Prepare release v2.11.35

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>

.github/FUNDING.yml

@@ -1,3 +0,0 @@
-# These are supported funding model platforms
-
-github: traefik

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.
 
 Documentation fixes or enhancements:
 - for Traefik v2: use branch v2.11
-- for Traefik v3: use branch v3.4
+- for Traefik v3: use branch v3.0
 
 Bug fixes:
 - for Traefik v2: use branch v2.11
-- for Traefik v3: use branch v3.4
+- for Traefik v3: use branch v3.0
 
 Enhancements:
 - for Traefik v2: we only accept bug fixes

.github/workflows/build.yaml

@@ -51,7 +51,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/check_doc.yaml

@@ -0,0 +1,63 @@
+name: Check Documentation
+
+on:
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - '.github/workflows/check_doc.yaml'
+      - 'docs/**'
+
+jobs:
+
+  docs:
+    name: lint, build and verify
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Install markdownlint
+        run: |
+          npm install --global markdownlint@0.29.0 markdownlint-cli@0.35.0
+
+      - name: Lint
+        run: ./docs/scripts/lint.sh docs
+
+      - name: Setup python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+          cache-dependency-path: "./docs/requirements.txt"
+
+      - name: Build documentation
+        working-directory: ./docs
+        run: |
+          pip install -r requirements.txt
+          mkdocs build --strict
+
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+
+      - name: Install html-proofer
+        run: |
+          gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
+          gem install html-proofer --version 5.0.10 --no-document -- --use-system-libraries
+        env:
+          NOKOGIRI_USE_SYSTEM_LIBRARIES: "true"
+
+      # Comes from https://github.com/gjtorikian/html-proofer?tab=readme-ov-file#caching-with-continuous-integration
+      - name: Cache HTMLProofer
+        uses: actions/cache@v4
+        with:
+          path: tmp/.htmlproofer
+          key: ${{ runner.os }}-htmlproofer
+
+      - name: Verify
+        run: ./docs/scripts/verify.sh docs/site

.github/workflows/check_doc.yml

@@ -1,25 +0,0 @@
-name: Check Documentation
-
-on:
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-
-  docs:
-    name: Check, verify and build documentation
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Check documentation
-        run: make docs-pull-images docs
-        env:
-          # These variables are not passed to workflows that are triggered by a pull request from a fork.
-          DOCS_VERIFY_SKIP: ${{ vars.DOCS_VERIFY_SKIP }}
-          DOCS_LINT_SKIP: ${{ vars.DOCS_LINT_SKIP }}

.github/workflows/codeql.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     - name: setup go
       uses: actions/setup-go@v5

.github/workflows/documentation.yaml

@@ -1,6 +1,7 @@
 name: Build and Publish Documentation
 
 on:
+  workflow_dispatch: {}
   push:
     branches:
       - master
@@ -19,7 +20,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -39,14 +40,14 @@ jobs:
         run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}
 
       - name: Build documentation
-        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
-        env:
-          STRUCTOR_LATEST_TAG: ${{ vars.STRUCTOR_LATEST_TAG }}
+        run: |
+          STRUCTOR_LATEST_TAG=$(curl -s https://api.github.com/repos/traefik/traefik/releases/latest | jq -r '.tag_name')
+          $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
 
       - name: Apply seo
         run: $HOME/bin/seo -path=./site -product=traefik
 
       - name: Publish documentation
-        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=traefik --src-repo-name=traefik
+        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN_REPO }}

.github/workflows/experimental.yaml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/release.yaml

@@ -10,7 +10,7 @@ env:
   CGO_ENABLED: 0
   VERSION: ${{ github.ref_name }}
   TRAEFIKER_EMAIL: "traefiker@traefik.io"
-  CODENAME: chaource
+  CODENAME: mimolette
 
 jobs:
 
@@ -24,13 +24,13 @@ jobs:
 
     strategy:
       matrix:
-        os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin, windows-amd64, windows-arm64, windows-386, freebsd, openbsd ]
+        os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin-amd64, darwin-arm64, windows-amd64, windows-arm64, windows-386, freebsd-amd64, freebsd-386, openbsd-amd64, openbsd-386, openbsd-riscv64 ]
     needs:
       - build-webui
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -89,7 +89,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -126,13 +126,11 @@ jobs:
           tar cfz "dist/traefik-${VERSION}.src.tar.gz" \
             --exclude-vcs \
             --exclude .idea \
-            --exclude .travis \
-            --exclude .semaphoreci \
             --exclude .github \
             --exclude dist .
           
           chown -R "$(id -u)":"$(id -g)" dist/
-          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION}
+          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION} --latest=false
           
           ./script/deploy.sh
 

.github/workflows/sync-docker-images.yaml

@@ -1,26 +0,0 @@
-name: Sync Docker Images
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 0 * * *" # Run every day
-
-jobs:
-  sync:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      contents: read
-    if: github.repository == 'traefik/traefik'
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: imjasonh/setup-crane@v0.4
-      
-      - name: Sync
-        run: |
-          EXCLUDED_TAGS="1.7.9-alpine v1.0.0-beta.392 v1.0.0-beta.404 v1.0.0-beta.704 v1.0.0-rc1 v1.7.9-alpine"
-          EXCLUDED_REGEX=$(echo $EXCLUDED_TAGS | sed 's/ /|/g')
-          diff <(crane ls traefik) <(crane ls ghcr.io/traefik/traefik) | grep '^<' | awk '{print $2}' | while read -r tag; do [[ "$tag" =~ ^($EXCLUDED_REGEX)$ ]] || (echo "Processing image: traefik:$tag"; crane cp "traefik:$tag" "ghcr.io/traefik/traefik:$tag"); done
-          crane cp traefik:latest ghcr.io/traefik/traefik:latest

.github/workflows/template-webui.yaml

@@ -1,6 +1,8 @@
 name: Build Web UI
 on:
   workflow_call: {}
+env:
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360  # 15 days
 jobs:
 
   build-webui:
@@ -8,7 +10,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -19,10 +21,16 @@ jobs:
           cache: yarn
           cache-dependency-path: webui/yarn.lock
 
+      - name: Setup safe-chain
+        working-directory: ./webui
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
       - name: Build webui
         working-directory: ./webui
         run: |
-          yarn install
+          yarn install --ignore-scripts
           yarn build
 
       - name: Package webui

.github/workflows/test-conformance.yaml

@@ -1,39 +0,0 @@
-name: Test K8s Gateway API conformance
-
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - '.github/workflows/test-conformance.yaml'
-      - 'pkg/provider/kubernetes/gateway/**'
-      - 'integration/fixtures/k8s-conformance/**'
-      - 'integration/k8s_conformance_test.go'
-
-env:
-  GO_VERSION: '1.23'
-  CGO_ENABLED: 0
-
-jobs:
-
-  test-conformance:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Avoid generating webui
-        run: touch webui/static/index.html
-
-      - name: K8s Gateway API conformance test and report
-        run: |
-          make test-gateway-api-conformance
-          git diff --exit-code

.github/workflows/test-integration.yaml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -62,7 +62,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/test-unit.yaml

@@ -21,7 +21,7 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -69,7 +69,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -80,7 +80,12 @@ jobs:
           cache: 'yarn'
           cache-dependency-path: webui/yarn.lock
 
+      - name: Setup safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
       - name: UI unit tests
         run: |
-          yarn --cwd webui install
+          yarn --cwd webui install --ignore-scripts
           yarn --cwd webui test:unit:ci

.github/workflows/validate.yaml

@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -37,7 +37,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -61,7 +61,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.gitignore

@@ -19,4 +19,3 @@ plugins-storage/
 plugins-local/
 traefik_changelog.md
 integration/tailscale.secret
-integration/conformance-reports/**/experimental-dev-default-report.yaml

.golangci.yml

@@ -143,15 +143,17 @@ linters:
           alias: gatev1alpha2
 
         # Traefik Kubernetes rewrites:
-        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikcontainous/v1alpha1
+          alias: containousv1alpha1
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1
           alias: traefikv1alpha1
-        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned
           alias: traefikclientset
-        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/informers/externalversions
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/informers/externalversions
           alias: traefikinformers
-        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme
           alias: traefikscheme
-        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake
           alias: traefikcrdfake
     misspell:
       locale: US
@@ -212,7 +214,6 @@ linters:
     staticcheck:
       checks:
         - all
-        - '-SA1019'
         - '-ST1000'
         - '-ST1003'
         - '-ST1016'
@@ -304,18 +305,6 @@ linters:
         text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
       - path: (.+)\.go$
         text: 'SA1019: c.Providers.(ConsulCatalog|Consul|Nomad).Namespace is deprecated'
-      - path: (.+)\.go$
-        text: 'SA1019: dockertypes.ContainerNode is deprecated'
-      - path: pkg/provider/kubernetes/crd/kubernetes.go
-        text: "Function 'loadConfigurationFromCRD' has too many statements"
-        linters:
-          - funlen
-      - path: pkg/plugins/middlewarewasm.go
-        text: 'the methods of "wasmMiddlewareBuilder" use pointer receiver and non-pointer receiver.'
-        linters:
-          - recvcheck
-      - path: pkg/proxy/httputil/bufferpool.go
-        text: 'SA6002: argument should be pointer-like to avoid allocations'
     paths:
       - pkg/provider/kubernetes/crd/generated/
 

.goreleaser.yml.tmpl

@@ -14,7 +14,7 @@ builds:
     env:
       - CGO_ENABLED=0
     ldflags:
-      - -s -w -X github.com/traefik/traefik/v3/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v3/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v3/pkg/version.BuildDate={{.Date}}
+      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}
     flags:
       - -trimpath
     goos:
@@ -54,10 +54,12 @@ changelog:
 archives:
   - id: traefik
     name_template: '{{ .ProjectName }}_v{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
-    format: tar.gz
+    formats:
+      - tar.gz
     format_overrides:
       - goos: windows
-        format: zip
+        formats:
+          - zip
     files:
       - LICENSE.md
       - CHANGELOG.md

.semaphore/semaphore.yml

@@ -1,13 +0,0 @@
-version: v1.0
-name: Traefik Release - deprecated
-agent:
-  machine:
-    type: f1-standard-2
-    os_image: ubuntu2204
-blocks:
-  - name: 'Do nothing'
-    task:
-      jobs:
-        - name: 'Do nothing'
-          commands:
-            - echo "Do nothing"

Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.2
-FROM alpine:3.22
+FROM alpine:3.23
 
 RUN apk add --no-cache --no-progress ca-certificates tzdata
 

Makefile

@@ -58,9 +58,9 @@ generate:
 binary: generate-webui dist
 	@echo SHA: $(VERSION) $(CODENAME) $(DATE)
 	CGO_ENABLED=0 GOGC=${GOGC} GOOS=${GOOS} GOARCH=${GOARCH} go build ${FLAGS[*]} -ldflags "-s -w \
-    -X github.com/traefik/traefik/v3/pkg/version.Version=$(VERSION) \
-    -X github.com/traefik/traefik/v3/pkg/version.Codename=$(CODENAME) \
-    -X github.com/traefik/traefik/v3/pkg/version.BuildDate=$(DATE)" \
+    -X github.com/traefik/traefik/v2/pkg/version.Version=$(VERSION) \
+    -X github.com/traefik/traefik/v2/pkg/version.Codename=$(CODENAME) \
+    -X github.com/traefik/traefik/v2/pkg/version.BuildDate=$(DATE)" \
     -installsuffix nocgo -o "./dist/${GOOS}/${GOARCH}/$(BIN_NAME)" ./cmd/traefik
 
 binary-linux-arm64: export GOOS := linux
@@ -98,12 +98,6 @@ test-unit:
 test-integration:
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -test.timeout=20m -failfast -v $(TESTFLAGS)
 
-.PHONY: test-gateway-api-conformance
-#? test-gateway-api-conformance: Run the conformance tests
-test-gateway-api-conformance: build-image-dirty
-	# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.4" $(TESTFLAGS)
-
 .PHONY: test-ui-unit
 #? test-ui-unit: Run the unit tests for the webui
 test-ui-unit:
@@ -183,11 +177,6 @@ generate-crd:
 generate-genconf:
 	go run ./cmd/internal/gen/
 
-.PHONY: release-packages
-#? release-packages: Create packages for the release
-release-packages: generate-webui
-	$(CURDIR)/script/release-packages.sh
-
 .PHONY: fmt
 #? fmt: Format the Code
 fmt:

README.md

@@ -7,7 +7,6 @@
     </picture>
 </p>
 
-[![Build Status SemaphoreCI](https://traefik-oss.semaphoreci.com/badges/traefik/branches/master.svg?style=shields)](https://traefik-oss.semaphoreci.com/projects/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
@@ -15,7 +14,7 @@
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
 
 Traefik (pronounced _traffic_) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
-Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher v2](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
+Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
 Pointing Traefik at your orchestrator should be the _only_ configuration step you need.
 
 ---
@@ -35,8 +34,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo
 
 ---
 
-:warning: When migrating to a new major version of Traefik, please refer to the [migration guide](https://doc.traefik.io/traefik/migration/v2-to-v3/) to ensure a smooth transition and to be aware of any breaking changes.
-
+:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://doc.traefik.io/traefik/).
 
 ## Overview
 
@@ -59,11 +57,11 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 - Continuously updates its configuration (No restarts!)
 - Supports multiple load balancing algorithms
-- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org) (wildcard certificates support)
+- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
 - Circuit breakers, retry
 - See the magic through its clean web UI
-- WebSocket, HTTP/2, gRPC ready
-- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB 2.X)
+- WebSocket, HTTP/2, GRPC ready
+- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
 - Keeps access logs (JSON, CLF)
 - Fast
 - Exposes a Rest API
@@ -73,6 +71,8 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 - [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
 - [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
+- [Marathon](https://doc.traefik.io/traefik/providers/marathon/)
+- [Rancher](https://doc.traefik.io/traefik/providers/rancher/) (Metadata)
 - [ECS](https://doc.traefik.io/traefik/providers/ecs/)
 - [File](https://doc.traefik.io/traefik/providers/file/)
 
@@ -88,7 +88,7 @@ You can access the simple HTML frontend of Traefik.
 
 ## Documentation
 
-You can find the complete documentation of Traefik v3 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
+You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
 
 ## Support
 

SECURITY.md

@@ -1,10 +1,5 @@
 # Security Policy
 
-You can join our security mailing list to be aware of the latest announcements from our security team.
-You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
-
-Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
-
 ## Supported Versions
 
 - We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
@@ -17,10 +12,10 @@ We use [Semantic Versioning](https://semver.org/).
 
 | Version   | Supported          |
 |-----------|--------------------|
-| `2.2.x`   | :white_check_mark: |
-| `< 2.2.x` | :x:                |
-| `1.7.x`   | :white_check_mark: |
-| `< 1.7.x` | :x:                |
+| `3.6.x`   | :white_check_mark: |
+| `< 3.6.x` | :x:                |
+| `2.11.x`   | :white_check_mark: |
+| `< 2.11.x` | :x:                |
 
 ## Reporting a Vulnerability
 
@@ -28,3 +23,5 @@ We want to keep Traefik safe for everyone.
 If you've discovered a security vulnerability in Traefik,
 we appreciate your help in disclosing it to us in a responsible manner,
 by creating a [security advisory](https://github.com/traefik/traefik/security/advisories).
+
+Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).

cmd/configuration.go

@@ -4,7 +4,7 @@ import (
 	"time"
 
 	ptypes "github.com/traefik/paerser/types"
-	"github.com/traefik/traefik/v3/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )
 
 // TraefikCmdConfiguration wraps the static configuration and extra parameters.
@@ -28,10 +28,6 @@ func NewTraefikConfiguration() *TraefikCmdConfiguration {
 			ServersTransport: &static.ServersTransport{
 				MaxIdleConnsPerHost: 200,
 			},
-			TCPServersTransport: &static.TCPServersTransport{
-				DialTimeout:   ptypes.Duration(30 * time.Second),
-				DialKeepAlive: ptypes.Duration(15 * time.Second),
-			},
 		},
 		ConfigFile: "",
 	}

cmd/healthcheck/healthcheck.go

@@ -8,7 +8,7 @@ import (
 	"time"
 
 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v3/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )
 
 // NewCmd builds a new HealthCheck command.

cmd/internal/gen/main.go

@@ -11,7 +11,7 @@ import (
 	"strings"
 )
 
-const rootPkg = "github.com/traefik/traefik/v3/pkg/config/dynamic"
+const rootPkg = "github.com/traefik/traefik/v2/pkg/config/dynamic"
 
 const (
 	destModuleName = "github.com/traefik/genconf"
@@ -57,8 +57,8 @@ func run(dest string) error {
 	}
 
 	centrifuge.IncludedImports = []string{
-		"github.com/traefik/traefik/v3/pkg/tls",
-		"github.com/traefik/traefik/v3/pkg/types",
+		"github.com/traefik/traefik/v2/pkg/tls",
+		"github.com/traefik/traefik/v2/pkg/types",
 	}
 
 	centrifuge.ExcludedTypes = []string{
@@ -71,8 +71,8 @@ func run(dest string) error {
 	}
 
 	centrifuge.ExcludedFiles = []string{
-		"github.com/traefik/traefik/v3/pkg/types/logs.go",
-		"github.com/traefik/traefik/v3/pkg/types/metrics.go",
+		"github.com/traefik/traefik/v2/pkg/types/logs.go",
+		"github.com/traefik/traefik/v2/pkg/types/metrics.go",
 	}
 
 	centrifuge.TypeCleaner = cleanType
@@ -87,11 +87,11 @@ func run(dest string) error {
 }
 
 func cleanType(typ types.Type, base string) string {
-	if typ.String() == "github.com/traefik/traefik/v3/pkg/types.FileOrContent" {
+	if typ.String() == "github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
 		return "string"
 	}
 
-	if typ.String() == "[]github.com/traefik/traefik/v3/pkg/types.FileOrContent" {
+	if typ.String() == "[]github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
 		return "[]string"
 	}
 
@@ -103,8 +103,8 @@ func cleanType(typ types.Type, base string) string {
 		return strings.ReplaceAll(typ.String(), base+".", "")
 	}
 
-	if strings.Contains(typ.String(), "github.com/traefik/traefik/v3/pkg/") {
-		return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v3/pkg/", "")
+	if strings.Contains(typ.String(), "github.com/traefik/traefik/v2/pkg/") {
+		return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v2/pkg/", "")
 	}
 
 	return typ.String()
@@ -114,9 +114,9 @@ func cleanPackage(src string) string {
 	switch src {
 	case "github.com/traefik/paerser/types":
 		return ""
-	case "github.com/traefik/traefik/v3/pkg/tls":
+	case "github.com/traefik/traefik/v2/pkg/tls":
 		return path.Join(destModuleName, destPkg, "tls")
-	case "github.com/traefik/traefik/v3/pkg/types":
+	case "github.com/traefik/traefik/v2/pkg/types":
 		return path.Join(destModuleName, destPkg, "types")
 	default:
 		return src

cmd/traefik/logger.go

@@ -1,113 +0,0 @@
-package main
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	stdlog "log"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/rs/zerolog"
-	"github.com/rs/zerolog/log"
-	"github.com/sirupsen/logrus"
-	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v3/pkg/logs"
-	"gopkg.in/natefinch/lumberjack.v2"
-)
-
-func init() {
-	// hide the first logs before the setup of the logger.
-	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
-}
-
-func setupLogger(staticConfiguration *static.Configuration) error {
-	// Validate that the experimental flag is set up at this point,
-	// rather than validating the static configuration before the setupLogger call.
-	// This ensures that validation messages are not logged using an un-configured logger.
-	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil &&
-		(staticConfiguration.Experimental == nil || !staticConfiguration.Experimental.OTLPLogs) {
-		return errors.New("the experimental OTLPLogs feature must be enabled to use OTLP logging")
-	}
-
-	// configure log format
-	w := getLogWriter(staticConfiguration)
-
-	// configure log level
-	logLevel := getLogLevel(staticConfiguration)
-	zerolog.SetGlobalLevel(logLevel)
-
-	// create logger
-	logCtx := zerolog.New(w).With().Timestamp()
-	if logLevel <= zerolog.DebugLevel {
-		logCtx = logCtx.Caller()
-	}
-
-	log.Logger = logCtx.Logger().Level(logLevel)
-
-	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
-		var err error
-		log.Logger, err = logs.SetupOTelLogger(log.Logger, staticConfiguration.Log.OTLP)
-		if err != nil {
-			return fmt.Errorf("setting up OpenTelemetry logger: %w", err)
-		}
-	}
-
-	zerolog.DefaultContextLogger = &log.Logger
-
-	// Global logrus replacement (related to lib like go-rancher-metadata, docker, etc.)
-	logrus.StandardLogger().Out = logs.NoLevel(log.Logger, zerolog.DebugLevel)
-
-	// configure default standard log.
-	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
-	stdlog.SetOutput(logs.NoLevel(log.Logger, zerolog.DebugLevel))
-
-	return nil
-}
-
-func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
-	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
-		return io.Discard
-	}
-
-	var w io.Writer = os.Stdout
-	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
-		_, _ = os.OpenFile(staticConfiguration.Log.FilePath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666)
-		w = &lumberjack.Logger{
-			Filename:   staticConfiguration.Log.FilePath,
-			MaxSize:    staticConfiguration.Log.MaxSize,
-			MaxBackups: staticConfiguration.Log.MaxBackups,
-			MaxAge:     staticConfiguration.Log.MaxAge,
-			Compress:   true,
-		}
-	}
-
-	if staticConfiguration.Log == nil || staticConfiguration.Log.Format != "json" {
-		w = zerolog.ConsoleWriter{
-			Out:        w,
-			TimeFormat: time.RFC3339,
-			NoColor:    staticConfiguration.Log != nil && (staticConfiguration.Log.NoColor || len(staticConfiguration.Log.FilePath) > 0),
-		}
-	}
-
-	return w
-}
-
-func getLogLevel(staticConfiguration *static.Configuration) zerolog.Level {
-	levelStr := "error"
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
-		levelStr = strings.ToLower(staticConfiguration.Log.Level)
-	}
-
-	logLevel, err := zerolog.ParseLevel(strings.ToLower(levelStr))
-	if err != nil {
-		log.Error().Err(err).
-			Str("logLevel", levelStr).
-			Msg("Unspecified or invalid log level, setting the level to default (ERROR)...")
-
-		logLevel = zerolog.ErrorLevel
-	}
-
-	return logLevel
-}

cmd/traefik/plugins.go

@@ -3,8 +3,8 @@ package main
 import (
 	"fmt"
 
