Prepare release v3.5.4

Merge branch v2.11 into v3.5
Prepare release v2.11.30
2025-11-09 04:23:50 +03:00 · 2025-10-28 11:44:04 +01:00 · 2025-10-28 09:54:03 +01:00 · 2025-10-28 09:44:04 +01:00 · 2025-10-27 10:52:04 +01:00 · 2025-10-27 10:34:04 +01:00
874 changed files with 53214 additions and 29411 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,17 +1,16 @@
 <!--
 PLEASE READ THIS MESSAGE.

-Documentation fixes or enhancements:
- for Traefik v2: use branch v2.11
- for Traefik v3: use branch v3.4
+Documentation:
+- for Traefik v2: use branch v2.11 (fixes only)
+- for Traefik v3: use branch v3.5

-Bug fixes:
- for Traefik v2: use branch v2.11
- for Traefik v3: use branch v3.4
+Bug:
+- for Traefik v2: use branch v2.11 (security fixes only)
+- for Traefik v3: use branch v3.5

 Enhancements:
- for Traefik v2: we only accept bug fixes
- for Traefik v3: use branch master
+- use branch master

 HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/

--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -51,7 +51,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

--- a/.github/workflows/check_doc.yml
+++ b/.github/workflows/check_doc.yml
@@ -13,7 +13,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -28,7 +28,7 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5

    - name: setup go
      uses: actions/setup-go@v5
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -1,6 +1,7 @@
 name: Build and Publish Documentation

 on:
+  workflow_dispatch: {}
  push:
    branches:
      - master
@@ -19,7 +20,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -39,9 +40,9 @@ jobs:
        run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}

      - name: Build documentation
-        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
-        env:
-          STRUCTOR_LATEST_TAG: ${{ vars.STRUCTOR_LATEST_TAG }}
+        run: |
+          STRUCTOR_LATEST_TAG=$(curl -s https://api.github.com/repos/traefik/traefik/releases/latest | jq -r '.tag_name')
+          $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug

      - name: Apply seo
        run: $HOME/bin/seo -path=./site -product=traefik
--- a/.github/workflows/experimental.yaml
+++ b/.github/workflows/experimental.yaml
@@ -23,7 +23,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,7 +10,7 @@ env:
  CGO_ENABLED: 0
  VERSION: ${{ github.ref_name }}
  TRAEFIKER_EMAIL: "traefiker@traefik.io"
-  CODENAME: chaource
+  CODENAME: chabichou

 jobs:

@@ -30,7 +30,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -89,7 +89,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -126,13 +126,11 @@ jobs:
          tar cfz "dist/traefik-${VERSION}.src.tar.gz" \
            --exclude-vcs \
            --exclude .idea \
-            --exclude .travis \
-            --exclude .semaphoreci \
            --exclude .github \
            --exclude dist .
          
          chown -R "$(id -u)":"$(id -g)" dist/
-          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION}
+          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION} --latest=true
          
          ./script/deploy.sh

--- a/.github/workflows/template-webui.yaml
+++ b/.github/workflows/template-webui.yaml
@@ -8,10 +8,13 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

+      - name: Enable corepack
+        run: corepack enable
+
      - name: Setup node
        uses: actions/setup-node@v4
        with:
--- a/.github/workflows/test-conformance.yaml
+++ b/.github/workflows/test-conformance.yaml
@@ -30,9 +30,6 @@ jobs:
        with:
          go-version: ${{ env.GO_VERSION }}

-      - name: Avoid generating webui
-        run: touch webui/static/index.html
-
      - name: K8s Gateway API conformance test and report
        run: |
          make test-gateway-api-conformance
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@@ -20,7 +20,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -30,9 +30,6 @@ jobs:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true

-      - name: Avoid generating webui
-        run: touch webui/static/index.html
-
      - name: Build binary
        run: make binary-linux-amd64

@@ -62,7 +59,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -72,9 +69,6 @@ jobs:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true

-      - name: Avoid generating webui
-        run: touch webui/static/index.html
-
      - name: Download traefik binary
        uses: actions/download-artifact@v4
        with:
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -13,7 +13,6 @@ env:
  GO_VERSION: '1.24'

 jobs:
-
  generate-packages:
    name: List Go Packages
    runs-on: ubuntu-latest
@@ -21,7 +20,7 @@ jobs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -47,7 +46,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -57,9 +56,6 @@ jobs:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true

-      - name: Avoid generating webui
-        run: touch webui/static/index.html
-
      - name: Tests
        run: |
          go test -v -parallel 8 ${{ matrix.package.group }}
@@ -69,10 +65,13 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

+      - name: Enable corepack
+        run: corepack enable
+
      - name: Set up Node.js ${{ env.NODE_VERSION }}
        uses: actions/setup-node@v4
        with:
@@ -81,6 +80,9 @@ jobs:
          cache-dependency-path: webui/yarn.lock

      - name: UI unit tests
+        working-directory: ./webui
+        env:
+          VITE_APP_BASE_API_URL: "/api"
        run: |
-          yarn --cwd webui install
-          yarn --cwd webui test:unit:ci
+          yarn install
+          yarn test:unit:ci
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -17,7 +17,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -37,7 +37,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -50,9 +50,6 @@ jobs:
      - name: Install misspell ${{ env.MISSPELL_VERSION }}
        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/HEAD/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}

-      - name: Avoid generating webui
-        run: touch webui/static/index.html
-
      - name: Validate
        run: make validate-files

@@ -61,7 +58,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

--- a/.golangci.yml
+++ b/.golangci.yml
@@ -245,6 +245,10 @@ linters:
        text: Function 'buildConstructor' has too many statements
        linters:
          - funlen
+      - path: pkg/provider/kubernetes/ingress-nginx/kubernetes.go
+        text: Function 'loadConfiguration' has too many statements
+        linters:
+          - funlen
      - path: pkg/tracing/haystack/logger.go
        linters:
          - goprintffuncname
@@ -259,7 +263,7 @@ linters:
      - path: pkg/provider/kubernetes/(crd|gateway)/client.go
        linters:
          - interfacebloat
-      - path: pkg/metrics/metrics.go
+      - path: pkg/observability/metrics/metrics.go
        linters:
          - interfacebloat
      - path: integration/healthcheck_test.go
@@ -304,8 +308,6 @@ linters:
        text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
      - path: (.+)\.go$
        text: 'SA1019: c.Providers.(ConsulCatalog|Consul|Nomad).Namespace is deprecated'
-      - path: (.+)\.go$
-        text: 'SA1019: dockertypes.ContainerNode is deprecated'
      - path: pkg/provider/kubernetes/crd/kubernetes.go
        text: "Function 'loadConfigurationFromCRD' has too many statements"
        linters:
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -1,13 +0,0 @@
-version: v1.0
-name: Traefik Release - deprecated
-agent:
-  machine:
-    type: f1-standard-2
-    os_image: ubuntu2204
-blocks:
-  - name: 'Do nothing'
-    task:
-      jobs:
-        - name: 'Do nothing'
-          commands:
-            - echo "Do nothing"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,185 @@
+## [v3.5.4](https://github.com/traefik/traefik/tree/v3.5.4) (2025-10-28)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.3...v3.5.4)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.27.0 ([#12166](https://github.com/traefik/traefik/pull/12166) by [ldez](https://github.com/ldez))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.26.0 ([#12063](https://github.com/traefik/traefik/pull/12063) by [ldez](https://github.com/ldez))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.55.0 ([#12121](https://github.com/traefik/traefik/pull/12121) by [GreyXor](https://github.com/GreyXor))
+- **[kv]** Bump github.com/kvtools/etcdv3 to v1.0.3 ([#12163](https://github.com/traefik/traefik/pull/12163) by [kevinpollet](https://github.com/kevinpollet))
+- **[logs,metrics,tracing,accesslogs,otel]** Fix otel not working without USER ([#12103](https://github.com/traefik/traefik/pull/12103) by [mmatur](https://github.com/mmatur))
+- **[logs,otel]** Enable stdout logging when OTLP is enabled ([#12124](https://github.com/traefik/traefik/pull/12124) by [lbenguigui](https://github.com/lbenguigui))
+- **[metrics,otel]** Rename traefik_tls_certs_not_after_milliseconds to traefik_tls_certs_not_after_seconds ([#12141](https://github.com/traefik/traefik/pull/12141) by [shreealt](https://github.com/shreealt))
+- **[otel]** Update OpenTelemetry to v1.38.0 and semantic conventions to v1.37.0 ([#12099](https://github.com/traefik/traefik/pull/12099) by [rtribotte](https://github.com/rtribotte))
+- **[otel]** Do not fail when pod is not found in K8sAttributesDetector ([#12096](https://github.com/traefik/traefik/pull/12096) by [xe-leon](https://github.com/xe-leon))
+- **[tls]** Make the staple updates continuous ([#12142](https://github.com/traefik/traefik/pull/12142) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Fix version display regression ([#12111](https://github.com/traefik/traefik/pull/12111) by [mdeliatf](https://github.com/mdeliatf))
+
+**Documentation:**
+- **[accesslogs]** Fix link for accesslog.fields.names in documentation ([#12094](https://github.com/traefik/traefik/pull/12094) by [rmbruntz](https://github.com/rmbruntz))
+- **[acme]** Fix Hetzner env var name inside documentation ([#12187](https://github.com/traefik/traefik/pull/12187) by [ldez](https://github.com/ldez))
+- **[acme]** Replace internal dead links ([#12152](https://github.com/traefik/traefik/pull/12152) by [rtribotte](https://github.com/rtribotte))
+- **[acme]** Clean and avoid collisions of anchors in option tables ([#12149](https://github.com/traefik/traefik/pull/12149) by [rtribotte](https://github.com/rtribotte))
+- **[docker/swarm]** Fix swarm code example ([#12115](https://github.com/traefik/traefik/pull/12115) by [Dr4K4n](https://github.com/Dr4K4n))
+- **[healthcheck]** Clarify health check requirement for server status metric ([#12201](https://github.com/traefik/traefik/pull/12201) by [asafm](https://github.com/asafm))
+- **[k8s/crd]** Fix typo in ingressroute.md from pirority to priority ([#12112](https://github.com/traefik/traefik/pull/12112) by [miromichalicka](https://github.com/miromichalicka))
+- **[k8s]** Fix incorrect option and lint page ([#12108](https://github.com/traefik/traefik/pull/12108) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[k8s]** Add API basePath documentation and fix broken links ([#12177](https://github.com/traefik/traefik/pull/12177) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s]** Merge TLSOption/TLSStore CRD documentation page ([#12164](https://github.com/traefik/traefik/pull/12164) by [nmengin](https://github.com/nmengin))
+- **[logs]** Clarify log.filePath behavior in documentation ([#12153](https://github.com/traefik/traefik/pull/12153) by [Alanxtl](https://github.com/Alanxtl))
+- **[metrics]** Fix incorrect addInternals configuration option ([#12118](https://github.com/traefik/traefik/pull/12118) by [shreealt](https://github.com/shreealt))
+- **[middleware]** Fix anchors in basic auth configuration options ([#12168](https://github.com/traefik/traefik/pull/12168) by [homersimpsons](https://github.com/homersimpsons))
+- **[middleware]** Fix PreserveRequestMethod casing ([#12122](https://github.com/traefik/traefik/pull/12122) by [LeTamanoir](https://github.com/LeTamanoir))
+- **[middleware]** Add missing reference docs for statusRewrites in errors middleware ([#12198](https://github.com/traefik/traefik/pull/12198) by [sevensolutions](https://github.com/sevensolutions))
+- **[middleware]** Document rejectStatusCode ([#12062](https://github.com/traefik/traefik/pull/12062) by [czocher](https://github.com/czocher))
+- **[otel]** Align documentation on default otlp endpoint ([#12151](https://github.com/traefik/traefik/pull/12151) by [mloiseleur](https://github.com/mloiseleur))
+- **[otel]** Fix metric name to metrics.otlp.grpc.insecure ([#12200](https://github.com/traefik/traefik/pull/12200) by [germainlefebvre4](https://github.com/germainlefebvre4))
+- **[server,k8s/crd,k8s]** Add dedicated pages for routers and fix doc links in CRDs ([#12119](https://github.com/traefik/traefik/pull/12119) by [rtribotte](https://github.com/rtribotte))
+- **[tls]** Fix typo in TLS certificate generation description ([#12185](https://github.com/traefik/traefik/pull/12185) by [iraj-jelo](https://github.com/iraj-jelo))
+- Fix wrong references to router&#39;s pages ([#12131](https://github.com/traefik/traefik/pull/12131) by [rtribotte](https://github.com/rtribotte))
+- Fix markdown rendering for table anchors ([#12129](https://github.com/traefik/traefik/pull/12129) by [MaBauMeBad](https://github.com/MaBauMeBad))
+- Fix provider option descriptions ([#12135](https://github.com/traefik/traefik/pull/12135) by [kevinpollet](https://github.com/kevinpollet))
+- Format HTTP headers as code ([#12105](https://github.com/traefik/traefik/pull/12105) by [tyilo](https://github.com/tyilo))
+- Fix heading levels and add links ([#12084](https://github.com/traefik/traefik/pull/12084) by [Granjow](https://github.com/Granjow))
+
+**Misc:**
+- Merge branch v2.11 into v3.5 ([#12206](https://github.com/traefik/traefik/pull/12206) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.11 into v3.5 ([#12158](https://github.com/traefik/traefik/pull/12158) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.30](https://github.com/traefik/traefik/tree/v2.11.30) (2025-10-28)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.29...v2.11.30)
+
+**Bug fixes:**
+- **[http3]** Bump github.com/quic-go/quic-go to v0.55.0 ([#12156](https://github.com/traefik/traefik/pull/12156) by [kevinpollet](https://github.com/kevinpollet))
+- **[kv]** Fix KV key name used to check if connection is alive ([#12162](https://github.com/traefik/traefik/pull/12162) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Bump golang.org/x/net to v0.46.0 ([#12143](https://github.com/traefik/traefik/pull/12143) by [kevinpollet](https://github.com/kevinpollet))
+- **[tracing]** Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.74.6 ([#12083](https://github.com/traefik/traefik/pull/12083) by [hannahkm](https://github.com/hannahkm))
+
+## [v3.5.3](https://github.com/traefik/traefik/tree/v3.5.3) (2025-09-26)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.2...v3.5.3)
+
+**Bug fixes:**
+- **[k8s/crd]** ServersTransport: set minimum MaxIdleConnsPerHost=-1 ([#12077](https://github.com/traefik/traefik/pull/12077) by [xe-leon](https://github.com/xe-leon))
+- **[plugins]** Refactor plugins system ([#12035](https://github.com/traefik/traefik/pull/12035) by [jspdown](https://github.com/jspdown))
+- **[server]** Use client conn to build the proxy protocol header ([#12069](https://github.com/traefik/traefik/pull/12069) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Update hub-button-app to use a local script ([#12060](https://github.com/traefik/traefik/pull/12060) by [mdeliatf](https://github.com/mdeliatf))
+
+**Documentation:**
+- **[acme,middleware]** Fix broken links in documentation ([#12057](https://github.com/traefik/traefik/pull/12057) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s]** Create Traefik Service CRD sub-resource documentation page ([#12080](https://github.com/traefik/traefik/pull/12080) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Fix conflict in IngressRouteTCP documentation ([#12064](https://github.com/traefik/traefik/pull/12064) by [MatBon01](https://github.com/MatBon01))
+- Fix typo in rules and priority documentation ([#12089](https://github.com/traefik/traefik/pull/12089) by [Darkangeel-hd](https://github.com/Darkangeel-hd))
+- Add govern section ([#12067](https://github.com/traefik/traefik/pull/12067) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix entrypoint config examples ([#12056](https://github.com/traefik/traefik/pull/12056) by [markormesher](https://github.com/markormesher))
+- Reorganize the menu entries ([#12044](https://github.com/traefik/traefik/pull/12044) by [nmengin](https://github.com/nmengin))
+- Add New Secure Section to the Documentation ([#11978](https://github.com/traefik/traefik/pull/11978) by [sheddy-traefik](https://github.com/sheddy-traefik))
+
+## [v3.5.2](https://github.com/traefik/traefik/tree/v3.5.2) (2025-09-09)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.1...v3.5.2)
+
+**Bug fixes:**
+- **[middleware,accesslogs]** Add GenericCLF log format for access logs ([#12033](https://github.com/traefik/traefik/pull/12033) by [sdelicata](https://github.com/sdelicata))
+- **[middleware]** Fix customerrors query url replacement ([#11876](https://github.com/traefik/traefik/pull/11876) by [DorianBlues](https://github.com/DorianBlues))
+- **[tls,service]** Send proxy protocol header before TLS handshake ([#11956](https://github.com/traefik/traefik/pull/11956) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Restore empty webui/static to use traefik as library ([#12025](https://github.com/traefik/traefik/pull/12025) by [youkoulayley](https://github.com/youkoulayley))
+
+**Documentation:**
+- **[accesslogs]** Fix path for access-logs header config ([#12030](https://github.com/traefik/traefik/pull/12030) by [cgatt](https://github.com/cgatt))
+- **[acme]** Fixes typo for OCSP in CLI example ([#12039](https://github.com/traefik/traefik/pull/12039) by [mloiseleur](https://github.com/mloiseleur))
+- **[docker/swarm]** Fixes typo for Swarm mode in CLI example ([#12038](https://github.com/traefik/traefik/pull/12038) by [BilalBudhani](https://github.com/BilalBudhani))
+- **[kv]** Fix broken links in KV store documentation ([#12040](https://github.com/traefik/traefik/pull/12040) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[middleware]** Add redis options to ratelimit middleware &amp; Include distributed rate limit middleware ([#12041](https://github.com/traefik/traefik/pull/12041) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[server]** Fix link to HTTP3 section in documentation ([#12028](https://github.com/traefik/traefik/pull/12028) by [vincentbernat](https://github.com/vincentbernat))
+- Fix migration path in documentation ([#12032](https://github.com/traefik/traefik/pull/12032) by [nmengin](https://github.com/nmengin))
+
+## [v3.5.1](https://github.com/traefik/traefik/tree/v3.5.1) (2025-08-27)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.0...v3.5.1)
+
+**Bug fixes:**
+- **[accesslogs,otel]** Provide Log Body in OTEL access Log ([#11867](https://github.com/traefik/traefik/pull/11867) by [tomMoulard](https://github.com/tomMoulard))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.25.1 ([#11882](https://github.com/traefik/traefik/pull/11882) by [ldez](https://github.com/ldez))
+- **[k8s/gatewayapi]** Make app protocol case insensitive ([#11989](https://github.com/traefik/traefik/pull/11989) by [shreealt](https://github.com/shreealt))
+- **[otel]** Fix misspelling in docs ([#11952](https://github.com/traefik/traefik/pull/11952) by [mmanciop](https://github.com/mmanciop))
+- **[server]** Bump to github.com/pires/go-proxyproto v0.8.1 ([#11991](https://github.com/traefik/traefik/pull/11991) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Silent expected errors on receiving sigterm signal ([#11838](https://github.com/traefik/traefik/pull/11838) by [Kwuray](https://github.com/Kwuray))
+- **[tracing]** Fix capturedRequestHeaders and capturedResponseHeaders headers options not being canonicalized in tracing ([#12005](https://github.com/traefik/traefik/pull/12005) by [mcuelenaere](https://github.com/mcuelenaere))
+- **[tracing]** Follow OTel semantic conventions for root span naming ([#11673](https://github.com/traefik/traefik/pull/11673) by [Alex-Waring](https://github.com/Alex-Waring))
+- **[webui]** Update Traefik Proxy dashboard UI development deps ([#11958](https://github.com/traefik/traefik/pull/11958) by [mdeliatf](https://github.com/mdeliatf))
+- Refactor to use reflect.TypeFor ([#12010](https://github.com/traefik/traefik/pull/12010) by [cuiweixie](https://github.com/cuiweixie))
+
+**Documentation:**
+- **[docker]** Fix missing middleware application for whoami service in docker guide ([#12012](https://github.com/traefik/traefik/pull/12012) by [Copilot](https://github.com/apps/copilot-swe-agent))
+- **[k8s/gatewayapi]** Fix documentation to match new gateway-api selector syntax ([#12006](https://github.com/traefik/traefik/pull/12006) by [Firespray-31](https://github.com/Firespray-31))
+- **[middleware,hub]** Add Traefik Hub Middlewares To Reference Section ([#11937](https://github.com/traefik/traefik/pull/11937) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[plugins]** Add extend documentation ([#11904](https://github.com/traefik/traefik/pull/11904) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Update Broken Links in the Migration Docs ([#12016](https://github.com/traefik/traefik/pull/12016) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix Documentation menu ([#12013](https://github.com/traefik/traefik/pull/12013) by [nmengin](https://github.com/nmengin))
+- Fix invalid links in documentation ([#11995](https://github.com/traefik/traefik/pull/11995) by [mloiseleur](https://github.com/mloiseleur))
+- Fix typo in index ([#11994](https://github.com/traefik/traefik/pull/11994) by [ignyx](https://github.com/ignyx))
+- Restore missing migration section ([#11973](https://github.com/traefik/traefik/pull/11973) by [rtribotte](https://github.com/rtribotte))
+- Clean Documentation ([#11945](https://github.com/traefik/traefik/pull/11945) by [nmengin](https://github.com/nmengin))
+- Add back the link to Peka&#39;s page ([#11942](https://github.com/traefik/traefik/pull/11942) by [kevinpollet](https://github.com/kevinpollet))
+
+**Misc:**
+- Merge branch v2.11 into v3.5 ([#12019](https://github.com/traefik/traefik/pull/12019) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.5 ([#12017](https://github.com/traefik/traefik/pull/12017) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.5 ([#11966](https://github.com/traefik/traefik/pull/11966) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.4 into v3.5 ([#11953](https://github.com/traefik/traefik/pull/11953) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.29](https://github.com/traefik/traefik/tree/v2.11.29) (2025-08-26)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.28...v2.11.29)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.25.2 ([#11983](https://github.com/traefik/traefik/pull/11983) by [ldez](https://github.com/ldez))
+- **[docker]** Bump github.com/docker/docker to v28.3.3 ([#12007](https://github.com/traefik/traefik/pull/12007) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- Fix invalid links in documentation ([#11960](https://github.com/traefik/traefik/pull/11960) by [mloiseleur](https://github.com/mloiseleur))
+- Update releases docs for v3.5 ([#11949](https://github.com/traefik/traefik/pull/11949) by [jnoordsij](https://github.com/jnoordsij))
+
+## [v3.5.0](https://github.com/traefik/traefik/tree/v3.5.0) (2025-07-23)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.0-rc1...v3.5.0)
+
+**Enhancements:**
+- **[acme]** OCSP stapling ([#8393](https://github.com/traefik/traefik/pull/8393) by [alekitto](https://github.com/alekitto))
+- **[acme]** Add acme.httpChallenge.delay option ([#11643](https://github.com/traefik/traefik/pull/11643) by [ldez](https://github.com/ldez))
+- **[acme]** Allow configuration of ACME provider http timeout ([#11637](https://github.com/traefik/traefik/pull/11637) by [tkw1536](https://github.com/tkw1536))
+- **[healthcheck]** Add url option to healthcheck command ([#11711](https://github.com/traefik/traefik/pull/11711) by [Nelwhix](https://github.com/Nelwhix))
+- **[healthcheck]** Add unhealthy Interval to the health check configuration ([#10610](https://github.com/traefik/traefik/pull/10610) by [sswastik02](https://github.com/sswastik02))
+- **[k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.3.0 ([#11719](https://github.com/traefik/traefik/pull/11719) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** Make the behavior of prefix matching in Ingress consistent with Kubernetes doc ([#11203](https://github.com/traefik/traefik/pull/11203) by [charlie0129](https://github.com/charlie0129))
+- **[k8s]** NGINX Ingress Provider ([#11844](https://github.com/traefik/traefik/pull/11844) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,authentication]** Handle context canceled in ForwardAuth middleware ([#11817](https://github.com/traefik/traefik/pull/11817) by [bengentree](https://github.com/bengentree))
+- **[plugins]** Ability to enable unsafe in yaegi through plugin manifest ([#11589](https://github.com/traefik/traefik/pull/11589) by [Rydez](https://github.com/Rydez))
+- **[tls]** Introduce X25519MLKEM768 for Post-Quantum-Secure TLS ([#11731](https://github.com/traefik/traefik/pull/11731) by [fzoli](https://github.com/fzoli))
+- **[webui]** Migrate Traefik Proxy dashboard UI to React ([#11674](https://github.com/traefik/traefik/pull/11674) by [gndz07](https://github.com/gndz07))
+- **[webui]** Improve visualization for StatusRewrites option of errors middleware ([#11806](https://github.com/traefik/traefik/pull/11806) by [sevensolutions](https://github.com/sevensolutions))
+
+**Bug fixes:**
+- **[healthcheck]** Revert 11711 adding url param to healthcheck command ([#11927](https://github.com/traefik/traefik/pull/11927) by [lbenguigui](https://github.com/lbenguigui))
+- **[logs,metrics,tracing,accesslogs,otel]** Add missing resource attributes detectors ([#11874](https://github.com/traefik/traefik/pull/11874) by [rtribotte](https://github.com/rtribotte))
+- **[logs,tracing,k8s,otel]** Add k8s resource attributes automatically ([#11906](https://github.com/traefik/traefik/pull/11906) by [kevinpollet](https://github.com/kevinpollet))
+- **[metrics,otel]** Add resourceAttributes option to OTel metrics ([#11908](https://github.com/traefik/traefik/pull/11908) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware,tracing]** Introduce trace verbosity config and produce less spans by default ([#11870](https://github.com/traefik/traefik/pull/11870) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[docker,ecs,docker/swarm,consulcatalog,nomad]** Add constraints key limitations for label providers ([#11893](https://github.com/traefik/traefik/pull/11893) by [bluepuma77](https://github.com/bluepuma77))
+- **[k8s]** Add extended NGinX annotation support documentation ([#11920](https://github.com/traefik/traefik/pull/11920) by [nmengin](https://github.com/nmengin))
+- Remove dead link to Peka blog ([#11934](https://github.com/traefik/traefik/pull/11934) by [kevinpollet](https://github.com/kevinpollet))
+- Prepare release v3.5.0-rc2 ([#11899](https://github.com/traefik/traefik/pull/11899) by [kevinpollet](https://github.com/kevinpollet))
+- Prepare release v3.5.0-rc1 ([#11865](https://github.com/traefik/traefik/pull/11865) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v3.4 into v3.5 ([#11933](https://github.com/traefik/traefik/pull/11933) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into v3.5 ([#11898](https://github.com/traefik/traefik/pull/11898) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.4 into master ([#11863](https://github.com/traefik/traefik/pull/11863) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11861](https://github.com/traefik/traefik/pull/11861) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11857](https://github.com/traefik/traefik/pull/11857) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11855](https://github.com/traefik/traefik/pull/11855) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11813](https://github.com/traefik/traefik/pull/11813) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.4 into master ([#11758](https://github.com/traefik/traefik/pull/11758) by [mmatur](https://github.com/mmatur))
+- Merge v3.4 into master ([#11752](https://github.com/traefik/traefik/pull/11752) by [mmatur](https://github.com/mmatur))
+- Merge branch v3.4 into master ([#11708](https://github.com/traefik/traefik/pull/11708) by [kevinpollet](https://github.com/kevinpollet))
+
 ## [v3.4.5](https://github.com/traefik/traefik/tree/v3.4.5) (2025-07-23)
 [All Commits](https://github.com/traefik/traefik/compare/v3.4.4...v3.4.5)

