 +242,7 @@ spec:
                           sticky:
                             description: |-
                               Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                             properties:
                               cookie:
                                 description: Cookie defines the sticky cookie configuration.
@@ -241,13 +254,19 @@ spec:
                                     type: boolean
                                   maxAge:
                                     description: |-
-                                      MaxAge indicates the number of seconds until the cookie expires.
+                                      MaxAge defines the number of seconds until the cookie expires.
                                       When set to a negative number, the cookie expires immediately.
                                       When set to zero, the cookie never expires.
                                     type: integer
                                   name:
                                     description: Name defines the Cookie name.
                                     type: string
+                                  path:
+                                    description: |-
+                                      Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                      When not provided the cookie will be sent on every request to the domain.
+                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                    type: string
                                   sameSite:
                                     description: |-
                                       SameSite defines the same site policy.
@@ -277,28 +296,27 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax
                       type: string
                   required:
-                  - kind
                   - match
                   type: object
                 type: array
               tls:
                 description: |-
                   TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -317,17 +335,17 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                     properties:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                     required:
                     - name
@@ -344,12 +362,12 @@ spec:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                     required:
                     - name

docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -56,7 +56,7 @@ spec:
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule_1
                       type: string
                     middlewares:
                       description: Middlewares defines the list of references to MiddlewareTCP
@@ -80,7 +80,7 @@ spec:
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority_1
                       type: integer
                     services:
                       description: Services defines the list of TCP services.
@@ -121,7 +121,7 @@ spec:
                           proxyProtocol:
                             description: |-
                               ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#proxy-protocol
                             properties:
                               version:
                                 description: Version defines the PROXY Protocol version
@@ -159,7 +159,7 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax_1
                       type: string
                   required:
                   - match
@@ -168,18 +168,18 @@ spec:
               tls:
                 description: |-
                   TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls_1
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -198,7 +198,7 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                     properties:
                       name:
                         description: Name defines the name of the referenced Traefik

docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                   Default: all.
                 items:
                   type: string

docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/overview/
         properties:
           apiVersion:
             description: |-
@@ -45,7 +45,7 @@ spec:
                 description: |-
                   AddPrefix holds the add prefix middleware configuration.
                   This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/addprefix/
                 properties:
                   prefix:
                     description: |-
@@ -57,12 +57,12 @@ spec:
                 description: |-
                   BasicAuth holds the basic auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -83,7 +83,7 @@ spec:
                 description: |-
                   Buffering holds the buffering middleware configuration.
                   This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#maxrequestbodybytes
                 properties:
                   maxRequestBodyBytes:
                     description: |-
@@ -115,14 +115,14 @@ spec:
                     description: |-
                       RetryExpression defines the retry conditions.
                       It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#retryexpression
                     type: string
                 type: object
               chain:
                 description: |-
                   Chain holds the configuration of the chain middleware.
                   This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/chain/
                 properties:
                   middlewares:
                     description: Middlewares is the list of MiddlewareRef which composes
@@ -181,7 +181,7 @@ spec:
                 description: |-
                   Compress holds the compress middleware configuration.
                   This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/compress/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/compress/
                 properties:
                   defaultEncoding:
                     description: DefaultEncoding specifies the default encoding if
@@ -230,12 +230,12 @@ spec:
                 description: |-
                   DigestAuth holds the digest auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/digestauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -255,7 +255,7 @@ spec:
                 description: |-
                   ErrorPage holds the custom error middleware configuration.
                   This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/
                 properties:
                   query:
                     description: |-
@@ -265,7 +265,7 @@ spec:
                   service:
                     description: |-
                       Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/#service
                     properties:
                       healthCheck:
                         description: Healthcheck defines health checks for ExternalName
@@ -398,7 +398,7 @@ spec:
                       sticky:
                         description: |-
                           Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                         properties:
                           cookie:
                             description: Cookie defines the sticky cookie configuration.
@@ -409,13 +409,19 @@ spec:
                                 type: boolean
                               maxAge:
                                 description: |-
-                                  MaxAge indicates the number of seconds until the cookie expires.
+                                  MaxAge defines the number of seconds until the cookie expires.
                                   When set to a negative number, the cookie expires immediately.
                                   When set to zero, the cookie never expires.
                                 type: integer
                               name:
                                 description: Name defines the Cookie name.
                                 type: string
+                              path:
+                                description: |-
+                                  Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                  When not provided the cookie will be sent on every request to the domain.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                type: string
                               sameSite:
                                 description: |-
                                   SameSite defines the same site policy.
@@ -456,7 +462,7 @@ spec:
                 description: |-
                   ForwardAuth holds the forward auth middleware configuration.
                   This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/
                 properties:
                   addAuthCookiesToResponse:
                     description: AddAuthCookiesToResponse defines the list of cookies
@@ -484,8 +490,27 @@ spec:
                   authResponseHeadersRegex:
                     description: |-
                       AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#authresponseheadersregex
                     type: string
+                  forwardBody:
+                    description: ForwardBody defines whether to send the request body
+                      to the authentication server.
+                    type: boolean
+                  headerField:
+                    description: |-
+                      HeaderField defines a header field to store the authenticated user.
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#headerfield
+                    type: string
+                  maxBodySize:
+                    description: MaxBodySize defines the maximum body size in bytes
+                      allowed to be forwarded to the authentication server.
+                    format: int64
+                    type: integer
+                  preserveLocationHeader:
+                    description: PreserveLocationHeader defines whether to forward
+                      the Location header to the client as is or prefix it with the
+                      domain name of the authentication server.
+                    type: boolean
                   tls:
                     description: TLS defines the configuration used to secure the
                       connection to the authentication server.
@@ -531,7 +556,7 @@ spec:
                 description: |-
                   Headers holds the headers middleware configuration.
                   This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/headers/#customrequestheaders
                 properties:
                   accessControlAllowCredentials:
                     description: AccessControlAllowCredentials defines whether the
@@ -702,7 +727,7 @@ spec:
                 description: |-
                   InFlightReq holds the in-flight request middleware configuration.
                   This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/
                 properties:
                   amount:
                     description: |-
@@ -715,12 +740,12 @@ spec:
                       SourceCriterion defines what criterion is used to group requests as originating from a common source.
                       If several strategies are defined at the same time, an error will be raised.
                       If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/#sourcecriterion
                     properties:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -755,12 +780,12 @@ spec:
                 description: |-
                   IPAllowList holds the IP allowlist middleware configuration.
                   This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/
                 properties:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -797,7 +822,7 @@ spec:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -827,7 +852,7 @@ spec:
                 description: |-
                   PassTLSClientCert holds the pass TLS client cert middleware configuration.
                   This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/passtlsclientcert/
                 properties:
                   info:
                     description: Info selects the specific client certificate details
@@ -936,7 +961,7 @@ spec:
                 description: |-
                   RateLimit holds the rate limit configuration.
                   This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ratelimit/
                 properties:
                   average:
                     description: |-
@@ -969,7 +994,7 @@ spec:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -1004,7 +1029,7 @@ spec:
                 description: |-
                   RedirectRegex holds the redirect regex middleware configuration.
                   This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectregex/#regex
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
@@ -1023,7 +1048,7 @@ spec:
                 description: |-
                   RedirectScheme holds the redirect scheme middleware configuration.
                   This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectscheme/
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
@@ -1040,7 +1065,7 @@ spec:
                 description: |-
                   ReplacePath holds the replace path middleware configuration.
                   This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepath/
                 properties:
                   path:
                     description: Path defines the path to use as replacement in the
@@ -1051,7 +1076,7 @@ spec:
                 description: |-
                   ReplacePathRegex holds the replace path regex middleware configuration.
                   This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepathregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression used to match
@@ -1067,7 +1092,7 @@ spec:
                   Retry holds the retry middleware configuration.
                   This middleware reissues requests a given number of times to a backend server if that server does not reply.
                   As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/retry/
                 properties:
                   attempts:
                     description: Attempts defines how many times the request should
@@ -1089,7 +1114,7 @@ spec:
                 description: |-
                   StripPrefix holds the strip prefix middleware configuration.
                   This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefix/
                 properties:
                   forceSlash:
                     description: |-
@@ -1108,7 +1133,7 @@ spec:
                 description: |-
                   StripPrefixRegex holds the strip prefix regex middleware configuration.
                   This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefixregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression to match the

docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/overview/
         properties:
           apiVersion:
             description: |-
@@ -55,7 +55,7 @@ spec:
                 description: |-
                   IPAllowList defines the IPAllowList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipallowlist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of
@@ -69,7 +69,7 @@ spec:
                   IPWhiteList defines the IPWhiteList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
                   Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipwhitelist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of

docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml

@@ -21,7 +21,7 @@ spec:
           ServersTransport is the CRD implementation of a ServersTransport.
           If no serversTransport is specified, the default@internal will be used.
           The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_1
         properties:
           apiVersion:
             description: |-

docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml

@@ -21,7 +21,7 @@ spec:
           ServersTransportTCP is the CRD implementation of a TCPServersTransport.
           If no tcpServersTransport is specified, a default one named default@internal will be used.
           The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_3
         properties:
           apiVersion:
             description: |-

docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
         properties:
           apiVersion:
             description: |-
@@ -44,14 +44,14 @@ spec:
               alpnProtocols:
                 description: |-
                   ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#alpn-protocols
                 items:
                   type: string
                 type: array
               cipherSuites:
                 description: |-
                   CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#cipher-suites
                 items:
                   type: string
                 type: array
@@ -79,7 +79,7 @@ spec:
               curvePreferences:
                 description: |-
                   CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#curve-preferences
                 items:
                   type: string
                 type: array

docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml

@@ -21,7 +21,7 @@ spec:
           TLSStore is the CRD implementation of a Traefik TLS Store.
           For the time being, only the TLSStore named default is supported.
           This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#certificates-stores
         properties:
           apiVersion:
             description: |-

docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml

@@ -22,7 +22,7 @@ spec:
           TraefikService object allows to:
           - Apply weight to Services on load-balancing
           - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-traefikservice
         properties:
           apiVersion:
             description: |-
@@ -268,7 +268,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -279,13 +279,19 @@ spec:
                                   type: boolean
                                 maxAge:
                                   description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                     When set to a negative number, the cookie expires immediately.
                                     When set to zero, the cookie never expires.
                                   type: integer
                                 name:
                                   description: Name defines the Cookie name.
                                   type: string
+                                path:
+                                  description: |-
+                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                    When not provided the cookie will be sent on every request to the domain.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                  type: string
                                 sameSite:
                                   description: |-
                                     SameSite defines the same site policy.
@@ -375,7 +381,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
@@ -386,13 +392,19 @@ spec:
                             type: boolean
                           maxAge:
                             description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                               When set to a negative number, the cookie expires immediately.
                               When set to zero, the cookie never expires.
                             type: integer
                           name:
                             description: Name defines the Cookie name.
                             type: string
+                          path:
+                            description: |-
+                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                              When not provided the cookie will be sent on every request to the domain.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                            type: string
                           sameSite:
                             description: |-
                               SameSite defines the same site policy.
@@ -558,7 +570,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -569,13 +581,19 @@ spec:
                                   type: boolean
                                 maxAge:
                                   description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                     When set to a negative number, the cookie expires immediately.
                                     When set to zero, the cookie never expires.
                                   type: integer
                                 name:
                                   description: Name defines the Cookie name.
                                   type: string
+                                path:
+                                  description: |-
+                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                    When not provided the cookie will be sent on every request to the domain.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                  type: string
                                 sameSite:
                                   description: |-
                                     SameSite defines the same site policy.
@@ -605,7 +623,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
@@ -616,13 +634,19 @@ spec:
                             type: boolean
                           maxAge:
                             description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                               When set to a negative number, the cookie expires immediately.
                               When set to zero, the cookie never expires.
                             type: integer
                           name:
                             description: Name defines the Cookie name.
                             type: string
+                          path:
+                            description: |-
+                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                              When not provided the cookie will be sent on every request to the domain.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                            type: string
                           sameSite:
                             description: |-
                               SameSite defines the same site policy.

docs/content/reference/install-configuration/entrypoints.md

@@ -54,35 +54,39 @@ additionalArguments:
 
 ## Configuration Options
 
-| Field | Description | Default | Required |
-|:------|:------------|:--------|:---------|
-| `address` | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp]`. | - | Yes |
-| `asDefault` | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault).  | false | No |
-| `forwardedHeaders.trustedIPs` | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`). | - | No |
-| `forwardedHeaders.insecure` | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br />We recommend to use this option only for tests purposes, not in production. | false | No |
-| `http.redirections.`<br />`entryPoint.to` | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br /> The target element can be an entry point name (ex: `websecure`), or a port (`:443`). | - | Yes |
-| `http.redirections.`<br />`entryPoint.scheme` | The target scheme to use for (permanent) redirection of all incoming requests.  | https | No |
-| `http.redirections.`<br />`entryPoint.permanent` | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`). | false | No |
-| `http.redirections.`<br />`entryPoint.priority` | Default priority applied to the routers attached to the `entryPoint`. | MaxInt32-1 (2147483646) | No |
-| `http.encodeQuerySemicolons` | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons). | false | No |
-| `http.middlewares` | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares). | - | No |
-| `http.tls` | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generates by Traefik. <br /> We recommend to not use self signed certificates in production. | - | No |
-| `http.tls.options` | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption). | - | No |
-| `http.tls.certResolver` | Apply a certificate resolver on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../install-configuration/tls/certificate-resolvers/overview.md). | - | No |
-| `http2.maxConcurrentStreams` | Set the number of concurrent streams per connection that each client is allowed to initiate. <br /> The value must be greater than zero. | 250 | No |
-| `http3` | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3. | - | No |
-| `http3.advertisedPort` | Set the UDP port to advertise as the HTTP/3 authority. <br /> It defaults to the entryPoint's address port. <br /> It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening. | - | No |
-| `proxyProtocol.trustedIPs` | Enable PROXY protocol with Trusted IPs. <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br /> More information [here](#proxyprotocol-and-load-balancers).| - | No |
-| `proxyProtocol.insecure` | Enable PROXY protocol trusting every incoming connection. <br /> Every remote client address will be replaced (`trustedIPs`) won't have any effect). <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br />We recommend to use this option only for tests purposes, not in production.<br /> More information [here](#proxyprotocol-and-load-balancers). | - | No |
-| `reusePort` | Enable `entryPoints` from the same or different processes listening on the same TCP/UDP port by utilizing the `SO_REUSEPORT` socket option. <br /> It also allows the kernel to act like a load balancer to distribute incoming connections between entry points..<br /> More information [here](#reuseport). | false | No |
-| `transport.`<br />`respondingTimeouts.`<br />`readTimeout` | Set the timeouts for incoming requests to the Traefik instance. This is the maximum duration for reading the entire request, including the body. Setting them has no effect for UDP `entryPoints`.<br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds. | 60s (seconds) | No |
-| `transport.`<br />`respondingTimeouts.`<br />`writeTimeout` | Maximum duration before timing out writes of the response. <br /> It covers the time from the end of the request header read to the end of the response write. <br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds. | 0s (seconds) | No |
-| `transport.`<br />`respondingTimeouts.`<br />`idleTimeout` | Maximum duration an idle (keep-alive) connection will remain idle before closing itself. <br /> If zero, no timeout exists <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds| 180s (seconds) | No |
-| `transport.`<br />`lifeCycle.`<br />`graceTimeOut` | Set the duration to give active requests a chance to finish before Traefik stops. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds <br /> In this time frame no new requests are accepted.| 10s (seconds) | No |
-| `transport.`<br />`lifeCycle.`<br />`requestAcceptGraceTimeout` | Set the duration to keep accepting requests prior to initiating the graceful termination period (as defined by the `transportlifeCycle.graceTimeOut` option). <br /> This option is meant to give downstream load-balancers sufficient time to take Traefik out of rotation. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds| 0s (seconds) | No |
-| `transport.`<br />`keepAliveMaxRequests` | Set the maximum number of requests Traefik can handle before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). <br /> Zero means no limit. | 0 | No |
-| `transport.`<br />`keepAliveMaxTime` | Set the maximum duration Traefik can handle requests before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). Zero means no limit. | 0s (seconds) | No |
-| `udp.timeout` | Define how long to wait on an idle session before releasing the related resources. <br />The Timeout value must be greater than zero.| 3s (seconds)| No |
+| Field                                                           | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Default | Required |
+|:----------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `address`                                                       | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp]`.                                                                                                                                                                                                                                                                                                                                                                                                                      | - | Yes |
+| `accessLogs`                                                    | Defines whether a router attached to this EntryPoint produces access-logs by default. Nonetheless, a router defining its own observability configuration will opt-out from this default.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | true | No |
+| `asDefault`                                                     | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault).                                                                                                                                                                                                                                                                                                                                                                                                                                       | false | No |
+| `forwardedHeaders.trustedIPs`                                   | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | - | No |
+| `forwardedHeaders.insecure`                                     | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br />We recommend to use this option only for tests purposes, not in production.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false | No |
+| `http.redirections.`<br />`entryPoint.to`                       | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br /> The target element can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | - | Yes |
+| `http.redirections.`<br />`entryPoint.scheme`                   | The target scheme to use for (permanent) redirection of all incoming requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | https | No |
+| `http.redirections.`<br />`entryPoint.permanent`                | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false | No |
+| `http.redirections.`<br />`entryPoint.priority`                 | Default priority applied to the routers attached to the `entryPoint`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | MaxInt32-1 (2147483646) | No |
+| `http.encodeQuerySemicolons`                                    | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons).                                                                                                                                                                                                                                                                                                                                               | false | No |
+| `http.sanitizePath`                                             | Defines whether to enable the request path sanitization.<br /> More information [here](#sanitizepath).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | false | No |
+| `http.middlewares`                                              | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | - | No |
+| `http.tls`                                                      | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generates by Traefik. <br /> We recommend to not use self signed certificates in production.                                                                                                                                                                                                                                                                                                                                                                                                                                                        | - | No |
+| `http.tls.options`                                              | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption).                                                                                                                                                                                                                                                                                                                                                                                                                                                   | - | No |
+| `http.tls.certResolver`                                         | Apply a certificate resolver on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../install-configuration/tls/certificate-resolvers/overview.md).                                                                                                                                                                                                                                                                                                                                                                                                                                  | - | No |
+| `http2.maxConcurrentStreams`                                    | Set the number of concurrent streams per connection that each client is allowed to initiate. <br /> The value must be greater than zero.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 250 | No |
+| `http3`                                                         | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3.                                                                                                                                                                                                                                                                                                                                                                                          | - | No |
+| `http3.advertisedPort`                                          | Set the UDP port to advertise as the HTTP/3 authority. <br /> It defaults to the entryPoint's address port. <br /> It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening.                                                                                                                                                                                                                                                                                                                                                                                                            | - | No |
+| `metrics`                                                       | Defines whether a router attached to this EntryPoint produces metrics by default. Nonetheless, a router defining its own observability configuration will opt-out from this default.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | true | No |
+| `proxyProtocol.trustedIPs`                                      | Enable PROXY protocol with Trusted IPs. <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br /> More information [here](#proxyprotocol-and-load-balancers).                                                                                                                                                                                               | - | No |
+| `proxyProtocol.insecure`                                        | Enable PROXY protocol trusting every incoming connection. <br /> Every remote client address will be replaced (`trustedIPs`) won't have any effect). <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br />We recommend to use this option only for tests purposes, not in production.<br /> More information [here](#proxyprotocol-and-load-balancers). | - | No |
+| `reusePort`                                                     | Enable `entryPoints` from the same or different processes listening on the same TCP/UDP port by utilizing the `SO_REUSEPORT` socket option. <br /> It also allows the kernel to act like a load balancer to distribute incoming connections between entry points..<br /> More information [here](#reuseport).                                                                                                                                                                                                                                                                                                                                                                       | false | No |
+| `tracing`                                                       | Defines whether a router attached to this EntryPoint produces traces by default. Nonetheless, a router defining its own observability configuration will opt-out from this default.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | true | No |
+| `transport.`<br />`respondingTimeouts.`<br />`readTimeout`      | Set the timeouts for incoming requests to the Traefik instance. This is the maximum duration for reading the entire request, including the body. Setting them has no effect for UDP `entryPoints`.<br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds.                                                                                                                                                                                                                                | 60s (seconds) | No |
+| `transport.`<br />`respondingTimeouts.`<br />`writeTimeout`     | Maximum duration before timing out writes of the response. <br /> It covers the time from the end of the request header read to the end of the response write. <br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds.                                                                                                                                                                                                                                                                   | 0s (seconds) | No |
+| `transport.`<br />`respondingTimeouts.`<br />`idleTimeout`      | Maximum duration an idle (keep-alive) connection will remain idle before closing itself. <br /> If zero, no timeout exists <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds                                                                                                                                                                                                                                                                                                                                           | 180s (seconds) | No |
+| `transport.`<br />`lifeCycle.`<br />`graceTimeOut`              | Set the duration to give active requests a chance to finish before Traefik stops. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds <br /> In this time frame no new requests are accepted.                                                                                                                                                                                                                                                                                                                            | 10s (seconds) | No |
+| `transport.`<br />`lifeCycle.`<br />`requestAcceptGraceTimeout` | Set the duration to keep accepting requests prior to initiating the graceful termination period (as defined by the `transportlifeCycle.graceTimeOut` option). <br /> This option is meant to give downstream load-balancers sufficient time to take Traefik out of rotation. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds                                                                                                                                                                                         | 0s (seconds) | No |
+| `transport.`<br />`keepAliveMaxRequests`                        | Set the maximum number of requests Traefik can handle before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). <br /> Zero means no limit.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | 0 | No |
+| `transport.`<br />`keepAliveMaxTime`                            | Set the maximum duration Traefik can handle requests before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). Zero means no limit.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 0s (seconds) | No |
+| `udp.timeout`                                                   | Define how long to wait on an idle session before releasing the related resources. <br />The Timeout value must be greater than zero.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 3s (seconds)| No |
 