-	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v3/pkg/plugins"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/plugins"
 )
 
 const outputDir = "./plugins-storage/"

cmd/traefik/traefik.go

@@ -4,13 +4,12 @@ import (
 	"context"
 	"crypto/x509"
 	"fmt"
-	"io"
 	stdlog "log"
-	"maps"
 	"net/http"
 	"os"
 	"os/signal"
-	"slices"
+	"path/filepath"
+	"sort"
 	"strings"
 	"syscall"
 	"time"
@@ -18,44 +17,40 @@ import (
 	"github.com/coreos/go-systemd/v22/daemon"
 	"github.com/go-acme/lego/v4/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
-	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
-	"github.com/spiffe/go-spiffe/v2/workloadapi"
 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v3/cmd"
-	"github.com/traefik/traefik/v3/cmd/healthcheck"
-	cmdVersion "github.com/traefik/traefik/v3/cmd/version"
-	tcli "github.com/traefik/traefik/v3/pkg/cli"
-	"github.com/traefik/traefik/v3/pkg/collector"
-	"github.com/traefik/traefik/v3/pkg/config/dynamic"
-	"github.com/traefik/traefik/v3/pkg/config/runtime"
-	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v3/pkg/logs"
-	"github.com/traefik/traefik/v3/pkg/metrics"
-	"github.com/traefik/traefik/v3/pkg/middlewares/accesslog"
-	"github.com/traefik/traefik/v3/pkg/provider/acme"
-	"github.com/traefik/traefik/v3/pkg/provider/aggregator"
-	"github.com/traefik/traefik/v3/pkg/provider/tailscale"
-	"github.com/traefik/traefik/v3/pkg/provider/traefik"
-	"github.com/traefik/traefik/v3/pkg/proxy"
-	"github.com/traefik/traefik/v3/pkg/proxy/httputil"
-	"github.com/traefik/traefik/v3/pkg/redactor"
-	"github.com/traefik/traefik/v3/pkg/safe"
-	"github.com/traefik/traefik/v3/pkg/server"
-	"github.com/traefik/traefik/v3/pkg/server/middleware"
-	"github.com/traefik/traefik/v3/pkg/server/service"
-	"github.com/traefik/traefik/v3/pkg/tcp"
-	traefiktls "github.com/traefik/traefik/v3/pkg/tls"
-	"github.com/traefik/traefik/v3/pkg/tracing"
-	"github.com/traefik/traefik/v3/pkg/types"
-	"github.com/traefik/traefik/v3/pkg/version"
+	"github.com/traefik/traefik/v2/cmd"
+	"github.com/traefik/traefik/v2/cmd/healthcheck"
+	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
+	tcli "github.com/traefik/traefik/v2/pkg/cli"
+	"github.com/traefik/traefik/v2/pkg/collector"
+	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	"github.com/traefik/traefik/v2/pkg/config/runtime"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/metrics"
+	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
+	"github.com/traefik/traefik/v2/pkg/provider/acme"
+	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
+	"github.com/traefik/traefik/v2/pkg/provider/traefik"
+	"github.com/traefik/traefik/v2/pkg/redactor"
+	"github.com/traefik/traefik/v2/pkg/safe"
+	"github.com/traefik/traefik/v2/pkg/server"
+	"github.com/traefik/traefik/v2/pkg/server/middleware"
+	"github.com/traefik/traefik/v2/pkg/server/service"
+	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/tracing"
+	"github.com/traefik/traefik/v2/pkg/tracing/jaeger"
+	"github.com/traefik/traefik/v2/pkg/types"
+	"github.com/traefik/traefik/v2/pkg/version"
+	"github.com/vulcand/oxy/v2/roundrobin"
 )
 
 func main() {
 	// traefik config inits
 	tConfig := cmd.NewTraefikConfiguration()
 
-	loaders := []cli.ResourceLoader{&tcli.DeprecationLoader{}, &tcli.FileLoader{}, &tcli.FlagLoader{}, &tcli.EnvLoader{}}
+	loaders := []cli.ResourceLoader{&tcli.FileLoader{}, &tcli.FlagLoader{}, &tcli.EnvLoader{}}
 
 	cmdTraefik := &cli.Command{
 		Name: "traefik",
@@ -82,7 +77,7 @@ Complete documentation is available at https://traefik.io`,
 
 	err = cli.Execute(cmdTraefik)
 	if err != nil {
-		log.Error().Err(err).Msg("Command error")
+		stdlog.Println(err)
 		logrus.Exit(1)
 	}
 
@@ -90,25 +85,31 @@ Complete documentation is available at https://traefik.io`,
 }
 
 func runCmd(staticConfiguration *static.Configuration) error {
-	if err := setupLogger(staticConfiguration); err != nil {
-		return fmt.Errorf("setting up logger: %w", err)
-	}
+	configureLogging(staticConfiguration)
+
+	log.WithoutContext().Warn("Traefik can reject some encoded characters in the request path." +
+		"When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986)," +
+		"it is recommended to set these options to `false` to avoid split-view situation." +
+		"Refer to the documentation for more details: https://doc.traefik.io/traefik/v2.11/migration/v2/#encoded-characters-configuration-default-values")
 
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
+	if err := roundrobin.SetDefaultWeight(0); err != nil {
+		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
+	}
+
 	staticConfiguration.SetEffectiveConfiguration()
 	if err := staticConfiguration.ValidateConfiguration(); err != nil {
 		return err
 	}
 
-	log.Info().Str("version", version.Version).
-		Msgf("Traefik version %s built on %s", version.Version, version.BuildDate)
+	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
 
 	redactedStaticConfiguration, err := redactor.RemoveCredentials(staticConfiguration)
 	if err != nil {
-		log.Error().Err(err).Msg("Could not redact static configuration")
+		log.WithoutContext().Errorf("Could not redact static configuration: %v", err)
 	} else {
-		log.Debug().RawJSON("staticConfiguration", []byte(redactedStaticConfiguration)).Msg("Static configuration loaded [json]")
+		log.WithoutContext().Debugf("Static configuration loaded %s", redactedStaticConfiguration)
 	}
 
 	if staticConfiguration.Global.CheckNewVersion {
@@ -133,16 +134,16 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	sent, err := daemon.SdNotify(false, "READY=1")
 	if !sent && err != nil {
-		log.Error().Err(err).Msg("Failed to notify")
+		log.WithoutContext().Errorf("Failed to notify: %v", err)
 	}
 
 	t, err := daemon.SdWatchdogEnabled(false)
 	if err != nil {
-		log.Error().Err(err).Msg("Could not enable Watchdog")
+		log.WithoutContext().Errorf("Could not enable Watchdog: %v", err)
 	} else if t != 0 {
 		// Send a ping each half time given
 		t /= 2
-		log.Info().Msgf("Watchdog activated with timer duration %s", t)
+		log.WithoutContext().Infof("Watchdog activated with timer duration %s", t)
 		safe.Go(func() {
 			tick := time.Tick(t)
 			for range tick {
@@ -153,17 +154,17 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
 					if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
-						log.Error().Msg("Fail to tick watchdog")
+						log.WithoutContext().Error("Fail to tick watchdog")
 					}
 				} else {
-					log.Error().Err(errHealthCheck).Send()
+					log.WithoutContext().Error(errHealthCheck)
 				}
 			}
 		})
 	}
 
 	svr.Wait()
-	log.Info().Msg("Shutting down")
+	log.WithoutContext().Info("Shutting down")
 	return nil
 }
 
@@ -192,28 +193,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	acmeProviders := initACMEProvider(staticConfiguration, providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider, routinesPool)
 
-	// Tailscale
-
-	tsProviders := initTailscaleProviders(staticConfiguration, providerAggregator)
-
-	// Observability
-
-	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
-	var semConvMetricRegistry *metrics.SemConvMetricsRegistry
-	if staticConfiguration.Metrics != nil && staticConfiguration.Metrics.OTLP != nil {
-		semConvMetricRegistry, err = metrics.NewSemConvMetricRegistry(ctx, staticConfiguration.Metrics.OTLP)
-		if err != nil {
-			return nil, fmt.Errorf("unable to create SemConv metric registry: %w", err)
-		}
-	}
-	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
-	accessLog := setupAccessLog(staticConfiguration.AccessLog)
-	tracer, tracerCloser := setupTracing(staticConfiguration.Tracing)
-	observabilityMgr := middleware.NewObservabilityMgr(*staticConfiguration, metricsRegistry, semConvMetricRegistry, accessLog, tracer, tracerCloser)
-
 	// Entrypoints
 
-	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver, metricsRegistry)
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
 	if err != nil {
 		return nil, err
 	}
@@ -223,29 +205,19 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}
 
+	if staticConfiguration.Pilot != nil {
+		log.WithoutContext().Warn("Traefik Pilot has been removed.")
+	}
+
 	if staticConfiguration.API != nil {
 		version.DisableDashboardAd = staticConfiguration.API.DisableDashboardAd
 	}
 
 	// Plugins
-	pluginLogger := log.Ctx(ctx).With().Logger()
-	hasPlugins := staticConfiguration.Experimental != nil && (staticConfiguration.Experimental.Plugins != nil || staticConfiguration.Experimental.LocalPlugins != nil)
-	if hasPlugins {
-		pluginsList := slices.Collect(maps.Keys(staticConfiguration.Experimental.Plugins))
-		pluginsList = append(pluginsList, slices.Collect(maps.Keys(staticConfiguration.Experimental.LocalPlugins))...)
-
-		pluginLogger = pluginLogger.With().Strs("plugins", pluginsList).Logger()
-		pluginLogger.Info().Msg("Loading plugins...")
-	}
 
 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
-	if err != nil && staticConfiguration.Experimental != nil && staticConfiguration.Experimental.AbortOnPluginFailure {
-		return nil, fmt.Errorf("plugin: failed to create plugin builder: %w", err)
-	}
 	if err != nil {
-		pluginLogger.Err(err).Msg("Plugins are disabled because an error has occurred.")
-	} else if hasPlugins {
-		pluginLogger.Info().Msg("Plugins loaded.")
+		log.WithoutContext().WithError(err).Error("Plugins are disabled because an error has occurred.")
 	}
 
 	// Providers plugins
@@ -266,44 +238,24 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		}
 	}
 
+	// Metrics
+
+	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
+	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
+
 	// Service manager factory
 
-	var spiffeX509Source *workloadapi.X509Source
-	if staticConfiguration.Spiffe != nil && staticConfiguration.Spiffe.WorkloadAPIAddr != "" {
-		log.Info().Str("workloadAPIAddr", staticConfiguration.Spiffe.WorkloadAPIAddr).
-			Msg("Waiting on SPIFFE SVID delivery")
-
-		spiffeX509Source, err = workloadapi.NewX509Source(
-			ctx,
-			workloadapi.WithClientOptions(
-				workloadapi.WithAddr(
-					staticConfiguration.Spiffe.WorkloadAPIAddr,
-				),
-			),
-		)
-		if err != nil {
-			return nil, fmt.Errorf("unable to create SPIFFE x509 source: %w", err)
-		}
-		log.Info().Msg("Successfully obtained SPIFFE SVID.")
-	}
-
-	transportManager := service.NewTransportManager(spiffeX509Source)
-
-	var proxyBuilder service.ProxyBuilder = httputil.NewProxyBuilder(transportManager, semConvMetricRegistry)
-	if staticConfiguration.Experimental != nil && staticConfiguration.Experimental.FastProxy != nil {
-		proxyBuilder = proxy.NewSmartBuilder(transportManager, proxyBuilder, *staticConfiguration.Experimental.FastProxy)
-	}
-
-	dialerManager := tcp.NewDialerManager(spiffeX509Source)
+	roundTripperManager := service.NewRoundTripperManager()
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
-	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, transportManager, proxyBuilder, acmeHTTPHandler)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)
 
 	// Router factory
 
-	routerFactory, err := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, observabilityMgr, pluginBuilder, dialerManager)
-	if err != nil {
-		return nil, fmt.Errorf("creating router factory: %w", err)
-	}
+	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	tracer := setupTracing(staticConfiguration.Tracing)
+
+	chainBuilder := middleware.NewChainBuilder(metricsRegistry, accessLog, tracer)
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry)
 
 	// Watcher
 
@@ -333,9 +285,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	// Server Transports
 	watcher.AddListener(func(conf dynamic.Configuration) {
-		transportManager.Update(conf.HTTP.ServersTransports)
-		proxyBuilder.Update(conf.HTTP.ServersTransports)
-		dialerManager.Update(conf.TCP.ServersTransports)
+		roundTripperManager.Update(conf.HTTP.ServersTransports)
 	})
 
 	// Switch router
@@ -355,22 +305,13 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// TLS challenge
 	watcher.AddListener(tlsChallengeProvider.ListenConfiguration)
 
-	// Certificate Resolvers
-
-	resolverNames := map[string]struct{}{}
-
 	// ACME
+	resolverNames := map[string]struct{}{}
 	for _, p := range acmeProviders {
 		resolverNames[p.ResolverName] = struct{}{}
 		watcher.AddListener(p.ListenConfiguration)
 	}
 
-	// Tailscale
-	for _, p := range tsProviders {
-		resolverNames[p.ResolverName] = struct{}{}
-		watcher.AddListener(p.HandleConfigUpdate)
-	}
-
 	// Certificate resolver logs
 	watcher.AddListener(func(config dynamic.Configuration) {
 		for rtName, rt := range config.HTTP.Routers {
@@ -379,13 +320,12 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 			}
 
 			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
-				log.Error().Err(err).Str(logs.RouterName, rtName).Str("certificateResolver", rt.TLS.CertResolver).
-					Msg("Router uses a nonexistent certificate resolver")
+				log.WithoutContext().Errorf("Router %s uses a nonexistent resolver: %s", rtName, rt.TLS.CertResolver)
 			}
 		}
 	})
 
-	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, observabilityMgr), nil
+	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog), nil
 }
 
 func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvider http.Handler) http.Handler {
@@ -401,27 +341,11 @@ func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvid
 
 func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
 	var defaultEntryPoints []string
-
-	// Determines if at least one EntryPoint is configured to be used by default.
-	var hasDefinedDefaults bool
-	for _, ep := range staticConfiguration.EntryPoints {
-		if ep.AsDefault {
-			hasDefinedDefaults = true
-			break
-		}
-	}
-
 	for name, cfg := range staticConfiguration.EntryPoints {
-		// By default all entrypoints are considered.
-		// If at least one is flagged, then only flagged entrypoints are included.
-		if hasDefinedDefaults && !cfg.AsDefault {
-			continue
-		}
-
 		protocol, err := cfg.GetProtocol()
 		if err != nil {
 			// Should never happen because Traefik should not start if protocol is invalid.
-			log.Error().Err(err).Msg("Invalid protocol")
+			log.WithoutContext().Errorf("Invalid protocol: %v", err)
 		}
 
 		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
@@ -429,7 +353,7 @@ func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string
 		}
 	}
 
-	slices.Sort(defaultEntryPoints)
+	sort.Strings(defaultEntryPoints)
 	return defaultEntryPoints
 }
 
@@ -444,7 +368,7 @@ func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP serv
 	}
 }
 
-// initACMEProvider creates and registers acme.Provider instances corresponding to the configured ACME certificate resolvers.
+// initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider, routinesPool *safe.Pool) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}
 
@@ -467,7 +391,7 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 		}
 
 		if err := providerAggregator.AddProvider(p); err != nil {
-			log.Error().Err(err).Str("resolver", name).Msg("The ACME resolve is skipped from the resolvers list")
+			log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
 			continue
 		}
 
@@ -481,27 +405,6 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 	return resolvers
 }
 
-// initTailscaleProviders creates and registers tailscale.Provider instances corresponding to the configured Tailscale certificate resolvers.
-func initTailscaleProviders(cfg *static.Configuration, providerAggregator *aggregator.ProviderAggregator) []*tailscale.Provider {
-	var providers []*tailscale.Provider
-	for name, resolver := range cfg.CertificatesResolvers {
-		if resolver.Tailscale == nil {
-			continue
-		}
-
-		tsProvider := &tailscale.Provider{ResolverName: name}
-
-		if err := providerAggregator.AddProvider(tsProvider); err != nil {
-			log.Error().Err(err).Str(logs.ProviderName, name).Msg("Unable to create Tailscale provider")
-			continue
-		}
-
-		providers = append(providers, tsProvider)
-	}
-
-	return providers
-}
-
 func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
 		return nil
@@ -510,59 +413,42 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	var registries []metrics.Registry
 
 	if metricsConfig.Prometheus != nil {
-		logger := log.With().Str(logs.MetricsProviderName, "prometheus").Logger()
-
-		prometheusRegister := metrics.RegisterPrometheus(logger.WithContext(context.Background()), metricsConfig.Prometheus)
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
+		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
 		if prometheusRegister != nil {
 			registries = append(registries, prometheusRegister)
-			logger.Debug().Msg("Configured Prometheus metrics")
+			log.FromContext(ctx).Debug("Configured Prometheus metrics")
 		}
 	}
 
 	if metricsConfig.Datadog != nil {
-		logger := log.With().Str(logs.MetricsProviderName, "datadog").Logger()
-
-		registries = append(registries, metrics.RegisterDatadog(logger.WithContext(context.Background()), metricsConfig.Datadog))
-		logger.Debug().
-			Str("address", metricsConfig.Datadog.Address).
-			Str("pushInterval", metricsConfig.Datadog.PushInterval.String()).
-			Msgf("Configured Datadog metrics")
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
+		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
+		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
+			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
 	}
 
 	if metricsConfig.StatsD != nil {
-		logger := log.With().Str(logs.MetricsProviderName, "statsd").Logger()
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
+		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
+		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
+			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
+	}
 
-		registries = append(registries, metrics.RegisterStatsd(logger.WithContext(context.Background()), metricsConfig.StatsD))
-		logger.Debug().
-			Str("address", metricsConfig.StatsD.Address).
-			Str("pushInterval", metricsConfig.StatsD.PushInterval.String()).
-			Msg("Configured StatsD metrics")
+	if metricsConfig.InfluxDB != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
+		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
+		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
+			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
 	}
 
 	if metricsConfig.InfluxDB2 != nil {
-		logger := log.With().Str(logs.MetricsProviderName, "influxdb2").Logger()
-
-		influxDB2Register := metrics.RegisterInfluxDB2(logger.WithContext(context.Background()), metricsConfig.InfluxDB2)
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb2"))
+		influxDB2Register := metrics.RegisterInfluxDB2(ctx, metricsConfig.InfluxDB2)
 		if influxDB2Register != nil {
 			registries = append(registries, influxDB2Register)
-			logger.Debug().
-				Str("address", metricsConfig.InfluxDB2.Address).
-				Str("bucket", metricsConfig.InfluxDB2.Bucket).
-				Str("organization", metricsConfig.InfluxDB2.Org).
-				Str("pushInterval", metricsConfig.InfluxDB2.PushInterval.String()).
-				Msg("Configured InfluxDB v2 metrics")
-		}
-	}
-
-	if metricsConfig.OTLP != nil {
-		logger := log.With().Str(logs.MetricsProviderName, "openTelemetry").Logger()
-
-		openTelemetryRegistry := metrics.RegisterOpenTelemetry(logger.WithContext(context.Background()), metricsConfig.OTLP)
-		if openTelemetryRegistry != nil {
-			registries = append(registries, openTelemetryRegistry)
-			logger.Debug().
-				Str("pushInterval", metricsConfig.OTLP.PushInterval.String()).
-				Msg("Configured OpenTelemetry metrics")
+			log.FromContext(ctx).Debugf("Configured InfluxDB v2 metrics: pushing to %s (%s org/%s bucket) once every %s",
+				metricsConfig.InfluxDB2.Address, metricsConfig.InfluxDB2.Org, metricsConfig.InfluxDB2.Bucket, metricsConfig.InfluxDB2.PushInterval)
 		}
 	}
 
@@ -570,7 +456,7 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 }
 
 func appendCertMetric(gauge gokitmetrics.Gauge, certificate *x509.Certificate) {
-	slices.Sort(certificate.DNSNames)
+	sort.Strings(certificate.DNSNames)
 
 	labels := []string{
 		"cn", certificate.Subject.CommonName,
@@ -590,25 +476,130 @@ func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
 
 	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
 	if err != nil {
-		log.Warn().Err(err).Msg("Unable to create access logger")
+		log.WithoutContext().Warnf("Unable to create access logger: %v", err)
 		return nil
 	}
 
 	return accessLoggerMiddleware
 }
 
-func setupTracing(conf *static.Tracing) (*tracing.Tracer, io.Closer) {
+func setupTracing(conf *static.Tracing) *tracing.Tracing {
 	if conf == nil {
-		return nil, nil
+		return nil
 	}
 
-	tracer, closer, err := tracing.NewTracing(conf)
+	var backend tracing.Backend
+
+	if conf.Jaeger != nil {
+		backend = conf.Jaeger
+	}
+
+	if conf.Zipkin != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Zipkin backend.")
+		} else {
+			backend = conf.Zipkin
+		}
+	}
+
+	if conf.Datadog != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Datadog backend.")
+		} else {
+			backend = conf.Datadog
+		}
+	}
+
+	if conf.Instana != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Instana backend.")
+		} else {
+			backend = conf.Instana
+		}
+	}
+
+	if conf.Haystack != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Haystack backend.")
+		} else {
+			backend = conf.Haystack
+		}
+	}
+
+	if conf.Elastic != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Elastic backend.")
+		} else {
+			backend = conf.Elastic
+		}
+	}
+
+	if backend == nil {
+		log.WithoutContext().Debug("Could not initialize tracing, using Jaeger by default")
+		defaultBackend := &jaeger.Config{}
+		defaultBackend.SetDefaults()
+		backend = defaultBackend
+	}
+
+	tracer, err := tracing.NewTracing(conf.ServiceName, conf.SpanNameLimit, backend)
 	if err != nil {
-		log.Warn().Err(err).Msg("Unable to create tracer")
-		return nil, nil
+		log.WithoutContext().Warnf("Unable to create tracer: %v", err)
+		return nil
+	}
+	return tracer
+}
+
+func configureLogging(staticConfiguration *static.Configuration) {
+	// configure default log flags
+	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
+
+	// configure log level
+	// an explicitly defined log level always has precedence. if none is
+	// given and debug mode is disabled, the default is ERROR, and DEBUG
+	// otherwise.
+	levelStr := "error"
+	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
+		levelStr = strings.ToLower(staticConfiguration.Log.Level)
 	}
 