@@ -22,6 +204,15 @@
 **Documentation:**
 - **[k8s/crd,k8s]** Remove all mentions of ordering for TLSOption CurvePreferences field ([#11924](https://github.com/traefik/traefik/pull/11924) by [jnoordsij](https://github.com/jnoordsij))

+## [v3.5.0-rc2](https://github.com/traefik/traefik/tree/v3.5.0-rc2) (2025-07-11)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.0-rc1...v3.5.0-rc2)
+
+**Bug fixes:**
+- **[logs,metrics,tracing,accesslogs,otel]** Add missing resource attributes detectors ([#11874](https://github.com/traefik/traefik/pull/11874) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v3.4 into v3.5 ([#11898](https://github.com/traefik/traefik/pull/11898) by [kevinpollet](https://github.com/kevinpollet))
+
 ## [v3.4.4](https://github.com/traefik/traefik/tree/v3.4.4) (2025-07-11)
 [All Commits](https://github.com/traefik/traefik/compare/v3.4.3...v3.4.4)

@@ -45,6 +236,34 @@
 **Bug fixes:**
 - Bump github.com/go-viper/mapstructure/v2 to v2.3.0 ([#11880](https://github.com/traefik/traefik/pull/11880) by [kevinpollet](https://github.com/kevinpollet))

+## [v3.5.0-rc1](https://github.com/traefik/traefik/tree/v3.5.0-rc1) (2025-06-26)
+[All Commits](https://github.com/traefik/traefik/compare/v3.4.0-rc1...v3.5.0-rc1)
+
+**Enhancements:**
+- **[acme]** OCSP stapling ([#8393](https://github.com/traefik/traefik/pull/8393) by [alekitto](https://github.com/alekitto))
+- **[acme]** Add acme.httpChallenge.delay option ([#11643](https://github.com/traefik/traefik/pull/11643) by [ldez](https://github.com/ldez))
+- **[acme]** Allow configuration of ACME provider http timeout ([#11637](https://github.com/traefik/traefik/pull/11637) by [tkw1536](https://github.com/tkw1536))
+- **[healthcheck]** Add url option to healthcheck command ([#11711](https://github.com/traefik/traefik/pull/11711) by [Nelwhix](https://github.com/Nelwhix))
+- **[healthcheck]** Add unhealthy Interval to the health check configuration ([#10610](https://github.com/traefik/traefik/pull/10610) by [sswastik02](https://github.com/sswastik02))
+- **[k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.3.0 ([#11719](https://github.com/traefik/traefik/pull/11719) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** Make the behavior of prefix matching in Ingress consistent with Kubernetes doc ([#11203](https://github.com/traefik/traefik/pull/11203) by [charlie0129](https://github.com/charlie0129))
+- **[k8s]** NGINX Ingress Provider ([#11844](https://github.com/traefik/traefik/pull/11844) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,authentication]** Handle context canceled in ForwardAuth middleware ([#11817](https://github.com/traefik/traefik/pull/11817) by [bengentree](https://github.com/bengentree))
+- **[plugins]** Ability to enable unsafe in yaegi through plugin manifest ([#11589](https://github.com/traefik/traefik/pull/11589) by [Rydez](https://github.com/Rydez))
+- **[tls]** Introduce X25519MLKEM768 for Post-Quantum-Secure TLS ([#11731](https://github.com/traefik/traefik/pull/11731) by [fzoli](https://github.com/fzoli))
+- **[webui]** Migrate Traefik Proxy dashboard UI to React ([#11674](https://github.com/traefik/traefik/pull/11674) by [gndz07](https://github.com/gndz07))
+- **[webui]** Improve visualization for StatusRewrites option of errors middleware ([#11806](https://github.com/traefik/traefik/pull/11806) by [sevensolutions](https://github.com/sevensolutions))
+
+**Misc:**
+- Merge branch v3.4 into master ([#11863](https://github.com/traefik/traefik/pull/11863) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11861](https://github.com/traefik/traefik/pull/11861) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11857](https://github.com/traefik/traefik/pull/11857) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11855](https://github.com/traefik/traefik/pull/11855) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11813](https://github.com/traefik/traefik/pull/11813) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.4 into master ([#11758](https://github.com/traefik/traefik/pull/11758) by [mmatur](https://github.com/mmatur))
+- Merge v3.4 into master ([#11752](https://github.com/traefik/traefik/pull/11752) by [mmatur](https://github.com/mmatur))
+- Merge branch v3.4 into master ([#11708](https://github.com/traefik/traefik/pull/11708) by [kevinpollet](https://github.com/kevinpollet))
+
 ## [v3.4.3](https://github.com/traefik/traefik/tree/v3.4.3) (2025-06-26)
 [All Commits](https://github.com/traefik/traefik/compare/v3.4.2...v3.4.3)

--- a/12
+++ b/12
@@ -30,7 +30,7 @@ dist:
 .PHONY: build-webui-image
 #? build-webui-image: Build WebUI Docker image
 build-webui-image:
-	docker build -t traefik-webui -f webui/Dockerfile webui
+	docker build -t traefik-webui -f webui/buildx.Dockerfile webui

 .PHONY: clean-webui
 #? clean-webui: Clean WebUI static generated assets
@@ -41,8 +41,9 @@ clean-webui:

 webui/static/index.html:
 	$(MAKE) build-webui-image
-	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui npm run build:nc
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui yarn build:prod
 	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static
+	printf 'For more information see `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md

 .PHONY: generate-webui
 #? generate-webui: Generate WebUI
@@ -102,7 +103,7 @@ test-integration:
 #? test-gateway-api-conformance: Run the conformance tests
 test-gateway-api-conformance: build-image-dirty
 	# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.4" $(TESTFLAGS)
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.5" $(TESTFLAGS)

 .PHONY: test-ui-unit
 #? test-ui-unit: Run the unit tests for the webui
@@ -183,11 +184,6 @@ generate-crd:
 generate-genconf:
 	go run ./cmd/internal/gen/

-.PHONY: release-packages
-#? release-packages: Create packages for the release
-release-packages: generate-webui
-	$(CURDIR)/script/release-packages.sh
-
 .PHONY: fmt
 #? fmt: Format the Code
 fmt:
--- a/README.md
+++ b/README.md
@@ -7,7 +7,6 @@
    </picture>
 </p>

-[![Build Status SemaphoreCI](https://traefik-oss.semaphoreci.com/badges/traefik/branches/master.svg?style=shields)](https://traefik-oss.semaphoreci.com/projects/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
@@ -152,7 +151,7 @@ We use [Semantic Versioning](https://semver.org/).

 ## Credits

-Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the gopher's logo!.
+Kudos to [Peka](https://www.instagram.com/pierroks/) for his awesome work on the gopher's logo!.

 The gopher's logo of Traefik is licensed under the Creative Commons 3.0 Attributions license.

--- a/cmd/traefik/logger.go
+++ b/cmd/traefik/logger.go
@@ -1,6 +1,7 @@
 package main

 import (
+	"context"
 	"errors"
 	"fmt"
 	"io"
@@ -13,7 +14,7 @@ import (
 	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
 	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v3/pkg/logs"
+	"github.com/traefik/traefik/v3/pkg/observability/logs"
 	"gopkg.in/natefinch/lumberjack.v2"
 )

@@ -22,7 +23,7 @@ func init() {
 	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
 }

-func setupLogger(staticConfiguration *static.Configuration) error {
+func setupLogger(ctx context.Context, staticConfiguration *static.Configuration) error {
 	// Validate that the experimental flag is set up at this point,
 	// rather than validating the static configuration before the setupLogger call.
 	// This ensures that validation messages are not logged using an un-configured logger.
@@ -39,16 +40,16 @@ func setupLogger(staticConfiguration *static.Configuration) error {
 	zerolog.SetGlobalLevel(logLevel)

 	// create logger
-	logCtx := zerolog.New(w).With().Timestamp()
+	logger := zerolog.New(w).With().Timestamp()
 	if logLevel <= zerolog.DebugLevel {
-		logCtx = logCtx.Caller()
+		logger = logger.Caller()
 	}

-	log.Logger = logCtx.Logger().Level(logLevel)
+	log.Logger = logger.Logger().Level(logLevel)

 	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
 		var err error
-		log.Logger, err = logs.SetupOTelLogger(log.Logger, staticConfiguration.Log.OTLP)
+		log.Logger, err = logs.SetupOTelLogger(ctx, log.Logger, staticConfiguration.Log.OTLP)
 		if err != nil {
 			return fmt.Errorf("setting up OpenTelemetry logger: %w", err)
 		}
@@ -67,10 +68,6 @@ func setupLogger(staticConfiguration *static.Configuration) error {
 }

 func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
-	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
-		return io.Discard
-	}
-
 	var w io.Writer = os.Stdout
 	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
 		_, _ = os.OpenFile(staticConfiguration.Log.FilePath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666)
--- a/cmd/traefik/plugins.go
+++ b/cmd/traefik/plugins.go
@@ -2,43 +2,62 @@ package main

 import (
 	"fmt"
+	"net/http"
+	"path/filepath"
+	"time"

+	"github.com/hashicorp/go-retryablehttp"
+	"github.com/rs/zerolog/log"
 	"github.com/traefik/traefik/v3/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/observability/logs"
 	"github.com/traefik/traefik/v3/pkg/plugins"
 )

 const outputDir = "./plugins-storage/"

 func createPluginBuilder(staticConfiguration *static.Configuration) (*plugins.Builder, error) {
-	client, plgs, localPlgs, err := initPlugins(staticConfiguration)
+	manager, plgs, localPlgs, err := initPlugins(staticConfiguration)
 	if err != nil {
 		return nil, err
 	}

-	return plugins.NewBuilder(client, plgs, localPlgs)
+	return plugins.NewBuilder(manager, plgs, localPlgs)
 }

-func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, map[string]plugins.LocalDescriptor, error) {
+func initPlugins(staticCfg *static.Configuration) (*plugins.Manager, map[string]plugins.Descriptor, map[string]plugins.LocalDescriptor, error) {
 	err := checkUniquePluginNames(staticCfg.Experimental)
 	if err != nil {
 		return nil, nil, nil, err
 	}

-	var client *plugins.Client
+	var manager *plugins.Manager
 	plgs := map[string]plugins.Descriptor{}

 	if hasPlugins(staticCfg) {
-		opts := plugins.ClientOptions{
+		httpClient := retryablehttp.NewClient()
+		httpClient.Logger = logs.NewRetryableHTTPLogger(log.Logger)
+		httpClient.HTTPClient = &http.Client{Timeout: 10 * time.Second}
+		httpClient.RetryMax = 3
+
+		// Create separate downloader for HTTP operations
+		archivesPath := filepath.Join(outputDir, "archives")
+		downloader, err := plugins.NewRegistryDownloader(plugins.RegistryDownloaderOptions{
+			HTTPClient:   httpClient.HTTPClient,
+			ArchivesPath: archivesPath,
+		})
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("unable to create plugin downloader: %w", err)
+		}
+
+		opts := plugins.ManagerOptions{
 			Output: outputDir,
 		}
-
-		var err error
-		client, err = plugins.NewClient(opts)
+		manager, err = plugins.NewManager(downloader, opts)
 		if err != nil {
-			return nil, nil, nil, fmt.Errorf("unable to create plugins client: %w", err)
+			return nil, nil, nil, fmt.Errorf("unable to create plugins manager: %w", err)
 		}

-		err = plugins.SetupRemotePlugins(client, staticCfg.Experimental.Plugins)
+		err = plugins.SetupRemotePlugins(manager, staticCfg.Experimental.Plugins)
 		if err != nil {
 			return nil, nil, nil, fmt.Errorf("unable to set up plugins environment: %w", err)
 		}
@@ -57,7 +76,7 @@ func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]p
 		localPlgs = staticCfg.Experimental.LocalPlugins
 	}

-	return client, plgs, localPlgs, nil
+	return manager, plgs, localPlgs, nil
 }

 func checkUniquePluginNames(e *static.Experimental) error {
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -30,9 +30,11 @@ import (
 	"github.com/traefik/traefik/v3/pkg/config/dynamic"
 	"github.com/traefik/traefik/v3/pkg/config/runtime"
 	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v3/pkg/logs"
-	"github.com/traefik/traefik/v3/pkg/metrics"
 	"github.com/traefik/traefik/v3/pkg/middlewares/accesslog"
+	"github.com/traefik/traefik/v3/pkg/observability/logs"
+	"github.com/traefik/traefik/v3/pkg/observability/metrics"
+	"github.com/traefik/traefik/v3/pkg/observability/tracing"
+	otypes "github.com/traefik/traefik/v3/pkg/observability/types"
 	"github.com/traefik/traefik/v3/pkg/provider/acme"
 	"github.com/traefik/traefik/v3/pkg/provider/aggregator"
 	"github.com/traefik/traefik/v3/pkg/provider/tailscale"
@@ -46,8 +48,6 @@ import (
 	"github.com/traefik/traefik/v3/pkg/server/service"
 	"github.com/traefik/traefik/v3/pkg/tcp"
 	traefiktls "github.com/traefik/traefik/v3/pkg/tls"
-	"github.com/traefik/traefik/v3/pkg/tracing"
-	"github.com/traefik/traefik/v3/pkg/types"
 	"github.com/traefik/traefik/v3/pkg/version"
 )

@@ -90,7 +90,10 @@ Complete documentation is available at https://traefik.io`,
 }

 func runCmd(staticConfiguration *static.Configuration) error {
-	if err := setupLogger(staticConfiguration); err != nil {
+	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
+	if err := setupLogger(ctx, staticConfiguration); err != nil {
 		return fmt.Errorf("setting up logger: %w", err)
 	}

@@ -122,8 +125,6 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		return err
 	}

-	ctx, _ := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
-
 	if staticConfiguration.Ping != nil {
 		staticConfiguration.Ping.WithContext(ctx)
 	}
@@ -181,7 +182,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	// ACME