 ### asDefault
 
@@ -142,6 +146,33 @@ Behavior examples:
 | false                 | foo=bar&baz=bar;foo | foo=bar&baz=bar&foo     |
 | true                  | foo=bar&baz=bar;foo | foo=bar&baz=bar%3Bfoo   |
 
+### SanitizePath
+
+The `sanitizePath` option defines whether to enable the request path sanitization.
+When disabled, the incoming request path is passed to the backend as is.
+This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
+For example, as base64 uses the “/” character internally,
+if it's not url encoded,
+it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
+
+!!! warning "Security"
+
+    Setting the sanitizePath option to false is not safe.
+    Ensure every request is properly url encoded instead.
+
+#### Examples
+
+| SanitizePath | Request Path    | Resulting Request Path |
+|--------------|-----------------|------------------------|
+| false        | /./foo/bar      | /./foo/bar             |
+| true         | /./foo/bar      | /foo/bar               |
+| false        | /foo/../bar     | /foo/../bar            |
+| true         | /foo/../bar     | /bar                   |
+| false        | /foo/bar//      | /foo/bar//             |
+| true         | /foo/bar//      | /foo/bar/              |
+| false        | /./foo/../bar// | /./foo/../bar//        |
+| true         | /./foo/../bar// | /bar/                  |
+
 ### HTTP3
 
 As HTTP/3 actually uses UDP, when Traefik is configured with a TCP `entryPoint`

docs/content/reference/install-configuration/observability/tracing.md

@@ -36,27 +36,27 @@ tracing: {}
 
 ## Configuration Options
 
-| Field      | Description                                                                                                                                                                                 | Default | Required |
-|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
-| `tracing.addInternals` | Enables tracing for internal resources (e.g.: `ping@internal`). | false      | No      |
-| `tracing.serviceName` | Service name used in selected backend. | "traefik"      | No      |
-| `tracing.sampleRate` | The proportion of requests to trace, specified between 0.0 and 1.0. | 1.0      | No      |
-| `tracing.globalAttributes` | Applies a list of shared key:value attributes on all spans. | {}      | No      |
-| `tracing.capturedRequestHeaders` | Defines the list of request headers to add as attributes.<br />It applies to client and server kind spans.| {}      | No      |
-| `tracing.capturedResponseHeaders` | Defines the list of response headers to add as attributes.<br />It applies to client and server kind spans.| {}      |False      |
-| `tracing.safeQueryParams` | By default, all query parameters are redacted.<br />Defines the list of query parameters to not redact. | {}      | No      |
-| `tracing.otlp.http` | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false      | No      |
-| `tracing.otlp.http.endpoint` | URL of the OpenTelemetry Collector to send tracing to.<br /> Format="`<scheme>://<host>:<port><path>`" | "http://localhost:4318/v1/tracing"      | Yes      |
-| `tracing.otlp.http.headers` | Additional headers sent with tracing by the exporter to the OpenTelemetry Collector. |       | No      |
-| `tracing.otlp.http.tls.ca` | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | ""  | No      |
-| `tracing.otlp.http.tls.cert` | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required. | ""      | No      |
-| `tracing.otlp.http.tls.key` | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | ""null/false ""     | No      |
-| `tracing.otlp.http.tls.insecureskipverify` |If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.  | false | Yes      |
-| `tracing.otlp.grpc` | This instructs the exporter to send tracing to the OpenTelemetry Collector using gRPC. | false | No      |
-| `tracing.otlp.grpc.endpoint` | Address of the OpenTelemetry Collector to send tracing to.<br /> Format="`<host>:<port>`" | "localhost:4317"      | Yes      |
-| `tracing.otlp.grpc.headers` | Additional headers sent with tracing by the exporter to the OpenTelemetry Collector. |   {}    | No      |
-| `tracing.otlp.grpc.insecure` |Allows exporter to send tracing to the OpenTelemetry Collector without using a secured protocol.  | false | Yes      |
-| `tracing.otlp.grpc.tls.ca` | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | ""  | No      |
-| `tracing.otlp.grpc.tls.cert` | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required. | ""      | No      |
-| `tracing.otlp.grpc.tls.key` | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | ""null/false ""     | No      |
-| `tracing.otlp.grpc.tls.insecureskipverify` |If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.  | false | Yes      |
+| Field                                      | Description                                                                                                                                                                                 | Default                            | Required |
+|:-------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------|:---------|
+| `tracing.addInternals`                     | Enables tracing for internal resources (e.g.: `ping@internal`). | false                              | No      |
+| `tracing.serviceName`                      | Service name used in selected backend. | "traefik"                          | No      |
+| `tracing.sampleRate`                       | The proportion of requests to trace, specified between 0.0 and 1.0. | 1.0                                | No      |
+| `tracing.resourceAttributes`               | Defines additional resource attributes to be sent to the collector. | []                                 | No      |
+| `tracing.capturedRequestHeaders`           | Defines the list of request headers to add as attributes.<br />It applies to client and server kind spans.| []                                 | No      |
+| `tracing.capturedResponseHeaders`          | Defines the list of response headers to add as attributes.<br />It applies to client and server kind spans.| []                                 |False      |
+| `tracing.safeQueryParams`                  | By default, all query parameters are redacted.<br />Defines the list of query parameters to not redact. | []                                 | No      |
+| `tracing.otlp.http`                        | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | null/false                         | No      |
+| `tracing.otlp.http.endpoint`               | URL of the OpenTelemetry Collector to send tracing to.<br /> Format="`<scheme>://<host>:<port><path>`" | "http://localhost:4318/v1/tracing" | Yes      |
+| `tracing.otlp.http.headers`                | Additional headers sent with tracing by the exporter to the OpenTelemetry Collector. |                                    | No      |
+| `tracing.otlp.http.tls.ca`                 | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | ""                                 | No      |
+| `tracing.otlp.http.tls.cert`               | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required. | ""                                 | No      |
+| `tracing.otlp.http.tls.key`                | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | ""null/false ""                    | No      |
+| `tracing.otlp.http.tls.insecureskipverify` |If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.  | false                              | Yes      |
+| `tracing.otlp.grpc`                        | This instructs the exporter to send tracing to the OpenTelemetry Collector using gRPC. | false                              | No      |
+| `tracing.otlp.grpc.endpoint`               | Address of the OpenTelemetry Collector to send tracing to.<br /> Format="`<host>:<port>`" | "localhost:4317"                   | Yes      |
+| `tracing.otlp.grpc.headers`                | Additional headers sent with tracing by the exporter to the OpenTelemetry Collector. | []                                 | No      |
+| `tracing.otlp.grpc.insecure`               |Allows exporter to send tracing to the OpenTelemetry Collector without using a secured protocol.  | false                              | Yes      |
+| `tracing.otlp.grpc.tls.ca`                 | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. | ""                                 | No      |
+| `tracing.otlp.grpc.tls.cert`               | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required. | ""                                 | No      |
+| `tracing.otlp.grpc.tls.key`                | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values. | ""null/false ""                    | No      |
+| `tracing.otlp.grpc.tls.insecureskipverify` |If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.  | false                              | Yes      |

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md

@@ -52,21 +52,21 @@ providers:
 
 ## Configuration Options
 
-| Field | Description                                               | Default              | Required |
-|:------|:----------------------------------------------------------|:---------------------|:---------|
-| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s  | No |
-| `providers.kubernetesCRD.endpoint` | Server endpoint URL.<br />More information [here](#endpoint). | "" | No |
-| `providers.kubernetesCRD.token` | Bearer token used for the Kubernetes client configuration. | "" | No |
-| `providers.kubernetesCRD.certAuthFilePath` | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | "" | No |
-| `providers.kubernetesCRD.namespaces` | Array of namespaces to watch.<br />If left empty, watch all namespaces. | {} | No |
-| `providers.kubernetesCRD.labelselector` | Allow filtering on specific resource objects only using label selectors.<br />Only to Traefik [Custom Resources](#list-of-resources) (they all must match the filter).<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | ""  | No |
-| `providers.kubernetesCRD.ingressClass` | Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.<br />If empty, resources missing the annotation, having an empty value, or the value `traefik` are processed. | ""  | No |
-| `providers.kubernetesCRD.throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s | No |
-| `providers.kubernetesCRD.allowEmptyServices` | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status.  | false | No |
-| `providers.kubernetesCRD.allowCrossNamespace` | Allows the `IngressRoutes` to reference resources in namespaces other than theirs. | false | No |
-| `providers.kubernetesCRD.allowExternalNameServices` | Allows the `IngressRoutes` to reference ExternalName services. | false | No |
-| `providers.kubernetesCRD.nativeLBByDefault` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `IngressRoute` by default.<br />It can br overridden in the [`ServerTransport`](../../../../routing/services/index.md#serverstransport). | false | No |
-| `providers.kubernetesCRD.disableClusterScopeResources` | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle IngressRoutes with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services. | false | No |
+| Field | Description                                               | Default | Required |
+|:------|:----------------------------------------------------------|:--------|:---------|
+| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No |
+| `providers.kubernetesCRD.endpoint` | Server endpoint URL.<br />More information [here](#endpoint). | ""      | No |
+| `providers.kubernetesCRD.token` | Bearer token used for the Kubernetes client configuration. | ""      | No |
+| `providers.kubernetesCRD.certAuthFilePath` | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | ""      | No |
+| `providers.kubernetesCRD.namespaces` | Array of namespaces to watch.<br />If left empty, watch all namespaces. | []      | No |
+| `providers.kubernetesCRD.labelselector` | Allow filtering on specific resource objects only using label selectors.<br />Only to Traefik [Custom Resources](#list-of-resources) (they all must match the filter).<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | ""      | No |
+| `providers.kubernetesCRD.ingressClass` | Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.<br />If empty, resources missing the annotation, having an empty value, or the value `traefik` are processed. | ""      | No |
+| `providers.kubernetesCRD.throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s      | No |
+| `providers.kubernetesCRD.allowEmptyServices` | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status.  | false   | No |
+| `providers.kubernetesCRD.allowCrossNamespace` | Allows the `IngressRoutes` to reference resources in namespaces other than theirs. | false   | No |
+| `providers.kubernetesCRD.allowExternalNameServices` | Allows the `IngressRoutes` to reference ExternalName services. | false   | No |
+| `providers.kubernetesCRD.nativeLBByDefault` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `IngressRoute` by default.<br />It can br overridden in the [`ServerTransport`](../../../../routing/services/index.md#serverstransport). | false   | No |
+| `providers.kubernetesCRD.disableClusterScopeResources` | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle IngressRoutes with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services. | false   | No |
 
 ### endpoint
 

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md

@@ -67,20 +67,21 @@ providers:
 
 <!-- markdownlint-disable MD013 -->
 
-| Field | Description                                               | Default              | Required |
-|:------|:----------------------------------------------------------|:---------------------|:---------|
-| `providers.providersThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s  | No |
-| `providers.kubernetesGateway.endpoint` | Server endpoint URL.<br />More information [here](#endpoint). | "" | No |
-| `providers.kubernetesGateway.experimentalChannel` | Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).<br />(ex: `TCPRoute` and `TLSRoute`)| false | No |
-| `providers.kubernetesGateway.token` | Bearer token used for the Kubernetes client configuration. | "" | No |
-| `providers.kubernetesGateway.certAuthFilePath` | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | "" | No |
-| `providers.kubernetesGateway.namespaces` | Array of namespaces to watch.<br />If left empty, watch all namespaces. | {} | No |
-| `providers.kubernetesGateway.labelselector` | Allow filtering on specific resource objects only using label selectors.<br />Only to Traefik [Custom Resources](./kubernetes-crd.md#list-of-resources) (they all must match the filter).<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | ""  | No |
-| `providers.kubernetesGateway.throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s | No |
-| `providers.kubernetesGateway.nativeLBByDefault` | Defines whether to use Native Kubernetes load-balancing mode by default. For more information, please check out the `traefik.io/service.nativelb` service annotation documentation. | false | No |
-| `providers.kubernetesGateway.`<br />`statusAddress.hostname` | Hostname copied to the Gateway `status.addresses`. | ""  | No |
-| `providers.kubernetesGateway.`<br />`statusAddress.ip` | IP address copied to the Gateway `status.addresses`, and currently only supports one IP value (IPv4 or IPv6). | ""  | No |
-| `providers.kubernetesGateway.`<br />`statusAddress.publishedService` | The Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the gateways. | ""  | No |
+| Field                                                                 | Description                                                                                                                                                                                                                                                                                                                                                                                           | Default | Required |
+|:----------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `providers.providersThrottleDuration`                                 | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.**                  | 2s      | No       |
+| `providers.kubernetesGateway.endpoint`                                | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                                         | ""      | No       |
+| `providers.kubernetesGateway.experimentalChannel`                     | Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).<br />(ex: `TCPRoute` and `TLSRoute`)                                                                                                                                                                                    | false   | No       |
+| `providers.kubernetesGateway.token`                                   | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                                            | ""      | No       |
+| `providers.kubernetesGateway.certAuthFilePath`                        | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                            | ""      | No       |
+| `providers.kubernetesGateway.namespaces`                              | Array of namespaces to watch.<br />If left empty, watch all namespaces.                                                                                                                                                                                                                                                                                                                               | []      | No       |
+| `providers.kubernetesGateway.labelselector`                           | Allow filtering on specific resource objects only using label selectors.<br />Only to Traefik [Custom Resources](./kubernetes-crd.md#list-of-resources) (they all must match the filter).<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | ""      | No       |
+| `providers.kubernetesGateway.throttleDuration`                        | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                                            | 0s      | No       |
+| `providers.kubernetesGateway.nativeLBByDefault`                       | Defines whether to use Native Kubernetes load-balancing mode by default. For more information, please check out the `traefik.io/service.nativelb` service annotation documentation.                                                                                                                                                                                                                   | false   | No       |
+| `providers.kubernetesGateway.`<br />`statusAddress.hostname`          | Hostname copied to the Gateway `status.addresses`.                                                                                                                                                                                                                                                                                                                                                    | ""      | No       |
+| `providers.kubernetesGateway.`<br />`statusAddress.ip`                | IP address copied to the Gateway `status.addresses`, and currently only supports one IP value (IPv4 or IPv6).                                                                                                                                                                                                                                                                                         | ""      | No       |
+| `providers.kubernetesGateway.`<br />`statusAddress.service.namespace` | The namespace of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`.                                                                                                                           | ""      | No       |
+| `providers.kubernetesGateway.`<br />`statusAddress.service.name`      | The name of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`.                                                                                                                                | ""      | No       |
 
 <!-- markdownlint-enable MD013 -->
 

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md

@@ -3,7 +3,7 @@ title: "Traefik Kubernetes Ingress Documentation"
 description: "Understand the requirements, routing configuration, and how to set up Traefik Proxy as your Kubernetes Ingress Controller. Read the technical documentation."
 ---
 
-# Traefik & Kubernetes
+# Traefik & Kubernetes 
 
 The Traefik Kubernetes Ingress provider is a Kubernetes Ingress controller; i.e,
 it manages access to cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.

docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md

@@ -79,15 +79,17 @@ ACME certificate resolvers have the following configuration options:
 | `acme.caServer` | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No       |
 | `acme.preferredChain`  | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | ""  | No  |
 | `acme.keyType` | KeyType to use. | "RSA4096"  | No       |
-| `acme.eab` | Enable external account binding.| ""  | No  |
-| `acme.eab.kid` | Key identifier from External CA. |  | No |
+| `acme.eab` | Enable external account binding.|   | No  |
+| `acme.eab.kid` | Key identifier from External CA. | "" | No |
 | `acme.eab.hmacEncoded`  | HMAC key from External CA, should be in Base64 URL Encoding without padding format.  | "" | No    |
 | `acme.certificatesDuration`  | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160  | No       |
 | `acme.dnsChallenge`  | Enable DNS-01 challenge. More information [here](#dnschallenge).   | - | No       |
-| `acme.dnsChallenge.provider`    | DNS provider to use.  |  | No   |
-| `acme.dnsChallenge.delayBeforeCheck`  | By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds. Useful if internal networks block external DNS queries. |   | No  |
-| `acme.dnsChallenge.resolvers` | DNS servers to resolve the FQDN authority.   |   | No       |
-| `acme.dnsChallenge.disablePropagationCheck`  | Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready.   |  | No       |
+| `acme.dnsChallenge.provider`    | DNS provider to use.  | "" | No   |
+| `acme.dnsChallenge.resolvers` | DNS servers to resolve the FQDN authority.   |  [] | No       |
+| `acme.dnsChallenge.propagation.delayBeforeChecks`  | By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds. This is Useful if internal networks block external DNS queries. | 0s  | No  |
+| `acme.dnsChallenge.propagation.disableChecks`  | Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. Please note that disabling checks can prevent the challenge from succeeding. | false | No  |
+| `acme.dnsChallenge.propagation.requireAllRNS`  | Enables the challenge TXT record to be propagated to all recursive nameservers. If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`), it is recommended to check all recursive nameservers instead. | false  | No  |
+| `acme.dnsChallenge.propagation.disableANSChecks`  | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable. |  false | No  |
 | `acme.httpChallenge`    | Enable HTTP-01 challenge. More information [here](#httpchallenge).   |  | No   |
 | `acme.httpChallenge.entryPoint`  | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 |  ""  | Yes      |
 | `acme.tlsChallenge` | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | -  | No   |