-	return tracer, closer
+	level, err := logrus.ParseLevel(levelStr)
+	if err != nil {
+		log.WithoutContext().Errorf("Error getting level: %v", err)
+	}
+	log.SetLevel(level)
+
+	var logFile string
+	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
+		logFile = staticConfiguration.Log.FilePath
+	}
+
+	// configure log format
+	var formatter logrus.Formatter
+	if staticConfiguration.Log != nil && staticConfiguration.Log.Format == "json" {
+		formatter = &logrus.JSONFormatter{}
+	} else {
+		disableColors := len(logFile) > 0
+		formatter = &logrus.TextFormatter{DisableColors: disableColors, FullTimestamp: true, DisableSorting: true}
+	}
+	log.SetFormatter(formatter)
+
+	if len(logFile) > 0 {
+		dir := filepath.Dir(logFile)
+
+		if err := os.MkdirAll(dir, 0o755); err != nil {
+			log.WithoutContext().Errorf("Failed to create log path %s: %s", dir, err)
+		}
+
+		err = log.OpenFile(logFile)
+		logrus.RegisterExitHandler(func() {
+			if err := log.CloseFile(); err != nil {
+				log.WithoutContext().Errorf("Error while closing log: %v", err)
+			}
+		})
+		if err != nil {
+			log.WithoutContext().Errorf("Error while opening log file %s: %v", logFile, err)
+		}
+	}
 }
 
 func checkNewVersion() {
@@ -621,16 +612,16 @@ func checkNewVersion() {
 }
 
 func stats(staticConfiguration *static.Configuration) {
-	logger := log.With().Logger()
+	logger := log.WithoutContext()
 
 	if staticConfiguration.Global.SendAnonymousUsage {
-		logger.Info().Msg(`Stats collection is enabled.`)
-		logger.Info().Msg(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
-		logger.Info().Msg(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info().Msg(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
+		logger.Info(`Stats collection is enabled.`)
+		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
+		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
+		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
-		logger.Info().Msg(`
+		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
 More details on: https://doc.traefik.io/traefik/contributing/data-collection/
@@ -643,7 +634,7 @@ func collect(staticConfiguration *static.Configuration) {
 	safe.Go(func() {
 		for time.Sleep(10 * time.Minute); ; <-ticker {
 			if err := collector.Collect(staticConfiguration); err != nil {
-				log.Debug().Err(err).Send()
+				log.WithoutContext().Debug(err)
 			}
 		}
 	})

cmd/traefik/traefik_test.go

@@ -9,7 +9,6 @@ import (
 	"github.com/go-kit/kit/metrics"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/traefik/traefik/v3/pkg/config/static"
 )
 
 // FooCert is a PEM-encoded TLS cert.
@@ -114,73 +113,3 @@ func TestAppendCertMetric(t *testing.T) {
 		})
 	}
 }
-
-func TestGetDefaultsEntrypoints(t *testing.T) {
-	testCases := []struct {
-		desc        string
-		entrypoints static.EntryPoints
-		expected    []string
-	}{
-		{
-			desc: "Skips special names",
-			entrypoints: map[string]*static.EntryPoint{
-				"web": {
-					Address: ":80",
-				},
-				"traefik": {
-					Address: ":8080",
-				},
-			},
-			expected: []string{"web"},
-		},
-		{
-			desc: "Two EntryPoints not attachable",
-			entrypoints: map[string]*static.EntryPoint{
-				"web": {
-					Address: ":80",
-				},
-				"websecure": {
-					Address: ":443",
-				},
-			},
-			expected: []string{"web", "websecure"},
-		},
-		{
-			desc: "Two EntryPoints only one attachable",
-			entrypoints: map[string]*static.EntryPoint{
-				"web": {
-					Address: ":80",
-				},
-				"websecure": {
-					Address:   ":443",
-					AsDefault: true,
-				},
-			},
-			expected: []string{"websecure"},
-		},
-		{
-			desc: "Two attachable EntryPoints",
-			entrypoints: map[string]*static.EntryPoint{
-				"web": {
-					Address:   ":80",
-					AsDefault: true,
-				},
-				"websecure": {
-					Address:   ":443",
-					AsDefault: true,
-				},
-			},
-			expected: []string{"web", "websecure"},
-		},
-	}
-
-	for _, test := range testCases {
-		t.Run(test.desc, func(t *testing.T) {
-			actual := getDefaultsEntrypoints(&static.Configuration{
-				EntryPoints: test.entrypoints,
-			})
-
-			assert.ElementsMatch(t, test.expected, actual)
-		})
-	}
-}

cmd/version/version.go

@@ -8,7 +8,7 @@ import (
 	"text/template"
 
 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v3/pkg/version"
+	"github.com/traefik/traefik/v2/pkg/version"
 )
 
 var versionTemplate = `Version:      {{.Version}}

docs/check.Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.22
+FROM alpine:3.23
 
 RUN apk --no-cache --no-progress add \
     build-base \

docs/content/assets/js/extra.js

@@ -1,4 +1,14 @@
 /* Highlight */
 (function(hljs) {
     hljs.initHighlightingOnLoad();
-})(hljs);
+})(hljs);
+
+/* Scarf Analytics - cookieless, anonymous company-level intelligence */
+(function() {
+    var img = document.createElement('img');
+    img.src = 'https://static.scarf.sh/a.png?x-pxid=1a49232a-b165-4015-8ed2-a1092f1f0d83';
+    img.referrerPolicy = 'no-referrer-when-downgrade';
+    img.loading = 'eager';
+    img.style.cssText = 'visibility:hidden;position:absolute;width:1px;height:1px;';
+    document.body.appendChild(img);
+})();

docs/content/contributing/data-collection.md

@@ -66,6 +66,7 @@ providers:
   docker:
     endpoint: "tcp://10.10.10.10:2375"
     exposedByDefault: true
+    swarmMode: true
 
     tls:
       ca: dockerCA
@@ -85,6 +86,7 @@ providers:
   docker:
     endpoint: "xxxx"
     exposedByDefault: true
+    swarmMode: true
 
     tls:
       ca: xxxx

docs/content/contributing/documentation.md

@@ -15,7 +15,7 @@ Let's see how.
 
 ### General
 
-This [documentation](../../ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").
+This [documentation](https://doc.traefik.io/traefik/ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").
 
 ### Method 1: `Docker` and `make`
 

docs/content/contributing/maintainers.md

@@ -22,7 +22,6 @@ description: "Traefik Proxy is an open source software with a thriving community
 * Landry Benguigui [@lbenguigui](https://github.com/lbenguigui)
 * Simon Delicata [@sdelicata](https://github.com/sdelicata)
 * Baptiste Mayelle [@youkoulayley](https://github.com/youkoulayley)
-* Jesper Noordsij [@jnoordsij](https://github.com/jnoordsij)
 
 ## Past Maintainers
 

docs/content/contributing/submitting-pull-requests.md

@@ -91,8 +91,6 @@ You must run these local verifications before you submit your pull request to pr
 Your PR will not be reviewed until these are green on the CI.
 
 * `make generate`
-* `make generate-crd`
-* `make test-gateway-api-conformance`
 * `make validate`
 * `make pull-images`
 * `make test`

docs/content/deprecation/features.md

@@ -2,19 +2,43 @@
 
 This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.
 
-| Feature                                                                                                              | Deprecated | End of Support | Removal |
-|----------------------------------------------------------------------------------------------------------------------|------------|----------------|---------|
-| [Kubernetes Ingress API Version `networking.k8s.io/v1beta1`](#kubernetes-ingress-api-version-networkingk8siov1beta1) | N/A        | N/A            | 3.0     |
-| [CRD API Version `apiextensions.k8s.io/v1beta1`](#kubernetes-ingress-api-version-networkingk8siov1beta1)             | N/A        | N/A            | 3.0     |
+| Feature                                                                                                     | Deprecated | End of Support | Removal |
+|-------------------------------------------------------------------------------------------------------------|------------|----------------|---------|
+| [Pilot](#pilot)                                                                                             | 2.7        | 2.8            | 2.9     |
+| [Consul Enterprise Namespace](#consul-enterprise-namespace)                                                 | 2.8        | N/A            | 3.0     |
+| [TLS 1.0 and 1.1 Support](#tls-10-and-11)                                                                   | N/A        | 2.8            | N/A     |
+| [Nomad Namespace](#nomad-namespace)                                                                         | 2.10       | N/A            | 3.0     |
+| [Kubernetes CRDs API Group `traefik.containo.us`](#kubernetes-crd-provider-api-group-traefikcontainous)     | 2.10       | N/A            | 3.0     |
+| [Kubernetes CRDs API Version `traefik.io/v1alpha1`](#kubernetes-crd-provider-api-version-traefikiov1alpha1) | 3.0        | N/A            | 4.0     |
 
 ## Impact
 
-### Kubernetes Ingress API Version `networking.k8s.io/v1beta1`
+### Pilot
 
-The Kubernetes Ingress API Version `networking.k8s.io/v1beta1` support is removed in v3. 
-Please use the API Group `networking.k8s.io/v1` instead.
+Metrics will continue to function normally up to 2.8, when they will be disabled.  
+In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
 
-### Traefik CRD Definitions API Version `apiextensions.k8s.io/v1beta1`
+Starting on 2.7 the pilot token will not be a requirement anymore for plugins.  
+Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from Pilot.
 
-The Traefik CRD definitions API Version `apiextensions.k8s.io/v1beta1` support is removed in v3.
-Please use the API Group `apiextensions.k8s.io/v1` instead.
+### Consul Enterprise Namespace
+
+Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
+please use the `namespaces` options instead.  
+
+### TLS 1.0 and 1.1
+
+Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.  
+
+### Nomad Namespace
+
+Starting on 2.10 the `namespace` option of the Nomad provider is deprecated,
+please use the `namespaces` options instead.
+
+### Kubernetes CRD Provider API Group `traefik.containo.us`
+
+In v2.10, the Kubernetes CRD provider API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
+
+### Kubernetes CRD Provider API Version `traefik.io/v1alpha1`
+
+The Kubernetes CRD provider API Version `traefik.io/v1alpha1` will subsequently be deprecated in Traefik v3. The next version will be `traefik.io/v1`.

docs/content/deprecation/releases.md

@@ -6,7 +6,8 @@ Below is a non-exhaustive list of versions and their maintenance status:
 
 | Version | Release Date | Active Support     | Security Support  |
 |---------|--------------|--------------------|-------------------|
-| 3.4     | May 05, 2025 | Yes                | Yes               |
+| 3.5     | Jul 23, 2025 | Yes                | Yes               |
+| 3.4     | May 05, 2025 | Ended Jul 23, 2025 | No                |
 | 3.3     | Jan 06, 2025 | Ended May 05, 2025 | No                |
 | 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 | No                |
 | 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 | No                |
@@ -33,7 +34,7 @@ Below is a non-exhaustive list of versions and their maintenance status:
 
 This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.
 
-Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v2 to v3 migration guide](../migrate/v2-to-v3.md).
+Please refer to our migration guides for specific instructions on upgrading between versions.
 
 !!! important "All target dates for end of support or feature removal announcements may be subject to change."
 

docs/content/expose/docker.md

@@ -1,462 +0,0 @@
-# Exposing Services with Traefik on Docker
-
-This guide will help you expose your services securely through Traefik Proxy using Docker. We'll cover routing HTTP and HTTPS traffic, implementing TLS, adding middlewares, Let's Encrypt integration, and sticky sessions.
-
-## Prerequisites
-
-- Docker and Docker Compose installed
-- Basic understanding of Docker concepts
-- Traefik deployed using the Traefik Docker Setup guide
-
-## Expose Your First HTTP Service
-
-Let's expose a simple HTTP service using the [whoami](https://hub.docker.com/r/traefik/whoami) application. This will demonstrate basic routing to a backend service.
-
-First, create a `docker-compose.yml` file:
-
-```yaml
-services:
-  traefik:
-    image: "traefik:v3.4"
-    container_name: "traefik"
-    restart: unless-stopped
-    security_opt:
-      - no-new-privileges:true
-    networks:
-      - proxy
-    command:
-      - "--providers.docker=true"
-      - "--providers.docker.exposedbydefault=false"
-      - "--providers.docker.network=proxy"
-      - "--entryPoints.web.address=:80"
-    ports:
-      - "80:80"
-      - "8080:8080"
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-
-  whoami:
-    image: "traefik/whoami"
-    restart: unless-stopped
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
-      - "traefik.http.routers.whoami.entrypoints=web"
-
-networks:
-  proxy:
-    name: proxy
-```
-
-Save this as `docker-compose.yml` and start the services:
-
-```bash
-docker compose up -d
-```
-
-### Verify Your Service
-
-Your service is now available at http://whoami.docker.localhost/. Test that it works:
-
-```bash
-curl -H "Host: whoami.docker.localhost" http://localhost/
-```
-
-You should see output similar to:
-
-```bash
-Hostname: whoami
-IP: 127.0.0.1
-IP: ::1
-IP: 172.18.0.3
-IP: fe80::215:5dff:fe00:c9e
-RemoteAddr: 172.18.0.2:55108
-GET / HTTP/1.1
-Host: whoami.docker.localhost
-User-Agent: curl/7.68.0
-Accept: */*
-Accept-Encoding: gzip
-X-Forwarded-For: 172.18.0.1
-X-Forwarded-Host: whoami.docker.localhost
-X-Forwarded-Port: 80
-X-Forwarded-Proto: http
-X-Forwarded-Server: 5789f594e7d5
-X-Real-Ip: 172.18.0.1
-```
-
-This confirms that Traefik is successfully routing requests to your whoami application.
-
-## Add Routing Rules
-
-Now we'll enhance our routing by directing traffic to different services based on [URL paths](../reference/routing-configuration/http/router/rules-and-priority.md#path-pathprefix-and-pathregexp). This is useful for API versioning, frontend/backend separation, or organizing microservices.
-
-Update your `docker-compose.yml` to add another service:
-
-```yaml
-# ...
-
-# New service
-  whoami-api:
-    image: "traefik/whoami"
-    networks:
-      - proxy
-    container_name: "whoami-api"
-    environment:
-      - WHOAMI_NAME=API Service
-    labels:
-      - "traefik.enable=true"
-      # Path-based routing
-      - "traefik.http.routers.whoami-api.rule=Host(`whoami.docker.localhost`) && PathPrefix(`/api`)"
-      - "traefik.http.routers.whoami-api.entrypoints=web"
-```
-
-Apply the changes:
-
-```bash
-docker compose up -d
-```
-
-### Test the Path-Based Routing
-
-Verify that different paths route to different services:
-
-```bash
-# Root path should go to the main whoami service
-curl -H "Host: whoami.docker.localhost" http://localhost/
-
-# /api path should go to the whoami-api service
-curl -H "Host: whoami.docker.localhost" http://localhost/api
-```
-
-For the `/api` requests, you should see the response showing "API Service" in the environment variables section, confirming that your path-based routing is working correctly.
-
-## Enable TLS
-
-Let's secure our service with HTTPS by adding TLS. We'll start with a self-signed certificate for local development.
-
-### Create a Self-Signed Certificate
-
-Generate a self-signed certificate:
-
-```bash
-mkdir -p certs
-openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-  -keyout certs/local.key -out certs/local.crt \
-  -subj "/CN=*.docker.localhost"
-```
-
-Create a directory for dynamic configuration and add a TLS configuration file:
-
-```bash
-mkdir -p dynamic
-cat > dynamic/tls.yml << EOF
-tls:
-  certificates:
-    - certFile: /certs/local.crt
-      keyFile: /certs/local.key
-EOF
-```
-
-Update your `docker-compose.yml` file with the following changes:
-
-```yaml
-services:
-  traefik:
-    image: "traefik:v3.4"
-    container_name: "traefik"
-    restart: unless-stopped
-    security_opt:
-      - no-new-privileges:true
-    networks:
-      - proxy
-    command:
-      - "--api.insecure=false"
-      - "--api.dashboard=true"
-      - "--providers.docker=true"
-      - "--providers.docker.exposedbydefault=false"
-      - "--providers.docker.network=proxy"
-      - "--providers.file.directory=/etc/traefik/dynamic"
-      - "--entryPoints.web.address=:80"
-      - "--entryPoints.websecure.address=:443"
-      - "--entryPoints.websecure.http.tls=true"
-    ports:
-      - "80:80"
-      - "443:443"
-      - "8080:8080"
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-      # Add the following volumes
-      - "./certs:/certs:ro"
-      - "./dynamic:/etc/traefik/dynamic:ro"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dashboard.rule=Host(`dashboard.docker.localhost`)"
-      - "traefik.http.routers.dashboard.entrypoints=websecure"
-      - "traefik.http.routers.dashboard.service=api@internal"
-      # Add the following label
-      - "traefik.http.routers.dashboard.tls=true"
-
-  whoami:
-    image: "traefik/whoami"
-    restart: unless-stopped
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
-      - "traefik.http.routers.whoami.entrypoints=websecure"
-      # Add the following label
-      - "traefik.http.routers.whoami.tls=true"
-
-  whoami-api:
-    image: "traefik/whoami"
-    container_name: "whoami-api"
-    restart: unless-stopped
-    networks:
-      - proxy
-    environment:
-      - WHOAMI_NAME=API Service
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.whoami-api.rule=Host(`whoami.docker.localhost`) && PathPrefix(`/api`)"
-      - "traefik.http.routers.whoami-api.entrypoints=websecure"
-      # Add the following label
-      - "traefik.http.routers.whoami-api.tls=true"
-
-networks:
-  proxy:
-    name: proxy
-```
-
-Apply the changes:
-
-```bash
-docker compose up -d
-```
-
-Your browser can access https://whoami.docker.localhost/ for the service. You'll need to accept the security warning for the self-signed certificate.
-
-## Add Middlewares
-
-Middlewares allow you to modify requests or responses as they pass through Traefik. Let's add two useful middlewares: [Headers](../reference/routing-configuration/http/middlewares/headers.md) for security and [IP allowlisting](../reference/routing-configuration/http/middlewares/ipallowlist.md) for access control.
-
-Add the following labels to your whoami service in `docker-compose.yml`:
-
-```yaml
-labels:
-  
-  # Secure Headers Middleware
-  - "traefik.http.middlewares.secure-headers.headers.frameDeny=true"
-  - "traefik.http.middlewares.secure-headers.headers.sslRedirect=true"
-  - "traefik.http.middlewares.secure-headers.headers.browserXssFilter=true"
-  - "traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true"
-  - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true"
-  - "traefik.http.middlewares.secure-headers.headers.stsPreload=true"
-  - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
-  
-  # IP Allowlist Middleware
-  - "traefik.http.middlewares.ip-allowlist.ipallowlist.sourceRange=127.0.0.1/32,192.168.0.0/16,10.0.0.0/8"
-```
-
-Add the same middleware to your whoami-api service:
-
-```yaml
-labels:
-  - "traefik.http.routers.whoami-api.middlewares=secure-headers,ip-allowlist"
-```
-
-Apply the changes:
-
-```bash
-docker compose up -d
-```
-
-### Test the Middlewares
-
-Now let's verify that our middlewares are working correctly:
-
-Test the Secure Headers middleware:
-
-```bash
-curl -k -I -H "Host: whoami.docker.localhost" https://localhost/
-```
-
-In the response headers, you should see security headers set by the middleware:
-
-- `X-Frame-Options: DENY` 
-- `X-Content-Type-Options: nosniff`
-- `X-XSS-Protection: 1; mode=block`
-- `Strict-Transport-Security` with the appropriate settings
-
-Test the IP Allowlist middleware:
-
-If your request comes from an IP that's in the allow list (e.g., 127.0.0.1), it should succeed:
-
-```bash
-curl -k -I -H "Host: whoami.docker.localhost" https://localhost/
-```
-
-If you try to access from an IP not in the allow list, the request will be rejected with a `403` Forbidden response. To simulate this in a local environment, you can modify the middleware configuration temporarily to exclude your IP address, then test again.
-
-## Generate Certificates with Let's Encrypt
-
-Let's Encrypt provides free, automated TLS certificates. Let's configure Traefik to automatically obtain and renew certificates for our services.
-
-Instead of using self-signed certificates, update your existing `docker-compose.yml` file with the following changes:
-
-Add the Let's Encrypt certificate resolver to the Traefik service command section:
-
-```yaml
-command:
-  - "--api.insecure=false"
-  - "--api.dashboard=true"
-  - "--providers.docker=true"
-  - "--providers.docker.exposedbydefault=false"
-  - "--providers.docker.network=proxy"
-  - "--entryPoints.web.address=:80"
-  - "--entryPoints.websecure.address=:443"
-  - "--entryPoints.websecure.http.tls=true"
-  - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
-  - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
-  # Let's Encrypt configuration
-  - "--certificatesresolvers.le.acme.email=your-email@example.com" # replace with your actual email
-  - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
-  - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
-```
-
-Add a volume for Let's Encrypt certificates:
-
-```yaml
-volumes:
-  # ...Existing volumes...
-  - "./letsencrypt:/letsencrypt"
-```
-
-Update your service labels to use the certificate resolver:
-
-```yaml
-labels:
-  - "traefik.http.routers.whoami.tls.certresolver=le"
-```
-
-Do the same for any other services you want to secure:
-
-```yaml
-labels:
-  - "traefik.http.routers.whoami-api.tls.certresolver=le"
-```
-
-Create a directory for storing Let's Encrypt certificates:
-
-```bash
-mkdir -p letsencrypt
-```
-
-Apply the changes:
-
-```bash
-docker compose up -d
-```
-
-!!! important "Public DNS Required"
-    Let's Encrypt may require a publicly accessible domain to validate domain ownership. For testing with local domains like `whoami.docker.localhost`, the certificate will remain self-signed. In production, replace it with a real domain that has a publicly accessible DNS record pointing to your Traefik instance.
-
-Once the certificate is issued, you can verify it:
-
-```bash
-# Verify the certificate chain
-curl -v https://whoami.docker.localhost/ 2>&1 | grep -i "server certificate"
-```
-
-You should see that your certificate is issued by Let's Encrypt.
-
-## Configure Sticky Sessions
-
-Sticky sessions ensure that a user's requests always go to the same backend server, which is essential for applications that maintain session state. Let's implement sticky sessions for our whoami service.
-
-### First, Add Sticky Session Labels
-
-Add the following labels to your whoami service in the `docker-compose.yml` file:
-
-```yaml
-labels:
-  - "traefik.http.services.whoami.loadbalancer.sticky.cookie=true"
-  - "traefik.http.services.whoami.loadbalancer.sticky.cookie.name=sticky_cookie"
-  - "traefik.http.services.whoami.loadbalancer.sticky.cookie.secure=true"
-  - "traefik.http.services.whoami.loadbalancer.sticky.cookie.httpOnly=true"
-```
-
-Apply the changes:
-
-```bash
-docker compose up -d
-```
-
-### Then, Scale Up the Service
-
-To demonstrate sticky sessions with Docker, use Docker Compose's scale feature:
-
-```bash
-docker compose up -d --scale whoami=3
-```
-
-This creates multiple instances of the whoami service.
-
-!!! important "Scaling After Configuration Changes"
-    If you run `docker compose up -d` after scaling, it will reset the number of whoami instances back to 1. Always scale after applying configuration changes and starting the services.
-
-### Test Sticky Sessions
-
-You can test the sticky sessions by making multiple requests and observing that they all go to the same backend container:
-
-```bash
-# First request - save cookies to a file
-curl -k -c cookies.txt -H "Host: whoami.docker.localhost" https://localhost/
-
-# Subsequent requests - use the cookies
-curl -k -b cookies.txt -H "Host: whoami.docker.localhost" https://localhost/
-curl -k -b cookies.txt -H "Host: whoami.docker.localhost" https://localhost/
-```
-
-Pay attention to the `Hostname` field in each response - it should remain the same across all requests when using the cookie file, confirming that sticky sessions are working.
-
-For comparison, try making requests without the cookie:
-
-```bash
-# Requests without cookies should be load-balanced across different containers
-curl -k -H "Host: whoami.docker.localhost" https://localhost/
-curl -k -H "Host: whoami.docker.localhost" https://localhost/
-```
-
-You should see different `Hostname` values in these responses, as each request is load-balanced to a different container.
-
-!!! important "Browser Testing"
-    When testing in browsers, you need to use the same browser session to maintain the cookie. The cookie is set with `httpOnly` and `secure` flags for security, so it will only be sent over HTTPS connections and won't be accessible via JavaScript.
-
-For more advanced configuration options, see the [reference documentation](../reference/routing-configuration/http/load-balancing/service.md).
-
-## Conclusion
-
-In this guide, you've learned how to:
-
-- Expose HTTP services through Traefik in Docker
-- Set up path-based routing to direct traffic to different backend services
-- Secure your services with TLS using self-signed certificates
-- Add security with middlewares like secure headers and IP allow listing
-- Automate certificate management with Let's Encrypt
-- Implement sticky sessions for stateful applications
-
-These fundamental capabilities provide a solid foundation for exposing any application through Traefik Proxy in Docker. Each of these can be further customized to meet your specific requirements.
-
-### Next Steps
-
-Now that you understand the basics of exposing services with Traefik Proxy, you might want to explore:
-
-- [Advanced routing options](../reference/routing-configuration/http/router/rules-and-priority.md) like query parameter matching, header-based routing, and more
-- [Additional middlewares](../reference/routing-configuration/http/middlewares/overview.md) for authentication, rate limiting, and request modifications
-- [Observability features](../reference/install-configuration/observability/metrics.md) for monitoring and debugging your Traefik deployment
-- [TCP services](../reference/routing-configuration/tcp/service.md) for exposing TCP services
-- [UDP services](../reference/routing-configuration/udp/service.md) for exposing UDP services
-- [Docker provider documentation](../reference/install-configuration/providers/docker.md) for more details about the Docker integration