-	tlsManager := traefiktls.NewManager()
+	tlsManager := traefiktls.NewManager(staticConfiguration.OCSP)
+	routinesPool.GoCtx(tlsManager.Run)
+
 	httpChallengeProvider := acme.NewChallengeHTTP()

 	tlsChallengeProvider := acme.NewChallengeTLSALPN()
@@ -207,8 +210,8 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		}
 	}
 	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
-	accessLog := setupAccessLog(staticConfiguration.AccessLog)
-	tracer, tracerCloser := setupTracing(staticConfiguration.Tracing)
+	accessLog := setupAccessLog(ctx, staticConfiguration.AccessLog)
+	tracer, tracerCloser := setupTracing(ctx, staticConfiguration.Tracing)
 	observabilityMgr := middleware.NewObservabilityMgr(*staticConfiguration, metricsRegistry, semConvMetricRegistry, accessLog, tracer, tracerCloser)

 	// Entrypoints
@@ -502,7 +505,7 @@ func initTailscaleProviders(cfg *static.Configuration, providerAggregator *aggre
 	return providers
 }

-func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
+func registerMetricClients(metricsConfig *otypes.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
 		return nil
 	}
@@ -583,12 +586,12 @@ func appendCertMetric(gauge gokitmetrics.Gauge, certificate *x509.Certificate) {
 	gauge.With(labels...).Set(notAfter)
 }

-func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
+func setupAccessLog(ctx context.Context, conf *otypes.AccessLog) *accesslog.Handler {
 	if conf == nil {
 		return nil
 	}

-	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
+	accessLoggerMiddleware, err := accesslog.NewHandler(ctx, conf)
 	if err != nil {
 		log.Warn().Err(err).Msg("Unable to create access logger")
 		return nil
@@ -597,12 +600,12 @@ func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
 	return accessLoggerMiddleware
 }

-func setupTracing(conf *static.Tracing) (*tracing.Tracer, io.Closer) {
+func setupTracing(ctx context.Context, conf *static.Tracing) (*tracing.Tracer, io.Closer) {
 	if conf == nil {
 		return nil, nil
 	}

-	tracer, closer, err := tracing.NewTracing(conf)
+	tracer, closer, err := tracing.NewTracing(ctx, conf)
 	if err != nil {
 		log.Warn().Err(err).Msg("Unable to create tracer")
 		return nil, nil
--- a/docs/content/assets/css/menu-icons.css
+++ b/docs/content/assets/css/menu-icons.css
@@ -0,0 +1,58 @@
+/* Traefik Hub Menu icon base styles */
+.menu-icon {
+  height: 18px;
+  width: 18px;
+  vertical-align: middle;
+  margin-left: 6px;
+  transition: all 0.2s ease;
+  filter: drop-shadow(0 1px 1px rgba(0,0,0,0.1));
+  display: inline;
+  white-space: nowrap;
+}
+
+/* Ensure parent container keeps items inline */
+.nav-link-with-icon {
+  white-space: nowrap !important;
+  display: inline-flex !important;
+  align-items: center !important;
+}
+
+/* Hover effects */
+.menu-icon:hover {
+  transform: scale(1.05);
+  opacity: 0.8;
+}
+
+/* Tablet responsive */
+@media (max-width: 1024px) {
+  .menu-icon {
+    height: 14px;
+    width: 14px;
+    margin-left: 4px;
+  }
+}
+
+/* Mobile responsive */
+@media (max-width: 768px) {
+  .menu-icon {
+    height: 12px;
+    width: 12px;
+    margin-left: 3px;
+    vertical-align: middle;
+  }
+  
+  /* Keep mobile navigation items inline */
+  .nav-link-with-icon {
+    display: inline-flex !important;
+    align-items: center !important;
+    width: auto !important;
+  }
+}
+
+/* High DPI displays */
+@media (-webkit-min-device-pixel-ratio: 2), (min-resolution: 192dpi) {
+  .menu-icon {
+    image-rendering: -webkit-optimize-contrast;
+    image-rendering: crisp-edges;
+  }
+}
--- a/docs/content/assets/img/middleware/addprefix.png
+++ b/docs/content/assets/img/middleware/addprefix.png
--- a/docs/content/assets/img/middleware/authforward.png
+++ b/docs/content/assets/img/middleware/authforward.png
--- a/docs/content/assets/img/middleware/basicauth.png
+++ b/docs/content/assets/img/middleware/basicauth.png
--- a/docs/content/assets/img/middleware/buffering.png
+++ b/docs/content/assets/img/middleware/buffering.png
--- a/docs/content/assets/img/middleware/chain.png
+++ b/docs/content/assets/img/middleware/chain.png
--- a/docs/content/assets/img/middleware/circuitbreaker.png
+++ b/docs/content/assets/img/middleware/circuitbreaker.png
--- a/docs/content/assets/img/middleware/compress.png
+++ b/docs/content/assets/img/middleware/compress.png
--- a/docs/content/assets/img/middleware/digestauth.png
+++ b/docs/content/assets/img/middleware/digestauth.png
--- a/docs/content/assets/img/middleware/errorpages.png
+++ b/docs/content/assets/img/middleware/errorpages.png
--- a/docs/content/assets/img/middleware/headers.png
+++ b/docs/content/assets/img/middleware/headers.png
--- a/docs/content/assets/img/middleware/inflightreq.png
+++ b/docs/content/assets/img/middleware/inflightreq.png
--- a/docs/content/assets/img/middleware/ipwhitelist.png
+++ b/docs/content/assets/img/middleware/ipwhitelist.png
--- a/docs/content/assets/img/middleware/overview.png
+++ b/docs/content/assets/img/middleware/overview.png
--- a/docs/content/assets/img/secure/oidc-auth-flow.png
+++ b/docs/content/assets/img/secure/oidc-auth-flow.png
--- a/docs/content/assets/img/webui-dashboard.png
+++ b/docs/content/assets/img/webui-dashboard.png
--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -15,7 +15,7 @@ Let's see how.

 ### General

-This [documentation](../../ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").
+This [documentation](../index.md "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").

 ### Method 1: `Docker` and `make`

--- a/docs/content/deprecation/releases.md
+++ b/docs/content/deprecation/releases.md
@@ -6,7 +6,8 @@ Below is a non-exhaustive list of versions and their maintenance status:

 | Version | Release Date | Active Support     | Security Support  |
 |---------|--------------|--------------------|-------------------|
-| 3.4     | May 05, 2025 | Yes                | Yes               |
+| 3.5     | Jul 23, 2025 | Yes                | Yes               |
+| 3.4     | May 05, 2025 | Ended Jul 23, 2025 | No                |
 | 3.3     | Jan 06, 2025 | Ended May 05, 2025 | No                |
 | 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 | No                |
 | 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 | No                |
--- a/docs/content/expose/docker.md
+++ b/docs/content/expose/docker.md
@@ -90,7 +90,7 @@ This confirms that Traefik is successfully routing requests to your whoami appli

 ## Add Routing Rules

-Now we'll enhance our routing by directing traffic to different services based on [URL paths](../reference/routing-configuration/http/router/rules-and-priority.md#path-pathprefix-and-pathregexp). This is useful for API versioning, frontend/backend separation, or organizing microservices.
+Now we'll enhance our routing by directing traffic to different services based on [URL paths](../reference/routing-configuration/http/routing/rules-and-priority.md#path-pathprefix-and-pathregexp). This is useful for API versioning, frontend/backend separation, or organizing microservices.

 Update your `docker-compose.yml` to add another service:

@@ -258,6 +258,9 @@ labels:
  
  # IP Allowlist Middleware
  - "traefik.http.middlewares.ip-allowlist.ipallowlist.sourceRange=127.0.0.1/32,192.168.0.0/16,10.0.0.0/8"
+  
+  # Apply middlewares to whoami router
+  - "traefik.http.routers.whoami.middlewares=secure-headers,ip-allowlist"
 ```

 Add the same middleware to your whoami-api service:
@@ -454,7 +457,7 @@ These fundamental capabilities provide a solid foundation for exposing any appli

 Now that you understand the basics of exposing services with Traefik Proxy, you might want to explore:

- [Advanced routing options](../reference/routing-configuration/http/router/rules-and-priority.md) like query parameter matching, header-based routing, and more
+- [Advanced routing options](../reference/routing-configuration/http/routing/rules-and-priority.md) like query parameter matching, header-based routing, and more
 - [Additional middlewares](../reference/routing-configuration/http/middlewares/overview.md) for authentication, rate limiting, and request modifications
 - [Observability features](../reference/install-configuration/observability/metrics.md) for monitoring and debugging your Traefik deployment
 - [TCP services](../reference/routing-configuration/tcp/service.md) for exposing TCP services
--- a/docs/content/expose/kubernetes.md
+++ b/docs/content/expose/kubernetes.md
@@ -325,11 +325,13 @@ kubectl create secret tls whoami-tls --cert=tls.crt --key=tls.key
        web:
          port: 80
          protocol: HTTP
-          namespacePolicy: All
+          namespacePolicy:
+            from: All
        websecure:
          port: 443
          protocol: HTTPS
-          namespacePolicy: All
+          namespacePolicy:
+            from: All
          mode: Terminate
          certificateRefs:
            - kind: Secret
@@ -1003,7 +1005,7 @@ These fundamental capabilities provide a solid foundation for exposing any appli

 Now that you understand the basics of exposing services with Traefik Proxy, you might want to explore:

- [Advanced routing options](../reference/routing-configuration/http/router/rules-and-priority.md) like query parameter matching, header-based routing, and more
+- [Advanced routing options](../reference/routing-configuration/http/routing/rules-and-priority.md) like query parameter matching, header-based routing, and more
 - [Additional middlewares](../reference/routing-configuration/http/middlewares/overview.md) for authentication, rate limiting, and request modifications
 - [Observability features](../reference/install-configuration/observability/metrics.md) for monitoring and debugging your Traefik deployment
 - [TCP services](../reference/routing-configuration/tcp/service.md) for exposing TCP services
--- a/docs/content/expose/swarm.md
+++ b/docs/content/expose/swarm.md
@@ -68,7 +68,7 @@ This confirms that Traefik is successfully routing requests to your whoami appli

 ## Add Routing Rules

-Now we'll enhance our routing by directing traffic to different services based on [URL paths](../reference/routing-configuration/http/router/rules-and-priority.md#path-pathprefix-and-pathregexp). This is useful for API versioning, frontend/backend separation, or organizing microservices.
+Now we'll enhance our routing by directing traffic to different services based on [URL paths](../reference/routing-configuration/http/routing/rules-and-priority.md#path-pathprefix-and-pathregexp). This is useful for API versioning, frontend/backend separation, or organizing microservices.

 Update your `docker-compose.yml` to add another service:

@@ -393,7 +393,7 @@ These fundamental capabilities provide a solid foundation for exposing any appli

 Now that you understand the basics of exposing services with Traefik Proxy, you might want to explore:

- [Advanced routing options](../reference/routing-configuration/http/router/rules-and-priority.md) like query parameter matching, header-based routing, and more
+- [Advanced routing options](../reference/routing-configuration/http/routing/rules-and-priority.md) like query parameter matching, header-based routing, and more
 - [Additional middlewares](../reference/routing-configuration/http/middlewares/overview.md) for authentication, rate limiting, and request modifications
 - [Observability features](../reference/install-configuration/observability/metrics.md) for monitoring and debugging your Traefik deployment
 - [TCP services](../reference/routing-configuration/tcp/service.md) for exposing TCP services
--- a/docs/content/extend/extend-traefik.md
+++ b/docs/content/extend/extend-traefik.md
@@ -0,0 +1,56 @@
+---
+title: Extend Traefik
+description: Extend Traefik with custom plugins using Yaegi and WebAssembly.
+---
+
+# Extend Traefik
+
+Plugins are a powerful feature for extending Traefik with custom features and behaviors. The [Plugin Catalog](https://plugins.traefik.io/) is a software-as-a-service (SaaS) platform that provides an exhaustive list of the existing plugins.
+
+??? note "Plugin Catalog Access"
+    You can reach the [Plugin Catalog](https://plugins.traefik.io/) from the Traefik Dashboard using the `Plugins` menu entry.
+
+## Add a new plugin to a Traefik instance
+
+To add a new plugin to a Traefik instance, you must change that instance's install (static) configuration. Each plugin's **Install** section provides an install (static) configuration example. Many plugins have their own section in the Traefik routing (dynamic) configuration.
+
+!!! danger "Experimental Features"
+    Plugins can change the behavior of Traefik in unforeseen ways. Exercise caution when adding new plugins to production Traefik instances.
+
+To learn more about how to add a new plugin to a Traefik instance, please refer to the [developer documentation](https://plugins.traefik.io/install).
+
+## Plugin Systems
+
+Traefik supports two different plugin systems, each designed for different use cases and developer preferences.
+
+### Yaegi Plugin System
+
+Traefik [Yaegi](https://github.com/traefik/yaegi) plugins are developed using the Go language. It is essentially a Go package. Unlike pre-compiled plugins, Yaegi plugins are executed on the fly by Yaegi, a Go interpreter embedded in Traefik.
+
+This approach eliminates the need for compilation and a complex toolchain, making plugin development as straightforward as creating web browser extensions. Yaegi plugins support both middleware and provider functionality.
+
+#### Key characteristics
+
+- Written in Go language
+- No compilation required
+- Executed by embedded interpreter
+- Supports full Go feature set
+- Hot-reloadable during development
+
+### WebAssembly (WASM) Plugin System
+
+Traefik WASM plugins can be developed using any language that compiles to WebAssembly (WASM). This method is based on [http-wasm](https://http-wasm.io/).
+
+WASM plugins compile to portable binary modules that execute with near-native performance while maintaining security isolation.
+
+#### Key characteristics
+
+- Multi-language support (Go, Rust, C++, etc.)
+- Compiled to WebAssembly binary
+- Near-native performance
+- Strong security isolation
+- Currently supports middleware only
+
+## Build Your Own Plugins
+
+Traefik users can create their own plugins and share them with the community using the [Plugin Catalog](https://plugins.traefik.io/). To learn more about Traefik plugin creation, please refer to the [developer documentation](https://plugins.traefik.io/create).
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -12,10 +12,10 @@ How the Magic Happens

 Configuration in Traefik can refer to two different things:

- The fully dynamic routing configuration (referred to as the _dynamic configuration_)
- The startup configuration (referred to as the _static configuration_)
+- The fully dynamic routing configuration (referred to as the _routing configuration_, formerly known as the _dynamic configuration_)
+- The startup configuration (referred to as the _install configuration_, formerly known as the _static configuration_)

-Elements in the _static configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).
+Elements in the install configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).

 The _dynamic configuration_ contains everything that defines how the requests are handled by your system.
 This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.
@@ -32,9 +32,9 @@ Since this configuration is specific to your infrastructure choices, we invite y

 !!! info ""

-    In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
+    In the [Quick Start example](../getting-started/quick-start.md), the routing configuration comes from docker in the form of labels attached to your containers.

-!!! info "HTTPS Certificates also belong to the dynamic configuration."
+!!! info "HTTPS Certificates also belong to the routing configuration."

    You can add / update / remove them without restarting your Traefik instance.

@@ -79,14 +79,14 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:v3.4 --help
+# ex: docker run traefik:v3.5 --help
 ```

-Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.
+Check the [CLI reference](../reference/install-configuration/configuration-options.md "Link to CLI reference overview") for an overview about all available arguments.

 ### Environment Variables

-All available environment variables can be found in the [static configuration environment overview](../reference/static-configuration/env.md).
+All available environment variables can be found in the [static configuration environment overview](../reference/install-configuration/configuration-options.md).

 ## Available Configuration Options

--- a/docs/content/getting-started/docker.md
+++ b/docs/content/getting-started/docker.md
@@ -36,7 +36,7 @@ This configuration:
 # docker-compose.yml
 services:
  traefik:
-    image: traefik:v3.4
+    image: traefik:v3.5
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
@@ -84,7 +84,7 @@ docker run -d \
  -p 8080:8080 \
  -v $PWD/traefik.yml:/etc/traefik/traefik.yml \
  -v /var/run/docker.sock:/var/run/docker.sock \
-  traefik:v3.4
+  traefik:v3.5
 ```

 ## Expose the Dashboard
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -12,10 +12,10 @@ and while the documentation often demonstrates configuration options through fil
 the core feature of Traefik is its dynamic configurability,
 directly reacting to changes from providers over time.

-Notably, a part of the configuration is [static](../configuration-overview/#the-static-configuration),
+Notably, a part of the configuration is [static](./configuration-overview.md#the-static-configuration),
 and can be provided by a file on startup, whereas various providers,
 such as the file provider,
-contribute dynamically all along the traefik instance lifetime to its [dynamic configuration](../configuration-overview/#the-dynamic-configuration) changes.
+contribute dynamically all along the traefik instance lifetime to its [dynamic configuration](./configuration-overview.md#the-dynamic-configuration) changes.

 In addition, the configuration englobes concepts such as the EntryPoint which can be seen as a listener on the Transport Layer (TCP),
 as apposed to the Router which is more about the Presentation (TLS) and Application layers (HTTP).
@@ -147,13 +147,13 @@ for example, by using the `touch` command on the configuration file.

 By default, the following headers are automatically added when proxying requests:

-| Property                  | HTTP Header                |
-|---------------------------|----------------------------|
-| Client's IP               | X-Forwarded-For, X-Real-Ip |
-| Host                      | X-Forwarded-Host           |
-| Port                      | X-Forwarded-Port           |
-| Protocol                  | X-Forwarded-Proto          |
-| Proxy Server's Hostname   | X-Forwarded-Server         |
+| Property                  | HTTP Header                    |
+|---------------------------|--------------------------------|
+| Client's IP               | `X-Forwarded-For`, `X-Real-Ip` |
+| Host                      | `X-Forwarded-Host`             |
+| Port                      | `X-Forwarded-Port`             |
+| Protocol                  | `X-Forwarded-Proto`            |
+| Proxy Server's Hostname   | `X-Forwarded-Server`           |

 For more details,
 please check out the [forwarded header](../routing/entrypoints.md#forwarded-headers) documentation.
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:

 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:

-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.5/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.5/traefik.sample.toml)

 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.4
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.5
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.4`
+    ex: `traefik:v3.5`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

--- a/docs/content/getting-started/kubernetes.md
+++ b/docs/content/getting-started/kubernetes.md
@@ -79,7 +79,10 @@ providers:
  kubernetesGateway:
    enabled: true
 gateway:
-  namespacePolicy: All
+  listeners:
+    web:
+      namespacePolicy:
+        from: All
 ```