docs/content/reference/routing-configuration/dynamic-configuration-methods.md

@@ -0,0 +1,187 @@
+---
+title: 'Providing Dynamic Configuration to Traefik'
+description: 'Learn about the different methods for providing dynamic configuration to Traefik. Read the technical documentation.'
+---
+
+# Providing Dynamic (Routing) Configuration to Traefik
+
+Dynamic configuration—now also known as routing configuration—defines how Traefik routes incoming requests to the correct services. This is distinct from install configuration (formerly known as static configuration), which sets up Traefik’s core components and providers.
+
+Depending on your environment and preferences, there are several ways to supply this routing configuration:
+
+- File or Structured Provider: Use TOML or YAML files.
+- Docker and ECS Providers: Use container labels.
+- Kubernetes Providers: Use annotations.
+- KV Providers : Use key-value pairs.
+- Other Providers (Consul, Nomad, etc.) : Use tags.
+
+## Using the File Provider
+
+The File provider allows you to define routing configuration in static files using either TOML or YAML syntax. This method is ideal for environments where services cannot be automatically discovered or when you prefer to manage configurations manually.
+
+### Enabling the File Provider
+
+To enable the File provider, add the following to your Traefik install configuration:
+
+```yaml tab="YAML"
+providers:
+  file:
+    directory: "/path/to/dynamic/conf"
+```
+
+```toml tab="TOML"
+[providers.file]
+  directory = "/path/to/dynamic/conf"
+```
+
+???+ example "Example using the file provider to declare routers & services"
+
+      ```yaml tab="File (YAML)"
+      http:
+        routers:
+          my-router:
+            rule: "Host(`example.com`)"
+            service: my-service
+
+        services:
+          my-service:
+            loadBalancer:
+              servers:
+                - url: "http://localhost:8080"
+      ```
+
+      ```toml tab="File (TOML)"
+      [http]
+        [http.routers]
+          [http.routers.my-router]
+            rule = "Host(`example.com`)"
+            service = "my-service"
+
+        [http.services]
+          [http.services.my-service.loadBalancer]
+            [[http.services.my-service.loadBalancer.servers]]
+              url = "http://localhost:8080"
+      ```
+
+## Using Labels With Docker and ECS
+
+When using Docker or Amazon ECS, you can define routing configuration using container labels. This method allows Traefik to automatically discover services and apply configurations without the need for additional files.
+
+???+ example "Example with Docker"
+
+    When deploying a Docker container, you can specify labels to define routing rules and services:
+
+    ```yaml
+    version: '3'
+
+    services:
+      my-service:
+        image: my-image
+        labels:
+          - "traefik.http.routers.my-router.rule=Host(`example.com`)"
+          - "traefik.http.services.my-service.loadbalancer.server.port=80"
+    ```
+
+???+ example "Example with ECS"
+
+    In ECS, you can use task definition labels to achieve the same effect:
+
+    ```yaml
+    {
+      "containerDefinitions": [
+        {
+          "name": "my-service",
+          "image": "my-image",
+          "dockerLabels": {
+            "traefik.http.routers.my-router.rule": "Host(`example.com`)",
+            "traefik.http.services.my-service.loadbalancer.server.port": "80"
+          }
+        }
+      ]
+    }
+    ```
+
+## Using Kubernetes Providers
+
+For Kubernetes providers, you can configure Traefik using the native Ingress or custom resources (like IngressRoute). Annotations in your Ingress or IngressRoute definition allow you to define routing rules and middleware settings. For example:
+
+???+ example "Example with Kubernetes"
+
+    ```yaml
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+      name: whoami
+      namespace: apps
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.priority: "42"
+        traefik.ingress.kubernetes.io/router.tls: "true"
+        traefik.ingress.kubernetes.io/router.tls.options: apps-opt@kubernetescrd
+    spec:
+      rules:
+        - host: my-domain.example.com
+          http:
+            paths:
+              - path: /
+                pathType: Prefix
+                backend:
+                  service:
+                    name: whoami
+                    namespace: apps
+                    port:
+                      number: 80
+      tls:
+        - secretName: supersecret    
+    ```
+
+## Using Key-Value Pairs With KV Providers
+
+For [KV providers](./other-providers/kv.md) you can configure Traefik with key-value pairs.
+
+???+ example "Examples"
+
+    ```bash tab="etcd"
+    # Set a router rule
+    etcdctl put /traefik/http/routers/my-router/rule "Host(`example.com`)"
+    # Define the service associated with the router
+    etcdctl put /traefik/http/routers/my-router/service "my-service"
+    # Set the backend server URL for the service
+    etcdctl put /traefik/http/services/my-service/loadbalancer/servers/0/url "http://localhost:8080"
+    ```
+
+    ```bash tab="Redis"
+    # Set a router rule
+    redis-cli set traefik/http/routers/my-router/rule "Host(`example.com`)"
+    # Define the service associated with the router
+    redis-cli set traefik/http/routers/my-router/service "my-service"
+    # Set the backend server URL for the service
+    redis-cli set traefik/http/services/my-service/loadbalancer/servers/0/url "http://localhost:8080"
+    ```
+
+    ```bash tab="ZooKeeper"
+    # Set a router rule
+    create /traefik/http/routers/my-router/rule "Host(`example.com`)"
+    # Define the service associated with the router
+    create /traefik/http/routers/my-router/service "my-service"
+    # Set the backend server URL for the service
+    create /traefik/http/services/my-service/loadbalancer/servers/0/url "http://localhost:8080"
+    ```
+
+## Using Tags With Other Providers
+
+For providers that do not support labels, such as Consul & Nomad, you can use tags to provide routing configuration.
+
+???+ example "Example"
+
+    ```json tab="Consul / Nomad"
+    {
+      "Name": "my-service",
+      "Tags": [
+        "traefik.http.routers.my-router.rule=Host(`example.com`)",
+        "traefik.http.services.my-service.loadbalancer.server.port=80"
+      ],
+      "Address": "localhost",
+      "Port": 8080
+    }
+    ```

docs/content/reference/routing-configuration/http/load-balancing/serverstransport.md

@@ -0,0 +1,112 @@
+---
+title: "ServersTransport"
+description: "ServersTransport allows configuring the connection between Traefik and the HTTP servers."
+---
+
+ServersTransport allows you to configure the transport between Traefik and your HTTP servers.
+
+## Configuration Example
+
+Declare the serversTransport:
+
+```yaml tab="Structured (YAML)"
+http:
+  serversTransports:
+    mytransport:
+      serverName: "myhost"
+      certificates:
+        - "/path/to/cert1.pem"
+        - "/path/to/cert2.pem"
+      insecureSkipVerify: true
+      rootcas:
+        - "/path/to/rootca1.pem"
+        - "/path/to/rootca2.pem"
+      maxIdleConnsPerHost: 100
+      disableHTTP2: true
+      peerCertURI: "spiffe://example.org/peer"
+      forwardingTimeouts:
+        dialTimeout: "30s"
+        responseHeaderTimeout: "10s"
+        idleConnTimeout: "60s"
+        readIdleTimeout: "5s"
+        pingTimeout: "15s"
+      spiffe:
+        ids:
+          - "spiffe://example.org/id1"
+          - "spiffe://example.org/id2"
+        trustDomain: "example.org"
+```
+
+```toml tab="Structured (TOML)"
+[http.serversTransports.mytransport]
+  serverName = "myhost"
+  certificates = ["/path/to/cert1.pem", "/path/to/cert2.pem"]
+  insecureSkipVerify = true
+  rootcas = ["/path/to/rootca1.pem", "/path/to/rootca2.pem"]
+  maxIdleConnsPerHost = 100
+  disableHTTP2 = true
+  peerCertURI = "spiffe://example.org/peer"
+
+  [http.serversTransports.mytransport.forwardingTimeouts]
+    dialTimeout = "30s"
+    responseHeaderTimeout = "10s"
+    idleConnTimeout = "60s"
+    readIdleTimeout = "5s"
+    pingTimeout = "15s"
+
+  [http.serversTransports.mytransport.spiffe]
+    ids = ["spiffe://example.org/id1", "spiffe://example.org/id2"]
+    trustDomain = "example.org"
+``` 
+
+Attach the serversTransport to a service:
+
+```yaml tab="Structured (YAML)"
+## Dynamic configuration
+http:
+  services:
+    Service01:
+      loadBalancer:
+        serversTransport: mytransport
+```
+
+```toml tab="Structured(TOML)"
+## Dynamic configuration
+[http.services]
+  [http.services.Service01]
+    [http.services.Service01.loadBalancer]
+      serversTransport = "mytransport"
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.services.Service01.loadBalancer.serversTransport=mytransport"
+```
+
+```json tab="Tags"
+{
+  // ...
+  "Tags": [
+    "traefik.http.services.Service01.loadBalancer.serversTransport=mytransport"
+  ]
+}
+```
+
+## Configuration Options
+
+| Field | Description                                               | Default              | Required |
+|:------|:----------------------------------------------------------|:---------------------|:---------|
+| `serverName` | Configures the server name that will be used as the SNI. | "" | No |
+| `certificates` | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS. | [] | No |
+| `insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. | false  | No |
+| `rootcas` | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections). | [] | No |
+| `maxIdleConnsPerHost` | Maximum idle (keep-alive) connections to keep per-host. | 200 | No |
+| `disableHTTP2` | Disables HTTP/2 for connections with servers. | false | No |
+| `peerCertURI` | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
+| `forwardingTimeouts.dialTimeout` | Amount of time to wait until a connection to a server can be established.<br />0 = no timeout | 30s  | No |
+| `forwardingTimeouts.responseHeaderTimeout` | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />0 = no timeout | 0s  | No |
+| `forwardingTimeouts.idleConnTimeout` | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />0 = no timeout | 90s  | No |
+| `forwardingTimeouts.readIdleTimeout` | Defines the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection.  | 0s  | No |
+| `forwardingTimeouts.pingTimeout` | Defines the timeout after which the HTTP/2 connection will be closed if a response to ping is not received. | 15s  | No |
+| `spiffe.ids` | Defines the allowed SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. | []  | No |
+| `spiffe.trustDomain` | Defines the SPIFFE trust domain. | ""  | No |

docs/content/reference/routing-configuration/http/load-balancing/service.md

@@ -0,0 +1,471 @@
+---
+title: "Traefik HTTP Services Documentation"
+description: "A service is in charge of connecting incoming requests to the Servers that can handle them. Read the technical documentation."
+--- 
+
+## Service Load Balancer
+
+The load balancers are able to load balance the requests between multiple instances of your programs.
+
+Each service has a load-balancer, even if there is only one server to forward traffic to.
+
+## Configuration Example
+
+```yaml tab="Structured (YAML)"
+http:
+  services:
+    my-service:
+      loadBalancer:
+        servers:
+          - url: "http://private-ip-server-1/"
+            weight: 2
+            preservePath: true
+        sticky:
+          cookie:
+            name: "sticky-cookie"
+        healthcheck:
+          path: "/health"
+          interval: "10s"
+          timeout: "3s"
+        passHostHeader: true
+        serversTransport: "customTransport@file"
+        responseForwarding:
+          flushInterval: "150ms"
+```
+
+```toml tab="Structured (TOML)"
+[http.services]
+  [http.services.my-service.loadBalancer]
+    [[http.services.my-service.loadBalancer.servers]]
+      url = "http://private-ip-server-1/"
+    
+    [http.services.my-service.loadBalancer.sticky.cookie]
+      name = "sticky-cookie"
+
+    [http.services.my-service.loadBalancer.healthcheck]
+      path = "/health"
+      interval = "10s"
+      timeout = "3s"
+    
+    passHostHeader = true
+    serversTransport = "customTransport@file"
+
+    [http.services.my-service.loadBalancer.responseForwarding]
+      flushInterval = "150ms"
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.services.my-service.loadBalancer.servers[0].url=http://private-ip-server-1/"
+  - "traefik.http.services.my-service.loadBalancer.servers[0].weight=2"
+  - "traefik.http.services.my-service.loadBalancer.servers[0].preservePath=true"
+  - "traefik.http.services.my-service.loadBalancer.sticky.cookie.name=sticky-cookie"
+  - "traefik.http.services.my-service.loadBalancer.healthcheck.path=/health"
+  - "traefik.http.services.my-service.loadBalancer.healthcheck.interval=10s"
+  - "traefik.http.services.my-service.loadBalancer.healthcheck.timeout=3s"
+  - "traefik.http.services.my-service.loadBalancer.passHostHeader=true"
+  - "traefik.http.services.my-service.loadBalancer.serversTransport=customTransport@file"
+  - "traefik.http.services.my-service.loadBalancer.responseForwarding.flushInterval=150ms"
+```
+
+```json tab="Tags"
+{
+  // ...
+  "Tags": [
+    "traefik.http.services.my-service.loadBalancer.servers[0].url=http://private-ip-server-1/",
+    "traefik.http.services.my-service.loadBalancer.servers[0].weight=2",
+    "traefik.http.services.my-service.loadBalancer.servers[0].preservePath=true",
+    "traefik.http.services.my-service.loadBalancer.sticky.cookie.name=sticky-cookie",
+    "traefik.http.services.my-service.loadBalancer.healthcheck.path=/health",
+    "traefik.http.services.my-service.loadBalancer.healthcheck.interval=10s",
+    "traefik.http.services.my-service.loadBalancer.healthcheck.timeout=3s",
+    "traefik.http.services.my-service.loadBalancer.passHostHeader=true",
+    "traefik.http.services.my-service.loadBalancer.serversTransport=customTransport@file",
+    "traefik.http.services.my-service.loadBalancer.responseForwarding.flushInterval=150ms"
+  ]
+}
+```
+
+### Configuration Options
+
+| Field | Description                                 | Required |
+|----------|------------------------------------------|----------|
+|`servers`| Represents individual backend instances for your service | Yes |
+|`sticky`| Defines a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response. | No |
+|`healthcheck`| Configures health check to remove unhealthy servers from the load balancing rotation. | No |
+|`passHostHeader`| Allows forwarding of the client Host header to server. By default, `passHostHeader` is true. | No |
+|`serversTransport`| Allows to reference an [HTTP ServersTransport](./serverstransport.md) configuration for the communication between Traefik and your servers. If no `serversTransport` is specified, the `default@internal` will be used. | No |
+| `responseForwarding` | Configures how Traefik forwards the response from the backend server to the client.| No |
+| `responseForwarding.FlushInterval` | Specifies the interval in between flushes to the client while copying the response body. It is a duration in milliseconds, defaulting to 100ms. A negative value means to flush immediately after each write to the client. The `FlushInterval` is ignored when ReverseProxy recognizes a response as a streaming response; for such responses, writes are flushed to the client immediately. | No |
+
+#### Servers
+
+Servers represent individual backend instances for your service. The [service loadBalancer](#service-load-balancer) `servers` option lets you configure the list of instances that will handle incoming requests.
+
+##### Configuration Options
+
+| Field | Description                                 | Required |
+|----------|------------------------------------------|----------|
+|`url`| Points to a specific instance. | Yes for File provider, No for [Docker provider](../../other-providers/docker.md) |
+|`weight`| Allows for weighted load balancing on the servers. | No |
+|`preservePath`| Allows to preserve the URL path. | No |
+
+#### Health Check
+
+The `healthcheck` option configures health check to remove unhealthy servers from the load balancing rotation. Traefik will consider HTTP(s) servers healthy as long as they return a status code to the health check request (carried out every interval) between `2XX` and `3XX`, or matching the configured status. For gRPC servers, Traefik will consider them healthy as long as they return SERVING to [gRPC health check v1 requests](https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
+
+To propagate status changes (e.g. all servers of this service are down) upwards, HealthCheck must also be enabled on the parent(s) of this service.
+
+Below are the available options for the health check mechanism:
+
+| Field | Description                                 | Default | Required |
+|----------|------------------------------------------|----------|--------|
+|`path`| Defines the server URL path for the health check endpoint. | "" | Yes |
+|`scheme`| Replaces the server URL scheme for the health check endpoint. | | No |
+|`mode`| If defined to `grpc`, will use the gRPC health check protocol to probe the server. | http | No |
+|`hostname`| Defines the value of hostname in the Host header of the health check request. | "" | No |
+|`port`| Replaces the server URL port for the health check endpoint. |  | No |
+|`interval`| Defines the frequency of the health check calls. | 30s | No |
+|`timeout`| Defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. | 5s | No |
+|`headers`| Defines custom headers to be sent to the health check endpoint. | | No |
+|`followRedirects`| Defines whether redirects should be followed during the health check calls. | true | No |
+|`hostname`| Defines the value of hostname in the Host header of the health check request. | "" | No |
+|`method`| Defines the HTTP method that will be used while connecting to the endpoint. | GET | No |
+|`status`| Defines the expected HTTP status code of the response to the health check request. | | No |
+
+## Weighted Round Robin (WRR)
+
+The WRR is able to load balance the requests between multiple services based on weights.
+
+This strategy is only available to load balance between services and not between servers.
+
+!!! info "Supported Providers"
+
+    This strategy can be defined currently with the [File](../../../install-configuration/providers/others/file.md) or [IngressRoute](../../../install-configuration/providers/kubernetes/kubernetes-ingress.md) providers. To load balance between servers based on weights, the Load Balancer service should be used instead.
+
+```yaml tab="Structured (YAML)"
+## Dynamic configuration
+http:
+  services:
+    app:
+      weighted:
+        services:
+        - name: appv1
+          weight: 3
+        - name: appv2
+          weight: 1
+
+    appv1:
+      loadBalancer:
+        servers:
+        - url: "http://private-ip-server-1/"
+
+    appv2:
+      loadBalancer:
+        servers:
+        - url: "http://private-ip-server-2/"
+```
+
+```toml tab="Structured (TOML)"
+## Dynamic configuration
+[http.services]
+  [http.services.app]
+    [[http.services.app.weighted.services]]
+      name = "appv1"
+      weight = 3
+    [[http.services.app.weighted.services]]
+      name = "appv2"
+      weight = 1
+
+  [http.services.appv1]
+    [http.services.appv1.loadBalancer]
+      [[http.services.appv1.loadBalancer.servers]]
+        url = "http://private-ip-server-1/"
+
+  [http.services.appv2]
+    [http.services.appv2.loadBalancer]
+      [[http.services.appv2.loadBalancer.servers]]
+        url = "http://private-ip-server-2/"
+```
+
+### Health Check
+
+HealthCheck enables automatic self-healthcheck for this service, i.e. whenever one of its children is reported as down, this service becomes aware of it, and takes it into account (i.e. it ignores the down child) when running the load-balancing algorithm. In addition, if the parent of this service also has HealthCheck enabled, this service reports to its parent any status change.
+
+!!! note "Behavior"
+
+    If HealthCheck is enabled for a given service and any of its descendants does not have it enabled, the creation of the service will fail.
+
+    HealthCheck on Weighted services can be defined currently only with the [File provider](../../../install-configuration/providers/others/file.md).  
+
+```yaml tab="Structured (YAML)"
+## Dynamic configuration
+http:
+  services:
+    app:
+      weighted:
+        healthCheck: {}
+        services:
+        - name: appv1
+          weight: 3
+        - name: appv2
+          weight: 1
+
+    appv1:
+      loadBalancer:
+        healthCheck:
+          path: /status
+          interval: 10s
+          timeout: 3s
+        servers:
+        - url: "http://private-ip-server-1/"
+
+    appv2:
+      loadBalancer:
+        healthCheck:
+          path: /status
+          interval: 10s
+          timeout: 3s
+        servers:
+        - url: "http://private-ip-server-2/"
+```
+
+```toml tab="Structured (TOML)"
+## Dynamic configuration
+[http.services]
+  [http.services.app]
+    [http.services.app.weighted.healthCheck]
+    [[http.services.app.weighted.services]]
+      name = "appv1"
+      weight = 3
+    [[http.services.app.weighted.services]]
+      name = "appv2"
+      weight = 1
+
+  [http.services.appv1]
+    [http.services.appv1.loadBalancer]
+      [http.services.appv1.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.appv1.loadBalancer.servers]]
+        url = "http://private-ip-server-1/"
+
+  [http.services.appv2]
+    [http.services.appv2.loadBalancer]
+      [http.services.appv2.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.appv2.loadBalancer.servers]]
+        url = "http://private-ip-server-2/"
+```
+
+## Mirroring
+
+The mirroring is able to mirror requests sent to a service to other services. Please note that by default the whole request is buffered in memory while it is being mirrored. See the `maxBodySize` option in the example below for how to modify this behaviour. You can also omit the request body by setting the `mirrorBody` option to false.
+
+!!! info "Supported Providers"
+
+    This strategy can be defined currently with the [File](../../../install-configuration/providers/others/file.md) or [IngressRoute](../../../install-configuration/providers/kubernetes/kubernetes-ingress.md) providers.
+    
+```yaml tab="Structured (YAML)"
+## Dynamic configuration
+http:
+  services:
+    mirrored-api:
+      mirroring:
+        service: appv1
+        # mirrorBody defines whether the request body should be mirrored.
+        # Default value is true.
+        mirrorBody: false
+        # maxBodySize is the maximum size allowed for the body of the request.
+        # If the body is larger, the request is not mirrored.
+        # Default value is -1, which means unlimited size.
+        maxBodySize: 1024
+        mirrors:
+        - name: appv2
+          percent: 10
+
+    appv1:
+      loadBalancer:
+        servers:
+        - url: "http://private-ip-server-1/"
+
+    appv2:
+      loadBalancer:
+        servers:
+        - url: "http://private-ip-server-2/
+```
+
+```toml tab="Structured (TOML)"
+## Dynamic configuration
+[http.services]
+  [http.services.mirrored-api]
+    [http.services.mirrored-api.mirroring]
+      service = "appv1"
+      # maxBodySize is the maximum size in bytes allowed for the body of the request.
+      # If the body is larger, the request is not mirrored.
+      # Default value is -1, which means unlimited size.
+      maxBodySize = 1024
+      # mirrorBody defines whether the request body should be mirrored.
+      # Default value is true.
+      mirrorBody = false
+    [[http.services.mirrored-api.mirroring.mirrors]]
+      name = "appv2"
+      percent = 10
+
+  [http.services.appv1]
+    [http.services.appv1.loadBalancer]
+      [[http.services.appv1.loadBalancer.servers]]
+        url = "http://private-ip-server-1/"
+
+  [http.services.appv2]
+    [http.services.appv2.loadBalancer]
+      [[http.services.appv2.loadBalancer.servers]]
+        url = "http://private-ip-server-2/"
+```
+
+### Health Check
+
+HealthCheck enables automatic self-healthcheck for this service, i.e. if the main handler of the service becomes unreachable, the information is propagated upwards to its parent.
+
+!!! note "Behavior"
+
+    If HealthCheck is enabled for a given service and any of its descendants does not have it enabled, the creation of the service will fail.
+
+    HealthCheck on Mirroring services can be defined currently only with the [File provider](../../../install-configuration/providers/others/file.md).  
+
+```yaml tab="Structured (YAML)"
+## Dynamic configuration
+http:
+  services:
+    mirrored-api:
+      mirroring:
+        healthCheck: {}
+        service: appv1
+        mirrors:
+        - name: appv2
+          percent: 10
+
+    appv1:
+      loadBalancer:
+        healthCheck:
+          path: /status
+          interval: 10s
+          timeout: 3s
+        servers:
+        - url: "http://private-ip-server-1/"
+
+    appv2:
+      loadBalancer:
+        servers:
+        - url: "http://private-ip-server-2/"
+```
+
+```toml tab="Structured (TOML)"
+## Dynamic configuration
+[http.services]
+  [http.services.mirrored-api]
+    [http.services.mirrored-api.mirroring]
+      service = "appv1"
+      [http.services.mirrored-api.mirroring.healthCheck]
+    [[http.services.mirrored-api.mirroring.mirrors]]
+      name = "appv2"
+      percent = 10
+
+  [http.services.appv1]
+    [http.services.appv1.loadBalancer]
+      [http.services.appv1.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.appv1.loadBalancer.servers]]
+        url = "http://private-ip-server-1/"
+
+  [http.services.appv2]
+    [http.services.appv2.loadBalancer]
+      [http.services.appv1.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.appv2.loadBalancer.servers]]
+        url = "http://private-ip-server-2/"
+```
+
+## Failover 
+
+A failover service job is to forward all requests to a fallback service when the main service becomes unreachable.
+
+!!! info "Relation to HealthCheck"
+    The failover service relies on the HealthCheck system to get notified when its main service becomes unreachable, which means HealthCheck needs to be enabled and functional on the main service. However, HealthCheck does not need to be enabled on the failover service itself for it to be functional. It is only required in order to propagate upwards the information when the failover itself becomes down (i.e. both its main and its fallback are down too).
+
+!!! info "Supported Provider"
+    This strategy can currently only be defined with the [File](../../../install-configuration/providers/others/file.md) provider.
+
+### HealthCheck
+
+HealthCheck enables automatic self-healthcheck for this service, i.e. if the main and the fallback services become unreachable, the information is propagated upwards to its parent.
+
+!!! note "Behavior"
+
+    If HealthCheck is enabled for a given service and any of its descendants does not have it enabled, the creation of the service will fail.
+
+    HealthCheck on a Failover service can be defined currently only with the [File provider](../../../install-configuration/providers/others/file.md).  
+
+```yaml tab="Structured (YAML)"
+## Dynamic configuration
+http:
+  services:
+    app:
+      failover:
+        healthCheck: {}
+        service: main
+        fallback: backup
+
+    main:
+      loadBalancer:
+        healthCheck:
+          path: /status
+          interval: 10s
+          timeout: 3s
+        servers:
+        - url: "http://private-ip-server-1/"
+
+    backup:
+      loadBalancer:
+        healthCheck:
+          path: /status
+          interval: 10s
+          timeout: 3s
+        servers:
+        - url: "http://private-ip-server-2/"
+```
+
+```toml tab="Structured (TOML)"
+## Dynamic configuration
+[http.services]
+  [http.services.app]
+    [http.services.app.failover.healthCheck]
+    [http.services.app.failover]
+      service = "main"
+      fallback = "backup"
+
+  [http.services.main]
+    [http.services.main.loadBalancer]
+      [http.services.main.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.main.loadBalancer.servers]]
+        url = "http://private-ip-server-1/"
+
+  [http.services.backup]
+    [http.services.backup.loadBalancer]
+      [http.services.backup.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.backup.loadBalancer.servers]]
+        url = "http://private-ip-server-2/"
+```