docs/content/expose/overview.md

@@ -1,22 +0,0 @@
-# Exposing Services with Traefik Proxy
-
-This section guides you through exposing services securely with Traefik Proxy. You'll learn how to route HTTP and HTTPS traffic to your services, add security features, and implement advanced load balancing.
-
-## What You'll Accomplish
-
-Following these guides, you'll learn how to:
-
-- Route HTTP traffic to your services with [Gateway API](../reference/routing-configuration/kubernetes/gateway-api.md) and [IngressRoute](../reference/routing-configuration/kubernetes/crd/http/ingressroute.md)
-- Configure routing rules to direct requests
-- Enable HTTPS with TLS
-- Add security middlewares
-- Generate certificates automatically with Let's Encrypt
-- Implement sticky sessions for session persistence
-
-## Platform-Specific Guides
-
-For detailed steps tailored to your environment, follow the guide for your platform:
-
-- [Kubernetes](./kubernetes.md)
-- [Docker](./docker.md)
-- [Docker Swarm](./swarm.md)

docs/content/expose/swarm.md

@@ -1,401 +0,0 @@
-# Exposing Services with Traefik on Docker Swarm
-
-This guide will help you expose your services securely through Traefik Proxy using Docker Swarm. We'll cover routing HTTP and HTTPS traffic, implementing TLS, adding middlewares, Let's Encrypt integration, and sticky sessions.
-
-## Prerequisites
-
-- Docker Swarm cluster initialized
-- Basic understanding of Docker Swarm concepts
-- Traefik deployed using the Traefik Docker Swarm Setup guide
-
-## Expose Your First HTTP Service
-
-Let's expose a simple HTTP service using the [whoami](https://hub.docker.com/r/traefik/whoami) application. This will demonstrate basic routing to a backend service.
-
-First, update your existing `docker-compose.yml` file if you haven't already:
-
-```yaml
-services:
-  whoami:
-    image: traefik/whoami
-    networks:
-      - traefik_proxy
-    deploy:
-      replicas: 3
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.routers.whoami.rule=Host(`whoami.swarm.localhost`)"
-        - "traefik.http.routers.whoami.entrypoints=web,websecure"
-```
-
-Save this as `docker-compose.yml` and deploy the stack:
-
-```bash
-docker stack deploy -c docker-compose.yml traefik
-```
-
-### Verify Your Service
-
-Your service is now available at http://whoami.swarm.localhost/. Test that it works:
-
-```bash
-curl -H "Host: whoami.swarm.localhost" http://localhost/
-```
-
-You should see output similar to:
-
-```bash
-Hostname: whoami.1.7c8f7tr56q3p949rscxrkp80e
-IP: 127.0.0.1
-IP: ::1
-IP: 10.0.1.8
-IP: fe80::215:5dff:fe00:c9e
-RemoteAddr: 10.0.1.2:45098
-GET / HTTP/1.1
-Host: whoami.swarm.localhost
-User-Agent: curl/7.68.0
-Accept: */*
-Accept-Encoding: gzip
-X-Forwarded-For: 10.0.1.1
-X-Forwarded-Host: whoami.swarm.localhost
-X-Forwarded-Port: 80
-X-Forwarded-Proto: http
-X-Forwarded-Server: 5789f594e7d5
-X-Real-Ip: 10.0.1.1
-```
-
-This confirms that Traefik is successfully routing requests to your whoami application.
-
-## Add Routing Rules
-
-Now we'll enhance our routing by directing traffic to different services based on [URL paths](../reference/routing-configuration/http/router/rules-and-priority.md#path-pathprefix-and-pathregexp). This is useful for API versioning, frontend/backend separation, or organizing microservices.
-
-Update your `docker-compose.yml` to add another service:
-
-```yaml
-# ...
-
-# New service
-  whoami-api:
-    image: traefik/whoami
-    networks:
-      - traefik_proxy
-    environment:
-      - WHOAMI_NAME=API Service
-    deploy:
-      replicas: 2
-      labels:
-        - "traefik.enable=true"
-        # Path-based routing
-        - "traefik.http.routers.whoami-api.rule=Host(`whoami.swarm.localhost`) && PathPrefix(`/api`)"
-        - "traefik.http.routers.whoami-api.entrypoints=web,websecure"
-        - "traefik.http.routers.whoami-api.service=whoami-api-svc"
-        - "traefik.http.services.whoami-api-svc.loadbalancer.server.port=80"
-
-# ...
-```
-
-Apply the changes:
-
-```bash
-docker stack deploy -c docker-compose.yml traefik
-```
-
-### Test the Path-Based Routing
-
-Verify that different paths route to different services:
-
-```bash
-# Root path should go to the main whoami service
-curl -H "Host: whoami.swarm.localhost" http://localhost/
-
-# /api path should go to the whoami-api service
-curl -H "Host: whoami.swarm.localhost" http://localhost/api
-```
-
-For the `/api` requests, you should see the response showing "API Service" in the environment variables section, confirming that your path-based routing is working correctly.
-
-## Enable TLS
-
-Let's secure our service with HTTPS by adding TLS. We'll start with a self-signed certificate for local development.
-
-### Create a Self-Signed Certificate 
-
-Generate a self-signed certificate and dynamic config file to tell Traefik where the cert lives:
-
-```bash
-mkdir -p certs
-
-# key + cert (valid for one year)
-openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-  -keyout certs/local.key -out certs/local.crt \
-  -subj "/CN=*.swarm.localhost"
-
-# dynamic config that tells Traefik where the cert lives
-cat > certs/tls.yml <<'EOF'
-tls:
-  certificates:
-    - certFile: /certificates/local.crt
-      keyFile:  /certificates/local.key
-EOF
-```
-
-Create a Docker config for the certificate files:
-
-```bash
-docker config create swarm-cert.crt certs/local.crt
-docker config create swarm-cert.key certs/local.key
-docker config create swarm-tls.yml certs/tls.yml
-```
-
-Update your `docker-compose.yml` file with the following changes:
-
-```yaml
-# Add to the Traefik command section:
-command:
-  # ... existing commands ...
-  - "--entryPoints.websecure.address=:443"
-  - "--entryPoints.websecure.http.tls=true"
-  - "--providers.file.directory=/etc/traefik/dynamic"
-```
-
-```yaml
-# Add to the root of your docker-compose.yml file:
-configs:
-  swarm-cert.crt:
-    file: ./certs/local.crt
-  swarm-cert.key:
-    file: ./certs/local.key
-  swarm-tls.yml:
-    file: ./certs/tls.yml
-```
-
-Deploy the stack:
-
-```bash
-docker stack deploy -c docker-compose.yml traefik
-```
-
-Your browser can access https://whoami.swarm.localhost/ for the service. You'll need to accept the security warning for the self-signed certificate.
-
-## Add Middlewares
-
-Middlewares allow you to modify requests or responses as they pass through Traefik. Let's add two useful middlewares: [Headers](../reference/routing-configuration/http/middlewares/headers.md) for security and [IP allowlisting](../reference/routing-configuration/http/middlewares/ipallowlist.md) for access control.
-
-Add the following labels to your whoami service deployment section in `docker-compose.yml`:
-
-```yaml
-deploy:
-  # ... existing configuration ...
-  labels:
-    # ... existing labels ...
-    
-    # Secure Headers Middleware
-    - "traefik.http.middlewares.secure-headers.headers.frameDeny=true"
-    - "traefik.http.middlewares.secure-headers.headers.sslRedirect=true"
-    - "traefik.http.middlewares.secure-headers.headers.browserXssFilter=true"
-    - "traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true"
-    - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true"
-    - "traefik.http.middlewares.secure-headers.headers.stsPreload=true"
-    - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
-    
-    # IP Allowlist Middleware
-    - "traefik.http.middlewares.ip-allowlist.ipallowlist.sourceRange=127.0.0.1/32,192.168.0.0/16,10.0.0.0/8"
-    
-    # Apply the middlewares
-    - "traefik.http.routers.whoami.middlewares=secure-headers,ip-allowlist"
-```
-
-Add the same middleware to your whoami-api service:
-
-```yaml
-deploy:
-  # ... existing configuration ...
-  labels:
-    # ... existing labels ...
-    - "traefik.http.routers.whoami-api.middlewares=secure-headers,ip-allowlist"
-```
-
-Apply the changes:
-
-```bash
-docker stack deploy -c docker-compose.yml traefik
-```
-
-### Test the Middlewares
-
-Now let's verify that our middlewares are working correctly:
-
-Test the Secure Headers middleware:
-
-```bash
-curl -k -I -H "Host: whoami.swarm.localhost" https://localhost/
-```
-
-In the response headers, you should see security headers set by the middleware:
-
-- `X-Frame-Options: DENY`
-- `X-Content-Type-Options: nosniff`
-- `X-XSS-Protection: 1; mode=block`
-- `Strict-Transport-Security` with the appropriate settings
-
-Test the IP Allowlist middleware:
-
-If your request comes from an IP that's in the allow list (e.g., 127.0.0.1), it should succeed:
-
-```bash
-curl -k -I -H "Host: whoami.swarm.localhost" https://localhost/
-```
-
-If you try to access from an IP not in the allow list, the request will be rejected with a `403` Forbidden response. To simulate this in a local environment, you can modify the middleware configuration temporarily to exclude your IP address, then test again.
-
-## Generate Certificates with Let's Encrypt
-
-Let's Encrypt provides free, automated TLS certificates. Let's configure Traefik to automatically obtain and renew certificates for our services.
-
-Instead of using self-signed certificates, update your existing `docker-compose.yml` file with the following changes:
-
-Add the Let's Encrypt certificate resolver to the Traefik service command section:
-
-```yaml
-command:
-  # ... existing commands ...
-  # Let's Encrypt configuration
-  - "--certificatesresolvers.le.acme.email=your-email@example.com" # replace with your actual email
-  - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
-  - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
-```
-
-Add a volume for Let's Encrypt certificates:
-
-```yaml
-volumes:
-  # ...Existing volumes...
-  - letsencrypt:/letsencrypt
-```
-
-Update your service labels to use the certificate resolver:
-
-```yaml
-labels:
-  # ... existing labels ...
-  - "traefik.http.routers.whoami.tls.certresolver=le"
-```
-
-Do the same for any other services you want to secure:
-
-```yaml
-labels:
-  # ... existing labels ...
-  - "traefik.http.routers.whoami-api.tls.certresolver=le"
-```
-
-Create a named volume for storing Let's Encrypt certificates by adding to the volumes section:
-
-```yaml
-volumes:
-  # ... existing volumes ...
-  letsencrypt:
-    driver: local
-```
-
-Apply the changes:
-
-```bash
-docker stack deploy -c docker-compose.yml traefik
-```
-
-!!! important "Public DNS Required"
-    Let's Encrypt may require a publicly accessible domain to validate domain ownership. For testing with local domains like `whoami.swarm.localhost`, the certificate will remain self-signed. In production, replace it with a real domain that has a publicly accessible DNS record pointing to your Traefik instance.
-
-Once the certificate is issued, you can verify it:
-
-```bash
-# Verify the certificate chain
-curl -v https://whoami.swarm.localhost/ 2>&1 | grep -i "server certificate"
-```
-
-You should see that your certificate is issued by Let's Encrypt.
-
-## Configure Sticky Sessions
-
-Sticky sessions ensure that a user's requests always go to the same backend server, which is essential for applications that maintain session state. Let's implement sticky sessions for our whoami service.
-
-Docker Swarm already has multiple replicas running; we'll now add sticky session configuration. Update your whoami service in the `docker-compose.yml` file:
-
-### Add Sticky Session Configuration
-
-Add the following labels to your whoami service in the `docker-compose.yml` file:
-
-```yaml
-deploy:
-  # ... existing configuration ...
-  labels:
-    # ... existing labels ...
-    
-    # Sticky Sessions Configuration
-    - "traefik.http.services.whoami.loadbalancer.sticky.cookie=true"
-    - "traefik.http.services.whoami.loadbalancer.sticky.cookie.name=sticky_cookie"
-    - "traefik.http.services.whoami.loadbalancer.sticky.cookie.secure=true"
-    - "traefik.http.services.whoami.loadbalancer.sticky.cookie.httpOnly=true"
-```
-
-Apply the changes:
-
-```bash
-docker stack deploy -c docker-compose.yml traefik
-```
-
-### Test Sticky Sessions
-
-You can test the sticky sessions by making multiple requests and observing that they all go to the same backend container:
-
-```bash
-# First request - save cookies to a file
-curl -k -c cookies.txt -H "Host: whoami.swarm.localhost" https://localhost/
-
-# Subsequent requests - use the cookies
-curl -k -b cookies.txt -H "Host: whoami.swarm.localhost" https://localhost/
-curl -k -b cookies.txt -H "Host: whoami.swarm.localhost" https://localhost/
-```
-
-Pay attention to the `Hostname` field in each response - it should remain the same across all requests when using the cookie file, confirming that sticky sessions are working.
-
-For comparison, try making requests without the cookie:
-
-```bash
-# Requests without cookies should be load-balanced across different containers
-curl -k -H "Host: whoami.swarm.localhost" https://localhost/
-curl -k -H "Host: whoami.swarm.localhost" https://localhost/
-```
-
-You should see different `Hostname` values in these responses, as each request is load-balanced to a different container.
-
-!!! important "Browser Testing"
-    When testing in browsers, you need to use the same browser session to maintain the cookie. The cookie is set with `httpOnly` and `secure` flags for security, so it will only be sent over HTTPS connections and won't be accessible via JavaScript.
-
-For more advanced configuration options, see the [reference documentation](../reference/routing-configuration/http/load-balancing/service.md).
-
-## Conclusion
-
-In this guide, you've learned how to:
-
-- Expose HTTP services through Traefik in Docker Swarm
-- Set up path-based routing to direct traffic to different backend services
-- Secure your services with TLS using self-signed certificates
-- Add security with middlewares like secure headers and IP allow listing
-- Automate certificate management with Let's Encrypt
-- Implement sticky sessions for stateful applications
-
-These fundamental capabilities provide a solid foundation for exposing any application through Traefik Proxy in Docker Swarm. Each of these can be further customized to meet your specific requirements.
-
-### Next Steps
-
-Now that you understand the basics of exposing services with Traefik Proxy, you might want to explore:
-
-- [Advanced routing options](../reference/routing-configuration/http/router/rules-and-priority.md) like query parameter matching, header-based routing, and more
-- [Additional middlewares](../reference/routing-configuration/http/middlewares/overview.md) for authentication, rate limiting, and request modifications
-- [Observability features](../reference/install-configuration/observability/metrics.md) for monitoring and debugging your Traefik deployment
-- [TCP services](../reference/routing-configuration/tcp/service.md) for exposing TCP services
-- [UDP services](../reference/routing-configuration/udp/service.md) for exposing UDP services
-- [Docker provider documentation](../reference/install-configuration/providers/docker.md) for more details about the Docker integration

docs/content/getting-started/concepts.md

@@ -57,4 +57,4 @@ You no longer need to create and synchronize configuration files cluttered with
     Traefik is able to use your cluster API to discover the services and read the attached information.
     In Traefik, these connectors are called [providers](../providers/overview.md "Link to overview about Traefik providers") because they *provide* the configuration to Traefik.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/getting-started/configuration-overview.md