 !!! info
@@ -106,7 +109,7 @@ helm install traefik traefik/traefik --wait \
  --set ingressRoute.dashboard.matchRule='Host(`dashboard.localhost`)' \
  --set ingressRoute.dashboard.entryPoints={web} \
  --set providers.kubernetesGateway.enabled=true \
-  --set gateway.namespacePolicy=All
+  --set gateway.listeners.web.namespacePolicy.from=All
 ```

 !!! info
--- a/docs/content/govern/index.md
+++ b/docs/content/govern/index.md
@@ -0,0 +1,59 @@
+---
+title: "Govern Your APIs with Traefik Hub"
+description: "Learn how Traefik Hub provides comprehensive API Gateway and API Management capabilities to govern, secure, and manage your APIs at scale."
+---
+
+# Govern Your APIs with Traefik Hub
+
+Traefik Hub transforms your API infrastructure by providing enterprise-grade API Gateway and comprehensive API Management capabilities. Built on the foundation of Traefik Proxy, Hub enables organizations to govern, secure, and manage APIs at scale across cloud-native environments.
+
+## API Gateway and API Management Capabilities
+
+Traefik Hub offers two complementary approaches to API governance:
+
+- [Traefik Hub API Gateway](https://traefik.io/solutions/api-gateway/): Enterprise-grade security, distributed features, and advanced access control for cloud-native API gateway scenarios. It includes AI Gateway capabilities for modern machine learning workloads.
+
+- [Traefik Hub API Management](https://traefik.io/solutions/api-management/): Comprehensive API lifecycle management, developer portals, and organizational features for teams managing multiple APIs across environments.
+
+## API Management Features
+
+Traefik Hub API Management provides a complete suite of features designed to streamline API governance and accelerate developer productivity:
+
+### Comprehensive API Lifecycle Management
+
+- **Centralized API Catalog**: Comprehensive API inventory providing real-time visibility and control
+- **Advanced Versioning**: Utilize the most flexible API versioning and Kubernetes-native labels to logically organize APIs, track their evolution over time, and avoid breaking changes for client applications
+- **Quality Control**: Perform error checks and change impact analysis with Traefik Hub's static analyzer to ensure compliance and prevent misconfiguration by catching errors early
+- **Resource Management**: Centralize rate limits, quotas, and policy enforcement across groups of APIs through Plans & Bundles, ensuring consistent and efficient resource management
+- **Subscription Management**: Create managed and self-serve subscriptions for enhanced ease-of-use, security, and auditability
+- **Standards Compliance**: Import, validate, and manage APIs using industry-standard OpenAPI specifications
+
+### Developer Experience & Self-Service
+
+- **Customizable Portals**: Easily create one or more dedicated API Portals for developers to discover, understand, and interact with your APIs
+- **Interactive API Testing**: Allow developers to test APIs directly within the portal for immediate feedback
+- **Branded Experience**: Customize the API portal to house API documentation, clear integration instructions, and personalized content to foster adoption and streamline development
+- **Credential Management**: Generate API access credentials, such as API keys, directly from the portal for simplified access and secure integration
+- **Auto-generated Documentation**: Automatically generated, interactive API documentation from OpenAPI specifications in the portal
+
+### Enterprise-Grade Security
+
+- **Access Control**: Implement fine-grained permissions through detailed API policies and JWT inspection to secure access to API resources
+- **Identity Integration**: Leverage existing identity and access management (IAM) solutions, such as Keycloak, Okta, Auth0, etc. through industry-standard authentication protocols, including native OIDC support
+- **Data Protection**: Advanced TLS management, supporting Let's Encrypt (ACME) and SPIFFE for robust data protection
+- **Threat Prevention**: Native Web Application Firewall (WAF) powered by OWASP Coraza to defend against known vulnerabilities
+
+### Observability
+
+- **Open Standards Monitoring**: Gain deep insights into API health and performance with OpenTelemetry integration to provide metrics and tracing capabilities without vendor lock-in
+- **Third-party Integrations**: Turnkey integration with Treblle directly on the Traefik Hub Dashboard for real-time, out-of-the-box observability without maintaining a complex monitoring infrastructure
+- **Pre-built Grafana Dashboards**: Ready-to-use monitoring dashboards with key API metrics and performance indicators
+
+## Getting Started with API Governance
+
+Transform your API infrastructure with Traefik Hub's governance capabilities:
+
+1. **Start with API Gateway**: Implement enterprise security, authentication, distributed features, and AI Gateway capabilities
+2. **Scale with API Management**: Add comprehensive lifecycle management, developer portals, and governance features
+
+Ready to govern your APIs at scale? Explore [Traefik Hub API Management](https://traefik.io/solutions/api-management/) and discover how it can transform your API strategy.
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -250,6 +250,34 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
 !!! info ""
    Redirection is fully compatible with the `HTTP-01` challenge.

+#### `Delay`
+
+The delay between the creation of the challenge and the validation.
+A value lower than or equal to zero means no delay.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      httpChallenge:
+        # ...
+        delay: 12
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.httpChallenge]
+    # ...
+    delay = 12
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.httpchallenge.delay=12
+```
+
 ### `dnsChallenge`

 Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
@@ -286,7 +314,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 !!! warning "`CNAME` support"

    `CNAME` are supported (and sometimes even [encouraged](https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname)),
-    but there are a few cases where they can be [problematic](../../getting-started/faq/#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).
+    but there are a few cases where they can be [problematic](../getting-started/faq.md#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).

    If needed, `CNAME` support can be disabled with the following environment variable:

@@ -324,13 +352,16 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
 | [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
 | [Axelname](https://axelname.ru)                                        | `axelname`         | `AXELNAME_NICKNAME`, `AXELNAME_TOKEN`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/axelname)         |
-| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [Azion](https://www.azion.com/en/products/edge-dns/)                   | `azion`            | `AZION_PERSONAL_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/azion)            |
+| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | DEPRECATED use `azuredns` instead.                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
 | [AzureDNS](https://azure.microsoft.com/services/dns/)                  | `azuredns`         | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns)         |
 | [Baidu Cloud](https://cloud.baidu.com)                                 | `baiducloud`       | `BAIDUCLOUD_ACCESS_KEY_ID`, `BAIDUCLOUD_SECRET_ACCESS_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/baiducloud)       |
+| [Beget](https://beget.com/)                                            | `beget`            | `BEGET_USERNAME`, `BEGET_PASSWORD`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/beget)            |
+| [Binary Lane](https://www.binarylane.com.au/)                          | `binarylane`       | `BINARYLANE_API_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/binarylane)       |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)             | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
 | [Blue Cat](https://www.bluecatnetworks.com/)                           | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
 | [BookMyName](https://www.bookmyname.com)                               | `bookmyname`       | `BOOKMYNAME_USERNAME`, `BOOKMYNAME_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/bookmyname)       |
-| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
+| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
 | [Bunny](https://bunny.net)                                             | `bunny`            | `BUNNY_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/bunny)            |
 | [Checkdomain](https://www.checkdomain.de/)                             | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
 | [Civo](https://www.civo.com/)                                          | `civo`             | `CIVO_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
@@ -338,7 +369,8 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [CloudDNS](https://vshosting.eu/)                                      | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
 | [Cloudflare](https://www.cloudflare.com)                               | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
 | [ClouDNS](https://www.cloudns.net/)                                    | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
-| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [ConoHa v3](https://www.conoha.jp/)                                    | `conohav3`         | `CONOHAV3_TENANT_ID`, `CONOHAV3_API_USER_ID`, `CONOHAV3_API_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conohav3)         |
 | [ConoHa](https://www.conoha.jp)                                        | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
 | [Constellix](https://constellix.com)                                   | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
 | [Core-Networks](https://www.core-networks.de)                          | `corenetworks`     | `CORENETWORKS_LOGIN`, `CORENETWORKS_PASSWORD`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/corenetworks)     |
@@ -350,12 +382,13 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [DNS Made Easy](https://dnsmadeeasy.com)                               | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
 | [dnsHome.de](https://www.dnshome.de)                                   | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
 | [DNSimple](https://dnsimple.com)                                       | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
-| [DNSPod](https://www.dnspod.com/)                                      | `dnspod`           | `DNSPOD_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
+| [DNSPod](https://www.dnspod.com/) (DEPRECATED)                         | `dnspod`           | DEPRECATED  use `tencentcloud` instead.                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
 | [Domain Offensive (do.de)](https://www.do.de/)                         | `dode`             | `DODE_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
 | [Domeneshop](https://domene.shop)                                      | `domeneshop`       | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)       |
 | [DreamHost](https://www.dreamhost.com/)                                | `dreamhost`        | `DREAMHOST_API_KEY`                                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)        |
 | [Duck DNS](https://www.duckdns.org/)                                   | `duckdns`          | `DUCKDNS_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)          |
 | [Dyn](https://dyn.com)                                                 | `dyn`              | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)              |
+| [DynDnsFree.de](https://www.dyndnsfree.de)                             | `dyndnsfree`       | `DYNDNSFREE_USERNAME`, `DYNDNSFREE_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dyndnsfree)       |
 | [Dynu](https://www.dynu.com)                                           | `dynu`             | `DYNU_API_KEY`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)             |
 | [EasyDNS](https://easydns.com/)                                        | `easydns`          | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)          |
 | [EdgeDNS](https://www.akamai.com/)                                     | `edgedns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
@@ -371,9 +404,10 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Glesys](https://glesys.com/)                                          | `glesys`           | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)           |
 | [GoDaddy](https://www.godaddy.com)                                     | `godaddy`          | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)          |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)                 | `gcloud`           | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)           |
-| [Google Domains](https://domains.google)                               | `googledomains`    | `GOOGLE_DOMAINS_ACCESS_TOKEN`                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
-| [Hetzner](https://hetzner.com)                                         | `hetzner`          | `HETZNER_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
+| [Google Domains](https://domains.google) (DEPRECATED)                  | `googledomains`    | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
+| [Hetzner](https://hetzner.com)                                         | `hetzner`          | `HETZNER_API_TOKEN`                                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
 | [hosting.de](https://www.hosting.de)                                   | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
+| [Hostinger](https://www.hostinger.com/)                                | `hostinger`        | `HOSTINGER_API_TOKEN`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/hostinger)        |
 | [Hosttech](https://www.hosttech.eu)                                    | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
 | [http.net](https://www.http.net/)                                      | `httpnet`          | `HTTPNET_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/httpnet)          |
 | [Huawei Cloud](https://huaweicloud.com)                                | `huaweicloud`      | `HUAWEICLOUD_ACCESS_KEY_ID`, `HUAWEICLOUD_SECRET_ACCESS_KEY`, `HUAWEICLOUD_REGION`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/huaweicloud)      |
@@ -390,6 +424,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [IPv64](https://ipv64.net)                                             | `ipv64`            | `IPV64_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/ipv64)            |
 | [iwantmyname](https://iwantmyname.com)                                 | `iwantmyname`      | `IWANTMYNAME_USERNAME` , `IWANTMYNAME_PASSWORD`                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/iwantmyname)      |
 | [Joker.com](https://joker.com)                                         | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
+| [KeyHelp](https://www.keyweb.de/en/keyhelp/keyhelp/)                   | `keyhelp`          | `KEYHELP_API_KEY`, `KEYHELP_BASE_URL`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/keyhelp)          |
 | [Liara](https://liara.ir)                                              | `liara`            | `LIARA_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/liara)            |
 | [Lightsail](https://aws.amazon.com/lightsail/)                         | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
 | [Lima-City](https://www.lima-city.de)                                  | `limacity`         | `LIMACITY_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/limacity)         |
@@ -417,6 +452,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Njalla](https://njal.la)                                              | `njalla`           | `NJALLA_TOKEN`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)           |
 | [Nodion](https://www.nodion.com)                                       | `nodion`           | `NODION_API_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/nodion)           |
 | [NS1](https://ns1.com/)                                                | `ns1`              | `NS1_API_KEY`                                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)              |
+| [Octenium](https://octenium.com/)                                      | `octenium`         | `OCTENIUM_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/octenium)         |
 | [Open Telekom Cloud](https://cloud.telekom.de)                         | `otc`              | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/otc)              |
 | [Openstack Designate](https://docs.openstack.org/designate)            | `designate`        | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/designate)        |
 | [Oracle Cloud](https://cloud.oracle.com/home)                          | `oraclecloud`      | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID`                                      | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)      |
@@ -432,6 +468,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [RFC2136](https://tools.ietf.org/html/rfc2136)                         | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
 | [RimuHosting](https://rimuhosting.com)                                 | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
 | [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
+| [RU Center](https://nic.ru/)                                           | `nicru`            | `NICRU_USER`, `NICRU_PASSWORD`, `NICRU_SERVICE_ID`, `NICRU_SECRET`, `NICRU_SERVICE_NAME`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/nicru)            |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
 | [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCW_API_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
 | [Selectel v2](https://selectel.ru/en/)                                 | `selectelv2`       | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2)       |
@@ -445,6 +482,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Stackpath](https://www.stackpath.com/)                                | `stackpath`        | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)        |
 | [Technitium](https://technitium.com)                                   | `technitium`       | `TECHNITIUM_SERVER_BASE_URL`, `TECHNITIUM_API_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/technitium)       |
 | [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)             | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
+| [Tencent EdgeOne](https://edgeone.ai/)                                 | `edgeone`          | `EDGEONE_SECRET_ID`, `EDGEONE_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/edgeone)          |
 | [Timeweb Cloud](https://timeweb.cloud)                                 | `timewebcloud`     | `TIMEWEBCLOUD_AUTH_TOKEN`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/timewebcloud)     |
 | [TransIP](https://www.transip.nl/)                                     | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
 | [UKFast SafeDNS](https://docs.ukfast.co.uk/domains/safedns/index.html) | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
@@ -466,6 +504,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Yandex Cloud](https://cloud.yandex.com/en/)                           | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
 | [Yandex](https://yandex.com)                                           | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
 | [Zone.ee](https://www.zone.ee)                                         | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
+| [ZoneEdit](https://www.zoneedit.com)                                   | `zoneedit`         | `ZONEEDIT_USER`, `ZONEEDIT_AUTH_TOKEN`                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/zoneedit)         |
 | [Zonomi](https://zonomi.com)                                           | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
 | External Program                                                       | `exec`             | `EXEC_PATH`                                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/exec)             |
 | HTTP request                                                           | `httpreq`          | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)          |
@@ -809,6 +848,71 @@ certificatesResolvers:
 # ...
 ```

+### `clientTimeout`
+
+_Optional, Default=2m_
+
+`clientTimeout` is the total timeout for a complete HTTP transaction (including TCP connection, sending request and receiving response) with the ACME server.
+It defaults to 2 minutes.
+
+!!! warning "This timeout encompasses the entire request-response cycle, including the response headers timeout. It must be at least `clientResponseHeaderTimeout`, otherwise the certificate resolver will fail to start."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      clientTimeout: 1m
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  clientTimeout=1m
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.clientTimeout=1m
+# ...
+```
+
+!!! warning
+    This should not be confused with any timeouts used for validating challenges.
+
+### `clientResponseHeaderTimeout`
+
+_Optional, Default=30s_
+
+`clientResponseHeaderTimeout` defines how long the HTTP client waits for response headers when communicating with the `caServer`.
+It defaults to 30 seconds. 
+
+!!! warning "It must be lower than `clientTimeout`, otherwise the certificate resolver will fail to start."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      clientResponseHeaderTimeout: 1m
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  clientResponseHeaderTimeout=1m
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=1m
+# ...
+```
+
 ### `preferredChain`

 _Optional, Default=""_
--- a/docs/content/https/ocsp.md
+++ b/docs/content/https/ocsp.md
@@ -0,0 +1,71 @@
+---
+title: "Traefik OCSP Documentation"
+description: "Learn how to configure Traefik to use OCSP. Read the technical documentation."
+---
+
+# OCSP
+
+Check certificate status and perform OCSP stapling.
+{: .subtitle }
+
+## Overview
+
+### OCSP Stapling
+
+When OCSP is enabled, Traefik checks the status of every certificate in the store that provides an OCSP responder URL,
+including the default certificate, and staples the OCSP response to the TLS handshake.
+The OCSP check is performed when the certificate is loaded,
+and once every hour until it is successful at the halfway point before the update date.
+
+### Caching
+
+Traefik caches the OCSP response as long as the associated certificate is provided by the configuration.
+When a certificate is no longer provided,
+the OCSP response has a 24 hour TTL waiting to be provided again or eventually removed.
+The OCSP response is cached in memory and is not persisted between Traefik restarts.
+
+## Configuration
+
+### General
+
+Enabling OCSP is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+It can be defined by using a file (YAML or TOML) or CLI arguments:
+
+```yaml tab="File (YAML)"
+## Static configuration
+ocsp: {}
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[ocsp]
+```
+
+```bash tab="CLI"
+## Static configuration
+--ocsp=true
+```
+
+### Responder Overrides
+
+The `responderOverrides` option defines the OCSP responder URLs to use instead of the one provided by the certificate.
+This is useful when you want to use a different OCSP responder.
+
+```yaml tab="File (YAML)"
+## Static configuration
+ocsp:
+  responderOverrides:
+    foo: bar
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[ocsp]
+  [ocsp.responderOverrides]
+    foo = "bar"
+```
+
+```bash tab="CLI"
+## Static configuration
+-ocsp.responderoverrides.foo=bar
+```
--- a/docs/content/https/ref-acme.toml
+++ b/docs/content/https/ref-acme.toml
@@ -30,6 +30,20 @@
  #
  # certificatesDuration=2160

+  # Timeout for a complete HTTP transaction with the ACME server.
+  #
+  # Optional
+  # Default: 2m
+  #
+  # clientTimeout="2m"
+
+  # Timeout for receiving the response headers when communicating with the ACME server.
+  #
+  # Optional
+  # Default: 30s
+  #
+  # clientResponseHeaderTimeout="30s"
+
  # Preferred chain to use.
  #
  # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/ref-acme.txt
+++ b/docs/content/https/ref-acme.txt
@@ -29,6 +29,20 @@
 #
 --certificatesresolvers.myresolver.acme.certificatesDuration=2160

+# Timeout for a complete HTTP transaction with the ACME server.
+#
+# Optional
+# Default: 2m
+#
+--certificatesresolvers.myresolver.acme.clientTimeout=2m
+
+# Timeout for receiving the response headers when communicating with the ACME server.
+#
+# Optional
+# Default: 30s
+#
+--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=30s
+
 # Preferred chain to use.
 #
 # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/ref-acme.yaml
+++ b/docs/content/https/ref-acme.yaml
@@ -32,6 +32,20 @@ certificatesResolvers:
      #
      # certificatesDuration: 2160

+      # Timeout for a complete HTTP transaction with the ACME server.
+      #
+      # Optional
+      # Default: 2m
+      #
+      # clientTimeout: "2m"
+
+      # Timeout for receiving the response headers when communicating with the ACME server.
+      #
+      # Optional
+      # Default: 30s
+      #
+      # clientResponseHeaderTimeout: "30s"
+
      # Preferred chain to use.
      #
      # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -234,7 +234,7 @@ The TLS options allow one to configure some parameters of the TLS connection.

 !!! important "TLSOption in Kubernetes"

-    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../routing/providers/kubernetes-crd.md#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
    if not explicitly overwritten, should apply to all ingresses.  
    To achieve that, you'll have to create a TLSOption resource with the name `default`.
    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
@@ -503,7 +503,7 @@ Traefik supports mutual authentication, through the `clientAuth` section.

 For authentication policies that require verification of the client certificate, the certificate authority for the certificates should be set in `clientAuth.caFiles`.

-In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) for more details.
+In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../routing/providers/kubernetes-crd.md#kind-tlsoption) for more details.

 The `clientAuth.clientAuthType` option governs the behaviour as follows:

--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -11,7 +11,7 @@ Traefik is an [open-source](https://github.com/traefik/traefik) Application Prox

 If you start with Traefik for service discovery and routing, you can seamlessly add [API management](https://traefik.io/solutions/api-management/), [API gateway](https://traefik.io/solutions/api-gateway/), [AI gateway](https://traefik.io/solutions/ai-gateway/), and [API mocking](https://traefik.io/solutions/api-mocking/) capabilities as needed.

-With 3.3 billion downloads and over 55k stars on GitHub, Traefik is used globally across hybrid cloud, multi-cloud, on prem, and bare metal environments running Kuberentes, Docker Swarm, AWS, [the list goes on](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/).
+With 3.3 billion downloads and over 55k stars on GitHub, Traefik is used globally across hybrid cloud, multi-cloud, on prem, and bare metal environments running Kubernetes, Docker Swarm, AWS, [the list goes on](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/).

 Here’s how it works—Traefik receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. It automatically discovers the right configuration for your services by inspecting your infrastructure to identify relevant information and which service serves which request.

@@ -33,7 +33,7 @@ Traefik supports different needs depending on your background. We keep three use
 Traefik’s main concepts help you understand how requests flow to your services:

 - [Entrypoints](./reference/install-configuration/entrypoints.md) are the network entry points into Traefik. They define the port that will receive the packets and whether to listen for TCP or UDP.
- [Routers](./reference/routing-configuration/http/router/rules-and-priority.md) are in charge of connecting incoming requests to the services that can handle them. In the process, routers may use pieces of [middleware](./reference/routing-configuration/http/middlewares/overview.md) to update the request or act before forwarding the request to the service.
+- [Routers](./reference/routing-configuration/http/routing/rules-and-priority.md) are in charge of connecting incoming requests to the services that can handle them. In the process, routers may use pieces of [middleware](./reference/routing-configuration/http/middlewares/overview.md) to update the request or act before forwarding the request to the service.
 - [Services](./reference/routing-configuration/http/load-balancing/service.md) are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
 - [Providers](./reference/install-configuration/providers/overview.md) are infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores. The idea is that Traefik queries the provider APIs in order to find relevant information about routing, and when Traefik detects a change, it dynamically updates the routes.

--- a/docs/content/middlewares/http/addprefix.md
+++ b/docs/content/middlewares/http/addprefix.md
@@ -8,8 +8,6 @@ description: "Learn how to implement the HTTP AddPrefix middleware in Traefik Pr
 Prefixing the Path
 {: .subtitle }

-![AddPrefix](../../assets/img/middleware/addprefix.png)
-
 The AddPrefix middleware updates the path of a request before forwarding it.

 ## Configuration Examples
--- a/docs/content/middlewares/http/basicauth.md
+++ b/docs/content/middlewares/http/basicauth.md
@@ -8,8 +8,6 @@ description: "The HTTP basic authentication (BasicAuth) middleware in Traefik Pr
 Adding Basic Authentication
 {: .subtitle }

-![BasicAuth](../../assets/img/middleware/basicauth.png)
-
 The BasicAuth middleware grants access to services to authorized users only.

 ## Configuration Examples
--- a/docs/content/middlewares/http/buffering.md
+++ b/docs/content/middlewares/http/buffering.md
@@ -8,8 +8,6 @@ description: "The HTTP buffering middleware in Traefik Proxy limits the size of
 How to Read the Request before Forwarding It
 {: .subtitle }

-![Buffering](../../assets/img/middleware/buffering.png)
-
 The Buffering middleware limits the size of requests that can be forwarded to services.

 With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified size limit.
--- a/docs/content/middlewares/http/chain.md
+++ b/docs/content/middlewares/http/chain.md
@@ -8,8 +8,6 @@ description: "The HTTP chain middleware lets you define reusable combinations of
 When One Isn't Enough
 {: .subtitle }

-![Chain](../../assets/img/middleware/chain.png)
-
 The Chain middleware enables you to define reusable combinations of other pieces of middleware.
 It makes reusing the same groups easier.

--- a/docs/content/middlewares/http/circuitbreaker.md
+++ b/docs/content/middlewares/http/circuitbreaker.md
@@ -8,8 +8,6 @@ description: "The HTTP circuit breaker in Traefik Proxy prevents stacking reques
 Don't Waste Time Calling Unhealthy Services
 {: .subtitle }

-![CircuitBreaker](../../assets/img/middleware/circuitbreaker.png)
-
 The circuit breaker protects your system from stacking requests to unhealthy services, resulting in cascading failures.

 When your system is healthy, the circuit is closed (normal operations).
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -8,8 +8,6 @@ description: "Traefik Proxy's HTTP middleware lets you compress responses before
 Compress Allows Compressing Responses before Sending them to the Client
 {: .subtitle }

-![Compress](../../assets/img/middleware/compress.png)
-
 The Compress middleware supports Gzip, Brotli and Zstandard compression.
 The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.

--- a/docs/content/middlewares/http/digestauth.md
+++ b/docs/content/middlewares/http/digestauth.md
@@ -8,8 +8,6 @@ description: "Traefik Proxy's HTTP DigestAuth middleware restricts access to you
 Adding Digest Authentication
 {: .subtitle }

-![BasicAuth](../../assets/img/middleware/digestauth.png)
-
 The DigestAuth middleware grants access to services to authorized users only.

 ## Configuration Examples
--- a/docs/content/middlewares/http/errorpages.md
+++ b/docs/content/middlewares/http/errorpages.md
@@ -8,8 +8,6 @@ description: "In Traefik Proxy, the Errors middleware returns custom pages accor
 It Has Never Been Easier to Say That Something Went Wrong
 {: .subtitle }

-![Errors](../../assets/img/middleware/errorpages.png)
-
 The Errors middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.

 !!! important
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -8,8 +8,6 @@ description: "In Traefik Proxy, the HTTP ForwardAuth middleware delegates authen
 Using an External Service to Forward Authentication
 {: .subtitle }

-![AuthForward](../../assets/img/middleware/authforward.png)
-
 The ForwardAuth middleware delegates authentication to an external service.
 If the service answers with a 2XX code, access is granted, and the original request is performed.
 Otherwise, the response from the authentication server is returned.
@@ -60,11 +58,11 @@ The following request properties are provided to the forward-auth target endpoin

 | Property          | Forward-Request Header |
 |-------------------|------------------------|
-| HTTP Method       | X-Forwarded-Method     |
-| Protocol          | X-Forwarded-Proto      |
-| Host              | X-Forwarded-Host       |
-| Request URI       | X-Forwarded-Uri        |
-| Source IP-Address | X-Forwarded-For        |
+| HTTP Method       | `X-Forwarded-Method`   |
+| Protocol          | `X-Forwarded-Proto`    |
+| Host              | `X-Forwarded-Host`     |
+| Request URI       | `X-Forwarded-Uri`      |
+| Source IP-Address | `X-Forwarded-For`      |

 ## Configuration Options

--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@@ -8,8 +8,6 @@ description: "In Traefik Proxy, the HTTP headers middleware manages the headers
 Managing Request/Response headers
 {: .subtitle }

-![Headers](../../assets/img/middleware/headers.png)
-
 The Headers middleware manages the headers of requests and responses.

 A set of forwarded headers are automatically added by default. See the [FAQ](../../getting-started/faq.md#what-are-the-forwarded-headers-when-proxying-http-requests) for more information.
--- a/docs/content/middlewares/http/inflightreq.md
+++ b/docs/content/middlewares/http/inflightreq.md
@@ -8,8 +8,6 @@ description: "Traefik Proxy's HTTP middleware lets you limit the number of simul
 Limiting the Number of Simultaneous In-Flight Requests
 {: .subtitle }

-![InFlightReq](../../assets/img/middleware/inflightreq.png)
-
 To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous in-flight requests can be limited.

 ## Configuration Examples
@@ -115,7 +113,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
 If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
 See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.

-!!! example "Example of Depth & X-Forwarded-For"
+!!! example "Example of Depth & `X-Forwarded-For`"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).

@@ -169,7 +167,7 @@ http:

 !!! important "If `depth` is specified, `excludedIPs` is ignored."

-!!! example "Example of ExcludedIPs & X-Forwarded-For"
+!!! example "Example of ExcludedIPs & `X-Forwarded-For`"

    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
    |-----------------------------------------|-----------------------|--------------|
--- a/docs/content/middlewares/http/ipallowlist.md
+++ b/docs/content/middlewares/http/ipallowlist.md
@@ -78,7 +78,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
 See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.

-!!! example "Examples of Depth & X-Forwarded-For"
+!!! example "Examples of Depth & `X-Forwarded-For`"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).

@@ -144,7 +144,7 @@ http:

 !!! important "If `depth` is specified, `excludedIPs` is ignored."

-!!! example "Example of ExcludedIPs & X-Forwarded-For"
+!!! example "Example of ExcludedIPs & `X-Forwarded-For`"

    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
    |-----------------------------------------|-----------------------|--------------|
@@ -264,3 +264,45 @@ http:
    [http.middlewares.test-ipallowlist.ipallowlist.sourceCriterion.ipStrategy]
      ipv6Subnet = 64
 ```
+
+### `rejectStatusCode`
+
+The `rejectStatusCode` option sets HTTP status code for refused requests. If not set, the default is 403 (Forbidden).
+
+```yaml tab="Docker & Swarm"
+# Reject requests with a 404 rather than a 403
+labels:
+    - "traefik.http.middlewares.test-ipallowlist.ipallowlist.rejectstatuscode=404"
+```
+
+```yaml tab="Kubernetes"
+# Reject requests with a 404 rather than a 403
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipallowlist
+spec:
+  ipAllowList:
+    rejectStatusCode: 404
+```
+
+```yaml tab="Consul Catalog"
+# Reject requests with a 404 rather than a 403
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.rejectstatuscode=404"
+```
+
+```yaml tab="File (YAML)"
+# Reject requests with a 404 rather than a 403
+http:
+  middlewares:
+    test-ipallowlist:
+      ipAllowList:
+        rejectStatusCode: 404
+```
+
+```toml tab="File (TOML)"
+# Reject requests with a 404 rather than a 403
+[http.middlewares]
+  [http.middlewares.test-ipallowlist.ipAllowList]
+    rejectStatusCode = 404
+```
--- a/docs/content/middlewares/http/ipwhitelist.md
+++ b/docs/content/middlewares/http/ipwhitelist.md
@@ -8,8 +8,6 @@ description: "Learn how to use IPWhiteList in HTTP middleware for limiting clien
 Limiting Clients to Specific IPs
 {: .subtitle }

-![IPWhiteList](../../assets/img/middleware/ipwhitelist.png)
-
 IPWhiteList limits allowed requests based on the client IP.

 !!! warning
@@ -84,7 +82,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
 See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.

-!!! example "Examples of Depth & X-Forwarded-For"
+!!! example "Examples of Depth & `X-Forwarded-For`"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).

@@ -150,7 +148,7 @@ http:

 !!! important "If `depth` is specified, `excludedIPs` is ignored."

-!!! example "Example of ExcludedIPs & X-Forwarded-For"
+!!! example "Example of ExcludedIPs & `X-Forwarded-For`"

    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
    |-----------------------------------------|-----------------------|--------------|
--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -8,8 +8,6 @@ description: "Read the official Traefik Proxy documentation for an overview of t
 Controlling connections
 {: .subtitle }

-![Overview](../../assets/img/middleware/overview.png)
-
 ## Configuration Example

 ```yaml tab="Docker & Swarm"
--- a/docs/content/middlewares/http/ratelimit.md
+++ b/docs/content/middlewares/http/ratelimit.md
@@ -225,7 +225,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
 If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
 See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.

-!!! example "Example of Depth & X-Forwarded-For"
+!!! example "Example of Depth & `X-Forwarded-For`"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).

@@ -288,7 +288,7 @@ http:

    !!! example "Each IP as a distinct source"

-        | X-Forwarded-For                | excludedIPs           | clientIP     |
+        | `X-Forwarded-For`              | excludedIPs           | clientIP     |
        |--------------------------------|-----------------------|--------------|
        | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
        | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
@@ -298,7 +298,7 @@ http:

    !!! example "Group IPs together as same source"

-        |  X-Forwarded-For               |  excludedIPs | clientIP     |
+        | `X-Forwarded-For`              | excludedIPs  | clientIP     |
        |--------------------------------|--------------|--------------|
        | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
        | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
@@ -310,7 +310,7 @@ and the first IP that is _not_ in the pool (if any) is returned.

 !!! example "Matching for clientIP"

-    |  X-Forwarded-For               |  excludedIPs          | clientIP     |
+    | `X-Forwarded-For`              | excludedIPs           | clientIP     |
    |--------------------------------|-----------------------|--------------|
    | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"11.0.0.1"`          | `"13.0.0.1"` |
    | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
--- a/docs/content/middlewares/http/redirectscheme.md
+++ b/docs/content/middlewares/http/redirectscheme.md
@@ -19,7 +19,7 @@ The RedirectScheme middleware redirects the request if the request scheme is dif
    When there is at least one other reverse-proxy between the client and Traefik, 
    the other reverse-proxy (i.e. the last hop) needs to be a [trusted](../../routing/entrypoints.md#forwarded-headers) one. 
    
-    Otherwise, Traefik would clean up the X-Forwarded headers coming from this last hop, 
+    Otherwise, Traefik would clean up the `X-Forwarded` headers coming from this last hop,
    and as the RedirectScheme middleware relies on them to determine the scheme used,
    it would not function as intended.

--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -8,8 +8,6 @@ description: "There are several available middleware in Traefik Proxy used to mo
 Tweaking the Request
 {: .subtitle }

-![Overview](../assets/img/middleware/overview.png)
-
 Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).

 There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
--- a/docs/content/middlewares/tcp/overview.md
+++ b/docs/content/middlewares/tcp/overview.md
@@ -8,8 +8,6 @@ description: "Read the official Traefik Proxy documentation for an overview of t
 Controlling connections
 {: .subtitle }

-![Overview](../../assets/img/middleware/overview.png)
-
 ## Configuration Example

 ```yaml tab="Docker & Swarm"
--- a/docs/content/migrate/v1-to-v2.md
+++ b/docs/content/migrate/v1-to-v2.md
--- a/docs/content/migrate/v2-to-v3-details.md
+++ b/docs/content/migrate/v2-to-v3-details.md
@@ -5,7 +5,7 @@ description: "Configuration changes and their details to successfully migrate fr

 # Configuration Details for Migrating from Traefik v2 to v3

-## Static Configuration Changes
+## Install Configuration Changes

 ### SwarmMode

@@ -135,7 +135,7 @@ It is now unsupported and would prevent Traefik to start.
 ##### Remediation

 The `http3` option should be removed from the static configuration experimental section.
-To configure `http3`, please checkout the [entrypoint configuration documentation](../routing/entrypoints.md#http3_1).
+To configure `http3`, please checkout the [entrypoint configuration documentation](../reference/install-configuration/entrypoints.md#http3).

 ### Consul provider

@@ -619,7 +619,7 @@ Please take a look at the observability documentation for more information:
 In v3, the `ServiceURL` field is not an object anymore but a string representation.
 An update may be required if you index access logs.

-## Dynamic Configuration Changes
+## Routing Configuration Changes

 ### Router Rule Matchers

@@ -730,7 +730,7 @@ In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing

 ### TCP LoadBalancer `terminationDelay` option

-The TCP LoadBalancer `terminationDelay` option has been removed.
+The TCP LoadBalancer `terminationDelay` option has been deprecated.
 This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)

 ### Kubernetes CRDs API Group `traefik.containo.us`
--- a/docs/content/migrate/v2-to-v3.md
+++ b/docs/content/migrate/v2-to-v3.md
@@ -11,7 +11,7 @@ How to Migrate from Traefik v2 to Traefik v3.
 !!! success "Streamlined Migration Process"
    Traefik v3 introduces minimal breaking changes and maintains backward compatibility with v2 syntax in dynamic configuration, offering a gradual migration path.

-With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.
+With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#install-configuration-changes "Link to install configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.

 ## Migration Overview

@@ -33,7 +33,7 @@ The migration process consists of three progressive steps designed to minimize r

 **Review and Update Static Configuration**

-Check the changes in [static configurations](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3. Modify your configurations accordingly.
+Check the changes in [static configurations](./v2-to-v3-details.md#install-configuration-changes "Link to install configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3. Modify your configurations accordingly.

 **Enable v2 Compatibility Mode**

@@ -110,13 +110,13 @@ We strongly advise you to follow a progressive migration strategy ([Kubernetes r
 ## Step 3: Progressively Migrate Dynamic Configuration

 !!! info "Optional Immediate Step"
-    This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes"). Enable Traefik logs to get some help if any deprecated option is in use.
+    This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes"). Enable Traefik logs to get some help if any deprecated option is in use.

 ### Migration Process

 **Review Dynamic Configuration Changes**

-Check the changes in [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes") to understand what updates are needed.
+Check the changes in [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes") to understand what updates are needed.

 **Progressive Router Migration**

--- a/docs/content/migrate/v2.md
+++ b/docs/content/migrate/v2.md
@@ -1,719 +1,11 @@
 ---
-title: "Traefik Migration Documentation"
+title: "Traefik V2 Migration Documentation"
 description: "Learn the steps needed to migrate to new Traefik Proxy v2 versions, i.e. v2.0 to v2.1 or v2.1 to v2.2. Read the technical documentation."
 ---

-# Migration: Steps needed between the versions
+# Migration: Steps needed between the v2 versions

-## v2.0 to v2.1
+The multiple minor versions of Traefik v2 introduced a number of changes,
+which may require one to update their configuration when they migrate.

-### Kubernetes CRD
-
-In v2.1, a new Kubernetes CRD called `TraefikService` was added.
-While updating an installation to v2.1,
-one should apply that CRD, and update the existing `ClusterRole` definition to allow Traefik to use that CRD.
-
-To add that CRD and enhance the permissions, the following definitions need to be applied to the cluster.
-
-```yaml tab="TraefikService"
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: traefikservices.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: TraefikService
-    plural: traefikservices
-    singular: traefikservice
-  scope: Namespaced
-```
-
-```yaml tab="ClusterRole"
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: traefik-ingress-controller
-
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - services
-      - endpoints
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - traefik.io
-      - traefik.containo.us
-    resources:
-      - middlewares
-      - middlewaretcps
-      - ingressroutes
-      - traefikservices
-      - ingressroutetcps
-      - ingressrouteudps
-      - tlsoptions
-      - tlsstores
-      - serverstransports
-      - serverstransporttcps
-    verbs:
-      - get
-      - list
-      - watch
-```
-
-After having both resources applied, Traefik will work properly.
-
-## v2.1 to v2.2
-
-### Headers middleware: accessControlAllowOrigin
-
-`accessControlAllowOrigin` is deprecated.
-This field will be removed in future 2.x releases.
-Please configure your allowed origins in `accessControlAllowOriginList` instead.
-
-### Kubernetes CRD
-
-In v2.2, new Kubernetes CRDs called `TLSStore` and `IngressRouteUDP` were added.
-While updating an installation to v2.2,
-one should apply that CRDs, and update the existing `ClusterRole` definition to allow Traefik to use that CRDs.
-
-To add that CRDs and enhance the permissions, the following definitions need to be applied to the cluster.
-
-```yaml tab="TLSStore"
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: tlsstores.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: TLSStore
-    plural: tlsstores
-    singular: tlsstore
-  scope: Namespaced
-
-```
-
-```yaml tab="IngressRouteUDP"
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: ingressrouteudps.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: IngressRouteUDP
-    plural: ingressrouteudps
-    singular: ingressrouteudp
-  scope: Namespaced
-
-```
-
-```yaml tab="ClusterRole"
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: traefik-ingress-controller
-
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - services
-      - endpoints
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - traefik.io
-      - traefik.containo.us
-    resources:
-      - middlewares
-      - middlewaretcps
-      - ingressroutes
-      - traefikservices
-      - ingressroutetcps
-      - ingressrouteudps
-      - tlsoptions
-      - tlsstores
-      - serverstransports
-      - serverstransporttcps
-    verbs:
-      - get
-      - list
-      - watch
-```
-
-After having both resources applied, Traefik will work properly.
-
-### Kubernetes Ingress
-
-To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in the Ingress.
-
-#### Expose an Ingress on 80 and 443
-
-Define the default TLS configuration on the HTTPS entry point.
-
-```yaml tab="Ingress"
-kind: Ingress
-apiVersion: networking.k8s.io/v1beta1
-metadata:
-  name: example
-
-spec:
-  tls:
-  - secretName: my-tls-secret
-
-  rules:
-  - host: example.com
-    http:
-      paths:
-      - path: "/foo"
-        backend:
-          serviceName: example-com
-          servicePort: 80
-```
-
-Entry points definition and enable Ingress provider:
-
-```yaml tab="File (YAML)"
-# Static configuration
-
-entryPoints:
-  web:
-    address: :80
-  websecure:
-    address: :443
-    http:
-      tls: {}
-
-providers:
-  kubernetesIngress: {}
-```
-
-```toml tab="File (TOML)"
-# Static configuration
-
-[entryPoints.web]
-  address = ":80"
-
-[entryPoints.websecure]
-  address = ":443"
-  [entryPoints.websecure.http]
-    [entryPoints.websecure.http.tls]
-
-[providers.kubernetesIngress]
-```
-
-```bash tab="CLI"
-# Static configuration
-
--entryPoints.web.address=:80
--entryPoints.websecure.address=:443
--entryPoints.websecure.http.tls=true
--providers.kubernetesIngress=true
-```
-
-#### Use TLS only on one Ingress
-
-Define the TLS restriction with annotations.
-
-```yaml tab="Ingress"
-kind: Ingress
-apiVersion: networking.k8s.io/v1beta1
-metadata:
-  name: example-tls
-  annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-
-spec:
-  tls:
-  - secretName: my-tls-secret
-
-  rules:
-  - host: example.com
-    http:
-      paths:
-      - path: ""
-        backend:
-          serviceName: example-com
-          servicePort: 80
-```
-
-Entry points definition and enable Ingress provider:
-
-```yaml tab="File (YAML)"
-# Static configuration
-
-entryPoints:
-  web:
-    address: :80
-  websecure:
-    address: :443
-
-providers:
-  kubernetesIngress: {}
-```
-
-```toml tab="File (TOML)"
-# Static configuration
-
-[entryPoints.web]
-  address = ":80"
-
-[entryPoints.websecure]
-  address = ":443"
-
-[providers.kubernetesIngress]
-```
-
-```bash tab="CLI"
-# Static configuration
-
--entryPoints.web.address=:80
--entryPoints.websecure.address=:443
--providers.kubernetesIngress=true
-```
-
-## v2.2.2 to v2.2.5
-
-### InsecureSNI removal
-
-In `v2.2.2` we introduced a new flag (`insecureSNI`) which was available as a global option to disable domain fronting.
-Since `v2.2.5` this global option has been removed, and you should not use it anymore.
-
-### HostSNI rule matcher removal
-
-In `v2.2.2` we introduced a new rule matcher (`HostSNI`) for HTTP routers which was allowing to match the Server Name Indication at the router level.
-Since `v2.2.5` this rule has been removed for HTTP routers, and you should not use it anymore.
-
-## v2.2 to v2.3
-
-### X.509 CommonName Deprecation
-
-The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present, is now disabled by default.
-
-It means that if one is using https with your backend servers, and a certificate with only a CommonName,
-Traefik will not try to match the server name indication with the CommonName anymore.
-
-It can be temporarily re-enabled by adding the value `x509ignoreCN=0` to the `GODEBUG` environment variable.
-
-More information: https://golang.org/doc/go1.15#commonname
-
-### File Provider
-
-The file parser has been changed, since v2.3 the unknown options/fields in a dynamic configuration file are treated as errors.
-
-### IngressClass
-
-In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced.
-In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated.
-
-## v2.3 to v2.4
-
-### ServersTransport
-
-In `v2.4.0`, the support of `ServersTransport` has been introduced.
-It is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) definitions.
-
-## v2.4.7 to v2.4.8
-
-### Non-ASCII Domain Names
-
-In `v2.4.8`, we introduced a new check on domain names used in HTTP router rule `Host` and `HostRegexp` expressions,
-and in TCP router rule `HostSNI` expression.
-This check ensures that provided domain names don't contain non-ASCII characters.
-If not, an error is raised, and the associated router will be shown as invalid in the dashboard.
-
-This new behavior is intended to show what was failing silently previously and to help troubleshooting configuration issues.
-It doesn't change the support for non-ASCII domain names in routers rules, which is not part of the Traefik feature set so far.
-
-In order to use non-ASCII domain names in a router's rule, one should use the Punycode form of the domain name.
-For more information, please read the [HTTP routers rule](../routing/routers/index.md#rule) part or [TCP router rules](../routing/routers/index.md#rule_1) part of the documentation.
-
-## v2.4.8 to v2.4.9
-
-### Tracing Span
-
-In `v2.4.9`, we changed span error to log only server errors (>= 500).
-
-## v2.4.9 to v2.4.10
-
-### K8S CrossNamespace
-
-In `v2.4.10`, the default value for `allowCrossNamespace` has been changed to `false`.
-
-### K8S ExternalName Service
-
-In `v2.4.10`, by default, it is no longer authorized to reference Kubernetes ExternalName services.
-To allow it, the `allowExternalNameServices` option should be set to `true`.
-
-## v2.4 to v2.5
-
-### Kubernetes CRD
-
-In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`.
-As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema.
-
-After deploying the new [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions), the resources will be validated only on creation or update.
-
-Please note that the unknown fields will not be pruned when migrating from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1` CRDs.
-For more details check out the official [documentation](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema).
-
-### Kubernetes Ingress
-
-Traefik v2.5 moves forward for the Ingress provider to support Kubernetes v1.22.
-
-Traefik now supports only v1.14+ Kubernetes clusters, which means the support of `extensions/v1beta1` API Version ingresses has been dropped.
-
-The `extensions/v1beta1` API Version should now be replaced either by `networking.k8s.io/v1beta1` or by `networking.k8s.io/v1` (as of Kubernetes v1.19+).
-
-The support of the `networking.k8s.io/v1beta1` API Version will stop in Kubernetes v1.22.
-
-### Headers middleware: ssl redirect options
-
-`sslRedirect`, `sslTemporaryRedirect`, `sslHost` and `sslForceHost` are deprecated in Traefik v2.5.
-
-For simple HTTP to HTTPS redirection, you may use [EntryPoints redirections](../routing/entrypoints.md#redirection).
-
-For more advanced use cases, you can use either the [RedirectScheme middleware](../middlewares/http/redirectscheme.md) or the [RedirectRegex middleware](../middlewares/http/redirectregex.md).
-
-### Headers middleware: accessControlAllowOrigin
-
-`accessControlAllowOrigin` is no longer supported in Traefik v2.5.
-
-### X.509 CommonName Deprecation Bis
-
-Following up on the deprecation started [previously](#x509-commonname-deprecation),
-as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
-the legacy behavior related to the CommonName field cannot be enabled at all anymore.
-
-## v2.5.3 to v2.5.4
-
-### Errors middleware
-
-In `v2.5.4`, when the errors service is configured with the [`PassHostHeader`](../routing/services/index.md#pass-host-header) option to `true` (default),
-the forwarded Host header value is now set to the client request Host value and not `0.0.0.0`.
-Check out the [Errors middleware](../middlewares/http/errorpages.md#service) documentation for more details.
-
-## v2.5 to v2.6
-
-### HTTP/3
-
-Traefik v2.6 introduces the `AdvertisedPort` option,
-which allows advertising, in the `Alt-Svc` header, a UDP port different from the one on which Traefik is actually listening (the EntryPoint's port).
-By doing so, it introduces a new configuration structure `http3`, which replaces the `enableHTTP3` option (which therefore doesn't exist anymore).
-To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](../routing/entrypoints.md#http3) documentation.
-
-### Kubernetes Gateway API Provider
-
-In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/) of the specification and 
-[route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
-Therefore, the RBAC and CRD definitions must be updated.
-
-## v2.6.0 to v2.6.1
-
-### Metrics
-
-In `v2.6.1`, the metrics system does not support any more custom HTTP method verbs to prevent potential metrics cardinality overhead.
-In consequence, for metrics having the method label,
-if the HTTP method verb of a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
-or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
-the value for the method label becomes `EXTENSION_METHOD`, instead of the request's one.
-
-### Tracing
-
-In `v2.6.1`, the Datadog tags added to a span changed from `service.name` to `traefik.service.name` and from `router.name` to `traefik.router.name`.
-
-## v2.8
-
-### TLS client authentication
-
-In `v2.8`, the `caOptional` option is deprecated as TLS client authentication is a server side option.
-This option available in the ForwardAuth middleware, as well as in the HTTP, Consul, Etcd, Redis, ZooKeeper, Marathon, Consul Catalog, and Docker providers has no effect and must not be used anymore.
-
-### Consul Enterprise Namespaces
-
-In `v2.8`, the `namespace` option of Consul and Consul Catalog providers is deprecated, please use the `namespaces` options instead.
-
-### Traefik Pilot
-
-In `v2.8`, the `pilot.token` and `pilot.dashboard` options are deprecated.
-Please check our Blog for migration instructions later this year.
-
-## v2.8.2
-
-Since `v2.5.0`, the `PreferServerCipherSuites` is [deprecated and ignored](https://tip.golang.org/doc/go1.17#crypto/tls) by Go,
-in `v2.8.2` the `preferServerCipherSuites` option is also deprecated and ignored in Traefik.
-
-In `v2.8.2`, Traefik now reject certificates signed with the SHA-1 hash function. ([details](https://tip.golang.org/doc/go1.18#sha1))
-
-## v2.9
-
-### Traefik Pilot
-
-In `v2.9`, Traefik Pilot support has been removed.
-
-## v2.10
-
-### Nomad Namespace
-
-In `v2.10`, the `namespace` option of the Nomad provider is deprecated, please use the `namespaces` options instead.
-
-### Kubernetes CRDs
-
-In `v2.10`, the Kubernetes CRDs API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
-
-As the Kubernetes CRD provider still works with both API Versions (`traefik.io/v1alpha1` and `traefik.containo.us/v1alpha1`),
-it means that for the same kind, namespace and name, the provider will only keep the `traefik.io/v1alpha1` resource.
-
-In addition, the Kubernetes CRDs API Version `traefik.containo.us/v1alpha1` will not be supported in Traefik v3 itself.
-
-Please note that it is a requirement to update the CRDs and the RBAC in the cluster before upgrading Traefik.
-To do so, please apply the required [CRDs](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml) and [RBAC](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml) manifests for v2.10:
-
-```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-### Traefik Hub
-
-In `v2.10`, Traefik Hub configuration has been removed because Traefik Hub v2 doesn't require this configuration.
-
-## v2.11
-
-### IPWhiteList (HTTP)
-
-In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowList](../middlewares/http/ipallowlist.md) middleware instead.
-
-### IPWhiteList (TCP)
-
-In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowList](../middlewares/tcp/ipallowlist.md) middleware instead.
-
-### TLS CipherSuites
-
-> By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes.
-> This change can be reverted with the `tlsrsakex=1 GODEBUG` setting.
-> (https://go.dev/doc/go1.22#crypto/tls)
-
-The _RSA key exchange_ cipher suites are way less secure than the modern ECDHE cipher suites and exposes to potential vulnerabilities like [the Marvin Attack](https://people.redhat.com/~hkario/marvin).
-Decision has been made to support ECDHE cipher suites only by default.
-
-The following ciphers have been removed from the default list:
-
- `TLS_RSA_WITH_AES_128_CBC_SHA`
- `TLS_RSA_WITH_AES_256_CBC_SHA`
- `TLS_RSA_WITH_AES_128_GCM_SHA256`
- `TLS_RSA_WITH_AES_256_GCM_SHA384`
-
-To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.
-
-### Minimum TLS Version
-
-> By default, the minimum version offered by `crypto/tls` servers is now TLS 1.2 if not specified with config.MinimumVersion,
-> matching the behavior of crypto/tls clients.
-> This change can be reverted with the `tls10server=1 GODEBUG` setting.
-> (https://go.dev/doc/go1.22#crypto/tls)
-
-To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.
-
-## v2.11.1
-
-### Maximum Router Priority Value
-
-Before v2.11.1, the maximum user-defined router priority value is:
-
- `MaxInt32` for 32-bit platforms,
- `MaxInt64` for 64-bit platforms.
-
-Please check out the [go documentation](https://pkg.go.dev/math#pkg-constants) for more information.
-
-In v2.11.1, Traefik reserves a range of priorities for its internal routers and now, 
-the maximum user-defined router priority value is:
-
- `(MaxInt32 - 1000)` for 32-bit platforms,
- `(MaxInt64 - 1000)` for 64-bit platforms.
-
-### EntryPoint.Transport.RespondingTimeouts.<Timeout>
-
-Starting with `v2.11.1` the following timeout options are deprecated:
-
- `<entryPoint>.transport.respondingTimeouts.readTimeout`
- `<entryPoint>.transport.respondingTimeouts.writeTimeout`
- `<entryPoint>.transport.respondingTimeouts.idleTimeout`
-
-They have been replaced by:
-
- `<entryPoint>.transport.respondingTimeouts.http.readTimeout`
- `<entryPoint>.transport.respondingTimeouts.http.writeTimeout`
- `<entryPoint>.transport.respondingTimeouts.http.idleTimeout`
-
-### EntryPoint.Transport.RespondingTimeouts.TCP.LingeringTimeout
-
-Starting with `v2.11.1` a new `lingeringTimeout` entryPoints option has been introduced, with a default value of 2s.
-
-The lingering timeout defines the maximum duration between each TCP read operation on the connection.
-As a layer 4 timeout, it applies during HTTP handling but respects the configured HTTP server `readTimeout`.
-
-This change avoids Traefik instances with the default configuration hanging while waiting for bytes to be read on the connection.
-
-We suggest to adapt this value accordingly to your situation.
-The new default value is purposely narrowed and can close the connection too early.
-
-Increasing the `lingeringTimeout` value could be the solution notably if you are dealing with the following errors:
-
- TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
- HTTP: `'499 Client Closed Request' caused by: context canceled`
- HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
-
-## v2.11.2
-
-### LingeringTimeout
-
-Starting with `v2.11.2` the `<entrypoint>.transport.respondingTimeouts.tcp.lingeringTimeout` introduced in `v2.11.1` has been removed.
-
-### RespondingTimeouts.TCP and RespondingTimeouts.HTTP
-
-Starting with `v2.11.2` the `respondingTimeouts.tcp` and `respondingTimeouts.http` sections introduced in `v2.11.1` have been removed.
-To configure the responding timeouts, please use the [`respondingTimeouts`](../routing/entrypoints.md#respondingtimeouts) section.  
-
-### EntryPoint.Transport.RespondingTimeouts.ReadTimeout
-
-Starting with `v2.11.2` the entryPoints [`readTimeout`](../routing/entrypoints.md#respondingtimeouts) option default value changed to 60 seconds.
-
-For HTTP, this option defines the maximum duration for reading the entire request, including the body.
-For TCP, this option defines the maximum duration for the first bytes to be read on the connection.
-
-The default value was previously set to zero, which means no timeout.
-
-This change has been done to avoid Traefik instances with the default configuration to be hanging forever while waiting for bytes to be read on the connection.
-
-Increasing the `readTimeout` value could be the solution notably if you are dealing with the following errors:
-
- TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
- HTTP: `'499 Client Closed Request' caused by: context canceled`
- HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
-
-## v2.11.3
-
-### Connection headers
-
-In `v2.11.3`, the handling of the request Connection headers directives has changed to prevent any abuse.
-Before, Traefik removed any header listed in the Connection header just before forwarding the request to the backends.
-Now, Traefik removes the headers listed in the Connection header as soon as the request is handled.
-As a consequence, middlewares do not have access to those Connection headers,
-and a new option has been introduced to specify which ones could go through the middleware chain before being removed: `<entrypoint>.forwardedHeaders.connection`.
-
-Please check out the [entrypoint forwarded headers connection option configuration](../routing/entrypoints.md#forwarded-headers) documentation.
-
-## v2.11.14
-
-### X-Forwarded-Prefix
-
-In `v2.11.14`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
-Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
-
-## v2.11.24
-
-### Request Path Sanitization
-
-Since `v2.11.24`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
-Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
-
-If you want to disable this behavior, you can set the [`sanitizePath` option](../routing/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
-This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
-For example, as base64 uses the “/” character internally,
-if it's not url encoded,
-it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
-
-!!! warning "Security"
-
-    Setting the `sanitizePath` option to `false` is not safe.
-    Ensure every request is properly url encoded instead.
-
-## v2.11.25
-
-### Request Path Normalization
-
-Since `v2.11.25`, the request path is now normalized by decoding unreserved characters in the request path,
-and also uppercasing the percent-encoded characters.
-This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2),
-and [RFC 3986 case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1).
-
-The normalization happens before the request path is sanitized,
-and cannot be disabled.
-This notably helps with encoded dots characters (which are unreserved characters) to be sanitized properly.
-
-### Routing Path
-
-Since `v2.11.25`, the reserved characters [(as per RFC 3986)](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) are kept encoded in the request path when matching the router rules.
-Those characters, when decoded, change the meaning of the request path for routing purposes,
-and Traefik now keeps them encoded to avoid any ambiguity.
-
-### Request Path Matching Examples
-
-| Request Path      | Router Rule            | Traefik v2.11.24 | Traefik v2.11.25 |
-|-------------------|------------------------|------------------|------------------|
-| `/foo%2Fbar`      | PathPrefix(`/foo/bar`) | Match            | No match         |
-| `/foo/../bar`     | PathPrefix(`/foo`)     | No match         | No match         |
-| `/foo/../bar`     | PathPrefix(`/bar`)     | Match            | Match            |
-| `/foo/%2E%2E/bar` | PathPrefix(`/foo`)     | Match            | No match         |
-| `/foo/%2E%2E/bar` | PathPrefix(`/bar`)     | No match         | Match            |
-
-## v2.11.28
-
-### MultiPath TCP
-
-Since `v2.11.28`, the MultiPath TCP support introduced with `v2.11.26` has been removed.
-It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message:
-
- `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported`
-
-However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).
+For more information about the changes between Traefik v2 minor versions, please refer to the [v2 documentation](https://doc.traefik.io/traefik/v2.11/migration/v2/).
--- a/docs/content/migrate/v3.md
+++ b/docs/content/migrate/v3.md
@@ -113,9 +113,9 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/con

 **Updated Resources:**

- [TraefikService](../../routing/services#mirroring-service) ([PR #11032](https://github.com/traefik/traefik/pull/11032))
- [RateLimit](../../middlewares/http/ratelimit) & [InFlightReq](../../middlewares/http/inflightreq) middlewares ([PR #9747](https://github.com/traefik/traefik/pull/9747))
- [Compress](../../middlewares/http/compress) middleware ([PR #10943](https://github.com/traefik/traefik/pull/10943))
+- [TraefikService](../routing/services/index.md#mirroring-service) ([PR #11032](https://github.com/traefik/traefik/pull/11032))
+- [RateLimit](../middlewares/http/ratelimit.md) & [InFlightReq](../middlewares/http/inflightreq.md) middlewares ([PR #9747](https://github.com/traefik/traefik/pull/9747))
+- [Compress](../middlewares/http/compress.md) middleware ([PR #10943](https://github.com/traefik/traefik/pull/10943))

 ### Kubernetes Gateway Provider Standard Channel

@@ -189,7 +189,7 @@ the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added

 ## v3.2.1

-### X-Forwarded-Prefix Header Changes
+### `X-Forwarded-Prefix` Header Changes

 In v3.2.1, the `X-Forwarded-Prefix` header is now handled like other `X-Forwarded-*` headers - Traefik removes it when sent from untrusted sources.

@@ -326,7 +326,7 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/con
 !!! warning "Deprecation"
    The `RoundRobin` strategy is deprecated but still supported (equivalent to `wrr`). It will be removed in the next major release.

-Refer to the [HTTP Services Load Balancing documentation](../../routing/services/#load-balancing-strategy) for detailed information.
+Refer to the [HTTP Services Load Balancing documentation](../routing/services/index.md#load-balancing-strategy) for detailed information.

 #### ServersTransport CA Certificate Configuration

@@ -413,10 +413,86 @@ Reserved characters change the meaning of request paths when decoded. Keeping th

 The following table illustrates how path matching behavior has changed:

-| Request Path      | Router Rule            | Traefik v3.4.0 | Traefik v3.4.1 | Explanation |
-|-------------------|------------------------|----------------|----------------|-------------|
-| `/foo%2Fbar`      | ```PathPrefix(`/foo/bar`)``` | Match          | No match       | `%2F` (/) stays encoded, preventing false matches |
-| `/foo/../bar`     | ```PathPrefix(`/foo`)```     | No match       | No match       | Path traversal is sanitized away |
-| `/foo/../bar`     | ```PathPrefix(`/bar`)```     | Match          | Match          | Resolves to `/bar` after sanitization |
-| `/foo/%2E%2E/bar` | ```PathPrefix(`/foo`)```     | Match          | No match       | Encoded dots normalized then sanitized |
+| Request Path      | Router Rule                  | Traefik v3.4.0 | Traefik v3.4.1 | Explanation                                           |
+|-------------------|------------------------------|----------------|----------------|-------------------------------------------------------|
+| `/foo%2Fbar`      | ```PathPrefix(`/foo/bar`)``` | Match          | No match       | `%2F` (/) stays encoded, preventing false matches     |
+| `/foo/../bar`     | ```PathPrefix(`/foo`)```     | No match       | No match       | Path traversal is sanitized away                      |
+| `/foo/../bar`     | ```PathPrefix(`/bar`)```     | Match          | Match          | Resolves to `/bar` after sanitization                 |
+| `/foo/%2E%2E/bar` | ```PathPrefix(`/foo`)```     | Match          | No match       | Encoded dots normalized then sanitized                |
 | `/foo/%2E%2E/bar` | ```PathPrefix(`/bar`)```     | No match       | Match          | Resolves to `/bar` after normalization + sanitization |
+
+## v3.4.5
+
+### MultiPath TCP
+
+Since `v3.4.5`, the MultiPath TCP support introduced with `v3.4.2` has been removed.
+It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message:
+
+- `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported`
+
+However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).
+
+## v3.5.0
+
+### Observability
+
+#### TraceVerbosity on Routers and Entrypoints
+
+Starting with `v3.5.0`, a new `traceVerbosity` option is available for both entrypoints and routers.
+This option allows you to control the level of detail for tracing spans.
+Routers can override the value inherited from their entrypoint.
+
+**Impact:**
+
+- If you rely on tracing, review your configuration to explicitly set the desired verbosity level.
+- Existing configurations will default to `minimal` unless overridden, which will result in fewer spans being generated than before.
+
+Possible values are:
+
+- `minimal`: produces a single server span and one client span for each request processed by a router.
+- `detailed`: enables the creation of additional spans for each middleware executed for each request processed by a router.
+
+See the updated documentation for [entrypoints](../reference/install-configuration/entrypoints.md) and [dynamic routers](../reference/routing-configuration/http/routing/observability.md#traceverbosity).
+
+#### K8s Resource Attributes
+
+Since `v3.5.0`, the semconv attributes `k8s.pod.name` and `k8s.pod.uid` are injected automatically in OTel resource attributes when OTel tracing/logs/metrics are enabled.
+
+For that purpose, the following right has to be added to the Traefik Kubernetes RBACs:
+
+```yaml
+  ...
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  ...
+```
+
+---
+
+## v3.5.2
+
+### Deprecation of ProxyProtocol option
+
+Starting with `v3.5.2`, the `proxyProtocol` option for TCP LoadBalancer is deprecated.
+This option can now be configured at the `TCPServersTransport` level, please check out the [documentation](../reference/routing-configuration/tcp/serverstransport.md) for more details.
+
+#### Kubernetes CRD Provider
+
+To use the new `proxyprotocol` option in the Kubernetes CRD provider, you need to update your CRDs.
+
+**Apply Updated CRDs:**
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+## v3.5.4
+
+### Certificate Metric Renamed with OpenTelemetry 
+
+Starting with `v3.5.4`, and when using OpenTelemetry, the `traefik_tls_certs_not_after_milliseconds` metric is renamed to `traefik_tls_certs_not_after_seconds`.
+This change aligns the metric name with its real unit precision, which is in seconds. 
--- a/docs/content/migration/v3.md
+++ b/docs/content/migration/v3.md
@@ -1,332 +0,0 @@
---
-title: "Traefik Migration Documentation"
-description: "Learn the steps needed to migrate to new Traefik Proxy v3 versions. Read the technical documentation."
---
-
-# Migration: Steps needed between the versions
-
-## v3.0 to v3.1
-
-### Kubernetes Provider RBACs
-
-Starting with v3.1, the Kubernetes Providers now use the [EndpointSlices API](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) (Kubernetes >=v1.21) to discover service endpoint addresses.
-It also brings NodePort load-balancing which requires Nodes resources lookup.
-
-Therefore, in the corresponding RBACs (see [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example), [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac), and [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs):
-
- the `endpoints` right has to be removed and the following `endpointslices` right has to be added:
-
-```yaml
-  ... 
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - list
-      - watch
-  ...
-```
-
- the `nodes` right has to be added:
-
-```yaml
-  ...
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-      - list
-      - watch
-  ...
-```
-
-#### Gateway API: KubernetesGateway Provider
-
-In v3.1, the KubernetesGateway Provider is no longer an experimental feature.
-It can be enabled without the associated `experimental.kubernetesgateway` option, which is now deprecated.
-
-??? example "An example of the experimental `kubernetesgateway` option"
-
-    ```yaml tab="File (YAML)"
-    experimental:
-      kubernetesgateway: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [experimental]
-        kubernetesgateway=true
-    ```
-
-    ```bash tab="CLI"
-    --experimental.kubernetesgateway=true
-    ```
-
-##### Remediation
-
-The `kubernetesgateway` option should be removed from the experimental section of the static configuration.
-To configure `kubernetesgateway`, please check out the [KubernetesGateway Provider documentation](../providers/kubernetes-gateway.md).
-
-## v3.1.0 to v3.1.1
-
-### IngressClass Lookup
-
-The Kubernetes Ingress provider option `disableIngressClassLookup` has been deprecated in v3.1.1, and will be removed in the next major version.
-Please use the `disableClusterScopeResources` option instead to avoid cluster scope resources discovery (IngressClass, Nodes).
-
-## v3.1 to v3.2
-
-### Kubernetes CRD Provider
-
-Starting with v3.2, the CRDs has been updated on [TraefikService](../../routing/services#mirroring-service) (PR [#11032](https://github.com/traefik/traefik/pull/11032)), on [RateLimit](../../middlewares/http/ratelimit) & [InFlightReq](../../middlewares/http/inflightreq) middlewares (PR [#9747](https://github.com/traefik/traefik/pull/9747)) and on [Compress](../../middlewares/http/compress) middleware (PR [#10943](https://github.com/traefik/traefik/pull/10943)).
-
-This update adds only new optional fields.
-CRDs can be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-### Kubernetes Gateway Provider Standard Channel
-
-Starting with v3.2, the Kubernetes Gateway Provider now supports [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/).
-
-Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
-the `grcroutes` and `grpcroutes/status` rights have to be added.
-
-```yaml
-  ...
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - grpcroutes
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - grpcroutes/status
-    verbs:
-      - update
-  ...
-```
-
-### Kubernetes Gateway Provider Experimental Channel
-
-!!! warning "Breaking changes"
-
-    Because of a breaking change introduced in Kubernetes Gateway [v1.2.0-rc1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0-rc1),
-    Traefik v3.3 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
-
-Starting with v3.2, the Kubernetes Gateway Provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/).
-
-Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
-the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added.
-
-```yaml
-  ...
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - backendtlspolicies
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - backendtlspolicies/status
-    verbs:
-      - update
-  ...
-```
-
-## v3.2.1
-
-### X-Forwarded-Prefix
-
-In `v3.2.1`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
-Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
-
-## v3.2.2
-
-### Swarm Provider
-
-In `v3.2.2`, the `traefik.docker.network` and `traefik.docker.lbswarm` labels have been deprecated,
-please use the `traefik.swarm.network` and `traefik.swarm.lbswarm` labels instead.
-
-## v3.2 to v3.3
-
-### ACME DNS Certificate Resolver
-
-In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated, 
-please use respectively `acme.dnsChallenge.propagation.delayBeforeChecks` and `acme.dnsChallenge.propagation.disableChecks` options instead.
-
-### Tracing Global Attributes
-
-In `v3.3`, the `tracing.globalAttributes` option has been deprecated, please use the `tracing.resourceAttributes` option instead.
-The `tracing.globalAttributes` option is misleading as its name does not reflect the operation of adding resource attributes to be sent to the collector,
-and will be removed in the next major version.
-
-## v3.3.4
-
-### OpenTelemetry Request Duration metric
-
-In `v3.3.4`, the OpenTelemetry Request Duration metric (named `traefik_(entrypoint|router|service)_request_duration_seconds`) unit has been changed from milliseconds to seconds.
-To be consistent with the naming and other metrics providers, the metric now reports the duration in seconds.
-
-## v3.3.5
-
-### Compress Middleware
-
-In `v3.3.5`, the compress middleware `encodings` option default value is now `gzip, br, zstd`. 
-This change helps the algorithm selection to favor the `gzip` algorithm over the other algorithms.
-
-It impacts requests that do not specify their preferred algorithm,
-or has no order preference, in the `Accept-Encoding` header.
-
-## v3.3.6
-
-### Request Path Sanitization
-
-Since `v3.3.6`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
-Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
-
-If you want to disable this behavior, you can set the [`sanitizePath` option](../reference/install-configuration/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
-This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
-For example, as base64 uses the “/” character internally,
-if it's not url encoded,
-it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
-
-!!! warning "Security"
-
-    Setting the `sanitizePath` option to `false` is not safe.
-    Ensure every request is properly url encoded instead.
-
-## v3.3 to v3.4
-
-### Kubernetes CRD Provider
-
-#### Load-Balancing
-
-In `v3.4`, the HTTP service definition has been updated.
-The strategy field now supports two new values: `wrr` and `p2c` (please refer to the [HTTP Services Load Balancing documentation](../../routing/services/#load-balancing-strategy) for more details).
-
-CRDs can be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-Please note that the `RoundRobin` strategy value is now deprecated, but still supported and equivalent to `wrr`, and will be removed in the next major release.
-
-#### ServersTransport CA Certificate
-
-In `v3.4`, a new `rootCAs` option has been added to the `ServersTransport` and `ServersTransportTCP` CRDs.
-It allows the configuration of CA certificates from both `ConfigMaps` and `Secrets`,
-and replaces the `rootCAsSecrets` option, as shown below:
-
-CRDs can be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-RBACs need to be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
-```
-
-```yaml
---
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: foo
-  namespace: bar
-spec:
-  rootCAs:
-    - configMap: ca-config-map
-    - secret: ca-secret
-      
---      
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransportTCP
-metadata:
-  name: foo
-  namespace: bar
-spec:
-  rootCAs:
-    - configMap: ca-config-map
-    - secret: ca-secret
-```
-
-The `rootCAsSecrets` option, which allows only `Secrets` references,
-is still supported, but is now deprecated,
-and will be removed in the next major release.
-
-### Rule Syntax
-
-In `v3.4.0`, the `core.defaultRuleSyntax` static configuration option and the `ruleSyntax` router option have been deprecated,
-and will be removed in the next major version.
-
-This `core.defaultRuleSyntax` option was used to switch between the v2 and v3 syntax for the router's rules,
-and to help with the migration from v2 to v3.
-
-The `ruleSyntax` router's option was used to override the default rule syntax for a specific router.
-
-In preparation for the next major release, please remove any use of these two options and use the v3 syntax for writing the router's rules.
-
-## v3.4.1
-
-### Request Path Normalization
-
-Since `v3.4.1`, the request path is now normalized by decoding unreserved characters in the request path,
-and also uppercasing the percent-encoded characters.
-This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2),
-and [RFC 3986 case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1).
-
-The normalization happens before the request path is sanitized,
-and cannot be disabled.
-This notably helps with encoded dots characters (which are unreserved characters) to be sanitized properly.
-
-### Routing Path
-
-Since `v3.4.1`, the reserved characters [(as per RFC 3986)](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) are kept encoded in the request path when matching the router rules.
-Those characters, when decoded, change the meaning of the request path for routing purposes,
-and Traefik now keeps them encoded to avoid any ambiguity.
-
-### Request Path Matching Examples
-
-| Request Path      | Router Rule            | Traefik v3.4.0 | Traefik v3.4.1 |
-|-------------------|------------------------|----------------|----------------|
-| `/foo%2Fbar`      | PathPrefix(`/foo/bar`) | Match          | No match       |
-| `/foo/../bar`     | PathPrefix(`/foo`)     | No match       | No match       |
-| `/foo/../bar`     | PathPrefix(`/bar`)     | Match          | Match          |
-| `/foo/%2E%2E/bar` | PathPrefix(`/foo`)     | Match          | No match       |
-| `/foo/%2E%2E/bar` | PathPrefix(`/bar`)     | No match       | Match          |
-
-## v3.4.5
-
-### MultiPath TCP
-
-Since `v3.4.5`, the MultiPath TCP support introduced with `v3.4.2` has been removed.
-It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message:
-
- `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported`
-
-However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -69,27 +69,43 @@ accessLog:

 _Optional, Default="common"_

-By default, logs are written using the Common Log Format (CLF).
-To write logs in JSON, use `json` in the `format` option.
-If the given format is unsupported, the default (CLF) is used instead.
+By default, logs are written using the Traefik Common Log Format (CLF).
+The available log formats are:

-!!! info "Common Log Format"
+- `common` - Traefik's extended CLF format (default)
+- `genericCLF` - Generic CLF format compatible with standard log analyzers
+- `json` - JSON format for structured logging

+If the given format is unsupported, the default (`common`) is used instead.
+
+!!! info "Traefik Common Log Format vs Generic CLF"
+
+    **Traefik Common Log Format (`common`):**
    ```html
    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
    ```
+    
+    **Generic CLF Format (`genericCLF`):**
+    ```html
+    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>"
+    ```
+    
+    The `genericCLF` format omits Traefik-specific fields (request count, router name, service URL, and duration) for better compatibility with standard CLF parsers.

 ```yaml tab="File (YAML)"
+# JSON format
 accessLog:
  format: "json"
 ```

 ```toml tab="File (TOML)"
+# JSON format
 [accessLog]
  format = "json"
 ```

 ```bash tab="CLI"
+# JSON format
 --accesslog.format=json
 ```

@@ -290,7 +306,7 @@ Example utilizing Docker Compose:
 ```yaml
 services:
  traefik:
-    image: traefik:v3.4
+    image: traefik:v3.5
    environment:
      - TZ=US/Alaska
    command:
@@ -340,6 +356,54 @@ accesslog:

    The OpenTelemetry Logger exporter will export access logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.

+### `serviceName`
+
+_Optional, Default="traefik"_
+
+Defines the service name resource attribute.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    serviceName: name
+```
+
+```toml tab="File (TOML)"
+[accesslog]
+  [accesslog.otlp]
+    serviceName = "name"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.serviceName=name
+```
+
+### `resourceAttributes`
+
+_Optional, Default=empty_
+
+Defines additional resource attributes to be sent to the collector.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    resourceAttributes:
+      attr1: foo
+      attr2: bar
+```
+
+```toml tab="File (TOML)"
+[accesslog]
+  [accesslog.otlp.resourceAttributes]
+    attr1 = "foo"
+    attr2 = "bar"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.resourceAttributes.attr1=foo
+--accesslog.otlp.resourceAttributes.attr2=bar
+```
+
 ### HTTP configuration

 _Optional_
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@@ -20,6 +20,7 @@ Traefik logs concern everything that happens to Traefik itself (startup, configu

 By default, the logs are written to the standard output.
 You can configure a file path instead using the `filePath` option.
+When `filePath` is specified, Traefik will write logs only to that file (not to standard output).

 ```yaml tab="File (YAML)"
 # Writing Logs to a File
@@ -219,6 +220,54 @@ log:

    The OpenTelemetry Logger exporter will export logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.

+### `serviceName`
+
+_Optional, Default="traefik"_
+
+Defines the service name resource attribute.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    serviceName: name
+```
+
+```toml tab="File (TOML)"
+[log]
+  [log.otlp]
+    serviceName = "name"
+```
+
+```bash tab="CLI"
+--log.otlp.serviceName=name
+```
+
+### `resourceAttributes`
+
+_Optional, Default=empty_
+
+Defines additional resource attributes to be sent to the collector.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    resourceAttributes:
+      attr1: foo
+      attr2: bar
+```
+
+```toml tab="File (TOML)"
+[log]
+  [log.otlp.resourceAttributes]
+    attr1 = "foo"
+    attr2 = "bar"
+```
+
+```bash tab="CLI"
+--log.otlp.resourceAttributes.attr1=foo
+--log.otlp.resourceAttributes.attr2=bar
+```
+
 ### HTTP configuration

 _Optional_
--- a/docs/content/observability/metrics/opentelemetry.md
+++ b/docs/content/observability/metrics/opentelemetry.md
@@ -143,7 +143,7 @@ metrics:

 _Optional, Default="traefik"_

-OTEL service name to use.
+Defines the service name resource attribute.

 ```yaml tab="File (YAML)"
 metrics:
@@ -160,6 +160,31 @@ metrics:
 ```bash tab="CLI"
 --metrics.otlp.serviceName=name
 ```
+#### `resourceAttributes`
+
+_Optional, Default=empty_
+
+Defines additional resource attributes to be sent to the collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    resourceAttributes:
+      attr1: foo
+      attr2: bar
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.resourceAttributes]
+    attr1 = "foo"
+    attr2 = "bar"
+```
+
+```bash tab="CLI"
+--metrics.otlp.resourceAttributes.attr1=foo
+--metrics.otlp.resourceAttributes.attr2=bar
+```

 ### HTTP configuration

--- a/docs/content/observability/tracing/opentelemetry.md
+++ b/docs/content/observability/tracing/opentelemetry.md
@@ -5,7 +5,7 @@ description: "Traefik supports several tracing backends, including OpenTelemetry

 # OpenTelemetry

-Traefik Proxy follows [official OpenTelemetry semantic conventions v1.26.0](https://github.com/open-telemetry/semantic-conventions/blob/v1.26.0/docs/http/http-spans.md).
+Traefik Proxy follows [official OpenTelemetry semantic conventions v1.37.0](https://github.com/open-telemetry/semantic-conventions/blob/v1.37.0/docs/http/http-spans.md).

 To enable the OpenTelemetry tracer:

--- a/docs/content/observe/logs-and-access-logs.md
+++ b/docs/content/observe/logs-and-access-logs.md
@@ -155,8 +155,9 @@ When the `observability` options are not defined on a router, it inherits the be

 Traefik Proxy supports the following log formats:

- Common Log Format (CLF)
- JSON
+- `common` - Traefik's extended CLF format (default)
+- `genericCLF` - Generic CLF format compatible with standard log analyzers
+- `json` - JSON format for structured logging

 ## Access Log Filters

@@ -172,7 +173,7 @@ The available filters are:

 When using the `json` format, you can customize which fields are included in your access logs.

- **Request Fields:** You can choose to `keep`, `drop`, or `redact` any of the standard request fields. A complete list of available fields like `ClientHost`, `RequestMethod`, and `Duration` can be found in the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md#available-fields).
+- **Request Fields:** You can choose to `keep`, `drop`, or `redact` any of the standard request fields. A complete list of available fields like `ClientHost`, `RequestMethod`, and `Duration` can be found in the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md#json-format-fields).
 - **Request Headers:** You can also specify which request headers should be included in the logs, and whether their values should be `kept`, `dropped`, or `redacted`.

 !!! info
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -46,7 +46,7 @@ And then define a routing configuration on Traefik itself with the

 --8<-- "content/operations/include-api-examples.md"

-??? warning "The router's [rule](../../routing/routers#rule) must catch requests for the URI path `/api`"
+??? warning "The router's [rule](../routing/routers/index.md#rule) must catch requests for the URI path `/api`"
    Using an "Host" rule is recommended, by catching all the incoming traffic on this host domain to the API.
    However, you can also use "path prefix" rule or any combination or rules.

@@ -109,7 +109,7 @@ api:
 --api.dashboard=true
 ```

-!!! warning "With Dashboard enabled, the router [rule](../../routing/routers#rule) must catch requests for both `/api` and `/dashboard`"
+!!! warning "With Dashboard enabled, the router [rule](../routing/routers/index.md#rule) must catch requests for both `/api` and `/dashboard`"
    Please check the [Dashboard documentation](./dashboard.md#dashboard-router-rule) to learn more about this and to get examples.

 ### `debug`
--- a/docs/content/operations/cli.md
+++ b/docs/content/operations/cli.md
@@ -31,7 +31,7 @@ traefik [--flag=flag_argument] [-f [flag_argument]]
 traefik [--flag[=true|false| ]] [-f [true|false| ]]
 ```

-All flags are documented in the [(static configuration) CLI reference](../reference/static-configuration/cli.md).
+All flags are documented in the [(static configuration) CLI reference](../reference/install-configuration/configuration-options.md).

 !!! info "Flags are case-insensitive."

--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@@ -11,7 +11,7 @@ See What's Going On
 The dashboard is the central place that shows you the current active routes handled by Traefik.

 <figure>
-    <img src="../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
+    <img src="../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
    <figcaption>The dashboard in action</figcaption>
 </figure>

--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@@ -477,7 +477,7 @@ _Optional, Default=true_
 Expose Consul Catalog services by default in Traefik.
 If set to `false`, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.

-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).

 ```yaml tab="File (YAML)"
 providers:
@@ -672,7 +672,7 @@ providers:
 # ...
 ```

-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).

 ### `namespaces`

--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -163,7 +163,7 @@ See the [Docker API Access](#docker-api-access) section for more information.
    ```yaml
    services:
      traefik:
-         image: traefik:v3.4 # The official v3 Traefik docker image
+         image: traefik:v3.5 # The official v3 Traefik docker image
         ports:
           - "80:80"
         volumes:
@@ -380,7 +380,7 @@ _Optional, Default=true_
 Expose containers by default through Traefik.
 If set to `false`, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.

-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).

 ```yaml tab="File (YAML)"
 providers:
@@ -554,7 +554,7 @@ as well as the usual boolean logic, as shown in examples below.
    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```

-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).

 ```yaml tab="File (YAML)"
 providers:
--- a/docs/content/providers/ecs.md
+++ b/docs/content/providers/ecs.md
@@ -214,7 +214,7 @@ as well as the usual boolean logic, as shown in examples below.
    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```

-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).

 ```yaml tab="File (YAML)"
 providers:
--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@@ -103,7 +103,7 @@ It supports providing configuration through a [single configuration file](#filen

 ## Provider Configuration

-For an overview of all the options that can be set with the file provider, see the [dynamic configuration](../reference/dynamic-configuration/file.md) and [static configuration](../reference/static-configuration/overview.md) references.
+For an overview of all the options that can be set with the file provider, see the [routing configuration](../reference/routing-configuration/other-providers/file.md) and [install configuration](../reference/install-configuration/configuration-options.md) references.

 !!! warning "Limitations"

--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -31,10 +31,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku

    ```bash
    # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
    
    # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
    ```

 ## Resource Configuration
--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@@ -8,11 +8,11 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specification from the Kubernetes Special Interest Groups (SIGs).

-This provider supports Standard version [v1.2.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.1) of the Gateway API specification. 
+This provider supports Standard version [v1.3.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.3.0) of the Gateway API specification. 

 It fully supports all HTTP core and some extended features, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).

-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.2.1/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.3.0/traefik-traefik).

 ## Requirements

@@ -27,14 +27,14 @@ For more details, check out the conformance [report](https://github.com/kubernet

    ```bash
    # Install Gateway API CRDs from the Standard channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml
    ```

 2. Install the additional Traefik RBAC required for Gateway API.

    ```bash
    # Install Traefik RBACs.
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
    ```

 3. Deploy Traefik and enable the `kubernetesGateway` provider in the static configuration as detailed below:
@@ -275,7 +275,7 @@ providers:

    ```bash
    # Install Gateway API CRDs from the Experimental channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/experimental-install.yaml
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml
    ```

 ### `labelselector`
--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -529,9 +529,32 @@ providers:
 --providers.kubernetesingress.nativeLBByDefault=true
 ```

+### `strictPrefixMatching`
+
+_Optional, Default: false_
+
+Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). For example, a PathPrefix of `/foo` will match `/foo`, `/foo/`, and `/foo/bar` but not `/foobar`.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    strictPrefixMatching: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  strictPrefixMatching = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.strictPrefixMatching=true
+```
+
 ### Further

 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.4/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.5/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

 {!traefik-for-business-applications.md!}
--- a/docs/content/providers/nomad.md
+++ b/docs/content/providers/nomad.md
@@ -384,7 +384,7 @@ _Optional, Default=true_
 Expose Nomad services by default in Traefik.
 If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.

-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).

 ```yaml tab="File (YAML)"
 providers:
@@ -504,7 +504,7 @@ providers:
 # ...
 ```

-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).

 ### `namespaces`

--- a/docs/content/providers/swarm.md
+++ b/docs/content/providers/swarm.md
@@ -424,7 +424,7 @@ _Optional, Default=true_
 Expose containers by default through Traefik.
 If set to `false`, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.

-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).

 ```yaml tab="File (YAML)"
 providers:
@@ -621,7 +621,7 @@ as well as the usual boolean logic, as shown in examples below.
    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```

-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).

 ```yaml tab="File (YAML)"
 providers:
--- a/docs/content/reference/dynamic-configuration/consul-catalog.md
+++ b/docs/content/reference/dynamic-configuration/consul-catalog.md
@@ -1,16 +0,0 @@
---
-title: "Traefik Consul Configuration Documentation"
-description: "View the reference for performing dynamic configurations with Traefik Proxy and Consul Catalog. Read the technical documentation."
---
-
-# Consul Catalog Configuration Reference
-
-Dynamic configuration with Consul Catalog
-{: .subtitle }
-
-The labels are case-insensitive.
-
-```yaml
--8<-- "content/reference/dynamic-configuration/consul-catalog.yml"
--8<-- "content/reference/dynamic-configuration/docker-labels.yml"
-```
--- a/docs/content/reference/dynamic-configuration/consul-catalog.yml
+++ b/docs/content/reference/dynamic-configuration/consul-catalog.yml
@@ -1,2 +0,0 @@
- "traefik.enable=true"
- "traefik.consulcatalog.connect=true"
--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@@ -169,6 +169,7 @@
 - "traefik.http.routers.router0.middlewares=foobar, foobar"
 - "traefik.http.routers.router0.observability.accesslogs=true"
 - "traefik.http.routers.router0.observability.metrics=true"
+- "traefik.http.routers.router0.observability.traceverbosity=foobar"
 - "traefik.http.routers.router0.observability.tracing=true"
 - "traefik.http.routers.router0.priority=42"
 - "traefik.http.routers.router0.rule=foobar"
@@ -185,6 +186,7 @@
 - "traefik.http.routers.router1.middlewares=foobar, foobar"
 - "traefik.http.routers.router1.observability.accesslogs=true"
 - "traefik.http.routers.router1.observability.metrics=true"
+- "traefik.http.routers.router1.observability.traceverbosity=foobar"
 - "traefik.http.routers.router1.observability.tracing=true"
 - "traefik.http.routers.router1.priority=42"
 - "traefik.http.routers.router1.rule=foobar"
@@ -209,6 +211,7 @@
 - "traefik.http.services.service02.loadbalancer.healthcheck.scheme=foobar"
 - "traefik.http.services.service02.loadbalancer.healthcheck.status=42"
 - "traefik.http.services.service02.loadbalancer.healthcheck.timeout=42s"
+- "traefik.http.services.service02.loadbalancer.healthcheck.unhealthyinterval=42s"
 - "traefik.http.services.service02.loadbalancer.passhostheader=true"
 - "traefik.http.services.service02.loadbalancer.responseforwarding.flushinterval=42s"
 - "traefik.http.services.service02.loadbalancer.serverstransport=foobar"
--- a/docs/content/reference/dynamic-configuration/docker.md
+++ b/docs/content/reference/dynamic-configuration/docker.md
@@ -1,17 +0,0 @@
---
-title: "Traefik Docker Configuration Documentation"
-description: "Reference dynamic configuration with Docker labels in Traefik Proxy. Read the technical documentation."
---
-
-# Docker Configuration Reference
-
-Dynamic configuration with Docker Labels
-{: .subtitle }
-
-The labels are case-insensitive.
-
-```yaml
-labels:
-  --8<-- "content/reference/dynamic-configuration/docker.yml"
-  --8<-- "content/reference/dynamic-configuration/docker-labels.yml"
-```
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Romain	06f401d472	Prepare release v3.5.4	2025-10-28 11:44:04 +01:00
kevinpollet	3b9eaed9c9	Merge branch v2.11 into v3.5	2025-10-28 09:54:03 +01:00
Romain	998868450f	Prepare release v2.11.30	2025-10-28 09:44:04 +01:00
Daniel Peinhopf	8914057766	Add missing reference docs for statusRewrites in errors middleware	2025-10-27 10:52:04 +01:00
Asaf Mesika	e1b6668a84	Clarify health check requirement for server status metric	2025-10-27 10:34:04 +01:00
Michel Loiseleur	e67fbcc5c2	Add API basePath documentation and fix broken links	2025-10-27 10:20:05 +01:00
Germain Lefebvre	ea3e08ec3b	Fix metric name to metrics.otlp.grpc.insecure	2025-10-27 09:34:04 +01:00
Romain	f3ecfa82bc	Mitigate TestShutdown flakyness	2025-10-23 14:30:05 +02:00
Ludovic Fernandez	5e2b393ceb	Fix Hetzner env var name inside documentation	2025-10-23 11:36:04 +02:00
Romain	0880cc672f	Mitigate TestShutdownUDPConn flakyness	2025-10-23 11:28:04 +02:00
iraj jelodari	822f349fa1	Fix typo in TLS certificate generation description	2025-10-23 09:16:04 +02:00
homersimpsons	6c4dfaa56e	Fix anchors in basic auth configuration options	2025-10-20 16:38:04 +02:00
Ludovic Fernandez	ecf08b91a3	Bump github.com/go-acme/lego/v4 to v4.27.0	2025-10-20 16:22:06 +02:00
Evgenii Domashenkin	b4847d74bc	Do not fail when pod is not found in K8sAttributesDetector	2025-10-20 15:24:05 +02:00
Landry Benguigui	6e0012cb0a	fix: enable stdio logging when otlp is enabled	2025-10-17 16:06:06 +02:00
Landry Benguigui	862116c050	Remove flaky TestReadLoopMaxDataSize	2025-10-17 15:16:10 +02:00
Nicolas Mengin	3a7d331967	Merge TLSOption/TLSStore CRD documentation page	2025-10-17 14:54:04 +02:00
Kevin Pollet	9dfcded534	Bump github.com/kvtools/etcdv3 to v1.0.3	2025-10-16 17:48:04 +02:00
Kevin Pollet	ffd82c92cb	Fix KV key name used to check if connection is alive	2025-10-16 16:50:05 +02:00
romain	f7e59510b4	Merge branch v2.11 into v3.5	2025-10-14 17:15:54 +02:00
Romain	835899f4bc	Replace internal dead links	2025-10-14 16:26:05 +02:00
Kevin Pollet	34d7091f31	Bump github.com/quic-go/quic-go to v0.55.0	2025-10-14 15:48:05 +02:00
Xuetao Li	0ea8cbdfbf	Clarify log.filePath behavior in documentation	2025-10-14 10:18:05 +02:00
Michel Loiseleur	c18ba96f87	Align documentation on default otlp endpoint	2025-10-14 09:26:44 +02:00
Romain	cc1cb77abb	Clean and avoid collisions of anchors in option tables	2025-10-13 11:34:04 +02:00
Kevin Pollet	b04759a80b	Bump golang.org/x/net to v0.46.0	2025-10-10 17:22:04 +02:00
MaBu	b2f9996fa4	Fix markdown rendering for table anchors	2025-10-10 14:16:04 +02:00
Romain	fe730d3ad9	Make the staple updates continuous	2025-10-10 12:10:05 +02:00
shreealt	c948417866	Rename traefik_tls_certs_not_after_milliseconds to traefik_tls_certs_not_after_seconds	2025-10-10 11:10:05 +02:00
GreyXor	b61df559d2	Bump github.com/quic-go/quic-go to v0.55.0	2025-10-10 10:40:45 +02:00
Kevin Pollet	2a3b696d85	Fix provider option descriptions	2025-10-07 14:38:05 +01:00
Romain	5688b1777d	Fix wrong references to router's pages	2025-10-06 15:42:08 +01:00
Kevin Pollet	c61fb89d3f	Use k8s.ResourceEventHandler for Gateway API provider	2025-10-06 07:58:04 +01:00
Michael	c5ed376d5f	fix: otel not working without USER	2025-10-03 13:48:04 +01:00
Martin Saldinger	ad566ee9ef	Fix PreserveRequestMethod casing	2025-10-03 13:10:04 +01:00
Simon A. Eugster	83b28270a4	Fix heading levels and add links	2025-10-03 09:52:04 +01:00
Hannah Kim	8441c476f1	Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.74.6	2025-10-03 09:44:04 +01:00
Ludovic Fernandez	5f415615eb	Bump github.com/go-acme/lego/v4 to v4.26.0	2025-10-03 09:42:04 +01:00
Romain	5dfb832921	Update OpenTelemetry to v1.38.0 and semantic conventions to v1.37.0	2025-10-03 09:04:04 +01:00
Romain	5878238077	Add dedicated pages for routers and fix doc links in CRDs	2025-10-02 16:32:04 +01:00
shreealt	614ba391fa	Fix incorrect addInternals configuration option	2025-10-02 15:54:05 +01:00
Stefan Ortgies	92d06b733c	Fix swam code example	2025-10-02 15:34:04 +01:00
Ryan Bruntz	98121cb081	Fix link for accesslog.fields.names in documentation	2025-10-02 09:00:04 +01:00
Miro Michalicka	52fa989d00	Fix typo in ingressroute.md from pirority to priority	2025-10-02 08:08:04 +01:00
Massimiliano D.	6aaae0e6f7	Fix version display regression	2025-09-30 14:42:04 +01:00
Paweł Czochański	b0a6c40c33	Document rejectStatusCode	2025-09-30 10:28:04 +01:00
Sheddy	7c30752d21	chore: fix incorrect option and lint page	2025-09-29 14:16:08 +01:00
Asger Hautop Drewsen	284d665aa0	docs: Format more HTTP headers as code	2025-09-29 13:50:04 +01:00
Romain	5ab001b55b	Prepare release v3.5.3	2025-09-26 09:46:03 +01:00
Darkangeel_hd	7e3dbc22f7	Fix typo in rules and priority documentation	2025-09-23 08:22:06 +01:00
Sheddy	53df34e070	docs: add govern section	2025-09-22 13:38:05 +01:00
Evgenii Domashenkin	e4f0f7be35	ServersTransport: set minimum MaxIdleConnsPerHost=-1	2025-09-22 10:54:04 +01:00
Massimiliano D.	2580d0f95c	Update hub-button-app to use a local script Co-authored-by: Firespray-31 <147506444+Firespray-31@users.noreply.github.com>	2025-09-22 09:00:44 +01:00
Romain	5df4c270a7	Use client conn to build the proxy protocol header Co-authored-by: Simon Delicata <simon.delicata@free.fr>	2025-09-19 10:36:05 +02:00
Nicolas Mengin	660acf3b42	Create Traefik Service CRD sub-resource documentation page.	2025-09-17 14:56:06 +02:00
Harold Ozouf	fed86bd816	Refactor plugins system	2025-09-16 16:16:07 +02:00
Matteo Bongiovanni	ffd01fc88a	Fix conflict in IngressRouteTCP documentation	2025-09-16 10:50:05 +02:00
Nicolas Mengin	27a820950a	Reorganize the menu entries	2025-09-12 10:02:05 +02:00
Mark Ormesher	f9f825163a	fix config examples in entrypoints.md	2025-09-12 09:44:04 +02:00
Michel Loiseleur	cff924f4fd	Fix broken links in documentation	2025-09-11 14:48:04 +02:00
Sheddy	01bc0a0a0a	Add New Secure Section to the Documentation	2025-09-11 09:44:04 +02:00
Nicolas Mengin	c294b87a45	Add an anchor on the options names.	2025-09-09 17:26:05 +02:00
Romain	0b240ca97a	Prepare release v3.5.2	2025-09-09 12:12:04 +02:00
Dorian Allen	ff848c74f9	Fix customerrors query url replacement	2025-09-09 09:54:04 +02:00
Simon Delicata	e2282b1379	Add GenericCLF log format for access logs	2025-09-08 11:24:05 +02:00
Sheddy	a051f20876	Add redis options to ratelimit middleware & Include distributed rate limit middleware	2025-09-05 11:16:04 +02:00
Sheddy	e96034f494	Fix broken links in KV store documentation	2025-09-04 11:16:04 +02:00
Bilal Budhani	f685b3f258	Fixes typo for Swarm mode in CLI example	2025-09-04 09:22:04 +02:00
Michel Loiseleur	7ab17d228f	Fixes typo for OCSP in CLI example	2025-09-03 10:28:04 +02:00
Baptiste Mayelle	5f28c56437	Restore empty webui/static to use traefik as library	2025-09-01 16:30:09 +02:00
Nicolas Mengin	2023ffe2d3	Fix migration path in documentation	2025-09-01 11:10:05 +02:00
Chris Gatt	cc7f409d46	Fix path for access-logs header config	2025-09-01 10:50:04 +02:00
Vincent Bernat	19ed2346cb	Fix link to HTTP3 section in documentation	2025-09-01 09:25:04 +02:00
Romain	f9fbcfbb42	Send proxy protocol header before TLS handshake Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2025-08-29 12:30:04 +02:00
Romain	30b0666219	Prepare release v3.5.1	2025-08-27 11:05:05 +02:00
romain	3f1b5216f0	Merge branch v2.11 into v3.5	2025-08-27 09:40:51 +02:00
Romain	4ff8eca572	Fix Swarm unit test for the nodeIP property	2025-08-27 09:40:05 +02:00
romain	c2db9db1aa	Merge branch v2.11 into v3.5	2025-08-26 17:35:37 +02:00
Maurus Cuelenaere	90702d93ab	Fix HTTP headers not being canonicalized in tracing	2025-08-26 15:55:05 +02:00
Sheddy	0bf6442c5d	Update Broken Links in the Migration Docs	2025-08-26 15:10:04 +02:00
Romain	1986610363	Prepare release v2.11.29	2025-08-26 14:50:08 +02:00
Nicolas Mengin	09c11532ac	Fix Documentation menu	2025-08-25 20:35:03 +02:00
Nicolas Mengin	1997bc7432	Clean Documentation	2025-08-25 14:35:04 +02:00
Copilot	8ac8473554	Fix missing middleware application for whoami service in docker guide	2025-08-22 17:20:04 +02:00
Alex Waring	fcae39bf13	Follow OTel semantic conventions for root span naming	2025-08-22 16:45:04 +02:00
Nicolas	fd8a64ca95	Errors on receving sigterm	2025-08-22 11:30:09 +02:00
cui	86422af988	Refactor to use reflect.TypeFor	2025-08-21 16:10:07 +02:00
Firespray-31	50f95dd909	Fix documentation to match new gateway-api selector syntax	2025-08-21 15:30:07 +02:00
shreealt	3b33ffa245	Make app protocol case insensitive	2025-08-20 16:00:08 +02:00
Kevin Pollet	5cc2a8344c	Bump github.com/docker/docker to v28.3.3	2025-08-20 15:52:06 +02:00
Michael	fc5359b6f6	Remove Semaphore CI	2025-08-13 10:30:06 +02:00
Michael	c5d448fba9	chore: upgrade actions/checkout to v5	2025-08-13 09:22:04 +02:00
ignyx	c60815ed08	Fix typo in index	2025-08-13 09:20:04 +02:00
Michel Loiseleur	aac3d70fa1	Fix invalid links in documentation	2025-08-12 15:38:05 +02:00
Romain	c450306c5a	Bump to github.com/pires/go-proxyproto v0.8.1	2025-08-11 17:28:04 +02:00
Ludovic Fernandez	c820d18ada	Bump github.com/go-acme/lego/v4 to v4.25.2	2025-08-11 14:44:05 +02:00
Romain	16c536e83a	Restore missing migration section	2025-08-04 16:52:04 +02:00
kevinpollet	1827652258	Merge branch v2.11 into v3.5	2025-08-01 16:42:28 +02:00
Michael	19a2e2efc5	Allow maintainers to run deploy documentation	2025-08-01 12:10:05 +02:00
Massimiliano D.	b350ad7f7c	Update Traefik Proxy dashboard UI development deps	2025-08-01 11:42:05 +02:00
Michel Loiseleur	bcdb70b689	Fix invalid links in documentation	2025-08-01 11:34:05 +02:00
Michele Mancioppi	860159315d	Fix mispelling in docs	2025-07-31 15:48:05 +02:00
romain	a274f52924	Merge branch v3.4 into v3.5	2025-07-29 17:10:28 +02:00
Sheddy	cf1e582af5	Add Traefik Hub Middlewares To Reference Section	2025-07-29 16:02:52 +02:00
Jesper Noordsij	9896192efb	Update releases docs for v3.5	2025-07-29 16:00:06 +02:00
Sheddy	40bdea4db8	chore: add extend documentation	2025-07-24 17:58:04 +02:00
Kevin Pollet	31db97cbe4	Add back the link to Peka's page	2025-07-24 16:06:04 +02:00
Tom Moulard	5d85e6d088	Provide Log Body in OTEL access Log	2025-07-24 11:52:04 +02:00
Ludovic Fernandez	c0edcc09bb	Bump github.com/go-acme/lego/v4 to v4.25.1	2025-07-24 09:54:05 +02:00
Romain	2cbd96e64c	Prepare release v3.5.0	2025-07-23 15:46:04 +02:00
Kevin Pollet	4576155005	Remove dead link to Peka blog	2025-07-23 15:04:08 +02:00
romain	2dcc1c16b7	Merge branch v3.4 into v3.5	2025-07-23 14:38:33 +02:00
bluepuma77	2ed2123fc0	Add constraints key limitations for label providers	2025-07-23 11:40:04 +02:00
Nicolas Mengin	117e0b4471	Add extended NGinX annotation support documentation	2025-07-23 09:30:05 +02:00
Landry Benguigui	028e8ca0b0	Revert 11711 adding url param to healthcheck command	2025-07-22 17:10:05 +02:00
Kevin Pollet	78cc85283c	Add k8s resource attributes automatically Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2025-07-21 12:06:04 +02:00
Kevin Pollet	7b78128d4e	Add resourceAttributes option to OTel metrics Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2025-07-18 17:08:04 +02:00
Romain	8c23eb6833	Introduce trace verbosity config and produce less spans by default	2025-07-18 15:32:05 +02:00
Kevin Pollet	77ef7fe490	Prepare release v3.5.0-rc2	2025-07-11 11:24:04 +02:00
kevinpollet	ff992fb7f9	Merge branch v3.4 into v3.5	2025-07-11 10:29:18 +02:00
Romain	91331415ce	Add missing resource attributes detectors	2025-07-07 15:36:04 +02:00
Romain	9862cd6780	Prepare release v3.5.0-rc1	2025-06-26 16:44:04 +02:00
romain	4af188242c	Merge branch v3.4 into master	2025-06-26 15:39:55 +02:00
romain	c02ec6857f	Merge branch v3.4 into master	2025-06-26 14:12:07 +02:00
romain	2d98795cc5	Merge current branch v3.4 into master	2025-06-25 14:31:25 +02:00
romain	cbfecc5d49	Merge branch v3.4 into master	2025-06-25 11:14:51 +02:00
Nelson Isioma	56a95d6c16	Add url option to healthcheck command	2025-06-24 10:56:09 +02:00
Romain	9bd5c61782	NGINX Ingress Provider Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2025-06-23 18:06:04 +02:00
Alessandro Chitolina	b39ee8ede5	OCSP stapling	2025-06-06 17:44:04 +02:00
Ben	2949995abc	Handle context canceled in ForwardAuth middleware	2025-06-04 15:38:04 +02:00
Zoltán Farkas	bf72b9768c	Introduce X25519MLKEM768 for Post-Quantum-Secure TLS	2025-06-03 11:44:05 +02:00
Daniel Peinhopf	fd5796ac39	Improve visualization for StatusRewrites option of errors middleware	2025-06-03 10:02:04 +02:00
Romain	ce1b13f228	Bump sigs.k8s.io/gateway-api to v1.3.0	2025-06-03 09:20:04 +02:00
kevinpollet	289d6e5dca	Merge branch v3.4 into master	2025-06-02 17:01:46 +02:00
Gina A.	f16fff577a	Migrate Traefik Proxy dashboard UI to React	2025-05-28 11:26:04 +02:00
Charlie Chiang	4790e4910f	Make the behavior of prefix matching in Ingress consistent with Kubernetes doc	2025-05-20 14:40:05 +02:00
mmatur	8c6ed23c5f	Merge branch v3.4 into master	2025-05-14 09:55:58 +02:00
mmatur	c5f7381c80	Merge current v3.4 into master	2025-05-13 09:33:27 +02:00
Tom Wiesing	dddb68cd5f	Allow configuration of ACME provider http timeout	2025-04-28 14:30:06 +02:00
Ryan Melendez	8f37c8f0c5	Ability to enable unsafe in yaegi through plugin manifest	2025-04-25 11:26:04 +02:00
kevinpollet	a092c4f535	Merge branch v3.4 into master	2025-04-18 16:42:34 +02:00
Swastik Sarkar	d7d0017545	Add unhealthy Interval to the health check configuration	2025-04-09 10:10:05 +02:00
Ludovic Fernandez	6c3b099c25	Add acme.httpChallenge.delay option	2025-04-01 17:08:05 +02:00