docs/content/reference/routing-configuration/http/middlewares/addprefix.md

@@ -0,0 +1,59 @@
+---
+title: "Traefik AddPrefix Documentation"
+description: "Learn how to implement the HTTP AddPrefix middleware in Traefik Proxy to updates request paths before being forwarded. Read the technical documentation."
+---
+
+![AddPrefix](../../../../assets/img/middleware/addprefix.png)
+
+The `addPrefix` middleware updates the path of a request before forwarding it.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Prefixing with /foo
+http:
+  middlewares:
+    add-foo:
+      addPrefix:
+        prefix: "/foo"
+```
+
+```toml tab="Structured (TOML)"
+# Prefixing with /foo
+[http.middlewares]
+  [http.middlewares.add-foo.addPrefix]
+    prefix = "/foo"
+```
+
+```yaml tab="Labels"
+# Prefixing with /foo
+labels:
+  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+```
+
+```json tab="Tags"
+// Prefixing with /foo
+{
+  // ...
+  "Tags": [
+    "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+# Prefixing with /foo
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: add-foo
+spec:
+  addPrefix:
+    prefix: /foo
+```
+
+## Configuration Options
+
+| Field  | Description                                                                                                                                                                                                | Default | Required |
+|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `prefix` | String to add **before** the current path in the requested URL. It should include a leading slash (`/`). | "" | Yes |

docs/content/reference/routing-configuration/http/middlewares/basicauth.md

@@ -0,0 +1,97 @@
+---
+title: "Traefik BasicAuth Documentation"
+description: "The HTTP basic authentication (BasicAuth) middleware in Traefik Proxy restricts access to your Services to known users. Read the technical documentation."
+---
+
+![BasicAuth](../../../../assets/img/middleware/basicauth.png)
+
+The `basicAuth` middleware grants access to services to authorized users only.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```toml tab="Structured (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.basicAuth]
+  users = [
+    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
+  ]
+```
+
+```yaml tab="Labels"
+# Declaring the user list
+#
+# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
+# To create user:password pair, it's possible to use this command:
+# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
+#
+# Also, note that dollar signs should NOT be doubled when not evaluated (e.g. Ansible docker_container module).
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
+```
+
+```json tab="Tags"
+{
+  // ...
+  "Tags": [
+    "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  basicAuth:
+    secret: secretName
+```
+
+## Configuration Options
+
+| Field      | Description                                                                                                                                                                                 | Default | Required |
+|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `users` | Array of authorized users. Each user must be declared using the `name:hashed-password` format. (More information [here](#users))| ""      | No      |
+| `usersFile` | Path to an external file that contains the authorized users for the middleware. <br />The file content is a list of `name:hashed-password`. (More information [here](#usersfile)) | ""      | No      |
+| `realm` | Allow customizing the realm for the authentication.| "traefik"      | No      |
+| `headerField` | Allow defining a header field to store the authenticated user.| ""      | No      |
+| `removeHeader` | Allow removing the authorization header before forwarding the request to your service. | false      | No      |
+
+### Passwords format
+
+Passwords must be hashed using MD5, SHA1, or BCrypt.
+Use `htpasswd` to generate the passwords.
+
+### users & usersFile
+
+- If both `users` and `usersFile` are provided, they are merged. The contents of `usersFile` have precedence over the values in users.
+- Because referencing a file path isn’t feasible on Kubernetes, the `users` & `usersFile` field isn’t used in Kubernetes IngressRoute. Instead, use the `secret` field.
+
+#### Kubernetes Secrets
+
+The option `users` supports Kubernetes secrets.
+
+!!! note "Kubernetes `kubernetes.io/basic-auth` secret type"
+
+    Kubernetes supports a special `kubernetes.io/basic-auth` secret type.
+    This secret must contain two keys: `username` and `password`.
+
+    Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
+    You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
+
+{!traefik-for-business-applications.md!}

docs/content/reference/routing-configuration/http/middlewares/buffering.md

@@ -0,0 +1,76 @@
+---
+title: "Traefik Buffering Documentation"
+description: "The HTTP buffering middleware in Traefik Proxy limits the size of requests that can be forwarded to Services. Read the technical documentation."
+---
+
+![Buffering](../../../../assets/img/middleware/buffering.png)
+
+The `buffering` middleware limits the size of requests that can be forwarded to services.
+
+With buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified size limit.
+
+This can help services avoid large amounts of data (`multipart/form-data` for example), and can minimize the time spent sending data to a Service
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Sets the maximum request body to 2MB
+http:
+  middlewares:
+    limit:
+      buffering:
+        maxRequestBodyBytes: 2000000
+```
+
+```toml tab="Structured (TOML)"
+# Sets the maximum request body to 2MB
+[http.middlewares]
+  [http.middlewares.limit.buffering]
+    maxRequestBodyBytes = 2000000
+```
+
+```yaml tab="Labels"
+# Sets the maximum request body to 2MB
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
+```json tab="Tags"
+// Sets the maximum request body to 2MB
+{
+  // ...
+  "Tags": [
+    "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+# Sets the maximum request body to 2MB
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: limit
+spec:
+  buffering:
+    maxRequestBodyBytes: 2000000
+```
+
+## Configuration Options
+
+| Field | Description | Default | Required |
+|:------|:------------|:--------|:---------|
+| `maxRequestBodyBytes`  | Maximum allowed body size for the request (in bytes). <br /> If the request exceeds the allowed size, it is not forwarded to the Service, and the client gets a `413` (Request Entity Too Large) response. | 0 | No |
+| `memRequestBodyBytes`  | Threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.| 1048576 | No |
+| `maxResponseBodyBytes` | Maximum allowed response size from the Service (in bytes). <br /> If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `500` (Internal Server Error) response instead. | 0 | No |
+| `memResponseBodyBytes` | Threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.| 1048576 | No |
+| `retryExpression`      | Replay the request using `retryExpression`.<br /> More information [here](#retryexpression). | "" | No |
+
+### retryExpression
+
+The retry expression is defined as a logical combination of the functions below with the operators AND (`&&`) and OR (`||`).  
+At least one function is required:
+
+- `Attempts()` number of attempts (the first one counts).
+- `ResponseCode()` response code of the Service.
+- `IsNetworkError()` whether the response code is related to networking error.

docs/content/reference/routing-configuration/http/middlewares/chain.md

@@ -0,0 +1,171 @@
+---
+title: "Traefik Chain Middleware Documentation"
+description: "The HTTP chain middleware lets you define reusable combinations of other middleware, to reuse the same groups. Read the technical documentation."
+---
+
+The `chain` middleware enables you to define reusable combinations of other pieces of middleware.
+It makes it effortless to reuse the same groups.
+
+## Configuration Example
+
+Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.
+
+```yaml tab="Structured (YAML)"
+# ...
+http:
+  routers:
+    router1:
+      service: service1
+      middlewares:
+        - secured
+      rule: "Host(`mydomain`)"
+
+  middlewares:
+    secured:
+      chain:
+        middlewares:
+          - https-only
+          - known-ips
+          - auth-users
+
+    auth-users:
+      basicAuth:
+        users:
+          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+
+    https-only:
+      redirectScheme:
+        scheme: https
+
+    known-ips:
+      ipAllowList:
+        sourceRange:
+          - "192.168.1.7"
+          - "127.0.0.1/32"
+
+  services:
+    service1:
+      loadBalancer:
+        servers:
+          - url: "http://127.0.0.1:80"
+```
+
+```toml tab="Structured (TOML)"
+# ...
+[http.routers]
+  [http.routers.router1]
+    service = "service1"
+    middlewares = ["secured"]
+    rule = "Host(`mydomain`)"
+
+[http.middlewares]
+  [http.middlewares.secured.chain]
+    middlewares = ["https-only", "known-ips", "auth-users"]
+
+  [http.middlewares.auth-users.basicAuth]
+    users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
+
+  [http.middlewares.https-only.redirectScheme]
+    scheme = "https"
+
+  [http.middlewares.known-ips.ipAllowList]
+    sourceRange = ["192.168.1.7", "127.0.0.1/32"]
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://127.0.0.1:80"
+``` 
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.routers.router1.service=service1"
+  - "traefik.http.routers.router1.middlewares=secured"
+  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
+  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.services.service1.loadbalancer.server.port=80"
+```
+
+```json tab="Tags"
+{
+  // ...
+  "Tags": [
+    "traefik.http.routers.router1.service=service1",
+    "traefik.http.routers.router1.middlewares=secured",
+    "traefik.http.routers.router1.rule=Host(`mydomain`)",
+    "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users",
+    "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+    "traefik.http.middlewares.https-only.redirectscheme.scheme=https",
+    "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32",
+    "traefik.http.services.service1.loadbalancer.server.port=80"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: test
+  namespace: default
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`mydomain`)
+      kind: Rule
+      services:
+        - name: whoami
+          port: 80
+      middlewares:
+        - name: secured
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: secured
+spec:
+  chain:
+    middlewares:
+    - name: https-only
+    - name: known-ips
+    - name: auth-users
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: auth-users
+spec:
+  basicAuth:
+    users:
+    - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: https-only
+spec:
+  redirectScheme:
+    scheme: https
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: known-ips
+spec:
+  ipAllowList:
+    sourceRange:
+    - 192.168.1.7
+    - 127.0.0.1/32
+```
+
+
+## Configuration Options
+
+| Field | Description | Default | Required |
+|:------|:------------|:--------|:---------|
+| `middlewares`  | List of middlewares to chain.<br /> The middlewares have to be in the same namespace as the `chain` middleware. | [] | Yes |

docs/content/reference/routing-configuration/http/middlewares/circuitbreaker.md

@@ -0,0 +1,143 @@
+---
+title: "Traefik CircuitBreaker Documentation"
+description: "The HTTP circuit breaker in Traefik Proxy prevents stacking requests to unhealthy Services, resulting in cascading failures. Read the technical documentation."
+---
+
+![Circuit Breaker](../../../../assets/img/middleware/circuitbreaker.png)
+
+The HTTP circuit breaker prevents stacking requests to unhealthy Services, resulting in cascading failures.
+
+When your system is healthy, the circuit is closed (normal operations).
+When your system becomes unhealthy, the circuit opens, and the requests are no longer forwarded, but instead are handled by a fallback mechanism.
+
+To assess if your system is healthy, the circuit breaker constantly monitors the services.
+
+The circuit breaker only analyzes what happens *after* its position within the middleware chain. What happens *before* has no impact on its state.
+
+Each router gets its own instance of a given circuit breaker.
+One circuit breaker instance can be open while the other remains closed: their state is not shared.
+
+This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Latency Check
+http:
+  middlewares:
+    latency-check:
+      circuitBreaker:
+        expression: "LatencyAtQuantileMS(50.0) > 100"
+```
+
+```toml tab="Structured (TOML)"
+# Latency Check
+[http.middlewares]
+  [http.middlewares.latency-check.circuitBreaker]
+    expression = "LatencyAtQuantileMS(50.0) > 100"
+```
+
+```yaml tab="Labels"
+# Latency Check
+labels:
+  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+```
+
+```json tab="Tags"
+{
+  //..
+  "Tags" : [
+    "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+# Latency Check
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: latency-check
+spec:
+  circuitBreaker:
+    expression: LatencyAtQuantileMS(50.0) > 100
+```
+
+## Configuration Options
+
+| Field | Description | Default | Required |
+|:------|:------------|:--------|:---------|
+| `expression` | Condition to open the circuit breaker and applies the fallback mechanism instead of calling your services.<br />More information [here](#expression) | 100ms | No |
+| `checkPeriod` | The interval between successive checks of the circuit breaker condition (when in standby state). | 100ms | No |
+| `fallbackDuration` | The duration for which the circuit breaker will wait before trying to recover (from a tripped state). | 10s | No |
+| `recoveryDuration` | The duration for which the circuit breaker will try to recover (as soon as it is in recovering state). | 10s | No |
+| `responseCode` | The status code that the circuit breaker will return while it is in the open state. | 503 | No |
+
+### expression
+
+The `expression` option can check three different metrics:
+
+| Metrics | Description | Example |
+|:------|:------------|:--------|
+| `NetworkErrorRatio`   | The network error ratio to open the circuit breaker. | `NetworkErrorRatio() > 0.30` opens the circuit breaker at a 30% ratio of network errors |
+| `ResponseCodeRatio`   | The status code ratio to open the circuit breaker.<br />More information [below](#responsecoderatio) | `ResponseCodeRatio(500, 600, 0, 600) > 0.25` opens the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX)  |
+| `LatencyAtQuantileMS` | The latency at a quantile in milliseconds to open the circuit breaker when a given proportion of your requests become too slow.<br /> Only floating point number (with the trailing .0) for the quantile value. | `LatencyAtQuantileMS(50.0) > 100` opens the circuit breaker when the median latency (quantile 50) reaches 100ms. |
+
+#### ResponseCodeRatio
+
+- It accepts four parameters, `from`, `to`, `dividedByFrom`, `dividedByTo`.
+- The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`). If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
+- `from` is inclusive, `to` is exclusive.
+
+#### Using Multiple Metrics
+
+You can combine multiple metrics using operators in your `expression`.
+
+Supported operators are:
+
+- AND (`&&`)
+- OR (`||`)
+
+For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.
+
+#### Operators
+
+Here is the list of supported operators:
+
+- Greater than (`>`)
+- Greater or equal than (`>=`)
+- Lesser than (`<`)
+- Lesser or equal than (`<=`)
+- Equal (`==`)
+- Not Equal (`!=`)
+
+### Fallback mechanism
+
+The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.  
+This behavior cannot be configured.
+
+## State
+
+There are three possible states for your circuit breaker:
+
+- `Closed` (your service operates normally).
+- `Open` (the fallback mechanism takes over your service).
+- `Recovering` (the circuit breaker tries to resume normal operations by progressively sending requests to your service).
+
+### Closed
+
+While the circuit is closed, the circuit breaker only collects metrics to analyze the behavior of the requests.
+
+At specified intervals (`checkPeriod`), the circuit breaker evaluates `expression` to decide if its state must change.
+
+### Open
+
+While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
+The fallback mechanism returns a `HTTP 503` (or `ResponseCode`) to the client.
+After this duration, it enters the recovering state.
+
+### Recovering
+
+While recovering, the circuit breaker sends linearly increasing amounts of requests to your service (for `RecoveryDuration`).
+If your service fails during recovery, the circuit breaker opens again.
+If the service operates normally during the entire recovery duration, then the circuit breaker closes.

docs/content/reference/routing-configuration/http/middlewares/compress.md

@@ -0,0 +1,80 @@
+---
+title: "Traefik Compress Documentation"
+description: "Traefik Proxy's HTTP middleware lets you compress responses before sending them to the client. Read the technical documentation."
+---
+
+The `compress` middleware compresses response. It supports Gzip, Brotli and Zstandard compression
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Enable compression
+http:
+  middlewares:
+    test-compress:
+      compress: {}
+```
+
+```toml tab="Structured (TOML)"
+# Enable compression
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+```
+
+```yaml tab="Labels"
+# Enable compression
+labels:
+  - "traefik.http.middlewares.test-compress.compress=true"
+```
+
+```json tab="Tags"
+// Enable compression
+{
+  //...
+  "Tags": [
+    "traefik.http.middlewares.test-compress.compress=true"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+# Enable compression
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress: {}
+```
+
+## Configuration Options
+
+| Field                        | Description                                                                                                                                                                                                | Default | Required |
+|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+|`excludedContentTypes` | List of content types to compare the `Content-Type` header of the incoming requests and responses before compressing. <br /> The responses with content types defined in `excludedContentTypes` are not compressed. <br /> Content types are compared in a case-insensitive, whitespace-ignored manner. <br /> **The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.** | "" | No |
+|`defaultEncoding` | specifies the default encoding if the `Accept-Encoding` header is not in the request or contains a wildcard (`*`). | "" | No |
+|`encodings` | Specifies the list of supported compression encodings. At least one encoding value must be specified, and valid entries are `zstd` (Zstandard), `br` (Brotli), and `gzip` (Gzip). The order of the list also sets the priority, the top entry has the highest priority. | zstd, br, gzip | No |
+| `includedContentTypes` | List of content types to compare the `Content-Type` header of the responses before compressing. <br /> The responses with content types defined in `includedContentTypes` are compressed. <br /> Content types are compared in a case-insensitive, whitespace-ignored manner.<br /> **The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.** | "" | No |
+| `minResponseBodyBytes` | `Minimum amount of bytes a response body must have to be compressed. <br />Responses smaller than the specified values will **not** be compressed. | 1024 | No |
+
+## Compression activation
+
+The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.
+
+Responses are compressed when the following criteria are all met:
+
+- The `Accept-Encoding` request header contains `gzip`, `*`, and/or `br`, and/or `zstd` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
+If the `Accept-Encoding` request header is absent, the response won't be encoded.
+If it is present, but its value is the empty string, then compression is turned off.
+- The response is not already compressed, that is the `Content-Encoding` response header is not already set.
+- The response`Content-Type` header is not one among the `excludedContentTypes` options, or is one among the `includedContentTypes` options.
+- The response body is larger than the configured minimum amount of bytes(option `minResponseBodyBytes`) (default is `1024`).
+
+## Empty Content-Type Header
+
+If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+It will also set the `Content-Type` header according to the detected MIME type.
+
+## GRPC application
+
+Note that `application/grpc` is never compressed.