@@ -79,7 +79,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:v3.4 --help
+# ex: docker run traefik:v2.11 --help
 ```
 
 Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.
@@ -94,4 +94,4 @@ All the configuration options are documented in their related section.
 
 You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/getting-started/docker.md

@@ -1,162 +0,0 @@
----
-title: "Docker and Traefik Quick Start"
-description: "Deploy Traefik in Docker and expose your first service"
----
-
-# Getting Started with Docker and Traefik
-
-Docker is a first-class citizen in Traefik, offering native support for Docker containers and services. 
-Whether you're using Docker Compose or running containers directly, Traefik provides a seamless experience for managing your Docker traffic.
-
-This guide shows you how to:
-
-- Install Traefik using Docker
-- Expose the Traefik dashboard
-- Deploy a sample application
-- Configure basic routing
-
-## Prerequisites
-
-- Docker 
-- Docker Compose (optional)
-
-## Install Traefik
-
-### Using Docker Compose
-
-Create a Docker Compose file. 
-This configuration:
-
-- Exposes ports 80 and 8080. 
-- Enables the Docker provider
-- Configures the dashboard with basic settings. Port 8080 serves the dashboard because we enabled `--api.insecure=true` (development use only)
-- Mounts the Docker socket for container discovery
-
-```yaml
-# docker-compose.yml
-services:
-  traefik:
-    image: traefik:v3.4
-    command:
-      - "--api.insecure=true"
-      - "--providers.docker=true"
-      - "--entrypoints.web.address=:80"
-    ports:
-      - "80:80"
-      - "8080:8080"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-```
-
-Start Traefik:
-
-```bash
-docker-compose up -d
-```
-
-### Using Docker CLI
-
-Alternatively, you can run Traefik directly with Docker. 
-This command:
-
-- Exposes ports 80 and 8080 for web traffic and dashboard access
-- Mounts the configuration file and Docker socket
-- Uses the same configuration as the Docker Compose example
-
-Create a configuration file:
-
-```yaml
-# traefik.yml
-api:
-  insecure: true
-entryPoints:
-  web:
-    address: ":80"
-providers:
-  docker: {}
-```
-
-Start Traefik:
-
-```bash
-docker run -d \
-  -p 80:80 \
-  -p 8080:8080 \
-  -v $PWD/traefik.yml:/etc/traefik/traefik.yml \
-  -v /var/run/docker.sock:/var/run/docker.sock \
-  traefik:v3.4
-```
-
-## Expose the Dashboard
-
-Because we explicitly enabled insecure mode, the [dashboard](../reference/install-configuration/api-dashboard.md) is reachable on port 8080 without authentication. 
-**Do not enable this flag in production**.
-
-You can access the dashboard at:
-
-[http://localhost:8080/dashboard/](http://localhost:8080/dashboard/)
-
-![Traefik Dashboard Screenshot](../assets/img/getting-started/traefik-dashboard.png)
-
-## Deploy a Sample Application
-
-Create a whoami service:
-
-```yaml
-# whoami.yml
-services:
-  whoami:
-    image: traefik/whoami
-    labels:
-      - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
-```
-
-Apply the configuration:
-
-```bash
-docker-compose -f whoami.yml up -d
-```
-
-## Test Your Setup
-
-You can use the following curl command to verify that the application is correctly exposed:
-
-```bash
-curl http://whoami.localhost
-
-Hostname: 068c0a29a8b7
-IP: 127.0.0.1
-IP: ::1
-IP: 192.168.147.3
-RemoteAddr: 192.168.147.2:56006
-GET / HTTP/1.1
-Host: whoami.localhost
-User-Agent: curl/8.7.1
-Accept: */*
-Accept-Encoding: gzip
-X-Forwarded-For: 192.168.147.1
-X-Forwarded-Host: whoami.localhost
-X-Forwarded-Port: 80
-X-Forwarded-Proto: http
-X-Forwarded-Server: 9232cdd4fd6c
-X-Real-Ip: 192.168.147.1
-```
-
-You can also open [http://whoami.localhost](http://whoami.localhost) in a browser to test the application:
-
-![whoami application Screenshot](../assets/img/getting-started/whoami-localhost.png)
-
-If you navigate to the **HTTP Routers** section of the Traefik dashboard, you can see that the `whoami.localhost` route is managed by the Traefik Docker provider:
-
-![Traefik Dashboard HTTP Routers Section Screenshot](../assets/img/getting-started/docker-router.png)
-
-That's it! You've successfully deployed Traefik and configured routing in Docker.
-
-## Next Steps
-
-- [Configure TLS](../reference/routing-configuration/http/tls/overview.md)
-- [Set up Middlewares](../reference/routing-configuration/http/middlewares/overview.md)
-- [Enable Metrics](../reference/install-configuration/observability/metrics.md)
-- [Learn more about Docker provider](../reference/install-configuration/providers/docker.md)
-
-{!traefik-for-business-applications.md!}

docs/content/getting-started/faq.md

@@ -252,4 +252,4 @@ In which case, you should make sure your infrastructure is properly set up for a
 LEGO_DISABLE_CNAME_SUPPORT=true
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/getting-started/index.md

@@ -1,25 +0,0 @@
----
-title: "Getting Started with Traefik"
-description: "Quick start guides for deploying Traefik in Kubernetes and Docker environments"
----
-
-# Getting Started with Traefik
-
-Traefik can be deployed in various environments. Choose your preferred deployment method:
-
-- [Kubernetes Quick Start](./kubernetes.md) - Deploy Traefik using Helm
-- [Docker Quick Start](./docker.md) - Deploy Traefik using Docker
-
-Each guide will help you:
-
-- Install Traefik
-- Expose the dashboard
-- Deploy a sample application
-- Configure basic routing
-
-## Before You Begin
-
-Make sure you have the necessary prerequisites for your chosen environment:
-
-- **Kubernetes**: A running Kubernetes cluster, Helm 3, and kubectl
-- **Docker**: Docker and optionally Docker Compose

docs/content/getting-started/install-traefik.md

@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:
 
 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
 
-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.11/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.11/traefik.sample.toml)
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.4
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.11
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.4`
+    ex: `traefik:v2.11`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
     * Any orchestrator using docker images can fetch the official Traefik docker image.
 
@@ -39,7 +39,7 @@ Traefik can be installed in Kubernetes using the Helm chart from <https://github
 
 Ensure that the following requirements are met:
 
-* Kubernetes 1.22+
+* Kubernetes 1.16+
 * Helm version 3.9+ is [installed](https://helm.sh/docs/intro/install/)
 
 Add Traefik Labs chart repository to Helm:
@@ -144,4 +144,4 @@ And run it:
 
 All the details are available in the [Contributing Guide](../contributing/building-testing.md)
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/getting-started/kubernetes.md

@@ -1,331 +0,0 @@
----
-title: "Kubernetes and Traefik Quick Start"
-description: "Deploy Traefik in Kubernetes using Helm and expose your first service"
-slug: quick-start-with-kubernetes
----
-
-# Getting Started with Kubernetes and Traefik
-
-Kubernetes is a first-class citizen in Traefik, offering native support for Kubernetes resources and the latest Kubernetes standards. 
-Whether you're using Traefik's [IngressRoute CRD](../reference/routing-configuration/kubernetes/crd/http/ingressroute.md), [Ingress](../reference/routing-configuration/kubernetes/ingress.md) or the [Kubernetes Gateway API](../reference/routing-configuration/kubernetes/gateway-api.md), 
-Traefik provides a seamless experience for managing your Kubernetes traffic.
-
-This guide shows you how to:
-
-- Create a Kubernetes cluster using k3d
-- Install Traefik using Helm
-- Expose the Traefik dashboard
-- Deploy a sample application
-- Configure basic routing with IngressRoute and Gateway API
-
-## Prerequisites
-
-- Kubernetes
-- Helm 3
-- kubectl
-- k3d (for local cluster creation)
-
-## Create a Kubernetes Cluster
-
-### Using k3d
-
-Create a cluster with the following command. This command:
-
-- Creates a k3d cluster named "traefik"
-- Maps ports 80, 443, and 8000 to the loadbalancer for accessing services
-- Disables the built-in Traefik ingress controller to avoid conflicts
-
-```bash
-k3d cluster create traefik \
-  --port 80:80@loadbalancer \
-  --port 443:443@loadbalancer \
-  --port 8000:8000@loadbalancer \
-  --k3s-arg "--disable=traefik@server:0"
-```
-
-Configure kubectl:
-
-```bash
-kubectl cluster-info --context k3d-traefik
-```
-
-## Install Traefik
-
-### Using Helm Values File
-
-Add the Traefik Helm repository:
-
-```bash
-helm repo add traefik https://traefik.github.io/charts
-helm repo update
-```
-
-Create a values file. This configuration:
-
-- Maps ports 80 and 443 to the web and websecure [entrypoints](../reference/install-configuration/entrypoints.md)
-- Enables the [dashboard](../reference/install-configuration/api-dashboard.md) with a specific hostname rule
-- Enables the [Kubernetes Gateway API provider](../reference/routing-configuration/kubernetes/gateway-api.md)
-- Allows the Gateway to expose [HTTPRoutes](https://gateway-api.sigs.k8s.io/api-types/httproute/) from all namespaces
-
-```yaml
-# values.yaml
-ingressRoute:
-  dashboard:
-    enabled: true
-    matchRule: Host(`dashboard.localhost`)
-    entryPoints:
-      - web
-providers:
-  kubernetesGateway:
-    enabled: true
-gateway:
-  namespacePolicy: All
-```
-
-!!! info
-    The [KubernetesCRD](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md) provider is enabled by default when using the Helm chart so we don't need to set it in the values file.
-
-Install Traefik:
-
-```bash
-helm install traefik traefik/traefik -f values.yaml --wait
-```
-
-### Using Helm CLI Arguments
-
-Alternatively, you can install Traefik using CLI arguments. This command:
-
-- Maps ports `30000` and `30001` to the web and websecure entrypoints
-- Enables the dashboard with a specific hostname rule
-- Enables the [Kubernetes Gateway API provider](../reference/routing-configuration/kubernetes/gateway-api.md)
-- Allows the Gateway to expose HTTPRoutes from all namespaces
-
-```bash
-helm install traefik traefik/traefik --wait \
-  --set ingressRoute.dashboard.enabled=true \
-  --set ingressRoute.dashboard.matchRule='Host(`dashboard.localhost`)' \
-  --set ingressRoute.dashboard.entryPoints={web} \
-  --set providers.kubernetesGateway.enabled=true \
-  --set gateway.namespacePolicy=All
-```
-
-!!! info
-    The [KubernetesCRD](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md) provider is enabled by default when using the Helm chart so we don't need to set it in the CLI arguments.
-
-When Traefik is installed with the Gateway API provider enabled, it automatically creates a default GatewayClass named **traefik**:
-
-```bash
-kubectl describe GatewayClass traefik
-```
-
-## Expose the Dashboard
-
-The dashboard is exposed with an [IngressRoute](../reference/routing-configuration/kubernetes/crd/http/ingressroute.md) provided by the Chart, as we defined in the helm values during installation. 
-
-Access it at:
-
-[http://dashboard.localhost/dashboard/](http://dashboard.localhost/dashboard/)
-
-![Traefik Dashboard Screenshot](../assets/img/getting-started/traefik-dashboard.png)
-
-## Deploy a Sample Application
-
-Create a deployment:
-
-```yaml
-# whoami.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: whoami
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: whoami
-  template:
-    metadata:
-      labels:
-        app: whoami
-    spec:
-      containers:
-        - name: whoami
-          image: traefik/whoami
-          ports:
-            - containerPort: 80
-```
-
-Create a service:
-
-```yaml
-# whoami-service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: whoami
-spec:
-  ports:
-    - port: 80
-  selector:
-    app: whoami
-```
-
-Apply the manifests:
-
-```bash
-kubectl apply -f whoami.yaml
-kubectl apply -f whoami-service.yaml
-```
-
-## Exposing the Application Using an IngressRoute (CRD)
-
-Create an IngressRoute:
-
-```yaml
-# whoami-ingressroute.yaml
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: whoami
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: Host(`whoami.localhost`)
-      kind: Rule
-      services:
-        - name: whoami
-          port: 80
-```
-
-Apply the manifest:
-
-```bash
-kubectl apply -f whoami-ingressroute.yaml
-```
-
-### Test Your Setup
-
-You can use the following curl command to verify that the application is correctly exposed:
-
-```bash
-curl http://whoami.localhost
-
-Hostname: whoami-76c9859cfc-6v8hh
-IP: 127.0.0.1
-IP: ::1
-IP: 10.42.0.11
-IP: fe80::20ad:eeff:fe44:a63
-RemoteAddr: 10.42.0.9:38280
-GET / HTTP/1.1
-Host: whoami.localhost
-User-Agent: curl/8.7.1
-Accept: */*
-Accept-Encoding: gzip
-X-Forwarded-For: 127.0.0.1
-X-Forwarded-Host: whoami.localhost
-X-Forwarded-Port: 80
-X-Forwarded-Proto: http
-X-Forwarded-Server: traefik-598946cd7-zds59
-X-Real-Ip: 127.0.0.1
-```
-
-You can also visit [http://whoami.localhost](http://whoami.localhost) in a browser to verify that the application is exposed correctly:
-
-![whoami application Screenshot](../assets/img/getting-started/whoami-localhost.png)
-
-## Exposing the Application Using the Gateway API
-
-Traefik supports the Kubernetes Gateway API specification, which provides a more standardized way to configure ingress in Kubernetes.
-When we installed Traefik earlier, we enabled the Gateway API provider. 
-You can verify this in the providers section of the Traefik dashboard.
-
-![Providers Section Screenshot](../assets/img/getting-started/providers.png)
-
-To use the Gateway API:
-
-Install the Gateway API CRDs in your cluster:
-
-```bash
-kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
-```
-
-Create an HTTPRoute. This configuration:
-
-- Creates an HTTPRoute named "whoami"
-- Attaches it to the default Gateway that Traefik created during installation
-- Configures routing for the hostname "whoami-gatewayapi.localhost"
-- Routes all traffic to the whoami service on port 80
-
-```yaml
-# httproute.yaml
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: whoami
-spec:
-  parentRefs:
-    - name: traefik-gateway
-  hostnames:
-    - "whoami-gatewayapi.localhost"
-  rules:
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /
-      backendRefs:
-        - name: whoami
-          port: 80
-```
-
-Apply the manifest:
-
-```bash
-kubectl apply -f httproute.yaml
-```
-
-### Test Your Setup
-
-You can use the following curl command to verify that the application is correctly exposed:
-
-```bash
-curl http://whoami-gatewayapi.localhost
-
-Hostname: whoami-76c9859cfc-6v8hh
-IP: 127.0.0.1
-IP: ::1
-IP: 10.42.0.11
-IP: fe80::20ad:eeff:fe44:a63
-RemoteAddr: 10.42.0.9:38280
-GET / HTTP/1.1
-Host: whoami.localhost
-User-Agent: curl/8.7.1
-Accept: */*
-Accept-Encoding: gzip
-X-Forwarded-For: 127.0.0.1
-X-Forwarded-Host: whoami.localhost
-X-Forwarded-Port: 80
-X-Forwarded-Proto: http
-X-Forwarded-Server: traefik-598946cd7-zds59
-X-Real-Ip: 127.0.0.1
-```
-
-You can now visit [http://whoami.localhost](http://whoami.localhost) in your browser to verify that the application is exposed correctly:
-
-![whoami application Screenshot](../assets/img/getting-started/whoami-localhost.png)
-
-If you navigate to the **HTTP Routes** section of the traefik dashboard, you can see that the `whoami.localhost` route is managed by the Traefik Kubernetes Gateway API provider:
-
-![Traefik Dashboard HTTP Routes Section Screenshot](../assets/img/getting-started/kubernetes-gateway.png)
-
-That's it! You've successfully deployed Traefik and configured routing in a Kubernetes cluster.
-
-## Next Steps
-
-- [Configure TLS](../reference/routing-configuration/http/tls/overview.md)
-- [Set up Middlewares](../reference/routing-configuration/http/middlewares/overview.md)
-- [Enable Metrics](../reference/install-configuration/observability/metrics.md)
-- [Learn more about Kubernetes CRD provider](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md)
-- [Learn more about Kubernetes Gateway API provider](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md)
-
-{!traefik-for-business-applications.md!}

docs/content/getting-started/quick-start-with-kubernetes.md

@@ -3,4 +3,335 @@ title: "Traefik Getting Started With Kubernetes"
 description: "Get started with Traefik Proxy and Kubernetes."
 ---
 
---8<-- "content/getting-started/kubernetes.md"
+# Quick Start
+
+A Use Case of Traefik Proxy and Kubernetes
+{: .subtitle }
+
+This guide is an introduction to using Traefik Proxy in a Kubernetes environment.  
+The objective is to learn how to run an application behind a Traefik reverse proxy in Kubernetes.  
+It presents and explains the basic blocks required to start with Traefik such as Ingress Controller, Ingresses, Deployments, static, and dynamic configuration.
+
+## Permissions and Accesses
+
+Traefik uses the Kubernetes API to discover running services.
+
+To use the Kubernetes API, Traefik needs some permissions.
+This [permission mechanism](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) is based on roles defined by the cluster administrator.  
+The role is then bound to an account used by an application, in this case, Traefik Proxy.
+
+The first step is to create the role.
+The [`ClusterRole`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole) resource enumerates the resources and actions available for the role.
+In a file called `00-role.yml`, put the following `ClusterRole`:
+
+```yaml tab="00-role.yml"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-role
+
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.io
+      - traefik.containo.us
+    resources:
+      - middlewares
+      - middlewaretcps
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
+      - serverstransports
+    verbs:
+      - get
+      - list
+      - watch
+```
+
+!!! info "You can find the reference for this file [there](../../reference/dynamic-configuration/kubernetes-crd/#rbac)."
+
+The next step is to create a dedicated service account for Traefik.
+In a file called `00-account.yml`, put the following [`ServiceAccount`](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/service-account-v1/#ServiceAccount) resource:
+
+```yaml tab="00-account.yml"
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik-account
+```
+
+And then, bind the role on the account to apply the permissions and rules on the latter. In a file called `01-role-binding.yml`, put the
+following [`ClusterRoleBinding`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/#ClusterRoleBinding) resource:
+
+```yaml tab="01-role-binding.yml"
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik-role-binding
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-role
+subjects:
+  - kind: ServiceAccount
+    name: traefik-account
+    namespace: default # This tutorial uses the "default" K8s namespace.
+```
+
+!!! info "`roleRef` is the Kubernetes reference to the role created in `00-role.yml`."
+
+!!! info "`subjects` is the list of accounts reference."
+
+    In this guide, it only contains the account created in `00-account.yml`
+
+## Deployment and Exposition
+
+!!! info "This section can be managed with the help of the [Traefik Helm chart](../install-traefik/#use-the-helm-chart)."
+
+The [ingress controller](https://traefik.io/glossary/kubernetes-ingress-and-ingress-controller-101/#what-is-a-kubernetes-ingress-controller)
+is a software that runs in the same way as any other application on a cluster.  
+To start Traefik on the Kubernetes cluster,
+a [`Deployment`](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/) resource must exist to describe how to configure
+and scale containers horizontally to support larger workloads.
+
+Start by creating a file called `02-traefik.yml` and paste the following `Deployment` resource:
+
+```yaml tab="02-traefik.yml"
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: traefik-deployment
+  labels:
+    app: traefik
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik
+  template:
+    metadata:
+      labels:
+        app: traefik
+    spec:
+      serviceAccountName: traefik-account
+      containers:
+        - name: traefik
+          image: traefik:v2.11
+          args:
+            - --api.insecure
+            - --providers.kubernetesingress
+          ports:
+            - name: web
+              containerPort: 80
+            - name: dashboard
+              containerPort: 8080
+```
+
+The deployment contains an important attribute for customizing Traefik: `args`.  
+These arguments are the static configuration for Traefik.  
+From here, it is possible to enable the dashboard,
+configure entry points,
+select dynamic configuration providers,
+and [more](../reference/static-configuration/cli.md).
+
+In this deployment,
+the static configuration enables the Traefik dashboard,
+and uses Kubernetes native Ingress resources as router definitions to route incoming requests.
+
+!!! info "When there is no entry point in the static configuration"
+
+    Traefik creates a default one called `web` using the port `80` routing HTTP requests.
+
+!!! info "When enabling the [`api.insecure`](../../operations/api/#insecure) mode, Traefik exposes the dashboard on the port `8080`."
+
+A deployment manages scaling and then can create lots of containers, called [Pods](https://kubernetes.io/docs/concepts/workloads/pods/).
+Each Pod is configured following the `spec` field in the deployment.  
+Given that, a Deployment can run multiple Traefik Proxy Pods,
+a piece is required to forward the traffic to any of the instance:
+namely a [`Service`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#Service).  
+Create a file called `02-traefik-services.yml` and insert the two `Service` resources:
+
+```yaml tab="02-traefik-services.yml"
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-dashboard-service
+
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 8080
+      targetPort: dashboard
+  selector:
+    app: traefik
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-web-service
+
+spec:
+  type: LoadBalancer
+  ports:
+    - targetPort: web
+      port: 80
+  selector:
+    app: traefik
+```
+
+!!! warning "It is possible to expose a service in different ways."
+
+    Depending on your working environment and use case, the `spec.type` might change.  
+    It is strongly recommended to understand the available [service types](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) before proceeding to the next step.
+
+It is now time to apply those files on your cluster to start Traefik.
+
+```shell
+kubectl apply -f 00-role.yml \
+              -f 00-account.yml \
+              -f 01-role-binding.yml \
+              -f 02-traefik.yml \
+              -f 02-traefik-services.yml
+```
+
+## Proxying applications
+
+The only part still missing is the business application behind the reverse proxy.  
+For this guide, we use the example application [traefik/whoami](https://github.com/traefik/whoami),
+but the principles are applicable to any other application.
+
+The `whoami` application is an HTTP server running on port 80 which answers host-related information to the incoming requests.  
+As usual, start by creating a file called `03-whoami.yml` and paste the following `Deployment` resource:
+
+```yaml tab="03-whoami.yml"
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+        - name: whoami
+          image: traefik/whoami
+          ports:
+            - name: web
+              containerPort: 80
+```
+
+And continue by creating the following `Service` resource in a file called `03-whoami-services.yml`:
+
+```yaml tab="03-whoami-services.yml"
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+
+spec:
+  ports:
+    - name: web
+      port: 80
+      targetPort: web
+      
+  selector:
+    app: whoami
+```
+
+Thanks to the Kubernetes API,
+Traefik is notified when an Ingress resource is created, updated, or deleted.  
+This makes the process dynamic.  
+The ingresses are, in a way, the [dynamic configuration](../../providers/kubernetes-ingress/) for Traefik.
+
+!!! tip
+
+    Find more information on [ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/),
+    and [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the official Kubernetes documentation.
+
+Create a file called `04-whoami-ingress.yml` and insert the `Ingress` resource:
+
+```yaml tab="04-whoami-ingress.yml"
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: whoami-ingress
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: whoami
+            port:
+              name: web
+```
+
+This `Ingress` configures Traefik to redirect any incoming requests starting with `/` to the `whoami:80` service.
+
+At this point, all the configurations are ready.
+It is time to apply those new files:
+
+```shell
+kubectl apply -f 03-whoami.yml \
+              -f 03-whoami-services.yml \
+              -f 04-whoami-ingress.yml
+```
+
+Now you should be able to access the `whoami` application and the Traefik dashboard.
+Load the dashboard on a web browser: [`http://localhost:8080`](http://localhost:8080).
+
+And now access the `whoami` application:
+
+```shell
+curl -v http://localhost/
+```
+
+!!! question "Going further"
+
+    - [Filter the ingresses](../providers/kubernetes-ingress.md#ingressclass) to use with [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)
+    - Use [IngressRoute CRD](../providers/kubernetes-crd.md)
+    - Protect [ingresses with TLS](../routing/providers/kubernetes-ingress.md#enabling-tls-via-annotations)
+    
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/getting-started/quick-start.md

@@ -3,4 +3,122 @@ title: "Traefik Getting Started Quickly"
 description: "Get started with Traefik Proxy and Docker."
 ---
 
---8<-- "content/getting-started/docker.md"
+# Quick Start
+
+A Use Case Using Docker
+{: .subtitle }
+
+![quickstart-diagram](../assets/img/quickstart-diagram.png)
+
+## Launch Traefik With the Docker Provider
+
+Create a `docker-compose.yml` file where you will define a `reverse-proxy` service that uses the official Traefik image:
+
+```yaml
+version: '3'
+
+services:
+  reverse-proxy:
+    # The official v2 Traefik docker image
+    image: traefik:v2.11
+    # Enables the web UI and tells Traefik to listen to docker
+    command: --api.insecure=true --providers.docker
+    ports:
+      # The HTTP port
+      - "80:80"
+      # The Web UI (enabled by --api.insecure=true)
+      - "8080:8080"
+    volumes:
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock
+```
+
+**That's it. Now you can launch Traefik!**
+
+Start your `reverse-proxy` with the following command:
+
+```shell
+docker compose up -d reverse-proxy
+```
+
+You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (you'll go back there once you have launched a service in step 2).
+
+## Traefik Detects New Services and Creates the Route for You
+
+Now that you have a Traefik instance up and running, you will deploy new services.
+
+Edit your `docker-compose.yml` file and add the following at the end of your file.
+
+```yaml
+version: '3'
+
+services:
+
+  ...
+
+  whoami:
+    # A container that exposes an API to show its IP address
+    image: traefik/whoami
+    labels:
+      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
+```
+
+The above defines `whoami`: a web service that outputs information about the machine it is deployed on (its IP address, host, and others).
+
+Start the `whoami` service with the following command:
+
+```shell
+docker compose up -d whoami
+```
+
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new container and updated its own configuration.
+
+When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_  (Here, you're using curl)
+
+```shell
+curl -H Host:whoami.docker.localhost http://127.0.0.1
+```
+
+_Shows the following output:_
+
+```yaml
+Hostname: a656c8ddca6c
+IP: 172.27.0.3
+#...
+```
+
+## More Instances? Traefik Load Balances Them
+
+Run more instances of your `whoami` service with the following command:
+
+```shell
+docker compose up -d --scale whoami=2
+```
+
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new instance of the container.
+
+Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:
+
+```shell
+curl -H Host:whoami.docker.localhost http://127.0.0.1
+```
+
+The output will show alternatively one of the following:
+
+```yaml
+Hostname: a656c8ddca6c
+IP: 172.27.0.3
+#...
+```
+
+```yaml
+Hostname: s458f154e1f1
+IP: 172.27.0.4
+# ...
+```
+
+!!! question "Where to Go Next?"
+
+    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the user guides](../../user-guides/docker-compose/basic-example/ "Link to the user guides") and [the documentation](/ "Link to the docs landing page") and let Traefik work for you!
+
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/https/acme.md

@@ -13,7 +13,7 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
 !!! warning "Let's Encrypt and Rate Limiting"
     Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and cannot be overridden.
     
-    When running Traefik in a container the `acme.json` file should be persisted across restarts. 
+    When running Traefik in a container this file should be persisted across restarts. 
     If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
     To configure where certificates are stored, please take a look at the [storage](#storage) configuration.
 
@@ -324,13 +324,14 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
 | [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
 | [Axelname](https://axelname.ru)                                        | `axelname`         | `AXELNAME_NICKNAME`, `AXELNAME_TOKEN`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/axelname)         |
-| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [Azion](https://www.azion.com/en/products/edge-dns/)                   | `azion`            | `AZION_PERSONAL_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/azion)            |
+| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | DEPRECATED use `azuredns` instead.                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
 | [AzureDNS](https://azure.microsoft.com/services/dns/)                  | `azuredns`         | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns)         |
 | [Baidu Cloud](https://cloud.baidu.com)                                 | `baiducloud`       | `BAIDUCLOUD_ACCESS_KEY_ID`, `BAIDUCLOUD_SECRET_ACCESS_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/baiducloud)       |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)             | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
 | [Blue Cat](https://www.bluecatnetworks.com/)                           | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
 | [BookMyName](https://www.bookmyname.com)                               | `bookmyname`       | `BOOKMYNAME_USERNAME`, `BOOKMYNAME_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/bookmyname)       |
-| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
+| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
 | [Bunny](https://bunny.net)                                             | `bunny`            | `BUNNY_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/bunny)            |
 | [Checkdomain](https://www.checkdomain.de/)                             | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
 | [Civo](https://www.civo.com/)                                          | `civo`             | `CIVO_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
@@ -338,7 +339,8 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [CloudDNS](https://vshosting.eu/)                                      | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
 | [Cloudflare](https://www.cloudflare.com)                               | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
 | [ClouDNS](https://www.cloudns.net/)                                    | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
-| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [ConoHa v3](https://www.conoha.jp/)                                    | `conohav3`         | `CONOHAV3_TENANT_ID`, `CONOHAV3_API_USER_ID`, `CONOHAV3_API_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conohav3)         |
 | [ConoHa](https://www.conoha.jp)                                        | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
 | [Constellix](https://constellix.com)                                   | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
 | [Core-Networks](https://www.core-networks.de)                          | `corenetworks`     | `CORENETWORKS_LOGIN`, `CORENETWORKS_PASSWORD`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/corenetworks)     |
@@ -350,12 +352,13 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [DNS Made Easy](https://dnsmadeeasy.com)                               | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
 | [dnsHome.de](https://www.dnshome.de)                                   | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
 | [DNSimple](https://dnsimple.com)                                       | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
-| [DNSPod](https://www.dnspod.com/)                                      | `dnspod`           | `DNSPOD_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
+| [DNSPod](https://www.dnspod.com/) (DEPRECATED)                         | `dnspod`           | DEPRECATED  use `tencentcloud` instead.                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
 | [Domain Offensive (do.de)](https://www.do.de/)                         | `dode`             | `DODE_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
 | [Domeneshop](https://domene.shop)                                      | `domeneshop`       | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)       |
 | [DreamHost](https://www.dreamhost.com/)                                | `dreamhost`        | `DREAMHOST_API_KEY`                                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)        |
 | [Duck DNS](https://www.duckdns.org/)                                   | `duckdns`          | `DUCKDNS_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)          |
 | [Dyn](https://dyn.com)                                                 | `dyn`              | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)              |
+| [DynDnsFree.de](https://www.dyndnsfree.de)                             | `dyndnsfree`       | `DYNDNSFREE_USERNAME`, `DYNDNSFREE_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dyndnsfree)       |
 | [Dynu](https://www.dynu.com)                                           | `dynu`             | `DYNU_API_KEY`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)             |
 | [EasyDNS](https://easydns.com/)                                        | `easydns`          | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)          |
 | [EdgeDNS](https://www.akamai.com/)                                     | `edgedns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
@@ -371,7 +374,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Glesys](https://glesys.com/)                                          | `glesys`           | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)           |
 | [GoDaddy](https://www.godaddy.com)                                     | `godaddy`          | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)          |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)                 | `gcloud`           | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)           |
-| [Google Domains](https://domains.google)                               | `googledomains`    | `GOOGLE_DOMAINS_ACCESS_TOKEN`                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
+| [Google Domains](https://domains.google) (DEPRECATED)                  | `googledomains`    | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
 | [Hetzner](https://hetzner.com)                                         | `hetzner`          | `HETZNER_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
 | [hosting.de](https://www.hosting.de)                                   | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
 | [Hosttech](https://www.hosttech.eu)                                    | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
@@ -432,6 +435,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [RFC2136](https://tools.ietf.org/html/rfc2136)                         | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
 | [RimuHosting](https://rimuhosting.com)                                 | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
 | [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
+| [RU Center](https://nic.ru/)                                           | `nicru`            | `NICRU_USER`, `NICRU_PASSWORD`, `NICRU_SERVICE_ID`, `NICRU_SECRET`, `NICRU_SERVICE_NAME`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/nicru)            |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
 | [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCW_API_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
 | [Selectel v2](https://selectel.ru/en/)                                 | `selectelv2`       | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2)       |
@@ -466,6 +470,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Yandex Cloud](https://cloud.yandex.com/en/)                           | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
 | [Yandex](https://yandex.com)                                           | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
 | [Zone.ee](https://www.zone.ee)                                         | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
+| [ZoneEdit](https://www.zoneedit.com)                                   | `zoneedit`         | `ZONEEDIT_USER`, `ZONEEDIT_AUTH_TOKEN`                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/zoneedit)         |
 | [Zonomi](https://zonomi.com)                                           | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
 | External Program                                                       | `exec`             | `EXEC_PATH`                                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/exec)             |
 | HTTP request                                                           | `httpreq`          | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)          |
@@ -507,11 +512,11 @@ certificatesResolvers:
 --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```
 
-#### `propagation.delayBeforeChecks`
+#### `delayBeforeCheck`
 
 By default, the `provider` verifies the TXT record _before_ letting ACME verify.
 
-You can delay this operation by specifying a delay (in seconds) with `delayBeforeChecks` (value must be greater than zero).
+You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
 
 This option is useful when internal networks block external DNS queries.
 
@@ -522,9 +527,7 @@ certificatesResolvers:
       # ...
       dnsChallenge:
         # ...
-        propagation:
-          # ...
-          delayBeforeChecks: 2s
+        delayBeforeCheck: 2s
 ```
 
 ```toml tab="File (TOML)"
@@ -532,21 +535,19 @@ certificatesResolvers:
   # ...
   [certificatesResolvers.myresolver.acme.dnsChallenge]
     # ...
-    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
-      # ...
-      delayBeforeChecks = "2s"
+    delayBeforeCheck = "2s"
 ```
 
 ```bash tab="CLI"
 # ...
---certificatesresolvers.myresolver.acme.dnschallenge.propagation.delayBeforeChecks=2s
+--certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=2s
 ```
 
-#### `propagation.disableChecks`
+#### `disablePropagationCheck`
 
-Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. 
+**Not recommended**
 
-Please note that disabling checks can prevent the challenge from succeeding.
+Disable the TXT records propagation checks before notifying ACME that the DNS challenge is ready. 
 
 ```yaml tab="File (YAML)"
 certificatesResolvers:
@@ -555,9 +556,7 @@ certificatesResolvers:
       # ...
       dnsChallenge:
         # ...
-        propagation:
-          # ...
-          disableChecks: true
+        disablePropagationCheck: true
 ```
 
 ```toml tab="File (TOML)"
@@ -565,90 +564,12 @@ certificatesResolvers:
   # ...
   [certificatesResolvers.myresolver.acme.dnsChallenge]
     # ...
-    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
-      # ...
-      disableChecks = true
+    disablePropagationCheck = true
 ```
 
 ```bash tab="CLI"
 # ...
---certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableChecks=true
-```
-
-#### `propagation.requireAllRNS`
-
-Requires the challenge TXT record to be propagated to all recursive nameservers.
-
-!!! note
-
-    If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`),
-    it is recommended to check all recursive nameservers instead.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      dnsChallenge:
-        # ...
-        propagation:
-          # ...
-          requireAllRNS: true
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  [certificatesResolvers.myresolver.acme.dnsChallenge]
-    # ...
-    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
-      # ...
-      requireAllRNS = true
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.dnschallenge.propagation.requireAllRNS=true
-```
-
-#### `propagation.disableANSChecks`
-
-Disables the challenge TXT record propagation checks against authoritative nameservers.
-
-This option will skip the propagation check against the nameservers of the authority (SOA).
-
-It should be used only if the nameservers of the authority are not reachable.
-
-!!! note
-
-    If you have disabled authoritative nameservers checks,
-    it is recommended to check all recursive nameservers instead.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      dnsChallenge:
-        # ...
-        propagation:
-          # ...
-          disableANSChecks: true
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  [certificatesResolvers.myresolver.acme.dnsChallenge]
-    # ...
-    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
-      # ...
-      disableANSChecks = true
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableANSChecks=true
+--certificatesresolvers.myresolver.acme.dnschallenge.disablePropagationCheck=true
 ```
 
 #### Wildcard Domains
@@ -767,8 +688,6 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 
 _Optional, Default=2160_
 
-`certificatesDuration` specifies the duration (in hours) of the certificates issued by the CA server. It is used to determine when to renew the certificate, but it **doesn't** define the duration of the certificates, that is up to the CA server. 
-
 `certificatesDuration` is used to calculate two durations:
 
 - `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
@@ -780,7 +699,6 @@ It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.
 |----------------------|-------------------|-------------------------|
 | >= 1 year            | 4 months          | 1 week                  |
 | >= 90 days           | 30 days           | 1 day                   |
-| >= 30 days           | 10 days           | 12 hours                |
 | >= 7 days            | 1 day             | 1 hour                  |
 | >= 24 hours          | 6 hours           | 10 min                  |
 | < 24 hours           | 20 min            | 1 min                   |
@@ -840,66 +758,6 @@ certificatesResolvers:
 # ...
 ```
 
-### `profile`
-
-_Optional, Default=""_
-
-Certificate profile to use.
-
-For more information, please check out the [Let's Encrypt blog post](https://letsencrypt.org/2025/01/09/acme-profiles/) about certificate profile selection.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      profile: tlsserver
-      # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  profile = "tlsserver"
-  # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.profile=tlsserver
-# ...
-```
-
-### `emailAddresses`
-
-_Optional, Default=""_
-
-CSR email addresses to use.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      emailAddresses:
-        - foo@example.com
-        - bar@example.org
-      # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  emailAddresses = ["foo@example.com", "bar@example.org"]
-  # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.emailaddresses=foo@example.com,bar@example.org
-# ...
-```
-
 ### `keyType`
 
 _Optional, Default="RSA4096"_
@@ -928,109 +786,6 @@ certificatesResolvers:
 # ...
 ```
 
-### `caCertificates`
-
-_Optional, Default=[]_
-
-The `caCertificates` option specifies the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      caCertificates:
-        - path/certificates1.pem
-        - path/certificates2.pem
-      # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  caCertificates = [ "path/certificates1.pem", "path/certificates2.pem" ]
-  # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.caCertificates="path/certificates1.pem,path/certificates2.pem"
-# ...
-```
-
-??? note "LEGO Environment Variable"
-
-    It can be defined globally by using the environment variable `LEGO_CA_CERTIFICATES`.
-    This environment variable is neither a fallback nor an override of the configuration option.
-
-### `caSystemCertPool`
-
-_Optional, Default=false_
-
-The `caSystemCertPool` option defines if the certificates pool must use a copy of the system cert pool.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      caSystemCertPool: true
-      # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  caSystemCertPool = true
-  # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.caSystemCertPool=true
-# ...
-```
-
-??? note "LEGO Environment Variable"
-
-    It can be defined globally by using the environment variable `LEGO_CA_SYSTEM_CERT_POOL`.
-    `LEGO_CA_SYSTEM_CERT_POOL` is ignored if `LEGO_CA_CERTIFICATES` is not set or empty.
-    This environment variable is neither a fallback nor an override of the configuration option.
-
-### `caServerName`
-
-_Optional, Default=""_
-
-The `caServerName` option specifies the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      caServerName: "my-server"
-      # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  caServerName = "my-server"
-  # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.caServerName="my-server"
-# ...
-```
-
-??? note "LEGO Environment Variable"
-
-    It can be defined globally by using the environment variable `LEGO_CA_SERVER_NAME`.
-    `LEGO_CA_SERVER_NAME` is ignored if `LEGO_CA_CERTIFICATES` is not set or empty.
-    This environment variable is neither a fallback nor an override of the configuration option.
-
 ## Fallback
 
 If Let's Encrypt is not reachable, the following certificates will apply:
@@ -1042,4 +797,4 @@ If Let's Encrypt is not reachable, the following certificates will apply:
 !!! important
     For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/https/include-acme-multiple-domains-example.md

@@ -1,5 +1,5 @@
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 ## Dynamic configuration
 labels:
   - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
@@ -9,6 +9,18 @@ labels:
   - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```
 
+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.routers.blog.tls.domains[0].main=example.com
+    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
@@ -31,6 +43,27 @@ spec:
       - '*.example.org'
 ```
 
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
+  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.org",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=example.com
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -1,5 +1,5 @@
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 ## Dynamic configuration
 labels:
   - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
@@ -35,6 +35,23 @@ spec:
     certResolver: myresolver
 ```
 
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:

docs/content/https/include-acme-single-domain-example.md

@@ -1,5 +1,5 @@
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 ## Dynamic configuration
 labels:
   - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
@@ -35,6 +35,23 @@ spec:
     certResolver: myresolver
 ```
 
+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:

docs/content/https/overview.md

@@ -20,4 +20,4 @@ That is to say, how to obtain [TLS certificates](./tls.md#certificates-definitio
 either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
 And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/https/spiffe.md

@@ -1,56 +0,0 @@
----
-title: "Traefik SPIFFE Documentation"
-description: "Learn how to configure Traefik to use SPIFFE. Read the technical documentation."
----
-
-# SPIFFE
-
-Secure the backend connection with SPIFFE.
-{: .subtitle }
-
-[SPIFFE](https://spiffe.io/docs/latest/spiffe-about/overview/) (Secure Production Identity Framework For Everyone), 
-provides a secure identity in the form of a specially crafted X.509 certificate, 
-to every workload in an environment.
-
-Traefik is able to connect to the Workload API to obtain an x509-SVID used to secure the connection with SPIFFE enabled backends.
-
-## Configuration
-
-### General
-
-Enabling SPIFFE is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
-It can be defined by using a file (YAML or TOML) or CLI arguments.
-
-### Workload API
-
-The `workloadAPIAddr` configuration defines the address of the SPIFFE [Workload API](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-workload-api).
-
-!!! info "Enabling SPIFFE in ServersTransports"
-
-    Enabling SPIFFE does not imply that backend connections are going to use it automatically.
-    Each [ServersTransport](../routing/services/index.md#serverstransport_1) or [TCPServersTransport](../routing/services/index.md#serverstransport_2),
-	that is meant to be secured with SPIFFE,
-	must explicitly enable it (see [SPIFFE with ServersTransport](../routing/services/index.md#spiffe) or [SPIFFE with TCPServersTransport](../routing/services/index.md#spiffe_1)).
-
-!!! warning "SPIFFE can cause Traefik to stall"
-	When using SPIFFE,
-	Traefik will wait for the first SVID to be delivered before starting.
-	If Traefik is hanging when waiting on SPIFFE SVID delivery,
-	please double check that it is correctly registered as workload in your SPIFFE infrastructure.
-
-```yaml tab="File (YAML)"
-## Static configuration
-spiffe:
-    workloadAPIAddr: localhost
-```
-
-```toml tab="File (TOML)"
-## Static configuration
-[spiffe]
-    workloadAPIAddr: localhost
-```
-
-```bash tab="CLI"
-## Static configuration
---spiffe.workloadAPIAddr=localhost
-```

docs/content/https/tailscale.md

@@ -1,207 +0,0 @@
----
-title: "Traefik Tailscale Documentation"
-description: "Learn how to configure Traefik Proxy to resolve TLS certificates for your Tailscale services. Read the technical documentation."
----
-
-# Tailscale
-
-Provision TLS certificates for your internal Tailscale services.
-{: .subtitle }
-
-To protect a service with TLS, a certificate from a public Certificate Authority is needed.
-In addition to its vpn role, Tailscale can also [provide certificates](https://tailscale.com/kb/1153/enabling-https/) for the machines in your Tailscale network.
-
-## Certificate resolvers
-
-To obtain a TLS certificate from the Tailscale daemon,
-a Tailscale certificate resolver needs to be configured as below.
-
-!!! info "Referencing a certificate resolver"
-
-    Defining a certificate resolver does not imply that routers are going to use it automatically.
-    Each router or entrypoint that is meant to use the resolver must explicitly [reference](../routing/routers/index.md#certresolver) it.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-    myresolver:
-        tailscale: {}
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.tailscale]
-```
-
-```bash tab="CLI"
---certificatesresolvers.myresolver.tailscale=true
-```
-
-## Domain Definition
-
-A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:
-
-- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
-  then the certificate resolver derives this router domain name from the `main` option of `tls.domains`.
-
-- Otherwise, the certificate resolver derives the domain name from any `Host()` or `HostSNI()` matchers
-  in the [router's rule](../routing/routers/index.md#rule).
-
-!!! info "Tailscale Domain Format"
-
-    The domain is only taken into account if it is a Tailscale-specific one,
-    i.e. of the form `machine-name.domains-alias.ts.net`.
-
-## Configuration Example
-
-!!! example "Enabling Tailscale certificate resolution"
-
-    ```yaml tab="File (YAML)"
-    entryPoints:
-      web:
-        address: ":80"
-
-      websecure:
-        address: ":443"
-
-    certificatesResolvers:
-      myresolver:
-        tailscale: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-
-      [entryPoints.websecure]
-        address = ":443"
-
-    [certificatesResolvers.myresolver.tailscale]
-    ```
-
-    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
-    # ...
-    --certificatesresolvers.myresolver.tailscale=true
-    ```
-
-!!! example "Domain from Router's Rule Example"
-
-    ```yaml tab="Docker & Swarm"
-    ## Dynamic configuration
-    labels:
-      - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
-      - traefik.http.routers.blog.tls.certresolver=myresolver
-    ```
-
-    ```yaml tab="Docker (Swarm)"
-    ## Dynamic configuration
-    deploy:
-      labels:
-        - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
-        - traefik.http.routers.blog.tls.certresolver=myresolver
-    ```
-
-    ```yaml tab="Kubernetes"
-    apiVersion: traefik.io/v1alpha1
-    kind: IngressRoute
-    metadata:
-      name: blogtls
-    spec:
-      entryPoints:
-        - websecure
-      routes:
-        - match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
-          kind: Rule
-          services:
-            - name: blog
-              port: 8080
-      tls:
-        certResolver: myresolver
-    ```
-
-    ```yaml tab="File (YAML)"
-    ## Dynamic configuration
-    http:
-      routers:
-        blog:
-          rule: "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
-          tls:
-            certResolver: myresolver
-    ```
-
-    ```toml tab="File (TOML)"
-    ## Dynamic configuration
-    [http.routers]
-      [http.routers.blog]
-      rule = "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
-      [http.routers.blog.tls]
-        certResolver = "myresolver"
-    ```
-
-!!! example "Domain from Router's tls.domain Example"
-
-    ```yaml tab="Docker & Swarm"
-    ## Dynamic configuration
-    labels:
-      - traefik.http.routers.blog.rule=Path(`/metrics`)
-      - traefik.http.routers.blog.tls.certresolver=myresolver
-      - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
-    ```
-
-    ```yaml tab="Docker (Swarm)"
-    ## Dynamic configuration
-    deploy:
-      labels:
-        - traefik.http.routers.blog.rule=Path(`/metrics`)
-        - traefik.http.routers.blog.tls.certresolver=myresolver
-        - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
-    ```
-
-    ```yaml tab="Kubernetes"
-    apiVersion: traefik.io/v1alpha1
-    kind: IngressRoute
-    metadata:
-      name: blogtls
-    spec:
-      entryPoints:
-        - websecure
-      routes:
-        - match: Path(`/metrics`)
-          kind: Rule
-          services:
-            - name: blog
-              port: 8080
-      tls:
-        certResolver: myresolver
-        domains:
-          - main: monitoring.yak-bebop.ts.net
-    ```
-
-    ```yaml tab="File (YAML)"
-    ## Dynamic configuration
-    http:
-      routers:
-        blog:
-          rule: "Path(`/metrics`)"
-          tls:
-            certResolver: myresolver
-            domains:
-              - main: "monitoring.yak-bebop.ts.net"
-    ```
-
-    ```toml tab="File (TOML)"
-    ## Dynamic configuration
-    [http.routers]
-      [http.routers.blog]
-        rule = "Path(`/metrics`)"
-        [http.routers.blog.tls]
-          certResolver = "myresolver"
-          [[http.routers.blog.tls.domains]]
-            main = "monitoring.yak-bebop.ts.net"
-    ```
-
-## Automatic Renewals
-
-Traefik automatically tracks the expiry date of each Tailscale certificate it fetches,
-and starts to renew a certificate 14 days before its expiry to match Tailscale daemon renew policy.

docs/content/https/tls.md

@@ -211,7 +211,7 @@ spec:
         - bar.example.org
 ```
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 ## Dynamic configuration
 labels:
   - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
@@ -219,6 +219,14 @@ labels:
   - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
 ```
 
+```json tab="Marathon"
+labels: {
+  "traefik.tls.stores.default.defaultgeneratedcert.resolver": "myresolver",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.main": "example.org",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.sans": "foo.example.org, bar.example.org",
+}
+```
+
 ## TLS Options
 
 The TLS options allow one to configure some parameters of the TLS connection.
@@ -234,7 +242,7 @@ The TLS options allow one to configure some parameters of the TLS connection.
 