docs/content/reference/routing-configuration/http/middlewares/contenttype.md

@@ -0,0 +1,53 @@
+---
+title: "Traefik ContentType Documentation"
+description: "Traefik Proxy's HTTP middleware automatically sets the `Content-Type` header value when it is not set by the backend. Read the technical documentation."
+---
+
+The `contentType` middleware sets the `Content-Type` header value to the media type detected from the response content,
+when it is not set by the backend.
+
+!!! info
+
+    The `contentType` middleware only applies when Traefik detects the MIME type. If any middleware (such as Headers or Compress) sets the `contentType` header at any point in the chain, the `contentType` middleware has no effect.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Enable auto-detection
+http:
+  middlewares:
+    autodetect:
+      contentType: {}
+```
+
+```toml tab="Structured (TOML)"
+# Enable auto-detection
+[http.middlewares]
+  [http.middlewares.autodetect.contentType]
+```
+
+```yaml tab="Labels"
+# Enable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype=true"
+```
+
+```json tab="Tags"
+// Enable auto-detection
+{
+  // ...
+  "Tags": [
+    "traefik.http.middlewares.autodetect.contenttype=true"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+# Enable auto-detection
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: autodetect
+spec:
+  contentType: {}
+```

docs/content/reference/routing-configuration/http/middlewares/digestauth.md

@@ -0,0 +1,87 @@
+---
+title: "Traefik DigestAuth Documentation"
+description: "Traefik Proxy's HTTP DigestAuth middleware restricts access to your services to known users. Read the technical documentation."
+---
+
+![DigestAuth](../../../../assets/img/middleware/digestauth.png)
+
+The `DigestAuth` middleware grants access to services to authorized users only.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Declaring the user list
+http:
+  middlewares:
+    test-auth:
+      digestAuth:
+        users:
+          - "test:traefik:a2688e031edb4be6a3797f3882655c05"
+          - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```toml tab="Structured (TOML)"
+# Declaring the user list
+[http.middlewares]
+  [http.middlewares.test-auth.digestAuth]
+    users = [
+      "test:traefik:a2688e031edb4be6a3797f3882655c05",
+      "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
+    ]
+```
+
+```yaml tab="Labels"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
+```json tab="Tags"
+// Declaring the user list
+{
+  //...
+  "Tags" : [
+    "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+# Declaring the user list
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  digestAuth:
+    secret: userssecret
+```
+
+## Configuration Options
+
+| Field      | Description    | Default | Required |
+|:-----------|:---------------------------------------------------------------------------------|:--------|:---------|
+| `users` | Array of authorized users. Each user must be declared using the `name:realm:encoded-password` format.<br /> The option `users` supports Kubernetes secrets.<br />(More information [here](#users--usersfile))| []  | No      |
+| `usersFile` | Path to an external file that contains the authorized users for the middleware. <br />The file content is a list of `name:realm:encoded-password`. (More information [here](#users--usersfile)) | ""      | No      |
+| `realm` | Allow customizing the realm for the authentication.| "traefik"      | No      |
+| `headerField` | Allow defining a header field to store the authenticated user.| ""      | No      |
+| `removeHeader` | Allow removing the authorization header before forwarding the request to your service. | false      | No      |
+
+### Passwords format
+
+Passwords must be hashed using MD5, SHA1, or BCrypt.
+Use `htpasswd` to generate the passwords.
+
+### users & usersFile
+
+- If both `users` and `usersFile` are provided, they are merged. The contents of `usersFile` have precedence over the values in users.
+- Because referencing a file path isn’t feasible on Kubernetes, the `users` & `usersFile` field isn’t used in Kubernetes IngressRoute. Instead, use the `secret` field.
+
+### Kubernetes Secrets
+
+On Kubernetes, you don’t use the `users` or `usersFile` fields. Instead, you reference a Kubernetes secret using the `secret` field in your Middleware resource. This secret can be one of two types:
+
+- `kubernetes.io/basic-auth secret`: This secret type contains two keys—`username` and `password`—but is generally suited for a smaller number of users. Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than the other method.
+- Opaque secret with a users field: Here, the secret contains a single string field (often called `users`) where each line represents a user. This approach allows you to store multiple users in one secret.
+
+{!traefik-for-business-applications.md!}

docs/content/reference/routing-configuration/http/middlewares/errorpages.md

@@ -0,0 +1,108 @@
+---
+title: "Traefik Errors Documentation"
+description: "In Traefik Proxy, the Errors middleware returns custom pages according to configured ranges of HTTP Status codes. Read the technical documentation."
+---
+
+![Errors](../../../../assets/img/middleware/errorpages.png)
+
+The `errors` middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
+http:
+  middlewares:
+    test-errors:
+      errors:
+        status:
+          - "500"
+          - "501"
+          - "503"
+          - "505-599"
+        service: error-handler-service
+        query: "/{status}.html"
+
+  services:
+    # ... definition of the error-handler-service
+```
+
+```toml tab="Structured (TOML)"
+# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
+[http.middlewares]
+  [http.middlewares.test-errors.errors]
+    status = ["500","501","503","505-599"]
+    service = "error-handler-service"
+    query = "/{status}.html"
+
+[http.services]
+  # ... definition of the error-handler-service
+```
+
+```yaml tab="Labels"
+# Dynamic Custom Error Page for 5XX Status Code
+labels:
+  - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
+  - "traefik.http.middlewares.test-errors.errors.service=error-handler-service"
+  - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
+```
+
+```json tab="Tags"
+// Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
+{
+  // ...
+  "Tags": [
+    "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599",
+    "traefik.http.middlewares.test-errors.errors.service=error-handler-service",
+    "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
+  ]
+
+}
+
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-errors
+spec:
+  errors:
+    status:
+      - "500"
+      - "501"
+      - "503"
+      - "505-599"
+    query: /{status}.html
+    service:
+      name: error-handler-service
+      port: 80
+```
+
+## Configuration Options
+
+| Field      | Description                                                                                                                                                                                 | Default | Required |
+|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `status` | Defines which status or range of statuses should result in an error page.<br/> The status code ranges are inclusive (`505-599` will trigger with every code between `505` and `599`, `505` and `599` included).<br /> You can define either a status code as a number (`500`), as multiple comma-separated numbers (`500,502`), as ranges by separating two codes with a dash (`505-599`), or a combination of the two (`404,418,505-599`).  | []     | No      | 
+| `service` | The service that will serve the new requested error page.<br /> More information [here](#service-and-hostheader). | ""      | No      |
+| `query` | The URL for the error page (hosted by `service`).<br /> More information [here](#query) | ""      | No      |
+
+### service and HostHeader
+
+By default, the client `Host` header value is forwarded to the configured error service.
+To forward the `Host` value corresponding to the configured error service URL, 
+the [`passHostHeader`](../../../../routing/services/index.md#pass-host-header) option must be set to `false`.
+
+!!!info "Kubernetes"
+    When specifying a service in Kubernetes (e.g., in an IngressRoute), you need to reference the `name`, `namespace`, and `port` of your Kubernetes Service resource. For example, `my-service.my-namespace@kubernetescrd` (or `my-service.my-namespace@kubernetescrd:80`) ensures that requests go to the correct service and port.
+
+### query
+
+There are multiple variables that can be placed in the `query` option to insert values in the URL.
+
+The table below lists all the available variables and their associated values.
+
+| Variable   | Value                                                            |
+|------------|------------------------------------------------------------------|
+| `{status}` | The response status code.                                        |
+| `{url}`    | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL.|

docs/content/reference/routing-configuration/http/middlewares/forwardauth.md

@@ -0,0 +1,98 @@
+---
+title: "Traefik ForwardAuth Documentation"
+description: "In Traefik Proxy, the HTTP ForwardAuth middleware delegates authentication to an external Service. Read the technical documentation."
+---
+
+![AuthForward](../../../../assets/img/middleware/authforward.png)
+
+The `forwardAuth` middleware delegates authentication to an external service.
+If the service answers with a 2XX code, access is granted, and the original request is performed.
+Otherwise, the response from the authentication server is returned.
+
+## Configuration Example
+
+```yaml tab="Structured (YAML)"
+# Forward authentication to example.com
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+```
+
+```toml tab="Structured (TOML)"
+# Forward authentication to example.com
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+```
+
+```yaml tab="Labels"
+# Forward authentication to example.com
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+```
+
+```json tab="Tags"
+// Forward authentication to example.com
+{
+  "Tags" : [
+    "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+# Forward authentication to example.com
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+```
+
+## Configuration Options
+
+| Field      | Description     | Default | Required |
+|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `address` | Authentication server address. | "" | Yes      |
+| `trustForwardHeader` | Trust all `X-Forwarded-*` headers. | false | No      |
+| `authResponseHeaders` | List of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers. | [] | No      |
+| `authResponseHeadersRegex` | Regex to match by the headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.<br /> More information [here](#authresponseheadersregex). | "" | No      |
+| `authRequestHeaders` | List of the headers to copy from the request to the authentication server. <br /> It allows filtering headers that should not be passed to the authentication server. <br /> If not set or empty, then all request headers are passed. | [] | No      |
+| `addAuthCookiesToResponse` | List of cookies to copy from the authentication server to the response, replacing any existing conflicting cookie from the forwarded response.<br /> Please note that all backend cookies matching the configured list will not be added to the response. | [] | No      |
+| `forwardBody` | Sets the `forwardBody` option to `true` to send the Body. As body is read inside Traefik before forwarding, this breaks streaming. | false | No      |
+| `maxBodySize` | Set the `maxBodySize` to limit the body size in bytes. If body is bigger than this, it returns a 401 (unauthorized). | -1 | No      |
+| `headerField` | Defines a header field to store the authenticated user. | "" | No      |
+| `preserveLocationHeader` | Defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server. | false | No      |
+| `PreserveRequestMethod` | Defines whether to preserve the original request method while forwarding the request to the authentication server. | false | No      |
+| `tls.ca` | Sets the path to the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle. | "" | No |
+| `tls.cert` | Sets the path to the public certificate used for the secure connection to the authentication server. When using this option, setting the key option is required. | "" | No |
+| `tls.key` | Sets the path to the private key used for the secure connection to the authentication server. When using this option, setting the `cert` option is required. | "" | No |
+| `tls.caSecret` | Defines the secret that contains the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle. **This option is only available for the Kubernetes CRD**. | | No |
+| `tls.certSecret` | Defines the secret that contains both the private and public certificates used for the secure connection to the authentication server. **This option is only available for the Kubernetes CRD**. |  | No |
+| `tls.insecureSkipVerify` | During TLS connections, if this option is set to `true`, the authentication server will accept any certificate presented by the server regardless of the host names it covers. | false | No |
+
+### authResponseHeadersRegex
+
+It allows partial matching of the regular expression against the header key.
+
+The start of string (`^`) and end of string (`$`) anchors should be used to ensure a full match against the header key.
+
+Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+## Forward-Request Headers
+
+The following request properties are provided to the forward-auth target endpoint as `X-Forwarded-` headers.
+
+| Property          | Forward-Request Header |
+|-------------------|------------------------|
+| HTTP Method       | X-Forwarded-Method     |
+| Protocol          | X-Forwarded-Proto      |
+| Host              | X-Forwarded-Host       |
+| Request URI       | X-Forwarded-Uri        |
+| Source IP-Address | X-Forwarded-For        |
+
+{!traefik-for-business-applications.md!}

docs/content/reference/routing-configuration/http/middlewares/grpcweb.md

@@ -0,0 +1,67 @@
+---
+title: "Traefik GrpcWeb Documentation"
+description: "In Traefik Proxy's HTTP middleware, GrpcWeb converts a gRPC Web requests to HTTP/2 gRPC requests. Read the technical documentation."
+---
+
+The `grpcWeb` middleware converts gRPC Web requests to HTTP/2 gRPC requests before forwarding them to the backends.
+
+!!! tip
+
+    Please note, that Traefik needs to communicate using gRPC with the backends (h2c or HTTP/2 over TLS).
+    Check out the [gRPC](../../../../user-guides/grpc.md) user guide for more details.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+http:
+  middlewares:
+    test-grpcweb:
+      grpcWeb:
+        allowOrigins:
+          - "*"
+```
+
+```toml tab="Structured (TOML)"
+[http.middlewares]
+  [http.middlewares.test-grpcweb.grpcWeb]
+    allowOrigins = ["*"]
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.middlewares.test-grpcweb.grpcweb.allowOrigins=*"
+```
+
+```json tab="Tags"
+{
+  //...
+  "Tags" : [
+    "traefik.http.middlewares.test-grpcweb.grpcWeb.allowOrigins=*"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-grpcweb
+spec:
+  grpcWeb:
+    allowOrigins:
+      - "*"
+```
+
+## Configuration Options
+
+| Field                        | Description         | Default | Required |
+|:-----------------------------|:------------------------------------------|:--------|:---------|
+| `allowOrigins` | List of allowed origins. <br /> A wildcard origin `*` can also be configured to match all requests.<br /> More information [here](#alloworigins). | [] | No |
+
+### allowOrigins
+
+More information including how to use the settings can be found at:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)

docs/content/reference/routing-configuration/http/middlewares/headers.md

@@ -0,0 +1,328 @@
+---
+title: "Traefik Headers Documentation"
+description: "In Traefik Proxy, the HTTP headers middleware manages the headers of requests and responses. Read the technical documentation."
+---
+
+![Headers](../../../../assets/img/middleware/headers.png)
+
+The Headers middleware manages the headers of requests and responses.
+
+By default, the following headers are automatically added when proxying requests:
+
+| Property                  | HTTP Header                |
+|---------------------------|----------------------------|
+| Client's IP               | X-Forwarded-For, X-Real-Ip |
+| Host                      | X-Forwarded-Host           |
+| Port                      | X-Forwarded-Port           |
+| Protocol                  | X-Forwarded-Proto          |
+| Proxy Server's Hostname   | X-Forwarded-Server         |
+
+## Configuration Examples
+
+### Adding Headers to the Request and the Response
+
+The following example adds the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` header to the response
+
+```yaml tab="Structured (YAML)"
+http:
+  middlewares:
+    testHeader:
+      headers:
+        customRequestHeaders:
+          X-Script-Name: "test"
+        customResponseHeaders:
+          X-Custom-Response-Header: "value"
+```
+
+```toml tab="Structured (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    [http.middlewares.testHeader.headers.customRequestHeaders]
+        X-Script-Name = "test"
+    [http.middlewares.testHeader.headers.customResponseHeaders]
+        X-Custom-Response-Header = "value"
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
+```
+
+```json tab="Tags"
+{
+  //...
+  "Tags": [
+    "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test",
+    "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
+  ]
+}
+
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-header
+spec:
+  headers:
+    customRequestHeaders:
+      X-Script-Name: "test"
+    customResponseHeaders:
+      X-Custom-Response-Header: "value"
+```
+
+### Adding and Removing Headers
+
+In the following example, requests are proxied with an extra `X-Script-Name` header while their `X-Custom-Request-Header` header gets stripped,
+and responses are stripped of their `X-Custom-Response-Header` header.
+
+```yaml tab="Structured (YAML)"
+http:
+  middlewares:
+    testHeader:
+      headers:
+        customRequestHeaders:
+          X-Script-Name: "test" # Adds
+          X-Custom-Request-Header: "" # Removes
+        customResponseHeaders:
+          X-Custom-Response-Header: "" # Removes
+```
+
+```toml tab="Structured (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    [http.middlewares.testHeader.headers.customRequestHeaders]
+        X-Script-Name = "test" # Adds
+        X-Custom-Request-Header = "" # Removes
+    [http.middlewares.testHeader.headers.customResponseHeaders]
+        X-Custom-Response-Header = "" # Removes
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
+```
+
+```json tab="Tags"
+{
+  "Tags" : [
+    "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test",
+    "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header=",
+    "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-header
+spec:
+  headers:
+    customRequestHeaders:
+      X-Script-Name: "test" # Adds
+      X-Custom-Request-Header: "" # Removes
+    customResponseHeaders:
+      X-Custom-Response-Header: "" # Removes
+```
+
+### Using Security Headers
+
+Security-related headers (HSTS headers, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
+This functionality makes it possible to easily use security features by adding headers.
+
+```yaml tab="Structured (YAML)"
+http:
+  middlewares:
+    testHeader:
+      headers:
+        frameDeny: true
+        browserXssFilter: true
+```
+
+```toml tab="Structured (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    frameDeny = true
+    browserXssFilter = true
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.middlewares.testHeader.headers.framedeny=true"
+  - "traefik.http.middlewares.testHeader.headers.browserxssfilter=true"
+```
+
+```json tab="Tags"
+{
+  "Tags" : [
+    "traefik.http.middlewares.testheader.headers.framedeny=true",
+    "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
+  ]
+}
+
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-header
+spec:
+  headers:
+    frameDeny: true
+    browserXssFilter: true
+```
+
+### CORS Headers
+
+CORS (Cross-Origin Resource Sharing) headers can be added and configured in a manner similar to the custom headers above.
+This functionality allows for more advanced security features to quickly be set.
+If CORS headers are set, then the middleware does not pass preflight requests to any service,
+instead the response will be generated and sent back to the client directly.  
+Please note that the example below is by no means authoritative or exhaustive,
+and should not be used as is for production.
+
+```yaml tab="Structured (YAML)"
+http:
+  middlewares:
+    testHeader:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlAllowHeaders: "*"
+        accessControlAllowOriginList:
+          - https://foo.bar.org
+          - https://example.org
+        accessControlMaxAge: 100
+        addVaryHeader: true
+```
+
+```toml tab="Structured (TOML)"
+[http.middlewares]
+  [http.middlewares.testHeader.headers]
+    accessControlAllowMethods = ["GET", "OPTIONS", "PUT"]
+    accessControlAllowHeaders = [ "*" ]
+    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
+    accessControlMaxAge = 100
+    addVaryHeader = true
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
+```
+
+```json tab="Tags"
+{
+  "Tags" : [
+    "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT",
+     "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*",
+    "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org",
+    "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100",
+    "traefik.http.middlewares.testheader.headers.addvaryheader=true"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-header
+spec:
+  headers:
+    accessControlAllowMethods:
+      - "GET"
+      - "OPTIONS"
+      - "PUT"
+    accessControlAllowHeaders:
+      - "*"
+    accessControlAllowOriginList:
+      - "https://foo.bar.org"
+      - "https://example.org"
+    accessControlMaxAge: 100
+    addVaryHeader: true
+```
+
+## Configuration Options
+
+!!! warning
+
+    Custom headers will overwrite existing headers if they have identical names.
+
+!!! note ""
+
+    The detailed documentation for security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
+
+| Field                         | Description                                       | Default   | Required |
+| ----------------------------- | ------------------------------------------------- | --------- | -------- |
+| `customRequestHeaders`          | Lists the header names and values for requests.  | [] | No |
+| `customResponseHeaders`         | Lists the header names and values for responses. | [] | No |
+| `accessControlAllowCredentials` | Indicates if the request can include user credentials.| false     | No |
+| `accessControlAllowHeaders`     | Specifies allowed request header names.          | [] | No |
+| `accessControlAllowMethods`     | Specifies allowed request methods.               | [] | No |
+| `accessControlAllowOriginList`  | Specifies allowed origins. More information [here](#accesscontrolalloworiginlist)      | []      | No |
+| `accessControlAllowOriginListRegex` | Allows origins matching regex. More information [here](#accesscontrolalloworiginlistregex)            | []      | No |
+| `accessControlExposeHeaders`    | Specifies which headers are safe to expose to the API of a CORS API specification.       |  []    | No |
+| `accessControlMaxAge`           | Time (in seconds) to cache preflight requests.   | 0         | No |
+| `addVaryHeader`                | Used in conjunction with `accessControlAllowOriginList` to determine whether the `Vary` header should be added or modified to demonstrate that server responses can differ based on the value of the origin header. | false     | No |
+| `allowedHosts`                  | Lists allowed domain names.                      | []      | No |
+| `hostsProxyHeaders`             | Specifies header keys for proxied hostname.      | []      | No |
+| `sslProxyHeaders`               | Defines a set of header keys with associated values that would indicate a valid HTTPS request. It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).        |   {}   | No |
+| `stsSeconds`                    | Max age for `Strict-Transport-Security` header.    | 0         | No |
+| `stsIncludeSubdomains`          | If set to `true`, the `includeSubDomains` directive is appended to the `Strict-Transport-Security` header.    | false     | No |
+| `stsPreload`                    | Adds preload flag to STS header.                 | false     | No |
+| `forceSTSHeader`                | Adds STS header for HTTP connections.            | false     | No |
+| `frameDeny`                     | Set `frameDeny` to `true` to add the `X-Frame-Options` header with the value of `DENY`.                | false     | No |
+| `customFrameOptionsValue`       | allows the `X-Frame-Options` header value to be set with a custom value. This overrides the `FrameDeny` option.  |    ""  | No |
+| `contentTypeNosniff`            | Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`.  | false     | No |
+| `browserXssFilter`              | Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.  | false     | No |
+| `customBrowserXSSValue`         | allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the `BrowserXssFilter` option.   | false | No |
+| `contentSecurityPolicy`         | allows the `Content-Security-Policy` header value to be set with a custom value.           | false | No |
+| `contentSecurityPolicyReportOnly` | allows the `Content-Security-Policy-Report-Only` header value to be set with a custom value.    |   ""  | No |
+| `publicKey`                     | Implements HPKP for certificate pinning.         |  "" | No |
+| `referrerPolicy`                | Controls forwarding of `Referer` header.         | "" | No |
+| `permissionsPolicy`             | allows sites to control browser features.                   | ""      | No |
+| `isDevelopment`                 | Set `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options. Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.    | false     | No |
+
+### `accessControlAllowOriginList`
+
+The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.
+
+A wildcard origin `*` can also be configured, and matches all requests.
+If this value is set by a backend service, it will be overwritten by Traefik.
+
+This value can contain a list of allowed origins.
+
+More information including how to use the settings can be found at:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
+
+Traefik no longer supports the `null` value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
+
+### `accessControlAllowOriginListRegex`
+
+The `accessControlAllowOriginListRegex` option is the counterpart of the `accessControlAllowOriginList` option with regular expressions instead of origin values.
+It allows all origins that contain any match of a regular expression in the `accessControlAllowOriginList`.
+
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
+
+{!traefik-for-business-applications.md!}

docs/content/reference/routing-configuration/http/middlewares/inflightreq.md

@@ -0,0 +1,115 @@
+---
+title: "Traefik InFlightReq Documentation"
+description: "Traefik Proxy's HTTP middleware lets you limit the number of simultaneous in-flight requests. Read the technical documentation."
+---
+
+The `inFlightReq` middleware proactively prevents services from being overwhelmed with high load.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Limiting to 10 simultaneous connections
+http:
+  middlewares:
+    test-inflightreq:
+      inFlightReq:
+        amount: 10
+```
+
+```toml tab="Structured (TOML)"
+# Limiting to 10 simultaneous connections
+[http.middlewares]
+  [http.middlewares.test-inflightreq.inFlightReq]
+    amount = 10
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
+```json tab="Consul Catalog"
+// Limiting to 10 simultaneous connections
+{
+  "Tags" : [
+    "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+  ]
+}
+
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-inflightreq
+spec:
+  inFlightReq:
+    amount: 10
+```
+
+## Configuration Options
+
+<!-- markdownlint-disable MD013 -->
+
+| Field      | Description                                                                                                                                                                                 | Default | Required |
+|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `amount` | The `amount` option defines the maximum amount of allowed simultaneous in-flight request. <br /> The middleware responds with `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy). | 0      | No      |
+| `sourceCriterion.requestHost` | Whether to consider the request host as the source.<br /> More information about `sourceCriterion`[here](#sourcecriterion). | false      | No      |
+| `sourceCriterion.requestHeaderName` | Name of the header used to group incoming requests.<br /> More information about `sourceCriterion`[here](#sourcecriterion). | ""      | No      |
+| `sourceCriterion.ipStrategy.depth` | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br />If higher than 0, the `excludedIPs` options is not evaluated.<br /> More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy](#ipstrategy), and [`depth`](#example-of-depth--x-forwarded-for) below. | 0      | No      |
+| `sourceCriterion.ipStrategy.excludedIPs` | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br /> More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy](#ipstrategy), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. | | No      |
+| `sourceCriterion.ipStrategy.ipv6Subnet` |  If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br /> More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy.ipv6Subnet`](#ipstrategyipv6subnet), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. |  | No      |
+
+### sourceCriterion
+
+The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
+If several strategies are defined at the same time, an error will be raised.
+If none are set, the default is to use the `requestHost`.
+
+### ipStrategy
+
+The `ipStrategy` option defines three parameters that configures how Traefik determines the client IP: `depth`, `excludedIPs` and `ipv6Subnet`.
+
+As a middleware, `inFlightReq` happens before the actual proxying to the backend takes place.
+In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, that is after it has already passed through the middleware.
+Therefore, during InFlightReq, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be used and/or relied upon.
+
+### `ipStrategy.ipv6Subnet`
+
+This strategy applies to `Depth` and `RemoteAddr` strategy only.
+If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
+
+This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
+
+- `ipv6Subnet` is ignored if its value is outside 0-128 interval
+
+#### Example of ipv6Subnet
+
+If `ipv6Subnet` is provided, the IP is transformed in the following way.
+
+| IP                     | ipv6Subnet | clientIP              |
+|---------------------------|--------------|-----------------------|
+| `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
+| `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
+| `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
+
+### Example of Depth & X-Forwarded-For
+
+If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
+
+| X-Forwarded-For                      | depth | clientIP     |
+|-----------------------------------------|---------|--------------|
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+
+### Example of ExcludedIPs & X-Forwarded-For
+
+| X-Forwarded-For                       | excludedIPs        | clientIP     |
+|-----------------------------------------|-----------------------|--------------|
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+| `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |

docs/content/reference/routing-configuration/http/middlewares/ipallowlist.md

@@ -0,0 +1,120 @@
+---
+title: "Traefik HTTP Middlewares IPAllowList"
+description: "Learn how to use IPAllowList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+---
+
+`ipAllowList` accepts / refuses requests based on the client IP.
+
+## Configuration Example
+
+```yaml tab="Structured (YAML)"
+# Accepts request from defined IP
+http:
+  middlewares:
+    test-ipallowlist:
+      ipAllowList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.1.7"
+```
+
+```toml tab="Structured (TOML)"
+# Accepts request from defined IP
+[http.middlewares]
+  [http.middlewares.test-ipallowlist.ipAllowList]
+    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
+```
+
+```yaml tab="Labels"
+# Accepts request from defined IP
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
+```json tab="Tags"
+// Accepts request from defined IP
+{
+  "Tags" : [
+    "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipallowlist
+spec:
+  ipAllowList:
+    sourceRange:
+      - 127.0.0.1/32
+      - 192.168.1.7
+```
+
+## Configuration Options
+
+| Field      | Description     | Default | Required |
+|:-----------|:------------------------------|:--------|:---------|
+| `sourceRange` | List of allowed IPs (or ranges of allowed IPs by using CIDR notation). |      | Yes      |
+| `ipStrategy.depth` | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br /> If higher than 0, the `excludedIPs` options is not evaluated.<br /> More information about [`ipStrategy](#ipstrategy), and [`depth`](#example-of-depth--x-forwarded-for) below. | 0      | No      |
+| `ipStrategy.excludedIPs` | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br /> More information about [`ipStrategy](#ipstrategy), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. |       | No      |
+| `ipStrategy.ipv6Subnet` |  If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`ipStrategy.ipv6Subnet`](#ipstrategyipv6subnet), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. |       | No      |
+
+### ipStrategy
+
+The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
+
+If no strategy is set, the default behavior is to match `sourceRange` against the Remote address found in the request.
+
+As a middleware, passlisting happens before the actual proxying to the backend takes place.
+In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, that is after it has already passed through passlisting.
+Therefore, during passlisting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be matched against `sourceRange`.
+
+#### `ipStrategy.depth`
+
+The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
+
+- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
+- `depth` is ignored if its value is less than or equal to 0.
+
+If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
+
+### `ipStrategy.ipv6Subnet`
+
+This strategy applies to `Depth` and `RemoteAddr` strategy only.
+If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
+
+This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
+
+- `ipv6Subnet` is ignored if its value is outside 0-128 interval
+
+#### Example of ipv6Subnet
+
+If `ipv6Subnet` is provided, the IP is transformed in the following way.
+
+| IP                      | ipv6Subnet | clientIP              |
+|---------------------------|--------------|-----------------------|
+| `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
+| `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
+| `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
+
+### Example of Depth & X-Forwarded-For
+
+If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
+
+| X-Forwarded-For                       | depth | clientIP     |
+|-----------------------------------------|---------|--------------|
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+
+### Example of ExcludedIPs & X-Forwarded-For
+
+| X-Forwarded-For                       | excludedIPs         | clientIP     |
+|-----------------------------------------|-----------------------|--------------|
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+| `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |

docs/content/reference/routing-configuration/http/middlewares/overview.md

@@ -0,0 +1,51 @@
+---
+title: "Traefik Proxy Middleware Overview"
+description: "There are several available middleware in Traefik Proxy used to modify requests or headers, take charge of redirections, add authentication, and so on."
+---
+
+# HTTP Middleware Overview
+
+Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service (or before the answer from the services are sent to the clients).
+
+There are several available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
+
+Middlewares that use the same protocol can be combined into chains to fit every scenario.
+
+!!! warning "Provider Namespace"
+
+    Be aware of the concept of Providers Namespace described in the [Configuration Discovery](../../../install-configuration/providers/overview.md#provider-namespace) section.
+    It also applies to Middlewares.
+
+## Available HTTP Middlewares
+
+| Middleware                                | Purpose                                           | Area                        |
+|-------------------------------------------|---------------------------------------------------|-----------------------------|
+| [AddPrefix](addprefix.md)                 | Adds a Path Prefix                                | Path Modifier               |
+| [BasicAuth](basicauth.md)                 | Adds Basic Authentication                         | Security, Authentication    |
+| [Buffering](buffering.md)                 | Buffers the request/response                      | Request Lifecycle           |
+| [Chain](chain.md)                         | Combines multiple pieces of middleware            | Misc                        |
+| [CircuitBreaker](circuitbreaker.md)       | Prevents calling unhealthy services               | Request Lifecycle           |
+| [Compress](compress.md)                   | Compresses the response                           | Content Modifier            |
+| [ContentType](contenttype.md)             | Handles Content-Type auto-detection               | Misc                        |
+| [DigestAuth](digestauth.md)               | Adds Digest Authentication                        | Security, Authentication    |
+| [Errors](errorpages.md)                   | Defines custom error pages                        | Request Lifecycle           |
+| [ForwardAuth](forwardauth.md)             | Delegates Authentication                          | Security, Authentication    |
+| [GrpcWeb](grpcweb.md)                     | Converts gRPC Web requests to HTTP/2 gRPC requests.                           | Request                   |
+| [Headers](headers.md)                     | Adds / Updates headers                            | Security                    |
+| [IPAllowList](ipallowlist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
+| [InFlightReq](inflightreq.md)             | Limits the number of simultaneous connections     | Security, Request lifecycle |
+| [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header              | Security                    |
+| [RateLimit](ratelimit.md)                 | Limits the call frequency                         | Security, Request lifecycle |
+| [RedirectScheme](redirectscheme.md)       | Redirects based on scheme                         | Request lifecycle           |
+| [RedirectRegex](redirectregex.md)         | Redirects based on regex                          | Request lifecycle           |
+| [ReplacePath](replacepath.md)             | Changes the path of the request                   | Path Modifier               |
+| [ReplacePathRegex](replacepathregex.md)   | Changes the path of the request                   | Path Modifier               |
+| [Retry](retry.md)                         | Automatically retries in case of error            | Request lifecycle           |
+| [StripPrefix](stripprefix.md)             | Changes the path of the request                   | Path Modifier               |
+| [StripPrefixRegex](stripprefixregex.md)   | Changes the path of the request                   | Path Modifier               |
+
+## Community Middlewares
+
+Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).
+
+{!traefik-for-business-applications.md!}

docs/content/reference/routing-configuration/http/middlewares/passtlsclientcert.md

@@ -0,0 +1,366 @@
+---
+title: "Traefik PassTLSClientCert Documentation"
+description: "In Traefik Proxy's HTTP middleware, the PassTLSClientCert adds selected data from passed client TLS certificates to headers. Read the technical documentation."
+---
+
+The `passTLSClientCert` middleware adds the selected data from the passed client TLS certificate to a header.
+
+## Configuration Examples
+
+Pass the pem in the `X-Forwarded-Tls-Client-Cert` header:
+
+```yaml tab="Structured (YAML)"
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
+http:
+  middlewares:
+    test-passtlsclientcert:
+      passTLSClientCert:
+        pem: true
+```
+
+```toml tab="Structured (TOML)"
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
+[http.middlewares]
+  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
+    pem = true
+```
+
+```yaml tab="Labels"
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
+labels:
+  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+```
+
+```json tab="Tags"
+// Pass the pem in the `X-Forwarded-Tls-Client-Cert` header
+{
+  "Tags": [
+    "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-passtlsclientcert
+spec:
+  passTLSClientCert:
+    pem: true
+```
+
+??? example "Pass the pem in the `X-Forwarded-Tls-Client-Cert` header"
+
+    ```yaml tab="Structured (YAML)"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    http:
+      middlewares:
+        test-passtlsclientcert:
+          passTLSClientCert:
+            info:
+              notAfter: true
+              notBefore: true
+              sans: true
+              subject:
+                country: true
+                province: true
+                locality: true
+                organization: true
+                organizationalUnit: true
+                commonName: true
+                serialNumber: true
+                domainComponent: true
+              issuer:
+                country: true
+                province: true
+                locality: true
+                organization: true
+                commonName: true
+                serialNumber: true
+                domainComponent: true
+    ```
+
+    ```toml tab="Structured (TOML)"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    [http.middlewares]
+      [http.middlewares.test-passtlsclientcert.passTLSClientCert]
+        [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
+          notAfter = true
+          notBefore = true
+          sans = true
+          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
+            country = true
+            province = true
+            locality = true
+            organization = true
+            organizationalUnit = true
+            commonName = true
+            serialNumber = true
+            domainComponent = true
+          [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
+            country = true
+            province = true
+            locality = true
+            organization = true
+            commonName = true
+            serialNumber = true
+            domainComponent = true
+    ```
+
+    ```yaml tab="Labels"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    labels:
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+    ```
+
+    ```json tab="Tags"
+    // Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    {
+      //...
+      "Tags" : [
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true",
+        "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+      ]
+    }
+    ```
+
+    ```yaml tab="Kubernetes"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+      name: test-passtlsclientcert
+    spec:
+      passTLSClientCert:
+        info:
+          notAfter: true
+          notBefore: true
+          sans: true
+          subject:
+            country: true
+            province: true
+            locality: true
+            organization: true
+            organizationalUnit: true
+            commonName: true
+            serialNumber: true
+            domainComponent: true
+          issuer:
+            country: true
+            province: true
+            locality: true
+            organization: true
+            commonName: true
+            serialNumber: true
+            domainComponent: true
+    ```
+
+## General Information
+
+`passTLSClientCert` can add two headers to the request:
+
+- `X-Forwarded-Tls-Client-Cert` that contains the pem.
+- `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
+
+!!! info
+
+    - `X-Forwarded-Tls-Client-Cert-Info` header value is a string that has been escaped in order to be a valid URL query.
+    - These options only work accordingly to the MutualTLS configuration. i.e, only the certificates that match the `clientAuth.clientAuthType` policy are passed.
+
+??? example "Example of a complete certificate and explaining each of the middleware options"
+
+    ```txt
+    Certificate:
+        Data:
+            Version: 3 (0x2)
+            Serial Number: 1 (0x1)
+            Signature Algorithm: sha1WithRSAEncryption
+            Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
+            Validity
+                Not Before: Dec  6 11:10:16 2018 GMT
+                Not After : Dec  5 11:10:16 2020 GMT
+            Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com statemailAddress=cert@example.org/emailAddress=cert@sexample.com
+            Subject Public Key Info:
+                Public Key Algorithm: rsaEncryption
+                    RSA Public-Key: (2048 bit)
+                    Modulus:
+                        00:de:77:fa:8d:03:70:30:39:dd:51:1b:cc:60:db:
+                        a9:5a:13:b1:af:fe:2c:c6:38:9b:88:0a:0f:8e:d9:
+                        1b:a1:1d:af:0d:66:e4:13:5b:bc:5d:36:92:d7:5e:
+                        d0:fa:88:29:d3:78:e1:81:de:98:b2:a9:22:3f:bf:
+                        8a:af:12:92:63:d4:a9:c3:f2:e4:7e:d2:dc:a2:c5:
+                        39:1c:7a:eb:d7:12:70:63:2e:41:47:e0:f0:08:e8:
+                        dc:be:09:01:ec:28:09:af:35:d7:79:9c:50:35:d1:
+                        6b:e5:87:7b:34:f6:d2:31:65:1d:18:42:69:6c:04:
+                        11:83:fe:44:ae:90:92:2d:0b:75:39:57:62:e6:17:
+                        2f:47:2b:c7:53:dd:10:2d:c9:e3:06:13:d2:b9:ba:
+                        63:2e:3c:7d:83:6b:d6:89:c9:cc:9d:4d:bf:9f:e8:
+                        a3:7b:da:c8:99:2b:ba:66:d6:8e:f8:41:41:a0:c9:
+                        d0:5e:c8:11:a4:55:4a:93:83:87:63:04:63:41:9c:
+                        fb:68:04:67:c2:71:2f:f2:65:1d:02:5d:15:db:2c:
+                        d9:04:69:85:c2:7d:0d:ea:3b:ac:85:f8:d4:8f:0f:
+                        c5:70:b2:45:e1:ec:b2:54:0b:e9:f7:82:b4:9b:1b:
+                        2d:b9:25:d4:ab:ca:8f:5b:44:3e:15:dd:b8:7f:b7:
+                        ee:f9
+                    Exponent: 65537 (0x10001)
+            X509v3 extensions:
+                X509v3 Key Usage: critical
+                    Digital Signature, Key Encipherment
+                X509v3 Basic Constraints:
+                    CA:FALSE
+                X509v3 Extended Key Usage:
+                    TLS Web Server Authentication, TLS Web Client Authentication
+                X509v3 Subject Key Identifier:
+                    94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
+                X509v3 Authority Key Identifier:
+                    keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
+
+                X509v3 Subject Alternative Name:
+                    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
+        Signature Algorithm: sha1WithRSAEncryption
+            76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
+            16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
+            ed:99:ab:f7:cd:fe:38:3f:c3:9a:22:31:1b:ac:8c:1c:c2:f9:
+            5d:d4:75:7a:2e:72:c7:85:a9:04:af:9f:2a:cc:d3:96:75:f0:
+            8e:c7:c6:76:48:ac:45:a4:b9:02:1e:2f:c0:15:c4:07:08:92:
+            cb:27:50:67:a1:c8:05:c5:3a:b3:a6:48:be:eb:d5:59:ab:a2:
+            1b:95:30:71:13:5b:0a:9a:73:3b:60:cc:10:d0:6a:c7:e5:d7:
+            8b:2f:f9:2e:98:f2:ff:81:14:24:09:e3:4b:55:57:09:1a:22:
+            74:f1:f6:40:13:31:43:89:71:0a:96:1a:05:82:1f:83:3a:87:
+            9b:17:25:ef:5a:55:f2:2d:cd:0d:4d:e4:81:58:b6:e3:8d:09:
+            62:9a:0c:bd:e4:e5:5c:f0:95:da:cb:c7:34:2c:34:5f:6d:fc:
+            60:7b:12:5b:86:fd:df:21:89:3b:48:08:30:bf:67:ff:8c:e6:
+            9b:53:cc:87:36:47:70:40:3b:d9:90:2a:d2:d2:82:c6:9c:f5:
+            d1:d8:e0:e6:fd:aa:2f:95:7e:39:ac:fc:4e:d4:ce:65:b3:ec:
+            c6:98:8a:31
+    -----BEGIN CERTIFICATE-----
+    MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
+    ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
+    ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
+    Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
+    AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
+    IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
+    DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
+    D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
+    Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
+    NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
+    MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
+    BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
+    HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
+    ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
+    A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
+    VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
+    MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
+    EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+    AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
+    iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
+    KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
+    yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
+    BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
+    Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
+    A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
+    BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
+    BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
+    Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
+    Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
+    FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
+    KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
+    CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
+    mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
+    -----END CERTIFICATE-----
+    ```
+
+## Configuration Options
+
+| Field      | Description        | Default | Required |
+|:-----------|:------------------------------------------------------------|:--------|:---------|
+| `pem` | Fills the `X-Forwarded-Tls-Client-Cert` header with the certificate information.<br /> More information [here](#pem). | false      | No      |
+| `info.serialNumber` | Add the `Serial Number` of the certificate.<br /> More information about `info` [here](#info). | false | No |
+| `info.notAfter` | Add the `Not After` information from the `Validity` part. <br /> More information about `info` [here](#info). | false | No |
+| `info.notBefore` | Add the `Not Before` information from the `Validity` part. <br />More information about `info` [here](#info). | false      | No      |
+| `info.sans` | Add the `Subject Alternative Name` information from the `Subject Alternative Name` part. <br /> More information about `info` [here](#info). | false      | No      |
+| `info.subject` | The `info.subject` selects the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header. <br />More information about `info` [here](#info). | false      | No      |
+| `info.subject.country` | Add the `country` information into the subject.<br /> The data is taken from the subject part with the `C` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.subject.province` | Add the `province` information into the subject.<br /> The data is taken from the subject part with the `ST` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.subject.locality` | Add the `locality` information into the subject.<br /> The data is taken from the subject part with the `L` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.subject.organization` | Add the `organization` information into the subject.<br /> The data is taken from the subject part with the `O` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.subject.organizationalUnit` | Add the `organizationalUnit` information into the subject.<br /> The data is taken from the subject part with the `OU` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.subject.commonName` | Add the `commonName` information into the subject.<br /> The data is taken from the subject part with the `CN` key.| false      | No      |
+| `info.subject.serialNumber` | Add the `serialNumber` information into the subject.<br /> The data is taken from the subject part with the `SN` key.| false      | No      |
+| `info.subject.domainComponent` | Add the `domainComponent` information into the subject.<br />The data is taken from the subject part with the `DC` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.issuer` | The `info.issuer` selects the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header. <br />More information about `info` [here](#info). | false      | No      |
+| `info.issuer.country` | Add the `country` information into the issuer.<br /> The data is taken from the issuer part with the `C` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.issuer.province` | Add the `province` information into the issuer.<br />The data is taken from the issuer part with the `ST` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.issuer.locality` | Add the `locality` information into the issuer.<br /> The data is taken from the issuer part with the `L` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.issuer.organization` | Add the `organization` information into the issuer.<br /> The data is taken from the issuer part with the `O` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.issuer.commonName` |Add the `commonName` information into the issuer.<br /> The data is taken from the issuer part with the `CN` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.issuer.serialNumber` |Add the `serialNumber` information into the issuer.<br /> The data is taken from the issuer part with the `SN` key. <br />More information about `info` [here](#info). | false      | No      |
+| `info.issuer.domainComponent` | Add the `domainComponent` information into the issuer.<br /> The data is taken from the issuer part with the `DC` key. <br />More information about `info` [here](#info). | false      | No      |
+
+### pem
+
+#### Data Format
+
+The delimiters and `\n` will be removed.  
+If there are more than one certificate, they are separated by a "`,`".
+
+#### Header size
+
+The `X-Forwarded-Tls-Client-Cert` header value could exceed the web server header size limit
+
+The header size limit of web servers is commonly between 4kb and 8kb.  
+If that turns out to be a problem, and if reconfiguring the server to allow larger headers is not an option,
+one can alleviate the problem by selecting only the interesting parts of the cert,
+through the use of the `info` options described below. (And by setting `pem` to false).
+
+### info
+
+The `info` option selects the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
+
+#### Data Format
+
+The value of the header is an escaped concatenation of all the selected certificate details.
+Unless specified otherwise, all the header values examples are shown unescaped, for readability.
+
+If there are more than one certificate, they are separated by a `,`.
+
+The following example shows such a concatenation, when all the available fields are selected:
+
+```text
+Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
+```

docs/content/reference/routing-configuration/http/middlewares/ratelimit.md

@@ -0,0 +1,150 @@
+---
+title: "Traefik RateLimit Documentation"
+description: "Traefik Proxy's HTTP RateLimit middleware ensures Services receive fair amounts of requests. Read the technical documentation."
+---
+
+The `rateLimit` middleware ensures that services will receive a *fair* amount of requests, and allows you to define what fair is.
+
+It is based on a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) implementation.
+In this analogy, the `average` and `period` parameters define the **rate** at which the bucket refills, and the `burst` is the size (volume) of the bucket
+
+## Rate and Burst
+
+The rate is defined by dividing `average` by `period`.
+For a rate below 1 req/s, define a `period` larger than a second
+
+## Configuration Example
+
+```yaml tab="Structured (YAML)"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 200 requests is allowed.
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        average: 100
+        burst: 200
+```
+
+```toml tab="Structured (TOML)"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 200 requests is allowed.
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 100
+    burst = 200
+```
+
+```yaml tab="Labels"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 200 requests is allowed.
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=200"
+```
+
+```json tab="Tags"
+// Here, an average of 100 requests per second is allowed.
+// In addition, a burst of 200 requests is allowed.
+{
+  "Tags": [
+    "traefik.http.middlewares.test-ratelimit.ratelimit.average=100",
+    "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 200 requests is allowed.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    average: 100
+    burst: 200
+```
+
+## Configuration Options
+
+| Field      | Description       | Default | Required |
+|:-----------|:-------------------------------------------------------|:--------|:---------|
+| `average` | Number of requests used to define the rate using the `period`.<br /> 0 means **no rate limiting**.<br />More information [here](#rate-and-burst). | 0      | No      |
+| `period` | Period of time used to define the rate.<br />More information [here](#rate-and-burst). | 1s | No |
+| `burst` | Maximum number of requests allowed to go through at the very same moment.<br />More information [here](#rate-and-burst).| 1 | No |
+| `sourceCriterion.requestHost` | Whether to consider the request host as the source.<br />More information about `sourceCriterion`[here](#sourcecriterion). | false      | No      |
+| `sourceCriterion.requestHeaderName` | Name of the header used to group incoming requests.<br />More information about `sourceCriterion`[here](#sourcecriterion). | ""      | No      |
+| `sourceCriterion.ipStrategy.depth` | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br />If higher than 0, the `excludedIPs` options is not evaluated.<br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy`](#ipstrategy), and [`depth`](#sourcecriterionipstrategydepth) below. | 0      | No      |
+| `sourceCriterion.ipStrategy.excludedIPs` | Allows scanning the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy`](#ipstrategy), and [`excludedIPs`](#sourcecriterionipstrategyexcludedips) below. |       | No      |
+| `sourceCriterion.ipStrategy.ipv6Subnet` |  If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy.ipv6Subnet`](#sourcecriterionipstrategyipv6subnet) below. |       | No      |
+
+### sourceCriterion
+
+The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
+If several strategies are defined at the same time, an error will be raised.
+If none are set, the default is to use the request's remote address field (as an `ipStrategy`).
+
+### ipStrategy
+
+The `ipStrategy` option defines three parameters that configures how Traefik determines the client IP: `depth`, `excludedIPs` and `ipv6Subnet`.
+
+As a middleware, rate-limiting happens before the actual proxying to the backend takes place.
+In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, that is after it has already passed through rate-limiting.
+Therefore, during rate-limiting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be found and/or relied upon.
+
+### `sourceCriterion.ipStrategy.ipv6Subnet`
+
+This strategy applies to `Depth` and `RemoteAddr` strategy only.
+If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
+
+This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
+
+- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
+
+#### Example of ipv6Subnet
+
+If `ipv6Subnet` is provided, the IP is transformed in the following way.
+
+| `IP`                      | `ipv6Subnet` | clientIP              |
+|---------------------------|--------------|-----------------------|
+| `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
+| `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
+| `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
+
+### sourceCriterion.ipStrategy.depth
+
+If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
+
+| `X-Forwarded-For`                       | `depth` | clientIP     |
+|-----------------------------------------|---------|--------------|
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1`     | `"13.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
+| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
+
+### sourceCriterion.ipStrategy.excludedIPs
+
+Contrary to what the name might suggest, this option is *not* about excluding an IP from the rate limiter, and therefore cannot be used to deactivate rate limiting for some IPs.
+
+`excludedIPs` is meant to address two classes of somewhat distinct use-cases:
+
+1. Distinguish IPs which are behind the same (set of) reverse-proxies so that each of them contributes, independently to the others, to its own rate-limit "bucket" (cf the [token bucket](https://en.wikipedia.org/wiki/Token_bucket)).
+In this case, `excludedIPs` should be set to match the list of `X-Forwarded-For IPs` that are to be excluded, in order to find the actual clientIP.
+
+Example to use each IP as a distinct source:
+
+| X-Forwarded-For                | excludedIPs           | clientIP     |
+|--------------------------------|-----------------------|--------------|
+| `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
+| `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
+
+2. Group together a set of IPs (also behind a common set of reverse-proxies) so that they are considered the same source, and all contribute to the same rate-limit bucket.
+
+Example to group IPs together as same source:
+
+|  X-Forwarded-For               |  excludedIPs | clientIP     |
+|--------------------------------|--------------|--------------|
+| `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
+| `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
+| `"10.0.0.3,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |

docs/content/reference/routing-configuration/http/middlewares/redirectregex.md

@@ -0,0 +1,88 @@
+---
+title: "Traefik RedirectRegex Documentation"
+description: "In Traefik Proxy's HTTP middleware, RedirectRegex redirecting clients to different locations. Read the technical documentation."
+---
+
+The `RedirectRegex` redirects a request using regex matching and replacement.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Redirect with domain replacement
+http:
+  middlewares:
+    test-redirectregex:
+      redirectRegex:
+        regex: "^http://localhost/(.*)"
+        replacement: "http://mydomain/${1}"
+```
+
+```toml tab="Structured (TOML)"
+# Redirect with domain replacement
+[http.middlewares]
+  [http.middlewares.test-redirectregex.redirectRegex]
+    regex = "^http://localhost/(.*)"
+    replacement = "http://mydomain/${1}"
+```
+
+```yaml tab="Labels"
+# Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
+labels:
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+```
+
+```json tab="Tags"
+// Redirect with domain replacement
+// Note: all dollar signs need to be doubled for escaping.
+{
+  // ...
+  "Tags" : [
+    "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+    "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+# Redirect with domain replacement
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectregex
+spec:
+  redirectRegex:
+    regex: ^http://localhost/(.*)
+    replacement: http://mydomain/${1}
+```
+
+## Configuration Options
+
+<!-- markdownlint-disable MD013 -->
+
+| Field                        | Description                                                                                                                                                                                                | Default | Required |
+|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `regex` | The `regex` option is the regular expression to match and capture elements from the request URL.| "" | Yes |
+| `permanent` | Enable a permanent redirection. | false | No |
+| `replacement` | The `replacement` option defines how to modify the URL to have the new target URL..<br /> `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax. | "" | No |
+
+### `regex`
+
+The `regex` option is the regular expression to match and capture elements from the request URL.
+
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
+    
+### `replacement`
+
+The `replacement` option defines how to modify the URL to have the new target URL.
+
+!!! warning
+
+    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
+
+{!traefik-for-business-applications.md!}

docs/content/reference/routing-configuration/http/middlewares/redirectscheme.md

@@ -0,0 +1,74 @@
+---
+title: "Traefik RedirectScheme Documentation"
+description: "In Traefik Proxy's HTTP middleware, RedirectScheme redirects clients to different schemes/ports. Read the technical documentation."
+---
+
+The `RedirectScheme` middleware redirects the request if the request scheme is different from the configured scheme.
+
+!!! warning "When behind another reverse-proxy"
+
+    When there is at least one other reverse-proxy between the client and Traefik, 
+    the other reverse-proxy (i.e. the last hop) needs to be a [trusted](../../../install-configuration/entrypoints.md#configuration-options) one. 
+    
+    Otherwise, Traefik would clean up the X-Forwarded headers coming from this last hop, 
+    and as the RedirectScheme middleware relies on them to determine the scheme used,
+    it would not function as intended.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Redirect to https
+http:
+  middlewares:
+    test-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+```
+
+```toml tab="Structured (TOML)"
+# Redirect to https
+[http.middlewares]
+  [http.middlewares.test-redirectscheme.redirectScheme]
+    scheme = "https"
+    permanent = true
+```
+
+```yaml tab="Labels"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
+```json tab="Tags"
+// Redirect to https
+{
+  // ...
+  "Tags": [
+    "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+    "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+  ]
+}
+
+```
+
+```yaml tab="Kubernetes"
+# Redirect to https
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-redirectscheme
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+```
+
+## Configuration Options
+
+| Field                        | Description                                             | Default | Required |
+|:-----------------------------|----------------------------------------------------------|:--------|:---------|
+| `scheme` | Scheme of the new URL. | "" | Yes |
+| `permanent` | Enable a permanent redirection. | false | No |
+| `port` | Port of the new URL.<br />Set a string, **not** a numeric value. | "" | No |

docs/content/reference/routing-configuration/http/middlewares/replacepath.md

@@ -0,0 +1,60 @@
+---
+title: "Traefik ReplacePath Documentation"
+description: "In Traefik Proxy's HTTP middleware, ReplacePath updates paths before forwarding requests. Read the technical documentation."
+---
+
+The `replacePath` middleware will:
+
+- Replace the actual path with the specified one.
+- Store the original path in a `X-Replaced-Path` header
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Replace the path with /foo
+http:
+  middlewares:
+    test-replacepath:
+      replacePath:
+        path: "/foo"
+```
+
+```toml tab="Structured (TOML)"
+# Replace the path with /foo
+[http.middlewares]
+  [http.middlewares.test-replacepath.replacePath]
+    path = "/foo"
+```
+
+```yaml tab="Labels"
+# Replace the path with /foo
+labels:
+  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+```
+
+```json tab="Tags"
+// Replace the path with /foo
+{
+  // ...
+  "Tags" : [
+    "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+  ]
+} 
+```
+
+```yaml tab="Kubernetes"
+# Replace the path with /foo
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-replacepath
+spec:
+  replacePath:
+    path: "/foo"
+```
+
+## Configuration Options
+
+| Field | Description |
+|:------|:------------|
+| `path` | The `path` option defines the path to use as replacement in the request URL. |

docs/content/reference/routing-configuration/http/middlewares/replacepathregex.md

@@ -0,0 +1,67 @@
+---
+title: "Traefik ReplacePathRegex Documentation"
+description: "In Traefik Proxy's HTTP middleware, ReplacePathRegex updates paths before forwarding requests, using a regex. Read the technical documentation."
+---
+
+The `replacePathRegex` middleware will:
+
+- Replace the matching path with the specified one.
+- Store the original path in an `X-Replaced-Path` header
+
+## Configuration Examples
+
+```yaml tab="File (YAML)"
+# Replace path with regex
+http:
+  middlewares:
+    test-replacepathregex:
+      replacePathRegex:
+        regex: "^/foo/(.*)"
+        replacement: "/bar/$1"
+```
+
+```toml tab="File (TOML)"
+# Replace path with regex
+[http.middlewares]
+  [http.middlewares.test-replacepathregex.replacePathRegex]
+    regex = "^/foo/(.*)"
+    replacement = "/bar/$1"
+```
+
+```yaml tab="Kubernetes"
+# Replace path with regex
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-replacepathregex
+spec:
+  replacePathRegex:
+    regex: "^/foo/(.*)"
+    replacement: "/bar/$1"
+```
+
+```yaml tab="Docker & Swarm"
+# Replace path with regex
+labels:
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$$1"
+```
+
+```yaml tab="Consul Catalog"
+# Replace path with regex
+- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+```
+
+## Configuration Options
+
+| Field                        | Description      | Default | Required |
+|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `regex` | Regular expression to match and capture the path from the request URL. | | Yes |
+| `replacement` | Replacement path format, which can include captured variables.<br /> `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax. | | No 
+
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.

docs/content/reference/routing-configuration/http/middlewares/retry.md

@@ -0,0 +1,68 @@
+---
+title: "Traefik HTTP Retry Documentation"
+description: "Configure Traefik Proxy's HTTP Retry middleware, so you can retry requests to a backend server until it succeeds. Read the technical documentation."
+---
+
+The `retry` middleware retries requests a given number of times to a backend server if that server does not reply.  
+As soon as the server answers, the middleware stops retrying, regardless of the response status.
+
+The Retry middleware has an optional configuration to enable an exponential backoff.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Retry 4 times with exponential backoff
+http:
+  middlewares:
+    test-retry:
+      retry:
+        attempts: 4
+        initialInterval: 100ms
+```
+
+```toml tab="Structured (TOML)"
+# Retry 4 times with exponential backoff
+[http.middlewares]
+  [http.middlewares.test-retry.retry]
+    attempts = 4
+    initialInterval = "100ms"
+```
+
+```yaml tab="Labels"
+# Retry 4 times with exponential backoff
+labels:
+  - "traefik.http.middlewares.test-retry.retry.attempts=4"
+  - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
+```
+
+```json tab="Tags"
+// Retry 4 times with exponential backoff
+
+{
+  // ...
+  "Tags" : [
+    "traefik.http.middlewares.test-retry.retry.attempts=4",
+    "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
+  ]
+}
+
+```
+
+```yaml tab="Kubernetes"
+# Retry 4 times with exponential backoff
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-retry
+spec:
+  retry:
+    attempts: 4
+    initialInterval: 100ms
+```
+
+## Configuration Options
+
+| Field | Description | Default | Required |
+|:------|:------------|:--------|:---------|
+| `attempts` | number of times the request should be retried. |  | Yes |
+| `initialInterval` | First wait time in the exponential backoff series. <br />The maximum interval is calculated as twice the `initialInterval`. <br /> If unspecified, requests will be retried immediately.<br /> Defined in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration). | 0 | No |

docs/content/reference/routing-configuration/http/middlewares/stripprefix.md

@@ -0,0 +1,66 @@
+---
+title: "Traefik StripPrefix Documentation"
+description: "In Traefik Proxy's HTTP middleware, StripPrefix removes prefixes from paths before forwarding requests. Read the technical documentation."
+---
+
+The `stripPrefix` middleware strips the matching path prefix and stores it in an `X-Forwarded-Prefix` header.
+
+!!! tip
+
+    Use a `StripPrefix` middleware if your backend listens on the root path (`/`) but should be exposed on a specific prefix.
+
+## Configuration Examples
+
+```yaml tab="Structured (YAML)"
+# Strip prefix /foobar and /fiibar
+http:
+  middlewares:
+    test-stripprefix:
+      stripPrefix:
+        prefixes:
+          - "/foobar"
+          - "/fiibar"
+```
+
+```toml tab="Structured (TOML)"
+# Strip prefix /foobar and /fiibar
+[http.middlewares]
+  [http.middlewares.test-stripprefix.stripPrefix]
+    prefixes = ["/foobar", "/fiibar"]
+```
+
+```yaml tab="Labels"
+# Strip prefix /foobar and /fiibar
+labels:
+  - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
+```
+
+```json tab="Tags"
+// Strip prefix /foobar and /fiibar
+{
+  "Tags" : [
+    "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
+  ]
+}
+```
+
+```yaml tab="Kubernetes"
+# Strip prefix /foobar and /fiibar
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-stripprefix
+spec:
+  stripPrefix:
+    prefixes:
+      - /foobar
+      - /fiibar
+```
+
+## Configuration Options
+
+| Field                        | Description           | Default | Required |
+|:-----------------------------|:--------------------------------------------------------------|:--------|:---------|
+| `prefixes` | List of prefixes to strip from the request URL.<br />If your backend is serving assets (for example, images or JavaScript files), it can use the `X-Forwarded-Prefix` header to construct relative URLs. | [] | No |
+
+{!traefik-for-business-applications.md!}

docs/content/reference/routing-configuration/http/middlewares/stripprefixregex.md

@@ -0,0 +1,70 @@
+---
+title: "Traefik StripPrefixRegex Documentation"
+description: "In Traefik Proxy's HTTP middleware, StripPrefixRegex removes prefixes from paths before forwarding requests, using regex. Read the technical documentation."
+---
+
+The `stripPrefixRegex` middleware strips the matching path prefix and stores it in an `X-Forwarded-Prefix` header.
+
+!!! tip
+
+    Use a `stripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be exposed on a specific prefix.
+
+## Configuration Example
+
+```yaml tab="Structured (YAML)"
+http:
+  middlewares:
+    test-stripprefixregex:
+      stripPrefixRegex:
+        regex:
+          - "/foo/[a-z0-9]+/[0-9]+/"
+```
+
+```toml tab="Structured (TOML)"
+[http.middlewares]
+  [http.middlewares.test-stripprefixregex.stripPrefixRegex]
+    regex = ["/foo/[a-z0-9]+/[0-9]+/"]
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
+```
+
+```yaml tab="Tags"
+{
+  //..
+  "Tags" : [
+    "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
+  ]
+}
+- 
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-stripprefixregex
+spec:
+  stripPrefixRegex:
+    regex:
+      - "/foo/[a-z0-9]+/[0-9]+/"
+```
+
+## Configuration Options
+
+| Field                        | Description                                                                                                                                                                                                | Default | Required |
+|:-----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `regex` | List of regular expressions to match the path prefix from the request URL.<br /> For instance, `/products` also matches `/products/shoes` and `/products/shirts`.<br />More information [here](#regex). | | No |
+
+### regex
+
+If your backend is serving assets (for example, images or JavaScript files), it can use the `X-Forwarded-Prefix` header to construct relative URLs.
+Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).
+
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.

docs/content/reference/routing-configuration/http/router/observability.md

@@ -0,0 +1,80 @@
+---
+title: "Per-Router Observability"
+description: "You can disable access logs, metrics, and tracing for a specific entrypoint attached to a HTTP Router. Read the technical documentation."
+---
+
+Traefik's observability features include logs, access logs, metrics, and tracing. You can configure these options globally or at more specific levels, such as per router or per entry point.
+
+By default, the router observability configuration is inherited from the attached EntryPoints and can be configured with the observability [options](../../../install-configuration/entrypoints.md#configuration-options)).
+However, a router defining its own observability configuration will opt-out from these defaults.
+
+!!! info
+    To enable router-level observability, you must first enable access-logs, tracing, and metrics.
+
+    When metrics layers are not enabled with the `addEntryPointsLabels`, `addRoutersLabels` and/or `addServicesLabels` options,
+    enabling metrics for a router will not enable them.
+
+!!! warning "AddInternals option"
+
+    By default, and for any type of signal (access-logs, metrics and tracing),
+    Traefik disables observability for internal resources.
+    The observability options described below cannot interfere with the `AddInternals` ones,
+    and will be ignored.
+
+    For instance, if a router exposes the `api@internal` service and `metrics.AddInternals` is false,
+    it will never produces metrics, even if the router observability configuration enables metrics.
+
+## Configuration Example
+
+```yaml tab="Structured (YAML)"
+http:
+  routers:
+    my-router:
+      rule: "Path(`/foo`)"
+      service: service-foo
+      observability:
+        metrics: false
+        accessLogs: false
+        tracing: false
+```
+
+```yaml tab="Structured (TOML)"
+[http.routers.my-router]
+  rule = "Path(`/foo`)"
+  service = "service-foo"
+
+  [http.routers.my-router.observability]
+    metrics = false
+    accessLogs = false
+    tracing = false
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.routers.my-router.rule=Path(`/foo`)"
+  - "traefik.http.routers.my-router.service=service-foo"
+  - "traefik.http.routers.my-router.observability.metrics=false"
+  - "traefik.http.routers.my-router.observability.accessLogs=false"
+  - "traefik.http.routers.my-router.observability.tracing=false"
+```
+
+```json tab="Tags"
+{
+  // ...
+  "Tags": [
+    "traefik.http.routers.my-router.rule=Path(`/foo`)",
+    "traefik.http.routers.my-router.service=service-foo",
+    "traefik.http.routers.my-router.observability.metrics=false",
+    "traefik.http.routers.my-router.observability.accessLogs=false",
+    "traefik.http.routers.my-router.observability.tracing=false"
+  ]
+}
+```
+
+## Configuration Options
+
+| Field | Description | Default | Required |
+|:------|:------------|:--------|:---------|
+| `accessLogs` | The `accessLogs` option controls whether the router will produce access-logs. | `true` | No |
+| `metrics` | The `metrics` option controls whether the router will produce metrics. | `true` | No |
+| `tracing` | The `tracing` option controls whether the router will produce traces. | `true` | No |

docs/content/reference/routing-configuration/http/router/rules-and-priority.md

@@ -0,0 +1,291 @@
+---
+title: "Traefik HTTP Routers Rules & Priority Documentation"
+description: "In Traefik Proxy, an HTTP router is in charge of connecting incoming requests to the Services that can handle them. Read the technical documentation."
+---
+
+An HTTP router is in charge of connecting incoming requests to the services that can handle them. Traefik allows you to define your matching rules and [prioritize](#priority-calculation) the routes.
+
+## Rules
+
+Rules are a set of matchers configured with values, that determine if a particular request matches a specific criteria. 
+If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service.
+
+- The character `@` is not authorized in the router name.
+- To set the value of a rule, use [backticks](https://en.wiktionary.org/wiki/backtick) ` or escaped double-quotes ``\"``.
+- Single quotes ' are not accepted since the values are [Go's String Literals](https://golang.org/ref/spec#String_literals).
+- Regular Expressions:
+    - Matchers that accept a regexp as their value use a [Go](https://golang.org/pkg/regexp/) flavored syntax.
+    - The usual `AND` (&&) and `OR` (||) logical operators can be used, with the expected precedence rules, as well as parentheses to express complex rules.
+    - The `NOT` (!) operator allows you to invert the matcher.
+
+The table below lists all the available matchers:
+
+| Matcher                                                         | Description                                                                    |
+|-----------------------------------------------------------------|:-------------------------------------------------------------------------------|
+| [```Header(`key`, `value`)```](#header-and-headerregexp)        | Matches requests containing a header named `key` set to `value`.               |
+| [```HeaderRegexp(`key`, `regexp`)```](#header-and-headerregexp) | Matches requests containing a header named `key` matching `regexp`.            |
+| [```Host(`domain`)```](#host-and-hostregexp)                    | Matches requests host set to `domain`.                                         |
+| [```HostRegexp(`regexp`)```](#host-and-hostregexp)              | Matches requests host matching `regexp`.                                       |
+| [```Method(`method`)```](#method)                               | Matches requests method set to `method`.                                       |
+| [```Path(`path`)```](#path-pathprefix-and-pathregexp)           | Matches requests path set to `path`.                                           |
+| [```PathPrefix(`prefix`)```](#path-pathprefix-and-pathregexp)   | Matches requests path prefix set to `prefix`.                                  |
+| [```PathRegexp(`regexp`)```](#path-pathprefix-and-pathregexp)   | Matches request path using `regexp`.                                           |
+| [```Query(`key`, `value`)```](#query-and-queryregexp)           | Matches requests query parameters named `key` set to `value`.                  |
+| [```QueryRegexp(`key`, `regexp`)```](#query-and-queryregexp)    | Matches requests query parameters named `key` matching `regexp`.               |
+| [```ClientIP(`ip`)```](#clientip)                               | Matches requests client IP using `ip`. It accepts IPv4, IPv6 and CIDR formats. |
+
+### Header and HeaderRegexp
+
+The `Header` and `HeaderRegexp` matchers allow matching requests that contain specific header.
+
+| Behavior                                                        | Rule                                                                    |
+|-----------------------------------------------------------------|:------------------------------------------------------------------------|
+| Match requests with a `Content-Type` header set to `application/yaml`.| ```Header(`Content-Type`, `application/yaml`)``` |
+| Match requests with a `Content-Type` header set to either `application/json` or `application/yaml`. | ```HeaderRegexp(`Content-Type`, `^application/(json\|yaml)$`)``` |
+| Match headers [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity). | ```HeaderRegexp(`Content-Type`, `(?i)^application/(json\|yaml)$`)``` |
+
+### Host and HostRegexp
+
+The `Host` and `HostRegexp` matchers allow matching requests that are targeted to a given host.
+
+These matchers do not support non-ASCII characters, use punycode encoded values ([rfc 3492](https://tools.ietf.org/html/rfc3492)) to match such domains.
+
+If no `Host` is set in the request URL (for example, it's an IP address), these matchers will look at the `Host` header.
+
+These matchers will match the request's host in lowercase.
+
+| Behavior                                                        | Rule                                                                    |
+|-----------------------------------------------------------------|:------------------------------------------------------------------------|
+| Match requests with `Host` set to `example.com`. | ```Host(`example.com`)``` |
+| Match requests sent to any subdomain of `example.com`. | ```HostRegexp(`^.+\.example\.com$`)``` |
+| Match requests with `Host` set to either `example.com` or `example.org`. | ```HostRegexp(`^example\.(com\|org)$`)``` |
+| Match `Host` [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity). | ```HostRegexp(`(?i)^example\.(com\|org)$`)``` |
+
+### Method
+
+The `Method` matchers allows matching requests sent based on their HTTP method (also known as request verb).
+
+| Behavior                                                        | Rule                                                                    |
+|-----------------------------------------------------------------|:------------------------------------------------------------------------|
+| Match `OPTIONS` requests. | ```Method(`OPTIONS`)``` |
+
+### Path, PathPrefix, and PathRegexp
+
+These matchers allow matching requests based on their URL path.
+
+For exact matches, use `Path` and its prefixed alternative `PathPrefix`, for regexp matches, use `PathRegexp`.
+
+Path are always starting with a `/`, except for `PathRegexp`.
+
+| Behavior                                                        | Rule                                                                    |
+|-----------------------------------------------------------------|:------------------------------------------------------------------------|
+| Match `/products` but neither `/products/shoes` nor `/products/`. | ```Path(`/products`)``` |
+| Match `/products` as well as everything under `/products`, such as `/products/shoes`, `/products/` but also `/products-for-sale`. | ```PathPrefix(`/products`)``` |
+| Match both `/products/shoes` and `/products/socks` with and ID like `/products/shoes/31`. | ```PathRegexp(`^/products/(shoes\|socks)/[0-9]+$`)``` |
+| Match requests with a path ending in either `.jpeg`, `.jpg` or `.png`. | ```PathRegexp(`\.(jpeg\|jpg\|png)$`)``` |
+| Match `/products` as well as everything under `/products`, such as `/products/shoes`, `/products/` but also `/products-for-sale`, [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity). | ```HostRegexp(`(?i)^/products`)``` |
+
+### Query and QueryRegexp
+
+The `Query` and `QueryRegexp` matchers allow matching requests based on query parameters.
+
+| Behavior                                                        | Rule                                                                    |
+|-----------------------------------------------------------------|:------------------------------------------------------------------------|
+| Match requests with a `mobile` query parameter set to `true`, such as in `/search?mobile=true`. | ```Query(`mobile`, `true`)``` |
+| Match requests with a query parameter `mobile` that has no value, such as in `/search?mobile`. | ```Query(`mobile`)``` |
+| Match requests with a `mobile` query parameter set to either `true` or `yes`. | ```QueryRegexp(`mobile`, `^(true\|yes)$`)``` |
+| Match requests with a `mobile` query parameter set to any value (including the empty value). | ```QueryRegexp(`mobile`, `^.*$`)``` |
+| Match query parameters [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity). | ```QueryRegexp(`mobile`, `(?i)^(true\|yes)$`)``` |
+
+### ClientIP
+
+The `ClientIP` matcher allows matching requests sent from the given client IP.
+
+It only matches the request client IP and does not use the `X-Forwarded-For` header for matching.
+
+| Behavior                                                        | Rule                                                                    |
+|-----------------------------------------------------------------|:------------------------------------------------------------------------|
+| Match requests coming from a given IP (IPv4). | ```ClientIP(`10.76.105.11`)``` |
+| Match requests coming from a given IP (IPv6). | ```ClientIP(`::1`)``` |
+| Match requests coming from a given subnet (IPv4). | ```ClientIP(`192.168.1.0/24`)``` |
+| Match requests coming from a given subnet (IPv6). | ```ClientIP(`fe80::/10`)``` |
+
+### RuleSyntax
+
+In Traefik v3 a new rule syntax has been introduced ([migration guide](../../../../migration/v3.md)). the `ruleSyntax` option allows to configure the rule syntax to be used for parsing the rule on a per-router basis. This allows to have heterogeneous router configurations and ease migration.
+
+The default value of the `ruleSyntax` option is inherited from the `defaultRuleSyntax` option in the install configuration (formerly known as static configuration). By default, the `defaultRuleSyntax` static option is v3, meaning that the default rule syntax is also v3
+
+#### Configuration Example
+
+The configuration below uses the [File Provider (Structured)](../../../install-configuration/providers/others/file.md) to configure the `ruleSyntax` to allow `Router-v2` to use v2 syntax, while for `Router-v3` it is configured to use v3 syntax.
+
+```yaml tab="Structured (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    Router-v3:
+      rule: HostRegexp(`[a-z]+\\.traefik\\.com`)
+      ruleSyntax: v3
+    Router-v2:
+      rule: HostRegexp(`{subdomain:[a-z]+}.traefik.com`)
+      ruleSyntax: v2
+```
+
+```toml tab="Structured (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.Router-v3]
+    rule = "HostRegexp(`[a-z]+\\.traefik\\.com`)"
+    ruleSyntax = v3
+  [http.routers.Router-v2]
+    rule = "HostRegexp(`{subdomain:[a-z]+}.traefik.com`)"
+    ruleSyntax = v2
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.routers.Router-v3.rule=HostRegexp(`[a-z]+\\.traefik\\.com`)"
+  - "traefik.http.routers.Router-v3.ruleSyntax=v3"
+  - "traefik.http.routers.Router-v2.rule=HostRegexp(`{subdomain:[a-z]+}.traefik.com`)"
+  - "traefik.http.routers.Router-v2.ruleSyntax=v2"
+```
+
+```json tab="Tags"
+{
+  // ...
+  "Tags": [
+    "traefik.http.routers.Router-v3.rule=HostRegexp(`[a-z]+\\.traefik\\.com`)",
+    "traefik.http.routers.Router-v3.ruleSyntax=v3"
+    "traefik.http.routers.Router-v2.rule=HostRegexp(`{subdomain:[a-z]+}.traefik.com`)",
+    "traefik.http.routers.Router-v2.ruleSyntax=v2"
+  ]
+},
+```
+
+## Priority Calculation
+
+??? info "How default priorities are computed"
+
+    ```yaml tab="Structured (YAML)"
+    http:
+      routers:
+        Router-1:
+          rule: "HostRegexp(`[a-z]+\.traefik\.com`)"
+          # ...
+        Router-2:
+          rule: "Host(`foobar.traefik.com`)"
+          # ...
+    ```
+
+    ```toml tab="Structured (TOML)"
+    [http.routers]
+      [http.routers.Router-1]
+        rule = "HostRegexp(`[a-z]+\\.traefik\\.com`)"
+        # ...
+      [http.routers.Router-2]
+        rule = "Host(`foobar.traefik.com`)"
+        # ...
+    ```
+
+    ```yaml tab="Labels"
+    labels:
+      - "traefik.http.routers.Router-1.rule=HostRegexp(`[a-z]+\\.traefik\\.com`)"
+      - "traefik.http.routers.Router-2.rule=Host(`foobar.traefik.com`)"
+    ```
+
+    ```json tab="Tags"
+    {
+        // ...
+        "Tags": [
+          "traefik.http.routers.Router-1.rule=HostRegexp(`[a-z]+\\.traefik\\.com`)",
+          "traefik.http.routers.Router-2.rule=Host(`foobar.traefik.com`)"
+        ]
+      }
+    ```
+
+    In this case, all requests with host `foobar.traefik.com` will be routed through `Router-1` instead of `Router-2`.
+
+    | Name     | Rule                                     | Priority |
+    |----------|------------------------------------------|----------|
+    | Router-1 | ```HostRegexp(`[a-z]+\.traefik\.com`)``` | 34       |
+    | Router-2 | ```Host(`foobar.traefik.com`)```         | 26       |
+
+    The previous table shows that `Router-1` has a higher priority than `Router-2`.
+
+    To solve this issue, the priority must be set.
+
+To avoid path overlap, routes are sorted, by default, in descending order using rules length.
+The priority is directly equal to the length of the rule, and so the longest length has the highest priority.
+
+A value of `0` for the priority is ignored: `priority: 0` means that the default rules length sorting is used.
+
+Traefik reserves a range of priorities for its internal routers, the maximum user-defined router priority value is:
+
+- `(MaxInt32 - 1000)` for 32-bit platforms,
+- `(MaxInt64 - 1000)` for 64-bit platforms.
+
+### Example
+
+```yaml tab="Structured (YAML)"
+## Dynamic configuration
+http:
+  routers:
+    Router-1:
+      rule: "HostRegexp(`[a-z]+\\.traefik\\.com`)"
+      entryPoints:
+      - "web"
+      service: service-1
+      priority: 1
+    Router-2:
+      rule: "Host(`foobar.traefik.com`)"
+      entryPoints:
+      - "web"
+      priority: 2
+      service: service-2
+```
+
+```toml tab="Structured (TOML)"
+## Dynamic configuration
+[http.routers]
+  [http.routers.Router-1]
+    rule = "HostRegexp(`[a-z]+\\.traefik\\.com`)"
+    entryPoints = ["web"]
+    service = "service-1"
+    priority = 1
+  [http.routers.Router-2]
+    rule = "Host(`foobar.traefik.com`)"
+    entryPoints = ["web"]
+    priority = 2
+    service = "service-2"
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.routers.Router-1.rule=HostRegexp(`[a-z]+\\.traefik\\.com`)"
+  - "traefik.http.routers.Router-1.entryPoints=web"
+  - "traefik.http.routers.Router-1.service=service-1"
+  - "traefik.http.routers.Router-1.priority=1"
+  - "traefik.http.routers.Router-2.rule=Host(`foobar.traefik.com`)"
+  - "traefik.http.routers.Router-2.entryPoints=web"
+  - "traefik.http.routers.Router-2.service=service-2"
+  - "traefik.http.routers.Router-2.priority=2"
+```
+
+```json tab="Tags"
+  {
+    // ...
+    "Tags": [
+      "traefik.http.routers.Router-1.rule=HostRegexp(`[a-z]+\\.traefik\\.com`)",
+      "traefik.http.routers.Router-1.entryPoints=web",
+      "traefik.http.routers.Router-1.service=service-1",
+      "traefik.http.routers.Router-1.priority=1"
+      "traefik.http.routers.Router-2.rule=Host(`foobar.traefik.com`)",
+      "traefik.http.routers.Router-2.entryPoints=web",
+      "traefik.http.routers.Router-2.service=service-2",
+      "traefik.http.routers.Router-2.priority=2"
+    ]
+  }
+```
+
+In the example above, the priority is configured to allow `Router-2` to handle requests with the `foobar.traefik.com` host.

docs/content/reference/routing-configuration/http/tls/overview.md

@@ -0,0 +1,10 @@
+---
+title: "Traefik TLS Documentation"
+description: "Learn how to configure the transport layer security (TLS) connection in Traefik Proxy. Read the technical documentation."
+---
+
+Traefik's TLS configuration defines how TLS negotiation is handled for incoming connections.
+
+The next section of this documentation explains how to configure TLS connections through a definition in the dynamic configuration and how to configure TLS options, and certificates stores.
+
+{!traefik-for-business-applications.md!}

docs/content/reference/routing-configuration/http/tls/tls-certificates.md

@@ -0,0 +1,158 @@
+---
+title: "Traefik TLS Certificates Documentation"
+description: "Learn how to configure the transport layer security (TLS) connection in Traefik Proxy. Read the technical documentation."
+---
+
+!!! info
+    When a router has to handle HTTPS traffic, it should be specified with a `tls` field of the router definition.
+
+## Certificates Definition
+
+### Automated
+
+See the [Let's Encrypt](../../../install-configuration/tls/certificate-resolvers/acme.md) page.
+
+### User defined
+
+To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../../dynamic-configuration-methods.md#providing-dynamic-routing-configuration-to-traefik), in the `[[tls.certificates]]` section:
+
+```yaml tab="Structured (YAML)"
+tls:
+  certificates:
+    - certFile: /path/to/domain.cert
+      keyFile: /path/to/domain.key
+    - certFile: /path/to/other-domain.cert
+      keyFile: /path/to/other-domain.key
+```
+
+```toml tab="Structured (TOML)"
+[[tls.certificates]]
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"
+
+[[tls.certificates]]
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
+```
+
+!!! important "Restriction"
+
+    In the above example, we've used the [file provider](../../../install-configuration/providers/others/file.md) to handle these definitions.
+    It is the only available method to configure the certificates (as well as the options and the stores).
+    However, in [Kubernetes](../../../install-configuration/providers/kubernetes/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
+
+## Certificates Stores
+
+In Traefik, certificates are grouped together in certificates stores.
+
+!!! important "Restriction"
+
+    Any store definition other than the default one (named `default`) will be ignored,
+    and there is therefore only one globally available TLS store.
+
+In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
+
+```yaml tab="Structured (YAML)"
+tls:
+  certificates:
+    - certFile: /path/to/domain.cert
+      keyFile: /path/to/domain.key
+      stores:
+        - default
+    # Note that since no store is defined,
+    # the certificate below will be stored in the `default` store.
+    - certFile: /path/to/other-domain.cert
+      keyFile: /path/to/other-domain.key
+```
+
+```toml tab="Structured (TOML)"
+[[tls.certificates]]
+  certFile = "/path/to/domain.cert"
+  keyFile = "/path/to/domain.key"
+  stores = ["default"]
+
+[[tls.certificates]]
+  # Note that since no store is defined,
+  # the certificate below will be stored in the `default` store.
+  certFile = "/path/to/other-domain.cert"
+  keyFile = "/path/to/other-domain.key"
+```
+
+!!! important "Restriction"
+
+    The `stores` list will actually be ignored and automatically set to `["default"]`.
+
+### Default Certificate
+
+Traefik can use a default certificate for connections without a SNI, or without a matching domain.
+This default certificate should be defined in a TLS store:
+
+```yaml tab="Structured (YAML)"
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: path/to/cert.crt
+        keyFile: path/to/cert.key
+```
+
+```toml tab="Structured (TOML)"
+[tls.stores]
+  [tls.stores.default]
+    [tls.stores.default.defaultCertificate]
+      certFile = "path/to/cert.crt"
+      keyFile  = "path/to/cert.key"
+```
+
+If no `defaultCertificate` is provided, Traefik will use the generated one.
+
+### ACME Default Certificate
+
+You can configure Traefik to use an ACME provider (like Let's Encrypt) to generate the default certificate.
+The configuration to resolve the default certificate should be defined in a TLS store:
+
+!!! important "Precedence with the `defaultGeneratedCert` option"
+
+    The `defaultGeneratedCert` definition takes precedence over the ACME default certificate configuration.
+
+```yaml tab="Structured (YAML)"
+tls:
+  stores:
+    default:
+      defaultGeneratedCert:
+        resolver: myresolver
+        domain:
+          main: example.org
+          sans:
+            - foo.example.org
+            - bar.example.org
+```
+
+```toml tab="Structured (TOML)"
+[tls.stores]
+  [tls.stores.default.defaultGeneratedCert]
+    resolver = "myresolver"
+    [tls.stores.default.defaultGeneratedCert.domain]
+      main = "example.org"
+      sans = ["foo.example.org", "bar.example.org"]
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
+  - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org"
+  - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
+```
+
+```json tab="Tags"
+{
+  "Name": "default",
+  "Tags": [
+    "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver",
+    "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org",
+    "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
+  ]
+}
+```
+
+{!traefik-for-business-applications.md!}