 !!! important "TLSOption in Kubernetes"
 
-    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../../routing/providers/kubernetes-crd/#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
     if not explicitly overwritten, should apply to all ingresses.  
     To achieve that, you'll have to create a TLSOption resource with the name `default`.
     There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
@@ -553,38 +561,4 @@ spec:
     clientAuthType: RequireAndVerifyClientCert
 ```
 
-### Disable Session Tickets
-
-_Optional, Default="false"_
-
-When set to true, Traefik disables the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions.
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
-  options:
-    default:
-      disableSessionTickets: true
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-  [tls.options.default]
-    disableSessionTickets = true
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: TLSOption
-metadata:
-  name: default
-  namespace: default
-
-spec:
-  disableSessionTickets: true
-```
-
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/includes/kubernetes-requirements.md

@@ -1,3 +0,0 @@
-Traefik follows the [Kubernetes support policy](https://kubernetes.io/releases/version-skew-policy/#supported-versions),
-and supports at least the latest three minor versions of Kubernetes.
-General functionality cannot be guaranteed for older versions.

docs/content/index.md

@@ -1,55 +1,33 @@
 ---
 title: "Traefik Proxy Documentation"
-description: "Traefik Proxy, an open-source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
+description: "Traefik Proxy, an open source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
 ---
 
-# What is Traefik?
+# Welcome
 
 ![Architecture](assets/img/traefik-architecture.png)
 
-Traefik is an [open-source](https://github.com/traefik/traefik) Application Proxy and the core of the Traefik Hub Runtime Platform.
+Traefik is an [open-source](https://github.com/traefik/traefik) *Application Proxy* that makes publishing your services a fun and easy experience. 
+It receives requests on behalf of your system and identifies which components are responsible for handling them, and routes them securely. 
 
-If you start with Traefik for service discovery and routing, you can seamlessly add [API management](https://traefik.io/solutions/api-management/), [API gateway](https://traefik.io/solutions/api-gateway/), [AI gateway](https://traefik.io/solutions/ai-gateway/), and [API mocking](https://traefik.io/solutions/api-mocking/) capabilities as needed.
+What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
+The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. 
 
-With 3.3 billion downloads and over 55k stars on GitHub, Traefik is used globally across hybrid cloud, multi-cloud, on prem, and bare metal environments running Kuberentes, Docker Swarm, AWS, [the list goes on](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/).
+Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, Mesos, Marathon, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
+ 
+With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
+With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.
 
-Here’s how it works—Traefik receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. It automatically discovers the right configuration for your services by inspecting your infrastructure to identify relevant information and which service serves which request.
+And if your needs change, you can add API gateway and API management capabilities seamlessly to your existing Traefik deployments. It takes less than a minute, there’s no rip-and-replace, and all your configurations are preserved. See this in action in [our API gateway demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=docs).
 
-Because everything happens automatically, in real time (no restarts, no connection interruptions), you can focus on developing and deploying new features to your system, instead of configuring and maintaining its working state.
+Developing Traefik, our main goal is to make it effortless to use, and we're sure you'll enjoy it.
 
-!!! quote "From the Traefik Maintainer Team" 
-    When developing Traefik, our main goal is to make it easy to use, and we're sure you'll enjoy it.
-
-## Personas
-
-Traefik supports different needs depending on your background. We keep three user personas in mind as we build and organize these docs:
-
-- **Beginners**: You are new to Traefik or new to reverse proxies. You want simple, guided steps to set things up without diving too deep into advanced topics.
-- **DevOps Engineers**: You manage infrastructure or clusters (Docker, Kubernetes, or other orchestrators). You integrate Traefik into your environment and value reliability, performance, and streamlined deployments.
-- **Developers**: You create and deploy applications or APIs. You focus on how to expose your services through Traefik, apply routing rules, and integrate it with your development workflow.
-
-## Core Concepts
-
-Traefik’s main concepts help you understand how requests flow to your services:
-
-- [Entrypoints](./reference/install-configuration/entrypoints.md) are the network entry points into Traefik. They define the port that will receive the packets and whether to listen for TCP or UDP.
-- [Routers](./reference/routing-configuration/http/router/rules-and-priority.md) are in charge of connecting incoming requests to the services that can handle them. In the process, routers may use pieces of [middleware](./reference/routing-configuration/http/middlewares/overview.md) to update the request or act before forwarding the request to the service.
-- [Services](./reference/routing-configuration/http/load-balancing/service.md) are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
-- [Providers](./reference/install-configuration/providers/overview.md) are infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores. The idea is that Traefik queries the provider APIs in order to find relevant information about routing, and when Traefik detects a change, it dynamically updates the routes.
-
-These concepts work together to manage your traffic from the moment a request arrives until it reaches your application.
-
-## How to Use the Documentation
-
-- **Navigation**: Each main section focuses on a specific stage of working with Traefik - installing, exposing services, observing, extending & migrating. 
-Use the sidebar to navigate to the section that is most appropriate for your needs.
-- **Practical Examples**: You will see code snippets and configuration examples for different environments (YAML/TOML, Labels, & Tags).
-- **Reference**: When you need to look up technical details, our reference section provides a deep dive into configuration options and key terms.
+-- The Traefik Maintainer Team 
 
 !!! info
 
     Have a question? Join our [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the Traefik community.
 
-    Using Traefik OSS in production? Consider upgrading to our API gateway ([watch demo video](https://info.traefik.io/watch-traefik-api-gw-demo)) for better security, control, and 24/7 support.
+    Using Traefik OSS in Production? Consider our enterprise-grade [API Gateway](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc) or our [24/7/365 OSS Support](https://info.traefik.io/request-commercial-support?cta=doc).
 
-    Just need support? Explore our [24/7/365 support for Traefik OSS](https://info.traefik.io/request-commercial-support?cta=doc).
+    Explore our API Gateway upgrade via [this short demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc).

docs/content/middlewares/http/addprefix.md

@@ -14,7 +14,7 @@ The AddPrefix middleware updates the path of a request before forwarding it.
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Prefixing with /foo
 labels:
   - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
@@ -36,6 +36,18 @@ spec:
 - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.add-foo.addprefix.prefix": "/foo"
+}
+```
+
+```yaml tab="Rancher"
+# Prefixing with /foo
+labels:
+  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+```
+
 ```yaml tab="File (YAML)"
 # Prefixing with /foo
 http:

docs/content/middlewares/http/basicauth.md

@@ -14,7 +14,7 @@ The BasicAuth middleware grants access to services to authorized users only.
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Declaring the user list
 #
 # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
@@ -41,6 +41,18 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -88,7 +100,7 @@ The `users` option is an array of authorized users. Each user must be declared u
     Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
     You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Declaring the user list
 #
 # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
@@ -145,6 +157,18 @@ data:
 - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -177,7 +201,7 @@ The file content is a list of `name:hashed-password`.
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
     - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
 ```
@@ -208,6 +232,17 @@ data:
 - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -233,7 +268,7 @@ http:
 
 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
 ```
@@ -252,6 +287,17 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.realm": "MyRealm"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -270,7 +316,7 @@ http:
 
 You can define a header field to store the authenticated user using the `headerField`option.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
 ```
@@ -290,6 +336,12 @@ spec:
 - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.my-auth.basicauth.headerField": "X-WebAuth-User"
+}
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -309,7 +361,7 @@ http:
 
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
 ```
@@ -328,6 +380,17 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -341,5 +404,4 @@ http:
   [http.middlewares.test-auth.basicAuth]
     removeHeader = true
 ```
-
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/middlewares/http/buffering.md

@@ -18,7 +18,7 @@ This can help services avoid large amounts of data (`multipart/form-data` for ex
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Sets the maximum request body to 2MB
 labels:
   - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
@@ -40,6 +40,18 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+# Sets the maximum request body to 2MB
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
 ```yaml tab="File (YAML)"
 # Sets the maximum request body to 2MB
 http:
@@ -66,7 +78,7 @@ The `maxRequestBodyBytes` option configures the maximum allowed body size for th
 
 If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a `413` (Request Entity Too Large) response.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
@@ -85,6 +97,17 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -105,7 +128,7 @@ _Optional, Default=1048576_
 
 You can configure a threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
 ```
@@ -124,6 +147,17 @@ spec:
 - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.memRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -146,7 +180,7 @@ The `maxResponseBodyBytes` option configures the maximum allowed response size f
 
 If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `500` (Internal Server Error) response instead.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
 ```
@@ -165,6 +199,17 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -185,7 +230,7 @@ _Optional, Default=1048576_
 
 You can configure a threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
 ```
@@ -204,6 +249,17 @@ spec:
 - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.memResponseBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -226,7 +282,7 @@ You can have the Buffering middleware replay the request using `retryExpression`
 
 ??? example "Retries once in the case of a network error"
 
-    ```yaml tab="Docker & Swarm"
+    ```yaml tab="Docker"
     labels:
       - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
     ```
@@ -245,6 +301,17 @@ You can have the Buffering middleware replay the request using `retryExpression`
     - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
     ```
 
+    ```json tab="Marathon"
+    "labels": {
+      "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"
+    }
+    ```
+
+    ```yaml tab="Rancher"
+    labels:
+      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
+    ```
+
     ```yaml tab="File (YAML)"
     http:
       middlewares:

docs/content/middlewares/http/chain.md

@@ -15,9 +15,9 @@ It makes reusing the same groups easier.
 
 ## Configuration Example
 
-Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.
+Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.routers.router1.service=service1"
   - "traefik.http.routers.router1.middlewares=secured"
@@ -25,7 +25,7 @@ labels:
   - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
   - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
   - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
   - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```
 
@@ -80,7 +80,7 @@ kind: Middleware
 metadata:
   name: known-ips
 spec:
-  ipAllowList:
+  ipWhiteList:
     sourceRange:
     - 192.168.1.7
     - 127.0.0.1/32
@@ -93,10 +93,35 @@ spec:
 - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
 - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
+- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
 - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.routers.router1.service": "service1",
+  "traefik.http.routers.router1.middlewares": "secured",
+  "traefik.http.routers.router1.rule": "Host(`mydomain`)",
+  "traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
+  "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+  "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
+  "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
+  "traefik.http.services.service1.loadbalancer.server.port": "80"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.routers.router1.service=service1"
+  - "traefik.http.routers.router1.middlewares=secured"
+  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
+  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.services.service1.loadbalancer.server.port=80"
+```
+
 ```yaml tab="File (YAML)"
 # ...
 http:
@@ -125,7 +150,7 @@ http:
         scheme: https
 
     known-ips:
-      ipAllowList:
+      ipWhiteList:
         sourceRange:
           - "192.168.1.7"
           - "127.0.0.1/32"
@@ -155,7 +180,7 @@ http:
   [http.middlewares.https-only.redirectScheme]
     scheme = "https"
 
-  [http.middlewares.known-ips.ipAllowList]
+  [http.middlewares.known-ips.ipWhiteList]
     sourceRange = ["192.168.1.7", "127.0.0.1/32"]
 
 [http.services]

docs/content/middlewares/http/circuitbreaker.md

@@ -30,7 +30,7 @@ To assess if your system is healthy, the circuit breaker constantly monitors the
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Latency Check
 labels:
   - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
@@ -52,6 +52,18 @@ spec:
 - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.latency-check.circuitbreaker.expression": "LatencyAtQuantileMS(50.0) > 100"
+}
+```
+
+```yaml tab="Rancher"
+# Latency Check
+labels:
+  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+```
+
 ```yaml tab="File (YAML)"
 # Latency Check
 http:
@@ -85,7 +97,6 @@ At specified intervals (`checkPeriod`), the circuit breaker evaluates `expressio
 ### Open
 
 While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
-The fallback mechanism returns a `HTTP 503` (or `ResponseCode`) to the client.
 After this duration, it enters the recovering state.
 
 ### Recovering
@@ -160,8 +171,8 @@ Here is the list of supported operators:
 
 ### Fallback mechanism
 
-By default the fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.
-The response code can be configured.
+The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.
+This behavior cannot be configured.
 
 ### `CheckPeriod`
 
@@ -180,9 +191,3 @@ The duration for which the circuit breaker will wait before trying to recover (f
 _Optional, Default="10s"_
 
 The duration for which the circuit breaker will try to recover (as soon as it is in recovering state).
-
-### `ResponseCode`
-
-_Optional, Default="503"_
-
-The status code that the circuit breaker will return while it is in the open state.

docs/content/middlewares/http/compress.md

@@ -5,24 +5,23 @@ description: "Traefik Proxy's HTTP middleware lets you compress responses before
 
 # Compress
 
-Compress Allows Compressing Responses before Sending them to the Client
+Compress Responses before Sending them to the Client
 {: .subtitle }
 
 ![Compress](../../assets/img/middleware/compress.png)
 
-The Compress middleware supports Gzip, Brotli and Zstandard compression.
-The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.
+The Compress middleware uses gzip compression.
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
-# Enable compression
+```yaml tab="Docker"
+# Enable gzip compression
 labels:
   - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
 ```yaml tab="Kubernetes"
-# Enable compression
+# Enable gzip compression
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -32,12 +31,24 @@ spec:
 ```
 
 ```yaml tab="Consul Catalog"
-# Enable compression
+# Enable gzip compression
 - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Enable gzip compression
+labels:
+  - "traefik.http.middlewares.test-compress.compress=true"
+```
+
 ```yaml tab="File (YAML)"
-# Enable compression
+# Enable gzip compression
 http:
   middlewares:
     test-compress:
@@ -45,7 +56,7 @@ http:
 ```
 
 ```toml tab="File (TOML)"
-# Enable compression
+# Enable gzip compression
 [http.middlewares]
   [http.middlewares.test-compress.compress]
 ```
@@ -54,39 +65,24 @@ http:
 
     Responses are compressed when the following criteria are all met:
 
-    * The `Accept-Encoding` request header contains `gzip`, and/or `*`, and/or `br`, and/or `zstd` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
-    If the `Accept-Encoding` request header is absent and no [defaultEncoding](#defaultencoding) is configured, the response won't be encoded.
-    If it is present, but its value is the empty string, then compression is disabled.
+    * The response body is larger than the configured minimum amount of bytes (default is `1024`).
+    * The `Accept-Encoding` request header contains `gzip`.
     * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
-    * The response`Content-Type` header is not one among the [excludedContentTypes options](#excludedcontenttypes), or is one among the [includedContentTypes options](#includedcontenttypes).
-    * The response body is larger than the [configured minimum amount of bytes](#minresponsebodybytes) (default is `1024`).
+
+    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+    It will also set the `Content-Type` header according to the detected MIME type.
 
 ## Configuration Options
 
 ### `excludedContentTypes`
 
-_Optional, Default=""_ 
-
 `excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.
 
 The responses with content types defined in `excludedContentTypes` are not compressed.
 
 Content types are compared in a case-insensitive, whitespace-ignored manner.
 
-!!! info 
-
-    The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.
-
-!!! info "In the case of gzip"
-
-    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
-    It will also set the `Content-Type` header according to the detected MIME type.
-
-!!! info "gRPC"
-
-    Note that `application/grpc` is never compressed.
-
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
 ```
@@ -106,6 +102,17 @@ spec:
 - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress.excludedcontenttypes": "text/event-stream"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -121,74 +128,15 @@ http:
     excludedContentTypes = ["text/event-stream"]
 ```
 
-### `includedContentTypes`
-
-_Optional, Default=""_
-
-`includedContentTypes` specifies a list of content types to compare the `Content-Type` header of the responses before compressing.
-
-The responses with content types defined in `includedContentTypes` are compressed. 
-
-Content types are compared in a case-insensitive, whitespace-ignored manner.
-
-!!! info
-
-    The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-compress.compress.includedcontenttypes=application/json,text/html,text/plain"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-compress
-spec:
-  compress:
-    includedContentTypes:
-      - application/json
-      - text/html
-      - text/plain
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-compress.compress.includedcontenttypes=application/json,text/html,text/plain"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-compress:
-      compress:
-        includedContentTypes:
-          - application/json
-          - text/html
-          - text/plain
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-compress.compress]
-    includedContentTypes = ["application/json","text/html","text/plain"]
-```
-
 ### `minResponseBodyBytes`
 
-_Optional, Default=1024_
-
 `minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
+
+The default value is `1024`, which should be a reasonable value for most cases.
+
 Responses smaller than the specified values will not be compressed.
 
-!!! tip "Streaming"
-
-    When data is sent to the client on flush, the `minResponseBodyBytes` configuration is ignored and the data is compressed.
-    This is particularly the case when data is streamed to the client when using `Transfer-encoding: chunked` response.
-
-When chunked data is sent to the client on flush, it will be compressed by default even if the received data has not reached  
-
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
 ```
@@ -207,6 +155,17 @@ spec:
 - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress.minresponsebodybytes": 1200
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -220,89 +179,3 @@ http:
   [http.middlewares.test-compress.compress]
     minResponseBodyBytes = 1200
 ```
-
-### `defaultEncoding`
-
-_Optional, Default=""_
-
-`defaultEncoding` specifies the default encoding if the `Accept-Encoding` header is not in the request or contains a wildcard (`*`).
-
-There is no fallback on the `defaultEncoding` when the header value is empty or unsupported.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-compress.compress.defaultEncoding=gzip"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-compress
-spec:
-  compress:
-    defaultEncoding: gzip
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-compress.compress.defaultEncoding=gzip"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-compress:
-      compress:
-        defaultEncoding: gzip
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-compress.compress]
-    defaultEncoding = "gzip"
-```
-
-### `encodings`
-
-_Optional, Default="gzip, br, zstd"_
-
-`encodings` specifies the list of supported compression encodings.
-At least one encoding value must be specified, and valid entries are `gzip` (Gzip), `br` (Brotli), and `zstd` (Zstandard).
-The order of the list also sets the priority, the top entry has the highest priority.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-compress.compress.encodings=zstd,br"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-compress
-spec:
-  compress:
-    encodings:
-      - zstd
-      - br
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-compress.compress.encodings=zstd,br"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-compress:
-      compress:
-        encodings:
-          - zstd
-          - br
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-compress.compress]
-    encodings = ["zstd","br"]
-```

docs/content/middlewares/http/contenttype.md

@@ -1,6 +1,6 @@
 ---
 title: "Traefik ContentType Documentation"
-description: "Traefik Proxy's HTTP middleware automatically sets the `Content-Type` header value when it is not set by the backend. Read the technical documentation."
+description: "Traefik Proxy's HTTP middleware can automatically specify the content-type header if it has not been defined by the backend. Read the technical documentation."
 ---
 
 # ContentType
@@ -8,60 +8,84 @@ description: "Traefik Proxy's HTTP middleware automatically sets the `Content-Ty
 Handling Content-Type auto-detection
 {: .subtitle }
 
-The Content-Type middleware sets the `Content-Type` header value to the media type detected from the response content,
-when it is not set by the backend.
+The Content-Type middleware - or rather its `autoDetect` option -
+specifies whether to let the `Content-Type` header,
+if it has not been defined by the backend,
+be automatically set to a value derived from the contents of the response.
+
+As a proxy, the default behavior should be to leave the header alone,
+regardless of what the backend did with it.
+However, the historic default was to always auto-detect and set the header if it was not already defined,
+and altering this behavior would be a breaking change which would impact many users.
+
+This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
 
 !!! info
 
+    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
+    is still to automatically set the `Content-Type` header.
+    Therefore, given the default value of the `autoDetect` option (false),
+    simply enabling this middleware for a router switches the router's behavior.
+
     The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
     Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
-# Enable auto-detection
+```yaml tab="Docker"
+# Disable auto-detection
 labels:
-  - "traefik.http.middlewares.autodetect.contenttype=true"
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
 ```
 
 ```yaml tab="Kubernetes"
-# Enable auto-detection
+# Disable auto-detection
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: autodetect
 spec:
-  contentType: {}
+  contentType:
+    autoDetect: false
 ```
 
 ```yaml tab="Consul Catalog"
-# Enable auto-detection
-- "traefik.http.middlewares.autodetect.contenttype=true"
+# Disable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
+}
+```
+
+```yaml tab="Rancher"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
 ```
 
 ```yaml tab="File (YAML)"
-# Enable auto-detection
+# Disable auto-detection
 http:
   middlewares:
     autodetect:
-      contentType: {}
+      contentType:
+        autoDetect: false
 ```
 
 ```toml tab="File (TOML)"
-# Enable auto-detection
+# Disable auto-detection
 [http.middlewares]
   [http.middlewares.autodetect.contentType]
+     autoDetect=false
 ```
 
 ## Configuration Options
 
 ### `autoDetect`
 
-!!! warning
-
-    `autoDetect` option is deprecated and should not be used.
-    Moreover, it is redundant with an empty ContentType middleware declaration.
-
 `autoDetect` specifies whether to let the `Content-Type` header,
 if it has not been set by the backend,
 be automatically set to a value derived from the contents of the response.

docs/content/middlewares/http/digestauth.md

@@ -14,7 +14,7 @@ The DigestAuth middleware grants access to services to authorized users only.
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Declaring the user list
 labels:
   - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
@@ -36,6 +36,18 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -72,7 +84,7 @@ The `users` option is an array of authorized users. Each user will be declared u
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
     - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
@@ -102,6 +114,17 @@ data:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -132,7 +155,7 @@ The file content is a list of `name:realm:encoded-password`.
     - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
     - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
 ```
@@ -163,6 +186,17 @@ data:
 - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -188,7 +222,7 @@ http:
 
 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
 ```
@@ -207,6 +241,17 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -225,7 +270,7 @@ http:
 
 You can customize the header field for the authenticated user using the `headerField`option.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```
@@ -245,6 +290,17 @@ spec:
 - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.my-auth.digestauth.headerField": "X-WebAuth-User"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -264,7 +320,7 @@ http:
 
 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
 ```
@@ -283,6 +339,17 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:

docs/content/middlewares/http/errorpages.md

@@ -18,7 +18,7 @@ The Errors middleware returns a custom page in lieu of the default, according to
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Dynamic Custom Error Page for 5XX Status Code
 labels:
   - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
@@ -51,6 +51,22 @@ spec:
 - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-errors.errors.status": "500,501,503,505-599",
+  "traefik.http.middlewares.test-errors.errors.service": "serviceError",
+  "traefik.http.middlewares.test-errors.errors.query": "/{status}.html"
+}
+```
+
+```yaml tab="Rancher"
+# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
+labels:
+  - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
+  - "traefik.http.middlewares.test-errors.errors.service=serviceError"
+  - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
+```
+
 ```yaml tab="File (YAML)"
 # Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
 http:
@@ -102,19 +118,6 @@ The status code ranges are inclusive (`505-599` will trigger with every code bet
     The comma-separated syntax is only available for label-based providers.
     The examples above demonstrate which syntax is appropriate for each provider.
 
-### `statusRewrites`
-
-An optional mapping of status codes to be rewritten. For example, if a service returns a 418, you might want to rewrite it to a 404.
-You can map individual status codes or even ranges to a different status code. The syntax for ranges follows the same rules as the `status` option.
-
-Here is an example:
-
-```yml
-statusRewrites:
-  "500-503": 500
-  "418": 404
-```
-
 ### `service`
 
 The service that will serve the new requested error page.
@@ -136,8 +139,7 @@ There are multiple variables that can be placed in the `query` option to insert
 
 The table below lists all the available variables and their associated values.
 
-| Variable           | Value                                                                                      |
-|--------------------|--------------------------------------------------------------------------------------------|
-| `{status}`         | The response status code. It may be rewritten when using the `statusRewrites` option.      |
-| `{originalStatus}` | The original response status code, if it has been modified by the `statusRewrites` option. |
-| `{url}`            | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL.                         |
+| Variable   | Value                                                              |
+|------------|--------------------------------------------------------------------|
+| `{status}` | The response status code.                                          |
+| `{url}`    | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL. |

docs/content/middlewares/http/forwardauth.md

@@ -16,7 +16,7 @@ Otherwise, the response from the authentication server is returned.
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Forward authentication to example.com
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
@@ -38,6 +38,18 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
+}
+```
+
+```yaml tab="Rancher"
+# Forward authentication to example.com
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+```
+
 ```yaml tab="File (YAML)"
 # Forward authentication to example.com
 http:
@@ -72,7 +84,7 @@ The following request properties are provided to the forward-auth target endpoin
 
 The `address` option defines the authentication server address.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
@@ -91,6 +103,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -109,7 +132,7 @@ http:
 
 Set the `trustForwardHeader` option to `true` to trust all `X-Forwarded-*` headers.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```
@@ -129,6 +152,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -150,7 +184,7 @@ http:
 The `authResponseHeaders` option is the list of headers to copy from the authentication server response and set on
 forwarded request, replacing any existing conflicting headers.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```
@@ -172,6 +206,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -197,7 +242,7 @@ set on forwarded request, after stripping all headers that match the regex.
 It allows partial matching of the regular expression against the header key.
 The start of string (`^`) and end of string (`$`) anchors should be used to ensure a full match against the header key.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
 ```
@@ -217,6 +262,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex": "^X-"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -245,7 +301,7 @@ The `authRequestHeaders` option is the list of the headers to copy from the requ
 It allows filtering headers that should not be passed to the authentication server.
 If not set or empty then all request headers are passed.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
 ```
@@ -267,6 +323,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders": "Accept,X-CustomHeader"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -285,147 +352,6 @@ http:
     authRequestHeaders = "Accept,X-CustomHeader"
 ```
 
-### `addAuthCookiesToResponse`
-
-The `addAuthCookiesToResponse` option is the list of cookies to copy from the authentication server to the response, 
-replacing any existing conflicting cookie from the forwarded response.
-
-!!! info
-
-    Please note that all backend cookies matching the configured list will not be added to the response.
-
-```yaml tab="Docker"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.addAuthCookiesToResponse=Session-Cookie,State-Cookie"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    address: https://example.com/auth
-    addAuthCookiesToResponse:
-      - Session-Cookie
-      - State-Cookie
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.addAuthCookiesToResponse=Session-Cookie,State-Cookie"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-auth:
-      forwardAuth:
-        address: "https://example.com/auth"
-        addAuthCookiesToResponse:
-          - "Session-Cookie"
-          - "State-Cookie"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
-```
-
-### `forwardBody`
-
-_Optional, Default=false_
-
-Set the `forwardBody` option to `true` to send Body.
-
-!!! info
-
-    As body is read inside Traefik before forwarding, this breaks streaming.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    address: https://example.com/auth
-    forwardBody: true
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-auth:
-      forwardAuth:
-        address: "https://example.com/auth"
-        forwardBody: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    forwardBody = true
-```
-
-### `maxBodySize`
-
-_Optional, Default=-1_
-
-Set the `maxBodySize` to limit the body size in bytes.
-If body is bigger than this, it returns a 401 (unauthorized).
-Default is `-1`, which means no limit.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    address: https://example.com/auth
-    forwardBody: true
-    maxBodySize: 1000
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-auth:
-      forwardAuth:
-        address: "https://example.com/auth"
-        maxBodySize: 1000
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    forwardBody = true
-    maxBodySize = 1000
-```
-
 ### `tls`
 
 _Optional_
@@ -439,7 +365,7 @@ _Optional_
 `ca` is the path to the certificate authority used for the secured connection to the authentication server,
 it defaults to the system bundle.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
 ```
@@ -471,6 +397,17 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -496,7 +433,7 @@ _Optional_
 `cert` is the path to the public certificate used for the secure connection to the authentication server.
 When using this option, setting the `key` option is required.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
   - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
@@ -530,6 +467,19 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -561,7 +511,7 @@ _Optional_
 `key` is the path to the private key used for the secure connection to the authentication server.
 When using this option, setting the `cert` option is required.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
   - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
@@ -595,6 +545,19 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -625,7 +588,7 @@ _Optional, Default=false_
 
 If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
 ```
@@ -646,6 +609,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -663,128 +637,4 @@ http:
     [http.middlewares.test-auth.forwardAuth.tls]
       insecureSkipVerify: true
 ```
-
-### `headerField`
-
-_Optional_
-
-You can define a header field to store the authenticated user using the `headerField`option.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.headerField=X-WebAuth-User"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    # ...
-    headerField: X-WebAuth-User
-```
-
-```json tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.headerField=X-WebAuth-User"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-auth:
-      forwardAuth:
-        # ...
-        headerField: "X-WebAuth-User"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares.test-auth.forwardAuth]
-  # ...
-  headerField = "X-WebAuth-User"
-```
-
-### `preserveLocationHeader`
-
-_Optional, Default=false_
-
-`preserveLocationHeader` defines whether to forward the `Location` header to the client as is or prefix it with the domain name of the authentication server.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    # ...
-    preserveLocationHeader: true
-```
-
-```json tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-auth:
-      forwardAuth:
-        # ...
-        preserveLocationHeader: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares.test-auth.forwardAuth]
-  # ...
-  preserveLocationHeader = true
-```
-
-### `preserveRequestMethod`
-
-_Optional, Default=false_
-
-`preserveRequestMethod` defines whether to preserve the original request method while forwarding the request to the authentication server. By default, when this option is set to `false`, incoming requests are always forwarded as `GET` requests to the authentication server.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.preserveRequestMethod=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    # ...
-    preserveRequestMethod: true
-```
-
-```json tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.preserveRequestMethod=true"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-auth:
-      forwardAuth:
-        # ...
-        preserveRequestMethod: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares.test-auth.forwardAuth]
-  # ...
-  preserveRequestMethod = true
-```
-
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/middlewares/http/grpcweb.md

@@ -1,66 +0,0 @@
----
-title: "Traefik GrpcWeb Documentation"
-description: "In Traefik Proxy's HTTP middleware, GrpcWeb converts a gRPC Web requests to HTTP/2 gRPC requests. Read the technical documentation."
----
-
-# GrpcWeb
-
-Converting gRPC Web requests to HTTP/2 gRPC requests.
-{: .subtitle }
-
-The GrpcWeb middleware converts gRPC Web requests to HTTP/2 gRPC requests before forwarding them to the backends.
-
-!!! tip
-
-    Please note, that Traefik needs to communicate using gRPC with the backends (h2c or HTTP/2 over TLS).
-    Check out the [gRPC](../../user-guides/grpc.md) user guide for more details.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-grpcweb.grpcweb.allowOrigins=*"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-grpcweb
-spec:
-  grpcWeb:
-    allowOrigins:
-      - "*"
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-grpcweb.grpcWeb.allowOrigins=*"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-grpcweb:
-      grpcWeb:
-        allowOrigins:
-          - "*"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-grpcweb.grpcWeb]
-    allowOrigins = ["*"]
-```
-
-## Configuration Options
-
-### `allowOrigins`
-
-The `allowOrigins` contains the list of allowed origins.
-A wildcard origin `*` can also be configured to match all requests.
-
-More information including how to use the settings can be found at:
-
-- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
-- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
-- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)

docs/content/middlewares/http/headers.md

@@ -20,7 +20,7 @@ A set of forwarded headers are automatically added by default. See the [FAQ](../
 
 The following example adds the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` header to the response
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
   - "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
@@ -44,6 +44,19 @@ spec:
 - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
+  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "value"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -69,7 +82,7 @@ http:
 In the following example, requests are proxied with an extra `X-Script-Name` header while their `X-Custom-Request-Header` header gets stripped,
 and responses are stripped of their `X-Custom-Response-Header` header.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
   - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
@@ -96,6 +109,21 @@ spec:
 - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header": "",
+  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "",
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -123,7 +151,7 @@ http:
 Security-related headers (HSTS headers, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
 This functionality makes it possible to easily use security features by adding headers.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.testHeader.headers.framedeny=true"
   - "traefik.http.middlewares.testHeader.headers.browserxssfilter=true"
@@ -145,6 +173,19 @@ spec:
 - "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.framedeny": "true",
+  "traefik.http.middlewares.testheader.headers.browserxssfilter": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.framedeny=true"
+  - "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -170,7 +211,7 @@ instead the response will be generated and sent back to the client directly.
 Please note that the example below is by no means authoritative or exhaustive,
 and should not be used as is for production.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
@@ -207,6 +248,25 @@ spec:
 - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
+  "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*",
+  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
+  "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
+  "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -394,10 +454,6 @@ This overrides the `BrowserXssFilter` option.
 
 The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
 
-### `contentSecurityPolicyReportOnly`
-
-The `contentSecurityPolicyReportOnly` option allows the `Content-Security-Policy-Report-Only` header value to be set with a custom value.
-
 ### `publicKey`
 
 The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
@@ -410,7 +466,7 @@ The `referrerPolicy` allows sites to control whether browsers forward the `Refer
 
 !!! warning
 
-    Deprecated in favor of [`permissionsPolicy`](#permissionsPolicy)
+    Deprecated in favor of `permissionsPolicy`
 
 The `featurePolicy` allows sites to control browser features.
 
@@ -424,4 +480,4 @@ Set `isDevelopment` to `true` when developing to mitigate the unwanted effects o
 Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
 If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/middlewares/http/inflightreq.md

@@ -14,7 +14,7 @@ To proactively prevent services from being overwhelmed with high load, the numbe
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
@@ -34,6 +34,18 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
@@ -57,7 +69,7 @@ http:
 The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
 The middleware responds with `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
@@ -77,6 +89,18 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
@@ -101,7 +125,7 @@ If none are set, the default is to use the `requestHost`.
 
 #### `sourceCriterion.ipStrategy`
 
-The `ipStrategy` option defines three parameters that configures how Traefik determines the client IP: `depth`, `excludedIPs` and `ipv6Subnet`.
+The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
 
 !!! important "As a middleware, InFlightReq happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through the middleware. Therefore, during InFlightReq, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be used and/or relied upon."
 
@@ -112,9 +136,6 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
 - `depth` is ignored if its value is less than or equal to 0.
 
-If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
-See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
-
 !!! example "Example of Depth & X-Forwarded-For"
 
     If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
@@ -125,7 +146,7 @@ See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
 ```
@@ -146,6 +167,17 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -179,7 +211,7 @@ http:
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
     | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
@@ -202,6 +234,17 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -221,68 +264,11 @@ http:
       excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
 
-##### `ipStrategy.ipv6Subnet`
-
-This strategy applies to `Depth` and `RemoteAddr` strategy only.
-If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-
-This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
-
-- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
-
-!!! example "Example of ipv6Subnet"
-
-    If `ipv6Subnet` is provided, the IP is transformed in the following way.
-
-    | `IP`                      | `ipv6Subnet` | clientIP              |
-    |---------------------------|--------------|-----------------------|
-    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
-    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
-    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-inflightreq
-spec:
-  inFlightReq:
-    sourceCriterion:
-      ipStrategy:
-        ipv6Subnet: 64
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-inflightreq:
-      inFlightReq:
-        sourceCriterion:
-          ipStrategy:
-            ipv6Subnet: 64
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inflightreq]
-    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
-      ipv6Subnet = 64
-```
-
 #### `sourceCriterion.requestHeaderName`
 
 Name of the header used to group incoming requests.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
@@ -302,6 +288,17 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername": "username"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:
@@ -322,7 +319,7 @@ http:
 
 Whether to consider the request host as the source.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
@@ -342,6 +339,17 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
   middlewares:

docs/content/middlewares/http/ipallowlist.md

@@ -35,6 +35,18 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Accepts request from defined IP
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
@@ -75,9 +87,6 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is less than or equal to 0.
 
-If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
-See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
-
 !!! example "Examples of Depth & X-Forwarded-For"
 
     If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
@@ -116,6 +125,20 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
+```
+
 ```yaml tab="File (YAML)"
 # Allowlisting Based on `X-Forwarded-For` with `depth=2`
 http:
@@ -184,6 +207,20 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Exclude from `X-Forwarded-For`
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:
@@ -207,60 +244,3 @@ http:
     [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
       excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
-
-#### `ipStrategy.ipv6Subnet`
-
-This strategy applies to `Depth` and `RemoteAddr` strategy only.
-If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-
-This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
-
-- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
-
-!!! example "Example of ipv6Subnet"
-
-    If `ipv6Subnet` is provided, the IP is transformed in the following way.
-
-    | `IP`                      | `ipv6Subnet` | clientIP              |
-    |---------------------------|--------------|-----------------------|
-    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
-    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
-    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-ipallowlist
-spec:
-  ipallowlist:
-    sourceCriterion:
-      ipStrategy:
-        ipv6Subnet: 64
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-ipallowlist:
-      ipallowlist:
-        sourceCriterion:
-          ipStrategy:
-            ipv6Subnet: 64
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ipallowlist.ipallowlist]
-    [http.middlewares.test-ipallowlist.ipallowlist.sourceCriterion.ipStrategy]
-      ipv6Subnet = 64
-```

docs/content/middlewares/http/ipwhitelist.md

@@ -41,6 +41,18 @@ spec:
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Accepts request from defined IP
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
@@ -81,9 +93,6 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is less than or equal to 0.
 
-If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
-See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
-
 !!! example "Examples of Depth & X-Forwarded-For"
 
     If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
@@ -122,6 +131,20 @@ spec:
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+```
+
 ```yaml tab="File (YAML)"
 # Whitelisting Based on `X-Forwarded-For` with `depth=2`
 http:
@@ -190,6 +213,20 @@ spec:
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Exclude from `X-Forwarded-For`
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:
@@ -213,60 +250,3 @@ http:
     [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
       excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
-
-#### `ipStrategy.ipv6Subnet`
-
-This strategy applies to `Depth` and `RemoteAddr` strategy only.
-If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-
-This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
-
-- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
-
-!!! example "Example of ipv6Subnet"
-
-    If `ipv6Subnet` is provided, the IP is transformed in the following way.
-
-    | `IP`                      | `ipv6Subnet` | clientIP              |
-    |---------------------------|--------------|-----------------------|
-    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
-    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
-    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-ipWhiteList.ipWhiteList.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-ipWhiteList
-spec:
-  ipWhiteList:
-    sourceCriterion:
-      ipStrategy:
-        ipv6Subnet: 64
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ipWhiteList.ipWhiteList.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-ipWhiteList:
-      ipWhiteList:
-        sourceCriterion:
-          ipStrategy:
-            ipv6Subnet: 64
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ipWhiteList.ipWhiteList]
-    [http.middlewares.test-ipWhiteList.ipWhiteList.sourceCriterion.ipStrategy]
-      ipv6Subnet = 64
-```

docs/content/middlewares/http/overview.md

@@ -12,7 +12,7 @@ Controlling connections
 
 ## Configuration Example
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # As a Docker Label
 whoami:
   #  A container that exposes an API to show its IP address
@@ -26,6 +26,19 @@ whoami:
 
 ```yaml tab="IngressRoute"
 # As a Kubernetes Traefik IngressRoute
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.io
+spec:
+  group: traefik.io
+  version: v1alpha1
+  names:
+    kind: Middleware
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
@@ -56,6 +69,22 @@ spec:
 - "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
+  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
+}
+```
+
+```yaml tab="Rancher"
+# As a Rancher Label
+labels:
+  # Create a middleware named `foo-add-prefix`
+  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+  # Apply the middleware named `foo-add-prefix` to the router named `router1`
+  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
+```
+
 ```toml tab="File (TOML)"
 # As TOML Configuration File
 [http.routers]
@@ -113,7 +142,7 @@ http:
 | [Errors](errorpages.md)                   | Defines custom error pages                        | Request Lifecycle           |
 | [ForwardAuth](forwardauth.md)             | Delegates Authentication                          | Security, Authentication    |
 | [Headers](headers.md)                     | Adds / Updates headers                            | Security                    |
-| [IPAllowList](ipallowlist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
+| [IPWhiteList](ipwhitelist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
 | [InFlightReq](inflightreq.md)             | Limits the number of simultaneous connections     | Security, Request lifecycle |
 | [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header              | Security                    |
 | [RateLimit](ratelimit.md)                 | Limits the call frequency                         | Security, Request lifecycle |
@@ -129,4 +158,4 @@ http:
 
 Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/middlewares/http/passtlsclientcert.md

@@ -18,7 +18,7 @@ PassTLSClientCert adds the selected data from the passed client TLS certificate
 
 Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
@@ -39,6 +39,18 @@ spec:
 - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
+labels:
+  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+```
+
 ```yaml tab="File (YAML)"
 # Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 http:
@@ -57,7 +69,7 @@ http:
 
 ??? example "Pass the pem in the `X-Forwarded-Tls-Client-Cert` header"
 
-    ```yaml tab="Docker & Swarm"
+    ```yaml tab="Docker"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     labels:
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
@@ -134,6 +146,52 @@ http:
     - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
     ```
 
+    ```json tab="Marathon"
+    "labels": {
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
+    }
+    ```
+
+    ```yaml tab="Rancher"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    labels:
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+    ```
+
     ```yaml tab="File (YAML)"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
     http:

docs/content/middlewares/http/redirectregex.md

@@ -16,7 +16,7 @@ The RedirectRegex redirects a request using regex matching and replacement.
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Redirect with domain replacement
 # Note: all dollar signs need to be doubled for escaping.
 labels:
@@ -43,6 +43,21 @@ spec:
 - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectregex.redirectregex.regex": "^http://localhost/(.*)",
+  "traefik.http.middlewares.test-redirectregex.redirectregex.replacement": "http://mydomain/${1}"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
+labels:
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+```
+
 ```yaml tab="File (YAML)"
 # Redirect with domain replacement
 http:
@@ -85,4 +100,4 @@ The `replacement` option defines how to modify the URL to have the new target UR
 
     Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/middlewares/http/redirectscheme.md

@@ -25,7 +25,7 @@ The RedirectScheme middleware redirects the request if the request scheme is dif
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Redirect to https
 labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
@@ -51,6 +51,20 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -75,7 +89,7 @@ http:
 
 Set the `permanent` option to `true` to apply a permanent redirection.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Redirect to https
 labels:
   # ...
@@ -101,6 +115,20 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```
 
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -123,7 +151,7 @@ http:
 
 The `scheme` option defines the scheme of the new URL.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Redirect to https
 labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
@@ -146,6 +174,18 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+```
+
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -166,7 +206,7 @@ http:
 
 The `port` option defines the port of the new URL.
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Redirect to https
 labels:
   # ...
@@ -192,6 +232,20 @@ labels:
   - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
 ```
 
+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.port": "443"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:

docs/content/middlewares/http/replacepath.md

@@ -16,7 +16,7 @@ Replace the path of the request URL.
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Replace the path with /foo
 labels:
   - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
@@ -38,6 +38,18 @@ spec:
 - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-replacepath.replacepath.path": "/foo"
+}
+```
+
+```yaml tab="Rancher"
+# Replace the path with /foo
+labels:
+  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+```
+
 ```yaml tab="File (YAML)"
 # Replace the path with /foo
 http:

docs/content/middlewares/http/replacepathregex.md

@@ -16,7 +16,7 @@ The ReplaceRegex replaces the path of a URL using regex matching and replacement
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Replace path with regex
 labels:
   - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
@@ -41,6 +41,20 @@ spec:
 - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex": "^/foo/(.*)",
+  "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement": "/bar/$1"
+}
+```
+
+```yaml tab="Rancher"
+# Replace path with regex
+labels:
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+```
+
 ```yaml tab="File (YAML)"
 # Replace path with regex
 http:

docs/content/middlewares/http/retry.md

@@ -21,7 +21,7 @@ The Retry middleware has an optional configuration to enable an exponential back
 
 ## Configuration Examples
 
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Retry 4 times with exponential backoff
 labels:
   - "traefik.http.middlewares.test-retry.retry.attempts=4"
@@ -46,6 +46,20 @@ spec:
 - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```
 
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-retry.retry.attempts": "4",
+  "traefik.http.middlewares.test-retry.retry.initialinterval": "100ms",
+}
+```
+
+```yaml tab="Rancher"
+# Retry 4 times with exponential backoff
+labels:
+  - "traefik.http.middlewares.test-retry.retry.attempts=4"
+  - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
+```
+
 ```yaml tab="File (YAML)"
 # Retry 4 times with exponential backoff
 http: