Prepare release v2.11.32

Reject suspicious encoded characters
Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
2025-12-07 04:23:52 +03:00 · 2025-12-04 15:26:04 +01:00 · 2025-12-04 15:10:05 +01:00 · 2025-12-02 09:04:05 +01:00 · 2025-12-01 14:58:05 +01:00 · 2025-11-24 15:32:04 +01:00
158 changed files with 2670 additions and 1458 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -10,7 +10,7 @@ on:
      - 'script/gcg/**'

 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
  CGO_ENABLED: 0

 jobs:
@@ -51,7 +51,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

--- a/.github/workflows/check_doc.yml
+++ b/.github/workflows/check_doc.yml
@@ -13,7 +13,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -28,7 +28,7 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5

    - name: setup go
      uses: actions/setup-go@v5
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -1,6 +1,7 @@
 name: Build and Publish Documentation

 on:
+  workflow_dispatch: {}
  push:
    branches:
      - master
@@ -19,7 +20,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -39,9 +40,9 @@ jobs:
        run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}

      - name: Build documentation
-        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
-        env:
-          STRUCTOR_LATEST_TAG: ${{ vars.STRUCTOR_LATEST_TAG }}
+        run: |
+          STRUCTOR_LATEST_TAG=$(curl -s https://api.github.com/repos/traefik/traefik/releases/latest | jq -r '.tag_name')
+          $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug

      - name: Apply seo
        run: $HOME/bin/seo -path=./site -product=traefik
--- a/.github/workflows/experimental.yaml
+++ b/.github/workflows/experimental.yaml
@@ -7,7 +7,7 @@ on:
      - v*

 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
  CGO_ENABLED: 0

 jobs:
@@ -23,7 +23,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -6,7 +6,7 @@ on:
      - 'v*.*.*'

 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
  CGO_ENABLED: 0
  VERSION: ${{ github.ref_name }}
  TRAEFIKER_EMAIL: "traefiker@traefik.io"
@@ -30,7 +30,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -89,7 +89,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -126,13 +126,11 @@ jobs:
          tar cfz "dist/traefik-${VERSION}.src.tar.gz" \
            --exclude-vcs \
            --exclude .idea \
-            --exclude .travis \
-            --exclude .semaphoreci \
            --exclude .github \
            --exclude dist .
          
          chown -R "$(id -u)":"$(id -g)" dist/
-          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION}
+          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION} --latest=false
          
          ./script/deploy.sh

--- a/.github/workflows/template-webui.yaml
+++ b/.github/workflows/template-webui.yaml
@@ -1,6 +1,8 @@
 name: Build Web UI
 on:
  workflow_call: {}
+env:
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360  # 15 days
 jobs:

  build-webui:
@@ -8,7 +10,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -19,10 +21,16 @@ jobs:
          cache: yarn
          cache-dependency-path: webui/yarn.lock

+      - name: Setup safe-chain
+        working-directory: ./webui
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
      - name: Build webui
        working-directory: ./webui
        run: |
-          yarn install
+          yarn install --ignore-scripts
          yarn build

      - name: Package webui
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@@ -10,7 +10,7 @@ on:
      - 'script/gcg/**'

 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
  CGO_ENABLED: 0

 jobs:
@@ -20,7 +20,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -34,7 +34,21 @@ jobs:
        run: touch webui/static/index.html

      - name: Build binary
-        run: make binary
+        run: make binary-linux-amd64
+
+      - name: Save go cache build
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-cache-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
+
+      - name: Artifact traefik binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: traefik
+          path: ./dist/linux/amd64/traefik
+          retention-days: 1

  test-integration:
    runs-on: ubuntu-latest
@@ -48,7 +62,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -61,8 +75,21 @@ jobs:
      - name: Avoid generating webui
        run: touch webui/static/index.html

-      - name: Build binary
-        run: make binary
+      - name: Download traefik binary
+        uses: actions/download-artifact@v4
+        with:
+          name: traefik
+          path: ./dist/linux/amd64/
+
+      - name: Make binary executable
+        run: chmod +x ./dist/linux/amd64/traefik
+
+      - name: Restore go cache build
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-cache-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}

      - name: Generate go test Slice
        id: test_split
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -10,16 +10,44 @@ on:
      - 'script/gcg/**'

 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'

 jobs:

+  generate-packages:
+    name: List Go Packages
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: Generate matrix
+        id: set-matrix
+        run: |
+          matrix_output=$(go run ./internal/testsci/genmatrix.go)
+          echo "$matrix_output"
+          echo "$matrix_output" >> $GITHUB_OUTPUT
+
  test-unit:
    runs-on: ubuntu-latest
+    needs: generate-packages
+    strategy:
+      matrix:
+        package: ${{ fromJson(needs.generate-packages.outputs.matrix) }}

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -33,14 +61,15 @@ jobs:
        run: touch webui/static/index.html

      - name: Tests
-        run: make test-unit
+        run: |
+          go test -v -parallel 8 ${{ matrix.package.group }}

  test-ui-unit:
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -51,7 +80,12 @@ jobs:
          cache: 'yarn'
          cache-dependency-path: webui/yarn.lock

+      - name: Setup safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
      - name: UI unit tests
        run: |
-          yarn --cwd webui install
+          yarn --cwd webui install --ignore-scripts
          yarn --cwd webui test:unit:ci
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -6,7 +6,7 @@ on:
      - '*'

 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
  GOLANGCI_LINT_VERSION: v2.0.2
  MISSPELL_VERSION: v0.6.0

@@ -17,7 +17,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -37,7 +37,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

@@ -61,7 +61,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

--- a/.golangci.yml
+++ b/.golangci.yml
@@ -305,8 +305,6 @@ linters:
        text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
      - path: (.+)\.go$
        text: 'SA1019: c.Providers.(ConsulCatalog|Consul|Nomad).Namespace is deprecated'
-      - path: (.+)\.go$
-        text: 'SA1019: dockertypes.ContainerNode is deprecated'
    paths:
      - pkg/provider/kubernetes/crd/generated/

--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -1,13 +0,0 @@
-version: v1.0
-name: Traefik Release - deprecated
-agent:
-  machine:
-    type: f1-standard-2
-    os_image: ubuntu2204
-blocks:
-  - name: 'Do nothing'
-    task:
-      jobs:
-        - name: 'Do nothing'
-          commands:
-            - echo "Do nothing"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,71 @@
+## [v2.11.32](https://github.com/traefik/traefik/tree/v2.11.32) (2025-12-04)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.31...v2.11.32)
+
+  **Bug fixes:**
+- **[server]** Reject suspicious encoded characters ([#12360](https://github.com/traefik/traefik/pull/12360) by [rtribotte](https://github.com/rtribotte))
+- **[plugins]** Validate plugin module name ([#12291](https://github.com/traefik/traefik/pull/12291) by [kevinpollet](https://github.com/kevinpollet))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.1 ([#12319](https://github.com/traefik/traefik/pull/12319) by [GreyXor](https://github.com/GreyXor))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.0 ([#12308](https://github.com/traefik/traefik/pull/12308) by [GreyXor](https://github.com/GreyXor))
+- **[server]** Bump golang.org/x/crypto to v0.45.0 ([#12296](https://github.com/traefik/traefik/pull/12296) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- Update SECURITY.md to streamline information ([#12310](https://github.com/traefik/traefik/pull/12310) by [emilevauge](https://github.com/emilevauge))
+- Update SECURITY.md ([#12304](https://github.com/traefik/traefik/pull/12304) by [cwayne18](https://github.com/cwayne18))
+
+## [v2.11.31](https://github.com/traefik/traefik/tree/v2.11.31) (2025-11-13)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.30...v2.11.31)
+
+**Bug fixes:**
+- **[docker,docker/swarm]** Auto-negotiate Docker API version ([#12262](https://github.com/traefik/traefik/pull/12262) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.30](https://github.com/traefik/traefik/tree/v2.11.30) (2025-10-28)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.29...v2.11.30)
+
+**Bug fixes:**
+- **[http3]** Bump github.com/quic-go/quic-go to v0.55.0 ([#12156](https://github.com/traefik/traefik/pull/12156) by [kevinpollet](https://github.com/kevinpollet))
+- **[kv]** Fix KV key name used to check if connection is alive ([#12162](https://github.com/traefik/traefik/pull/12162) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Bump golang.org/x/net to v0.46.0 ([#12143](https://github.com/traefik/traefik/pull/12143) by [kevinpollet](https://github.com/kevinpollet))
+- **[tracing]** Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.74.6 ([#12083](https://github.com/traefik/traefik/pull/12083) by [hannahkm](https://github.com/hannahkm))
+
+## [v2.11.29](https://github.com/traefik/traefik/tree/v2.11.29) (2025-08-26)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.28...v2.11.29)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.25.2 ([#11983](https://github.com/traefik/traefik/pull/11983) by [ldez](https://github.com/ldez))
+- **[docker]** Bump github.com/docker/docker to v28.3.3 ([#12007](https://github.com/traefik/traefik/pull/12007) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- Fix invalid links in documentation ([#11960](https://github.com/traefik/traefik/pull/11960) by [mloiseleur](https://github.com/mloiseleur))
+- Update releases docs for v3.5 ([#11949](https://github.com/traefik/traefik/pull/11949) by [jnoordsij](https://github.com/jnoordsij))
+
+## [v2.11.28](https://github.com/traefik/traefik/tree/v2.11.28) (2025-07-23)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.27...v2.11.28)
+
+**Bug fixes:**
+- **[logs]** Redact logged install configuration ([#11907](https://github.com/traefik/traefik/pull/11907) by [jspdown](https://github.com/jspdown))
+- **[plugins]** Fix client arbitrary file access during archive extraction zipslip ([#11911](https://github.com/traefik/traefik/pull/11911) by [odaysec](https://github.com/odaysec))
+- **[server]** Disable MPTCP by default ([#11918](https://github.com/traefik/traefik/pull/11918) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[k8s/crd,k8s]** Remove all mentions of ordering for TLSOption CurvePreferences field ([#11924](https://github.com/traefik/traefik/pull/11924) by [jnoordsij](https://github.com/jnoordsij))
+
+## [v2.11.27](https://github.com/traefik/traefik/tree/v2.11.27) (2025-07-11)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.26...v2.11.27)
+
+**Bug fixes:**
+- Bump github.com/go-viper/mapstructure/v2 to v2.3.0 ([#11880](https://github.com/traefik/traefik/pull/11880) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.26](https://github.com/traefik/traefik/tree/v2.11.26) (2025-06-26)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.25...v2.11.26)
+
+**Bug fixes:**
+- **[middleware]** Do not log redis sentinel username and password ([#11819](https://github.com/traefik/traefik/pull/11819) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[kv]** Fix KV reference rendering ([#11815](https://github.com/traefik/traefik/pull/11815) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,k8s/crd]** Fix typo in redirect middleware documentation ([#11830](https://github.com/traefik/traefik/pull/11830) by [rtribotte](https://github.com/rtribotte))
+- Update supported versions ([#11811](https://github.com/traefik/traefik/pull/11811) by [jnoordsij](https://github.com/jnoordsij))
+
 ## [v2.11.25](https://github.com/traefik/traefik/tree/v2.11.25) (2025-05-27)
 [All Commits](https://github.com/traefik/traefik/compare/v2.11.24...v2.11.25)

--- a/2
+++ b/2
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.2
-FROM alpine:3.21
+FROM alpine:3.22

 RUN apk add --no-cache --no-progress ca-certificates tzdata

--- a/7
+++ b/7
@@ -95,7 +95,7 @@ test-unit:

 .PHONY: test-integration
 #? test-integration: Run the integration tests
-test-integration: binary
+test-integration:
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -test.timeout=20m -failfast -v $(TESTFLAGS)

 .PHONY: test-ui-unit
@@ -177,11 +177,6 @@ generate-crd:
 generate-genconf:
 	go run ./cmd/internal/gen/

-.PHONY: release-packages
-#? release-packages: Create packages for the release
-release-packages: generate-webui
-	$(CURDIR)/script/release-packages.sh
-
 .PHONY: fmt
 #? fmt: Format the Code
 fmt:
--- a/README.md
+++ b/README.md
@@ -7,7 +7,6 @@
    </picture>
 </p>

-[![Build Status SemaphoreCI](https://traefik-oss.semaphoreci.com/badges/traefik/branches/master.svg?style=shields)](https://traefik-oss.semaphoreci.com/projects/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,10 +1,5 @@
 # Security Policy

-You can join our security mailing list to be aware of the latest announcements from our security team.
-You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
-
-Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
-
 ## Supported Versions

 - We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
@@ -17,10 +12,10 @@ We use [Semantic Versioning](https://semver.org/).

 | Version   | Supported          |
 |-----------|--------------------|
-| `2.2.x`   | :white_check_mark: |
-| `< 2.2.x` | :x:                |
-| `1.7.x`   | :white_check_mark: |
-| `< 1.7.x` | :x:                |
+| `3.6.x`   | :white_check_mark: |
+| `< 3.6.x` | :x:                |
+| `2.11.x`   | :white_check_mark: |
+| `< 2.11.x` | :x:                |

 ## Reporting a Vulnerability

@@ -28,3 +23,5 @@ We want to keep Traefik safe for everyone.
 If you've discovered a security vulnerability in Traefik,
 we appreciate your help in disclosing it to us in a responsible manner,
 by creating a [security advisory](https://github.com/traefik/traefik/security/advisories).
+
+Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"crypto/x509"
-	"encoding/json"
 	"fmt"
 	stdlog "log"
 	"net/http"
@@ -34,6 +33,7 @@ import (
 	"github.com/traefik/traefik/v2/pkg/provider/acme"
 	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
 	"github.com/traefik/traefik/v2/pkg/provider/traefik"
+	"github.com/traefik/traefik/v2/pkg/redactor"
 	"github.com/traefik/traefik/v2/pkg/safe"
 	"github.com/traefik/traefik/v2/pkg/server"
 	"github.com/traefik/traefik/v2/pkg/server/middleware"
@@ -100,12 +100,11 @@ func runCmd(staticConfiguration *static.Configuration) error {

 	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)

-	jsonConf, err := json.Marshal(staticConfiguration)
+	redactedStaticConfiguration, err := redactor.RemoveCredentials(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not marshal static configuration: %v", err)
-		log.WithoutContext().Debugf("Static configuration loaded [struct] %#v", staticConfiguration)
+		log.WithoutContext().Errorf("Could not redact static configuration: %v", err)
 	} else {
-		log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf))
+		log.WithoutContext().Debugf("Static configuration loaded %s", redactedStaticConfiguration)
 	}

 	if staticConfiguration.Global.CheckNewVersion {
--- a/docs/check.Dockerfile
+++ b/docs/check.Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.21
+FROM alpine:3.22

 RUN apk --no-cache --no-progress add \
    build-base \
@@ -9,9 +9,7 @@ RUN apk --no-cache --no-progress add \
    ruby \
    ruby-bigdecimal \
    ruby-dev \
-    ruby-etc \
    ruby-ffi \
-    ruby-json \
    zlib-dev

 RUN gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
--- a/docs/content/deprecation/releases.md
+++ b/docs/content/deprecation/releases.md
@@ -6,11 +6,13 @@ Below is a non-exhaustive list of versions and their maintenance status:

 | Version | Release Date | Active Support     | Security Support  |
 |---------|--------------|--------------------|-------------------|
-| 3.3     | Jan 06, 2025 | Yes                | Yes               |
+| 3.5     | Jul 23, 2025 | Yes                | Yes               |
+| 3.4     | May 05, 2025 | Ended Jul 23, 2025 | No                |
+| 3.3     | Jan 06, 2025 | Ended May 05, 2025 | No                |
 | 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 | No                |
 | 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 | No                |
 | 3.0     | Apr 29, 2024 | Ended Jul 15, 2024 | No                |
-| 2.11    | Feb 12, 2024 | Ends  Apr 29, 2025 | Ends Feb 01, 2026 |
+| 2.11    | Feb 12, 2024 | Ended Apr 29, 2025 | Ends Feb 01, 2026 |
 | 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 | No                |
 | 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 | No                |
 | 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No                |
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -324,13 +324,14 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
 | [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
 | [Axelname](https://axelname.ru)                                        | `axelname`         | `AXELNAME_NICKNAME`, `AXELNAME_TOKEN`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/axelname)         |
-| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [Azion](https://www.azion.com/en/products/edge-dns/)                   | `azion`            | `AZION_PERSONAL_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/azion)            |
+| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | DEPRECATED use `azuredns` instead.                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
 | [AzureDNS](https://azure.microsoft.com/services/dns/)                  | `azuredns`         | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns)         |
 | [Baidu Cloud](https://cloud.baidu.com)                                 | `baiducloud`       | `BAIDUCLOUD_ACCESS_KEY_ID`, `BAIDUCLOUD_SECRET_ACCESS_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/baiducloud)       |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)             | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
 | [Blue Cat](https://www.bluecatnetworks.com/)                           | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
 | [BookMyName](https://www.bookmyname.com)                               | `bookmyname`       | `BOOKMYNAME_USERNAME`, `BOOKMYNAME_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/bookmyname)       |
-| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
+| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
 | [Bunny](https://bunny.net)                                             | `bunny`            | `BUNNY_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/bunny)            |
 | [Checkdomain](https://www.checkdomain.de/)                             | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
 | [Civo](https://www.civo.com/)                                          | `civo`             | `CIVO_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
@@ -338,7 +339,8 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [CloudDNS](https://vshosting.eu/)                                      | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
 | [Cloudflare](https://www.cloudflare.com)                               | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
 | [ClouDNS](https://www.cloudns.net/)                                    | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
-| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [ConoHa v3](https://www.conoha.jp/)                                    | `conohav3`         | `CONOHAV3_TENANT_ID`, `CONOHAV3_API_USER_ID`, `CONOHAV3_API_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conohav3)         |
 | [ConoHa](https://www.conoha.jp)                                        | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
 | [Constellix](https://constellix.com)                                   | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
 | [Core-Networks](https://www.core-networks.de)                          | `corenetworks`     | `CORENETWORKS_LOGIN`, `CORENETWORKS_PASSWORD`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/corenetworks)     |
@@ -350,12 +352,13 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [DNS Made Easy](https://dnsmadeeasy.com)                               | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
 | [dnsHome.de](https://www.dnshome.de)                                   | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
 | [DNSimple](https://dnsimple.com)                                       | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
-| [DNSPod](https://www.dnspod.com/)                                      | `dnspod`           | `DNSPOD_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
+| [DNSPod](https://www.dnspod.com/) (DEPRECATED)                         | `dnspod`           | DEPRECATED  use `tencentcloud` instead.                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
 | [Domain Offensive (do.de)](https://www.do.de/)                         | `dode`             | `DODE_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
 | [Domeneshop](https://domene.shop)                                      | `domeneshop`       | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)       |
 | [DreamHost](https://www.dreamhost.com/)                                | `dreamhost`        | `DREAMHOST_API_KEY`                                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)        |
 | [Duck DNS](https://www.duckdns.org/)                                   | `duckdns`          | `DUCKDNS_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)          |
 | [Dyn](https://dyn.com)                                                 | `dyn`              | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)              |
+| [DynDnsFree.de](https://www.dyndnsfree.de)                             | `dyndnsfree`       | `DYNDNSFREE_USERNAME`, `DYNDNSFREE_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dyndnsfree)       |
 | [Dynu](https://www.dynu.com)                                           | `dynu`             | `DYNU_API_KEY`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)             |
 | [EasyDNS](https://easydns.com/)                                        | `easydns`          | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)          |
 | [EdgeDNS](https://www.akamai.com/)                                     | `edgedns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
@@ -371,7 +374,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Glesys](https://glesys.com/)                                          | `glesys`           | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)           |
 | [GoDaddy](https://www.godaddy.com)                                     | `godaddy`          | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)          |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)                 | `gcloud`           | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)           |
-| [Google Domains](https://domains.google)                               | `googledomains`    | `GOOGLE_DOMAINS_ACCESS_TOKEN`                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
+| [Google Domains](https://domains.google) (DEPRECATED)                  | `googledomains`    | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
 | [Hetzner](https://hetzner.com)                                         | `hetzner`          | `HETZNER_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
 | [hosting.de](https://www.hosting.de)                                   | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
 | [Hosttech](https://www.hosttech.eu)                                    | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
@@ -432,6 +435,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [RFC2136](https://tools.ietf.org/html/rfc2136)                         | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
 | [RimuHosting](https://rimuhosting.com)                                 | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
 | [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
+| [RU Center](https://nic.ru/)                                           | `nicru`            | `NICRU_USER`, `NICRU_PASSWORD`, `NICRU_SERVICE_ID`, `NICRU_SECRET`, `NICRU_SERVICE_NAME`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/nicru)            |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
 | [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCW_API_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
 | [Selectel v2](https://selectel.ru/en/)                                 | `selectelv2`       | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2)       |
@@ -466,6 +470,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Yandex Cloud](https://cloud.yandex.com/en/)                           | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
 | [Yandex](https://yandex.com)                                           | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
 | [Zone.ee](https://www.zone.ee)                                         | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
+| [ZoneEdit](https://www.zoneedit.com)                                   | `zoneedit`         | `ZONEEDIT_USER`, `ZONEEDIT_AUTH_TOKEN`                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/zoneedit)         |
 | [Zonomi](https://zonomi.com)                                           | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
 | External Program                                                       | `exec`             | `EXEC_PATH`                                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/exec)             |
 | HTTP request                                                           | `httpreq`          | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)          |
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -242,7 +242,7 @@ The TLS options allow one to configure some parameters of the TLS connection.

 !!! important "TLSOption in Kubernetes"

-    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../../routing/providers/kubernetes-crd/#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
    if not explicitly overwritten, should apply to all ingresses.  
    To achieve that, you'll have to create a TLSOption resource with the name `default`.
    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
@@ -392,11 +392,11 @@ spec:

 ### Curve Preferences

-This option allows to set the preferred elliptic curves in a specific order.
+This option allows to set the enabled elliptic curves for key exchange.

 The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used.

-See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
+See [CurvePreferences](https://godoc.org/crypto/tls#Config.CurvePreferences) and [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.

 ```yaml tab="File (YAML)"
 # Dynamic configuration
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -703,3 +703,34 @@ and Traefik now keeps them encoded to avoid any ambiguity.
 | `/foo/../bar`     | PathPrefix(`/bar`)     | Match            | Match            |
 | `/foo/%2E%2E/bar` | PathPrefix(`/foo`)     | Match            | No match         |
 | `/foo/%2E%2E/bar` | PathPrefix(`/bar`)     | No match         | Match            |
+
+## v2.11.28
+
+### MultiPath TCP
+
+Since `v2.11.28`, the MultiPath TCP support introduced with `v2.11.26` has been removed.
+It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message:
+
+- `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported`
+
+However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).
+
+## v2.11.32
+
+## Encoded Characters in Request Path
+
+Since `v2.11.32`, for security reasons Traefik now rejects requests with a path containing a specific set of encoded characters by default.
+When such a request is received, Traefik responds with a `400 Bad Request` status code.
+Here is the list of the encoded characters that are rejected by default, along with the corresponding configuration option to allow them:
+
+| Encoded Character | Character               | Config option to allow the encoded character                                         |
+|-------------------|-------------------------|--------------------------------------------------------------------------------------|
+| `%2f` or `%2F`    | `/` (slash)             | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSlash`          |
+| `%5c` or `%5C`    | `\` (backslash)         | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedBackSlash`     |
+| `%00`             | `NULL` (null character) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedNullCharacter` |
+| `%3b` or `%3B`    | `;` (semicolon)         | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSemicolon`     |
+| `%25`             | `%` (percent)           | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedPercent`       |
+| `%3f` or `%3F`    | `?` (question mark)     | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedQuestionMark`  |
+| `%23`             | `#` (hash)              | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedHash`          |
+
+Please check out the entrypoint [encodedCharacters option](../routing/entrypoints.md#encoded-characters) documentation for more details.
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -46,7 +46,7 @@ And then define a routing configuration on Traefik itself with the

 --8<-- "content/operations/include-api-examples.md"

-??? warning "The router's [rule](../../routing/routers#rule) must catch requests for the URI path `/api`"
+??? warning "The router's [rule](../../routing/routers/#rule) must catch requests for the URI path `/api`"
    Using an "Host" rule is recommended, by catching all the incoming traffic on this host domain to the API.
    However, you can also use "path prefix" rule or any combination or rules.

--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
@@ -1478,7 +1478,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  regex:
                    description: Regex defines the regex used to match and capture
@@ -1497,7 +1497,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  port:
                    description: Port defines the port of the new URL.
@@ -1886,7 +1886,7 @@ spec:
                type: object
              curvePreferences:
                description: |-
-                  CurvePreferences defines the preferred elliptic curves in a specific order.
+                  CurvePreferences defines the preferred elliptic curves.
                  More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences
                items:
                  type: string
@@ -3908,7 +3908,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  regex:
                    description: Regex defines the regex used to match and capture
@@ -3927,7 +3927,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  port:
                    description: Port defines the port of the new URL.
@@ -4316,7 +4316,7 @@ spec:
                type: object
              curvePreferences:
                description: |-
-                  CurvePreferences defines the preferred elliptic curves in a specific order.
+                  CurvePreferences defines the preferred elliptic curves.
                  More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences
                items:
                  type: string
--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ b/docs/content/reference/dynamic-configuration/kv-ref.md
@@ -2,6 +2,9 @@
 CODE GENERATED AUTOMATICALLY
 THIS FILE MUST NOT BE EDITED BY HAND
 -->
+
+| Key (Path) | Value |
+|------------|-------|
 | `traefik/http/middlewares/Middleware01/addPrefix/prefix` | `foobar` |
 | `traefik/http/middlewares/Middleware02/basicAuth/headerField` | `foobar` |
 | `traefik/http/middlewares/Middleware02/basicAuth/realm` | `foobar` |
--- a/docs/content/reference/dynamic-configuration/kv.md
+++ b/docs/content/reference/dynamic-configuration/kv.md
@@ -8,6 +8,4 @@ description: "Read the technical documentation to learn the Traefik Dynamic Conf
 Dynamic configuration with KV stores.
 {: .subtitle }

-| Key (Path)                                                                                   | Value       |
-|----------------------------------------------------------------------------------------------|-------------|
 --8<-- "content/reference/dynamic-configuration/kv-ref.md"
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
@@ -863,7 +863,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  regex:
                    description: Regex defines the regex used to match and capture
@@ -882,7 +882,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  port:
                    description: Port defines the port of the new URL.
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
@@ -78,7 +78,7 @@ spec:
                type: object
              curvePreferences:
                description: |-
-                  CurvePreferences defines the preferred elliptic curves in a specific order.
+                  CurvePreferences defines the preferred elliptic curves.
                  More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences
                items:
                  type: string
--- a/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
@@ -863,7 +863,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  regex:
                    description: Regex defines the regex used to match and capture
@@ -882,7 +882,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  port:
                    description: Port defines the port of the new URL.
--- a/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
@@ -78,7 +78,7 @@ spec:
                type: object
              curvePreferences:
                description: |-
-                  CurvePreferences defines the preferred elliptic curves in a specific order.
+                  CurvePreferences defines the preferred elliptic curves.
                  More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences
                items:
                  type: string
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -123,6 +123,30 @@ Trust only forwarded headers from selected IPs.
 `--entrypoints.<name>.http`:  
 HTTP configuration.

+`--entrypoints.<name>.http.encodedcharacters`:  
+Defines which encoded characters are allowed in the request path.
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedbackslash`:  
+Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedhash`:  
+Defines whether requests with encoded hash characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodednullcharacter`:  
+Defines whether requests with encoded null characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedpercent`:  
+Defines whether requests with encoded percent characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedquestionmark`:  
+Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedsemicolon`:  
+Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```false```)
+
+`--entrypoints.<name>.http.encodedcharacters.allowencodedslash`:  
+Defines whether requests with encoded slash characters in the path are allowed. (Default: ```false```)
+
 `--entrypoints.<name>.http.encodequerysemicolons`:  
 Defines whether request query semicolons should be URLEncoded. (Default: ```false```)

--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -132,6 +132,30 @@ HTTP/3 configuration. (Default: ```false```)
 `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP3_ADVERTISEDPORT`:  
 UDP port to advertise, on which HTTP/3 is available. (Default: ```0```)

+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS`:  
+Defines which encoded characters are allowed in the request path.
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDBACKSLASH`:  
+Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH`:  
+Defines whether requests with encoded hash characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDNULLCHARACTER`:  
+Defines whether requests with encoded null characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDPERCENT`:  
+Defines whether requests with encoded percent characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDQUESTIONMARK`:  
+Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSEMICOLON`:  
+Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```false```)
+
+`TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH`:  
+Defines whether requests with encoded slash characters in the path are allowed. (Default: ```false```)
+
 `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_ENCODEQUERYSEMICOLONS`:  
 Defines whether request query semicolons should be URLEncoded. (Default: ```false```)

--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@@ -55,6 +55,14 @@
        [[entryPoints.EntryPoint0.http.tls.domains]]
          main = "foobar"
          sans = ["foobar", "foobar"]
+      [entryPoints.EntryPoint0.http.encodedCharacters]
+        allowEncodedSlash = true
+        allowEncodedBackSlash = true
+        allowEncodedNullCharacter = true
+        allowEncodedSemicolon = true
+        allowEncodedPercent = true
+        allowEncodedQuestionMark = true
+        allowEncodedHash = true
    [entryPoints.EntryPoint0.http2]
      maxConcurrentStreams = 42
    [entryPoints.EntryPoint0.http3]
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@@ -62,6 +62,14 @@ entryPoints:
            sans:
              - foobar
              - foobar
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedBackSlash: true
+        allowEncodedNullCharacter: true
+        allowEncodedSemicolon: true
+        allowEncodedPercent: true
+        allowEncodedQuestionMark: true
+        allowEncodedHash: true
      encodeQuerySemicolons: true
      sanitizePath: true
    http2:
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@@ -127,6 +127,14 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
          trustedIPs:
            - "127.0.0.1"
            - "192.168.0.1"
+        encodedCharacters:
+          allowEncodedSlash: true
+          allowEncodedBackSlash: true
+          allowEncodedNullCharacter: true
+          allowEncodedSemicolon: true
+          allowEncodedPercent: true
+          allowEncodedQuestionMark: true
+          allowEncodedHash: true
    ```

    ```toml tab="File (TOML)"
@@ -152,6 +160,14 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
        [entryPoints.name.forwardedHeaders]
          insecure = true
          trustedIPs = ["127.0.0.1", "192.168.0.1"]
+        [entryPoints.name.encodedCharacters]
+          allowEncodedSlash = true
+          allowEncodedBackSlash = true
+          allowEncodedNullCharacter = true
+          allowEncodedSemicolon = true
+          allowEncodedPercent = true
+          allowEncodedQuestionMark = true
+          allowEncodedHash = true
    ```

    ```bash tab="CLI"
@@ -168,6 +184,13 @@ They can be defined by using a file (YAML or TOML) or CLI arguments.
    --entryPoints.name.proxyProtocol.trustedIPs=127.0.0.1,192.168.0.1
    --entryPoints.name.forwardedHeaders.insecure=true
    --entryPoints.name.forwardedHeaders.trustedIPs=127.0.0.1,192.168.0.1
+    --entryPoints.name.encodedCharacters.allowEncodedSlash=true
+    --entryPoints.name.encodedCharacters.allowEncodedBackSlash=true
+    --entryPoints.name.encodedCharacters.allowEncodedNullCharacter=true
+    --entryPoints.name.encodedCharacters.allowEncodedSemicolon=true
+    --entryPoints.name.encodedCharacters.allowEncodedPercent=true
+    --entryPoints.name.encodedCharacters.allowEncodedQuestionMark=true
+    --entryPoints.name.encodedCharacters.allowEncodedHash=true
    ```

 ### Address
@@ -455,6 +478,232 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
    --entryPoints.web.forwardedHeaders.connection=foobar
    ```

+### Encoded Characters
+
+You can configure Traefik to control the handling of encoded characters in request paths for security purposes.
+By default, Traefik rejects requests containing certain encoded characters that could be used in path traversal or other security attacks.
+
+!!! warning "Security Considerations"
+
+    Allowing certain encoded characters may expose your application to security vulnerabilities.
+
+??? info "`encodedCharacters.allowEncodedSlash`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded slash characters (`%2F` or `%2f`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        encodedCharacters:
+          allowEncodedSlash: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.encodedCharacters]
+          allowEncodedSlash = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.encodedCharacters.allowEncodedSlash=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedBackSlash`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded back slash characters (`%5C` or `%5c`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        encodedCharacters:
+          allowEncodedBackSlash: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.encodedCharacters]
+          allowEncodedBackSlash = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.encodedCharacters.allowEncodedBackSlash=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedNullCharacter`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded null characters (`%00`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        encodedCharacters:
+          allowEncodedNullCharacter: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.encodedCharacters]
+          allowEncodedNullCharacter = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.encodedCharacters.allowEncodedNullCharacter=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedSemicolon`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded semicolon characters (`%3B` or `%3b`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        encodedCharacters:
+          allowEncodedSemicolon: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.encodedCharacters]
+          allowEncodedSemicolon = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.encodedCharacters.allowEncodedSemicolon=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedPercent`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded percent characters (`%25`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        encodedCharacters:
+          allowEncodedPercent: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.encodedCharacters]
+          allowEncodedPercent = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.encodedCharacters.allowEncodedPercent=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedQuestionMark`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded question mark characters (`%3F` or `%3f`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        encodedCharacters:
+          allowEncodedQuestionMark: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.encodedCharacters]
+          allowEncodedQuestionMark = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.encodedCharacters.allowEncodedQuestionMark=true
+    ```
+
+??? info "`encodedCharacters.allowEncodedHash`"
+
+    _Optional, Default=false_
+
+    Controls whether requests with encoded hash characters (`%23`) in the path are allowed.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        encodedCharacters:
+          allowEncodedHash: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.encodedCharacters]
+          allowEncodedHash = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.encodedCharacters.allowEncodedHash=true
+    ```
+
 ### Transport

 #### `respondingTimeouts`
--- a/docs/content/routing/overview.md
+++ b/docs/content/routing/overview.md
@@ -10,8 +10,8 @@ What's Happening to the Requests?

 Let's zoom in on Traefik's architecture and talk about the components that enable the routes to be created.

-First, when you start Traefik, you define [entrypoints](../entrypoints) (in their most basic forms, they are port numbers).
-Then, connected to these entrypoints, [routers](../routers) analyze the incoming requests to see if they match a set of [rules](../routers#rule).
+First, when you start Traefik, you define [entrypoints](../entrypoints/) (in their most basic forms, they are port numbers).
+Then, connected to these entrypoints, [routers](../routers/) analyze the incoming requests to see if they match a set of [rules](../routers/#rule).
 If they do, the router might transform the request using pieces of [middleware](../middlewares/overview.md) before forwarding them to your [services](./services/index.md).

 ![Architecture](../assets/img/architecture-overview.png)
--- a/docs/content/routing/providers/kubernetes-crd.md
+++ b/docs/content/routing/providers/kubernetes-crd.md
@@ -1644,7 +1644,7 @@ or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`Ingre
 | [2]  | `minVersion`                | Defines the [minimum TLS version](../../https/tls.md#minimum-tls-version) that is acceptable.                                                                                                                              |
 | [3]  | `maxVersion`                | Defines the [maximum TLS version](../../https/tls.md#maximum-tls-version) that is acceptable.                                                                                                                              |
 | [4]  | `cipherSuites`              | list of supported [cipher suites](../../https/tls.md#cipher-suites) for TLS versions up to TLS 1.2.                                                                                                                        |
-| [5]  | `curvePreferences`          | List of the [elliptic curves references](../../https/tls.md#curve-preferences) that will be used in an ECDHE handshake, in preference order.                                                                               |
+| [5]  | `curvePreferences`          | List of the [elliptic curves references](../../https/tls.md#curve-preferences) that will be used in an ECDHE handshake.                                                                                                    |
 | [6]  | `clientAuth`                | determines the server's policy for TLS [Client Authentication](../../https/tls.md#client-authentication-mtls).                                                                                                             |
 | [7]  | `clientAuth.secretNames`    | list of names of the referenced Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) (in TLSOption namespace). The secret must contain a certificate under either a `tls.ca` or a `ca.crt` key. |
 | [8]  | `clientAuth.clientAuthType` | defines the client authentication type to apply. The available values are: `NoClientCert`, `RequestClientCert`, `VerifyClientCertIfGiven` and `RequireAndVerifyClientCert`.                                                |
--- a/docs/content/routing/providers/kubernetes-ingress.md
+++ b/docs/content/routing/providers/kubernetes-ingress.md
@@ -907,7 +907,7 @@ TLS certificates can be managed in Secrets objects.
    whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.

    One alternative is to use an `ExternalName` service to forward requests to the Kubernetes service through DNS.
-    To do so, one must [allow external name services](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#allowexternalnameservices "Link to docs about allowing external name services").
+    To do so, one must [allow external name services](../../../providers/kubernetes-ingress/#allowexternalnameservices "Link to docs about allowing external name services").

 Traefik automatically requests endpoint information based on the service provided in the ingress spec.
 Although Traefik will connect directly to the endpoints (pods),
--- a/docs/content/security/content-length.md
+++ b/docs/content/security/content-length.md
@@ -3,7 +3,8 @@ title: "Content-Length"
 description: "Enforce strict Content‑Length validation in Traefik by streaming or full buffering to prevent truncated or over‑long requests and responses. Read the technical documentation."
 ---

-Traefik acts as a streaming proxy. By default, it checks each chunk of data against the `Content-Length` header as it passes it on to the backend or client. This live check blocks truncated or over‑long streams without holding the entire message.
+Traefik acts as a streaming proxy. By default, it checks each chunk of data against the `Content-Length` header as it passes it on to the backend or client.
+This live check blocks truncated or over‑long streams without holding the entire message.

 If you need Traefik to read and verify the full body before any data moves on, add the [buffering middleware](../middlewares/http/buffering.md):

@@ -20,5 +21,7 @@ With buffering enabled, Traefik will:
 - Compare the actual byte count to the `Content-Length` header.
 - Reject the message if the counts do not match.

-!!!warning 
-    Buffering adds overhead. Every request and response is held in full before forwarding, which can increase memory use and latency. Use it when strict content validation is critical to your security posture.
+!!! warning
+
+    Buffering adds overhead. Every request and response is held in full before forwarding, which can increase memory use and latency.
+    Use it when strict content validation is critical to your security posture.
--- a/docs/content/security/request-path.md
+++ b/docs/content/security/request-path.md
@@ -0,0 +1,129 @@
+---
+title: "Request Path Security"
+description: "Learn how Traefik processes and secures request paths through sanitization and encoded character filtering to protect against path traversal and injection attacks."
+---
+
+# Request Path
+
+Protecting Against Path-Based Attacks Through Sanitization and Filtering
+{: .subtitle }
+
+Traefik implements multiple layers of security when processing incoming request paths.
+This includes path sanitization to normalize potentially dangerous sequences and encoded character filtering to prevent attack vectors that use URL encoding.
+Understanding how Traefik handles request paths is crucial for maintaining a secure routing infrastructure.
+
+## How Traefik Processes Request Paths
+
+When Traefik receives an HTTP request, it processes the request path through several security-focused stages:
+
+### 1. Encoded Character Filtering
+
+Traefik inspects the path for potentially dangerous encoded characters and rejects requests containing them unless explicitly allowed.
+
+Here is the list of the encoded characters that are rejected by default:
+
+| Encoded Character | Character               |
+|-------------------|-------------------------|
+| `%2f` or `%2F`    | `/` (slash)             |
+| `%5c` or `%5C`    | `\` (backslash)         |
+| `%00`             | `NULL` (null character) |
+| `%3b` or `%3B`    | `;` (semicolon)         |
+| `%25`             | `%` (percent)           |
+| `%3f` or `%3F`    | `?` (question mark)     |
+| `%23`             | `#` (hash)              |
+
+### 2. Path Normalization
+
+Traefik normalizes the request path by decoding the unreserved percent-encoded characters,
+as they are equivalent to their non-encoded form (according to [rfc3986#section-2.3](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3)),
+and capitalizing the percent-encoded characters (according to [rfc3986#section-6.2.2.1](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1)).
+
+### 3. Path Sanitization
+
+Traefik sanitizes request paths to prevent common attack vectors,
+by removing the `..`, `.` and duplicate slash segments from the URL (according to [rfc3986#section-6.2.2.3](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.3)).
+
+## Path Security Configuration
+
+Traefik provides two main mechanisms for path security that work together to protect your applications.
+
+### Path Sanitization
+
+Path sanitization is enabled by default and helps prevent directory traversal attacks by normalizing request paths.
+Configure it in the [EntryPoints](../routing/entrypoints.md#sanitizepath) HTTP section:
+
+```yaml tab="File (YAML)"
+entryPoints:
+  websecure:
+    address: ":443"
+    http:
+      sanitizePath: true  # Default: true (recommended)
+```
+
+```toml tab="File (TOML)"
+[entryPoints.websecure]
+  address = ":443"
+
+  [entryPoints.websecure.http]
+    sanitizePath = true
+```
+
+```bash tab="CLI"
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.sanitizePath=true
+```
+
+**Sanitization behavior:**
+
+- `./foo/bar` → `/foo/bar` (removes relative current directory)
+- `/foo/../bar` → `/bar` (resolves parent directory traversal)
+- `/foo/bar//` → `/foo/bar/` (removes duplicate slashes)
+- `/./foo/../bar//` → `/bar/` (combines all normalizations)
+
+### Encoded Character Filtering
+
+Encoded character filtering provides an additional security layer by rejecting potentially dangerous URL-encoded characters.
+Configure it in the [EntryPoints](../routing/entrypoints.md#encoded-characters) HTTP section.
+
+This filtering occurs before path sanitization and catches attack attempts that use encoding to bypass other security controls.
+
+All encoded character filtering is enabled by default (`false` means encoded characters are rejected), providing maximum security:
+
+```yaml tab="File (YAML)"
+entryPoints:
+  websecure:
+    address: ":443"
+    encodedCharacters:
+      allowEncodedSlash: false          # %2F - Default: false (RECOMMENDED)
+      allowEncodedBackSlash: false      # %5C - Default: false (RECOMMENDED)
+      allowEncodedNullCharacter: false  # %00 - Default: false (RECOMMENDED)
+      allowEncodedSemicolon: false      # %3B - Default: false (RECOMMENDED)
+      allowEncodedPercent: false        # %25 - Default: false (RECOMMENDED)
+      allowEncodedQuestionMark: false   # %3F - Default: false (RECOMMENDED)
+      allowEncodedHash: false           # %23 - Default: false (RECOMMENDED)
+```
+
+```toml tab="File (TOML)"
+[entryPoints.websecure]
+  address = ":443"
+
+  [entryPoints.websecure.encodedCharacters]
+    allowEncodedSlash = false
+    allowEncodedBackSlash = false
+    allowEncodedNullCharacter = false
+    allowEncodedSemicolon = false
+    allowEncodedPercent = false
+    allowEncodedQuestionMark = false
+    allowEncodedHash = false
+```
+
+```bash tab="CLI"
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.encodedCharacters.allowEncodedSlash=false
+--entryPoints.websecure.encodedCharacters.allowEncodedBackSlash=false
+--entryPoints.websecure.encodedCharacters.allowEncodedNullCharacter=false
+--entryPoints.websecure.encodedCharacters.allowEncodedSemicolon=false
+--entryPoints.websecure.encodedCharacters.allowEncodedPercent=false
+--entryPoints.websecure.encodedCharacters.allowEncodedQuestionMark=false
+--entryPoints.websecure.encodedCharacters.allowEncodedHash=false
+```
--- a/docs/content/user-guides/docker-compose/acme-dns/index.md
+++ b/docs/content/user-guides/docker-compose/acme-dns/index.md
@@ -6,7 +6,7 @@ description: "Learn how to create a certificate with the Let's Encrypt DNS chall
 # Docker-compose with Let's Encrypt: DNS Challenge

 This guide aims to demonstrate how to create a certificate with the Let's Encrypt DNS challenge to use https on a simple service exposed with Traefik.  
-Please also read the [basic example](../basic-example) for details on how to expose such a service.  
+Please also read the [basic example](../basic-example/) for details on how to expose such a service.  

 ## Prerequisite

--- a/docs/docs.Dockerfile
+++ b/docs/docs.Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.21
+FROM alpine:3.22

 ENV PATH="${PATH}:/venv/bin"

--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -167,6 +167,7 @@ nav:
          - 'Elastic': 'observability/tracing/elastic.md'
          - 'OpenTelemetry': 'observability/tracing/opentelemetry.md'
  - 'Security':
+        - 'Request Path': 'security/request-path.md'
        - 'Content-Length': 'security/content-length.md'
        - 'TLS in Multi-Tenant Kubernetes': 'security/tls-certs-in-multi-tenant-kubernetes.md'
  - 'User Guides':
--- a/go.mod
+++ b/go.mod
@@ -1,29 +1,29 @@
 module github.com/traefik/traefik/v2

-go 1.23.0
+go 1.24.0

 require (
 	github.com/BurntSushi/toml v1.5.0
 	github.com/ExpediaDotCom/haystack-client-go v0.0.0-20190315171017-e7edbdf53a61 // No tag on the repo.
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/abbot/go-http-auth v0.0.0-00010101000000-000000000000
-	github.com/aws/aws-sdk-go-v2 v1.36.3
-	github.com/aws/aws-sdk-go-v2/config v1.29.9
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.62
+	github.com/aws/aws-sdk-go-v2 v1.36.6
+	github.com/aws/aws-sdk-go-v2/config v1.29.18
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.71
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.203.1
 	github.com/aws/aws-sdk-go-v2/service/ecs v1.53.15
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.56.13
-	github.com/aws/smithy-go v1.22.2
+	github.com/aws/smithy-go v1.22.4
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd // No tag on the repo.
 	github.com/coreos/go-systemd/v22 v22.5.0
-	github.com/docker/cli v27.1.1+incompatible
-	github.com/docker/docker v27.1.1+incompatible
+	github.com/docker/cli v28.3.3+incompatible
+	github.com/docker/docker v28.3.3+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/fatih/structs v1.1.0
-	github.com/fsnotify/fsnotify v1.8.0
+	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gambol99/go-marathon v0.0.0-20180614232016-99a156b96fb2 // No tag on the repo.
-	github.com/go-acme/lego/v4 v4.23.1
+	github.com/go-acme/lego/v4 v4.25.2
 	github.com/go-kit/kit v0.13.0
 	github.com/go-kit/log v0.2.1
 	github.com/golang/protobuf v1.5.4
@@ -38,14 +38,14 @@ require (
 	github.com/influxdata/influxdb-client-go/v2 v2.7.0
 	github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab // No tag on the repo.
 	github.com/instana/go-sensor v1.38.3
-	github.com/klauspost/compress v1.17.11-0.20241004063537-dbd6c381492a // Required to have the content-type fix: https://github.com/klauspost/compress/pull/1013
+	github.com/klauspost/compress v1.18.0
 	github.com/kvtools/consul v1.0.2
 	github.com/kvtools/etcdv3 v1.0.2
 	github.com/kvtools/redis v1.1.0
 	github.com/kvtools/valkeyrie v1.0.0
 	github.com/kvtools/zookeeper v1.0.2
 	github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f // No tag on the repo.
-	github.com/miekg/dns v1.1.64
+	github.com/miekg/dns v1.1.67
 	github.com/mitchellh/copystructure v1.2.0
 	github.com/mitchellh/hashstructure v1.0.0
 	github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c
@@ -55,12 +55,12 @@ require (
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pires/go-proxyproto v0.6.1
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // No tag on the repo.
-	github.com/prometheus/client_golang v1.19.1
+	github.com/prometheus/client_golang v1.22.0
 	github.com/prometheus/client_model v0.6.1
-	github.com/quic-go/quic-go v0.48.2
+	github.com/quic-go/quic-go v0.57.1
 	github.com/rancher/go-rancher-metadata v0.0.0-20200311180630-7f4c936a06ac // No tag on the repo.
 	github.com/sirupsen/logrus v1.9.3
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154 // No tag on the repo.
 	github.com/testcontainers/testcontainers-go v0.32.0
 	github.com/traefik/paerser v0.2.2
@@ -73,37 +73,37 @@ require (
 	github.com/vulcand/predicate v1.2.0
 	go.elastic.co/apm/module/apmot/v2 v2.4.8
 	go.elastic.co/apm/v2 v2.4.8
-	golang.org/x/mod v0.23.0
-	golang.org/x/net v0.38.0
-	golang.org/x/text v0.23.0
-	golang.org/x/time v0.11.0
-	golang.org/x/tools v0.30.0
-	google.golang.org/grpc v1.71.0
-	gopkg.in/DataDog/dd-trace-go.v1 v1.72.2
+	golang.org/x/mod v0.29.0
+	golang.org/x/net v0.47.0
+	golang.org/x/text v0.31.0
+	golang.org/x/time v0.12.0
+	golang.org/x/tools v0.38.0
+	google.golang.org/grpc v1.73.0
+	gopkg.in/DataDog/dd-trace-go.v1 v1.74.6
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.26.7
+	k8s.io/api v0.32.3
 	k8s.io/apiextensions-apiserver v0.26.3
-	k8s.io/apimachinery v0.26.7
-	k8s.io/client-go v0.26.7
-	k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 // No tag on the repo.
+	k8s.io/apimachinery v0.32.3
+	k8s.io/client-go v0.32.3
+	k8s.io/utils v0.0.0-20241210054802-24370beab758 // No tag on the repo.
 	mvdan.cc/xurls/v2 v2.5.0
 	sigs.k8s.io/gateway-api v0.4.0
 )

 require (
-	cloud.google.com/go/auth v0.15.0 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
-	dario.cat/mergo v1.0.0 // indirect
+	cloud.google.com/go/auth v0.16.2 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.7.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
 	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.30 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
@@ -113,54 +113,66 @@ require (
 	github.com/Azure/go-autorest/autorest/to v0.4.1 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
-	github.com/DataDog/appsec-internal-go v1.9.0 // indirect
-	github.com/DataDog/datadog-agent/pkg/obfuscate v0.58.0 // indirect
-	github.com/DataDog/datadog-agent/pkg/proto v0.58.0 // indirect
-	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.58.0 // indirect
-	github.com/DataDog/datadog-agent/pkg/trace v0.58.0 // indirect
-	github.com/DataDog/datadog-agent/pkg/util/log v0.58.0 // indirect
-	github.com/DataDog/datadog-agent/pkg/util/scrubber v0.58.0 // indirect
-	github.com/DataDog/datadog-go/v5 v5.5.0 // indirect
-	github.com/DataDog/go-libddwaf/v3 v3.5.1 // indirect
-	github.com/DataDog/go-runtime-metrics-internal v0.0.4-0.20241206090539-a14610dc22b6 // indirect
-	github.com/DataDog/go-sqllexer v0.0.14 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
+	github.com/DataDog/appsec-internal-go v1.13.0 // indirect
+	github.com/DataDog/datadog-agent/comp/core/tagger/origindetection v0.67.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/obfuscate v0.67.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/proto v0.67.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.69.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/trace v0.67.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/util/log v0.67.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/util/scrubber v0.67.0 // indirect
+	github.com/DataDog/datadog-agent/pkg/version v0.67.0 // indirect
+	github.com/DataDog/datadog-go/v5 v5.6.0 // indirect
+	github.com/DataDog/dd-trace-go/v2 v2.2.3 // indirect
+	github.com/DataDog/go-libddwaf/v4 v4.3.2 // indirect
+	github.com/DataDog/go-runtime-metrics-internal v0.0.4-0.20250721125240-fdf1ef85b633 // indirect
+	github.com/DataDog/go-sqllexer v0.1.6 // indirect
 	github.com/DataDog/go-tuf v1.1.0-0.5.2 // indirect
-	github.com/DataDog/opentelemetry-mapping-go/pkg/otlp/attributes v0.20.0 // indirect
-	github.com/DataDog/sketches-go v1.4.5 // indirect
+	github.com/DataDog/opentelemetry-mapping-go/pkg/otlp/attributes v0.27.0 // indirect
+	github.com/DataDog/sketches-go v1.4.7 // indirect
 	github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.2.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.1 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/Microsoft/hcsshim v0.11.7 // indirect
+	github.com/Microsoft/hcsshim v0.13.0 // indirect
 	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
 	github.com/VividCortex/gohistogram v1.0.0 // indirect
 	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
-	github.com/aliyun/alibaba-cloud-sdk-go v1.63.100 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
+	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.8 // indirect
+	github.com/alibabacloud-go/debug v1.0.1 // indirect
+	github.com/alibabacloud-go/endpoint-util v1.1.0 // indirect
+	github.com/alibabacloud-go/openapi-util v0.1.1 // indirect
+	github.com/alibabacloud-go/tea v1.3.9 // indirect
+	github.com/alibabacloud-go/tea-utils/v2 v2.0.7 // indirect
+	github.com/aliyun/credentials-go v1.4.6 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
 	github.com/armon/go-radix v1.0.1-0.20221118154546-54df44f2176c // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.33 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.37 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.37 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lightsail v1.43.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.50.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
-	github.com/baidubce/bce-sdk-go v0.9.223 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.43.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.53.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.34.1 // indirect
+	github.com/aziontech/azionapi-go-sdk v0.142.0 // indirect
+	github.com/baidubce/bce-sdk-go v0.9.235 // indirect
 	github.com/benbjohnson/clock v1.3.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 // indirect
-	github.com/civo/civogo v0.3.11 // indirect
-	github.com/cloudflare/cloudflare-go v0.115.0 // indirect
-	github.com/containerd/containerd v1.7.20 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/containerd/containerd v1.7.23 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/containerd/platforms v1.0.0-rc.1 // indirect
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -168,51 +180,50 @@ require (
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
+	github.com/dnsimple/dnsimple-go/v4 v4.0.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/donovanhide/eventsource v0.0.0-20170630084216-b8f31a59085e // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/eapache/queue/v2 v2.0.0-20230407133247-75960ed334e4 // indirect
-	github.com/ebitengine/purego v0.6.0-alpha.5 // indirect
+	github.com/ebitengine/purego v0.8.3 // indirect
 	github.com/elastic/go-sysinfo v1.7.1 // indirect
 	github.com/elastic/go-windows v1.0.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-	github.com/exoscale/egoscale/v3 v3.1.13 // indirect
+	github.com/exoscale/egoscale/v3 v3.1.24 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-acme/alidns-20150109/v4 v4.5.10 // indirect
+	github.com/go-acme/tencentclouddnspod v1.0.1208 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.20.0 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.16.0 // indirect
+	github.com/go-playground/validator/v10 v10.23.0 // indirect
 	github.com/go-resty/resty/v2 v2.16.5 // indirect
-	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/go-zookeeper/zk v1.0.3 // indirect
-	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20240910150728-a0b0bb1d4134 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
-	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.2 // indirect
 	github.com/gophercloud/gophercloud v1.14.1 // indirect
 	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
 	github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf // indirect
@@ -220,22 +231,18 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
-	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
-	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/hashicorp/serf v0.10.1 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
-	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.141 // indirect
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.159 // indirect
 	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 // indirect
-	github.com/infobloxopen/infoblox-go-client/v2 v2.9.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/infobloxopen/infoblox-go-client/v2 v2.10.0 // indirect
 	github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 // indirect
 	github.com/jonboulle/clockwork v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -245,147 +252,156 @@ require (
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
 	github.com/labbsr0x/goh v1.0.1 // indirect
-	github.com/leodido/go-urn v1.2.4 // indirect
-	github.com/linode/linodego v1.48.1 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/linode/linodego v1.53.0 // indirect
 	github.com/liquidweb/liquidweb-cli v0.6.9 // indirect
 	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
 	github.com/looplab/fsm v0.1.0 // indirect
-	github.com/lufia/plan9stats v0.0.0-20220913051719-115f729f3c8c // indirect
+	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailgun/minheap v0.0.0-20170619185613-3dbe6c6bf55f // indirect
 	github.com/mailgun/multibuf v0.1.2 // indirect
 	github.com/mailgun/timetools v0.0.0-20141028012446-7e6055773c51 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/go-archive v0.1.0 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/sys/user v0.2.0 // indirect
-	github.com/moby/term v0.5.0 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
+	github.com/namedotcom/go/v4 v4.0.2 // indirect
 	github.com/nrdcg/auroradns v1.1.0 // indirect
-	github.com/nrdcg/bunny-go v0.0.0-20240207213615-dde5bf4577a3 // indirect
-	github.com/nrdcg/desec v0.10.0 // indirect
+	github.com/nrdcg/bunny-go v0.0.0-20250327222614-988a091fc7ea // indirect
+	github.com/nrdcg/desec v0.11.0 // indirect
 	github.com/nrdcg/dnspod-go v0.4.0 // indirect
 	github.com/nrdcg/freemyip v0.3.0 // indirect
 	github.com/nrdcg/goacmedns v0.2.0 // indirect
-	github.com/nrdcg/goinwx v0.10.0 // indirect
+	github.com/nrdcg/goinwx v0.11.0 // indirect
 	github.com/nrdcg/mailinabox v0.2.0 // indirect
 	github.com/nrdcg/namesilo v0.2.1 // indirect
 	github.com/nrdcg/nodion v0.1.0 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.95.2 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.95.2 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
 	github.com/nzdjb/go-metaname v1.0.0 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
-	github.com/onsi/ginkgo/v2 v2.20.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492 // indirect
-	github.com/oracle/oci-go-sdk/v65 v65.87.0 // indirect
 	github.com/outcaste-io/ristretto v0.2.3 // indirect
-	github.com/ovh/go-ovh v1.7.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/ovh/go-ovh v1.9.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/peterhellberg/link v1.2.0 // indirect
-	github.com/philhofer/fwd v1.1.3-0.20240612014219-fbbf4953d986 // indirect
+	github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/power-devops/perfstat v0.0.0-20220216144756-c35f1ee13d7c // indirect
-	github.com/pquerna/otp v1.4.0 // indirect
-	github.com/prometheus/common v0.54.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/redis/go-redis/v9 v9.7.3 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/pquerna/otp v1.5.0 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
+	github.com/redis/go-redis/v9 v9.8.0 // indirect
 	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
-	github.com/ryanuber/go-glob v1.0.0 // indirect
-	github.com/sacloud/api-client-go v0.2.10 // indirect
-	github.com/sacloud/go-http v0.1.8 // indirect
-	github.com/sacloud/iaas-api-go v1.14.0 // indirect
-	github.com/sacloud/packages-go v0.0.10 // indirect
+	github.com/sacloud/api-client-go v0.3.2 // indirect
+	github.com/sacloud/go-http v0.1.9 // indirect
+	github.com/sacloud/iaas-api-go v1.16.1 // indirect
+	github.com/sacloud/packages-go v0.0.11 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
-	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.32 // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.34 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
 	github.com/segmentio/fasthash v1.0.3 // indirect
 	github.com/selectel/domains-go v1.1.0 // indirect
-	github.com/selectel/go-selvpcclient/v3 v3.2.1 // indirect
+	github.com/selectel/go-selvpcclient/v4 v4.1.0 // indirect
 	github.com/shirou/gopsutil/v3 v3.24.4 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.3 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
 	github.com/softlayer/softlayer-go v1.1.7 // indirect
 	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
-	github.com/sony/gobreaker v0.5.0 // indirect
+	github.com/sony/gobreaker v1.0.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/spf13/viper v1.18.2 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1128 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1128 // indirect
-	github.com/tinylib/msgp v1.2.1 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1210 // indirect
+	github.com/tinylib/msgp v1.2.5 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
-	github.com/tklauser/go-sysconf v0.3.12 // indirect
-	github.com/tklauser/numcpus v0.6.1 // indirect
+	github.com/tklauser/go-sysconf v0.3.15 // indirect
+	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/transip/gotransip/v6 v6.26.0 // indirect
 	github.com/ultradns/ultradns-go-sdk v1.8.0-20241010134910-243eeec // indirect
 	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
-	github.com/volcengine/volc-sdk-golang v1.0.199 // indirect
-	github.com/vultr/govultr/v3 v3.17.0 // indirect
-	github.com/yandex-cloud/go-genproto v0.0.0-20250319153614-fb9d3e5eb01a // indirect
-	github.com/yandex-cloud/go-sdk v0.0.0-20250320143332-9cbcfc5de4ae // indirect
+	github.com/volcengine/volc-sdk-golang v1.0.216 // indirect
+	github.com/vultr/govultr/v3 v3.21.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/yandex-cloud/go-genproto v0.14.0 // indirect
+	github.com/yandex-cloud/go-sdk/services/dns v0.0.3 // indirect
+	github.com/yandex-cloud/go-sdk/v2 v2.0.8 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.elastic.co/apm/module/apmhttp/v2 v2.4.8 // indirect
 	go.elastic.co/fastjson v1.1.0 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.10 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.16 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.10 // indirect
 	go.mongodb.org/mongo-driver v1.13.1 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/collector/component v0.104.0 // indirect
-	go.opentelemetry.io/collector/config/configtelemetry v0.104.0 // indirect
-	go.opentelemetry.io/collector/pdata v1.11.0 // indirect
-	go.opentelemetry.io/collector/pdata/pprofile v0.104.0 // indirect
-	go.opentelemetry.io/collector/semconv v0.104.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
-	go.opentelemetry.io/otel v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.34.0 // indirect
-	go.opentelemetry.io/otel/trace v1.34.0 // indirect
+	go.opentelemetry.io/collector/component v1.31.0 // indirect
+	go.opentelemetry.io/collector/featuregate v1.31.0 // indirect
+	go.opentelemetry.io/collector/internal/telemetry v0.125.0 // indirect
+	go.opentelemetry.io/collector/pdata v1.31.0 // indirect
+	go.opentelemetry.io/collector/semconv v0.125.0 // indirect
+	go.opentelemetry.io/contrib/bridges/otelzap v0.10.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/log v0.11.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/ratelimit v0.3.0 // indirect
+	go.uber.org/ratelimit v0.3.1 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/exp v0.0.0-20241210194714-1829a127f884 // indirect
-	golang.org/x/oauth2 v0.28.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
-	google.golang.org/api v0.227.0 // indirect
-	google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	google.golang.org/api v0.242.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/ns1/ns1-go.v2 v2.13.0 // indirect
+	gopkg.in/ns1/ns1-go.v2 v2.14.4 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	howett.net/plist v0.0.0-20181124034731-591f970eefbb // indirect
-	k8s.io/klog/v2 v2.90.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

 // Containous forks
--- a/go.sum
+++ b/go.sum
--- a/integration/acme_test.go
+++ b/integration/acme_test.go
@@ -21,6 +21,7 @@ import (
 	"github.com/traefik/traefik/v2/pkg/provider/acme"
 	"github.com/traefik/traefik/v2/pkg/testhelpers"
 	"github.com/traefik/traefik/v2/pkg/types"
+	"k8s.io/utils/strings/slices"
 )

 // ACME test suites.
@@ -35,9 +36,9 @@ func TestAcmeSuite(t *testing.T) {
 }

 type subCases struct {
-	host               string
-	expectedCommonName string
-	expectedAlgorithm  x509.PublicKeyAlgorithm
+	host              string
+	expectedDomain    string
+	expectedAlgorithm x509.PublicKeyAlgorithm
 }

 type acmeTestCase struct {
@@ -142,9 +143,9 @@ func (s *AcmeSuite) TestHTTP01Domains() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: acmeDomain,
-			expectedAlgorithm:  x509.RSA,
+			host:              acmeDomain,
+			expectedDomain:    acmeDomain,
+			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
 			Domains: []types.Domain{{
@@ -165,9 +166,9 @@ func (s *AcmeSuite) TestHTTP01StoreDomains() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_store_domains.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: acmeDomain,
-			expectedAlgorithm:  x509.RSA,
+			host:              acmeDomain,
+			expectedDomain:    acmeDomain,
+			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
 			Domain: types.Domain{
@@ -188,9 +189,9 @@ func (s *AcmeSuite) TestHTTP01DomainsInSAN() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: "acme.wtf",
-			expectedAlgorithm:  x509.RSA,
+			host:              acmeDomain,
+			expectedDomain:    "acme.wtf",
+			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
 			Domains: []types.Domain{{
@@ -212,9 +213,9 @@ func (s *AcmeSuite) TestHTTP01OnHostRule() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: acmeDomain,
-			expectedAlgorithm:  x509.RSA,
+			host:              acmeDomain,
+			expectedDomain:    acmeDomain,
+			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
 			Acme: map[string]static.CertificateResolver{
@@ -233,14 +234,14 @@ func (s *AcmeSuite) TestMultipleResolver() {
 		traefikConfFilePath: "fixtures/acme/acme_multiple_resolvers.toml",
 		subCases: []subCases{
 			{
-				host:               acmeDomain,
-				expectedCommonName: acmeDomain,
-				expectedAlgorithm:  x509.RSA,
+				host:              acmeDomain,
+				expectedDomain:    acmeDomain,
+				expectedAlgorithm: x509.RSA,
 			},
 			{
-				host:               "tchouk.acme.wtf",
-				expectedCommonName: "tchouk.acme.wtf",
-				expectedAlgorithm:  x509.ECDSA,
+				host:              "tchouk.acme.wtf",
+				expectedDomain:    "tchouk.acme.wtf",
+				expectedAlgorithm: x509.ECDSA,
 			},
 		},
 		template: templateModel{
@@ -263,9 +264,9 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleECDSA() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: acmeDomain,
-			expectedAlgorithm:  x509.ECDSA,
+			host:              acmeDomain,
+			expectedDomain:    acmeDomain,
+			expectedAlgorithm: x509.ECDSA,
 		}},
 		template: templateModel{
 			Acme: map[string]static.CertificateResolver{
@@ -284,9 +285,9 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: acmeDomain,
-			expectedAlgorithm:  x509.RSA,
+			host:              acmeDomain,
+			expectedDomain:    acmeDomain,
+			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
 			Acme: map[string]static.CertificateResolver{
@@ -301,13 +302,14 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleInvalidAlgo() {
 	s.retrieveAcmeCertificate(testCase)
 }

+// TODO: check why this test do not use the ACME cert resolver.
 func (s *AcmeSuite) TestHTTP01OnHostRuleDefaultDynamicCertificatesWithWildcard() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_tls.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: wildcardDomain,
-			expectedAlgorithm:  x509.RSA,
+			host:              acmeDomain,
+			expectedDomain:    wildcardDomain,
+			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
 			Acme: map[string]static.CertificateResolver{
@@ -321,13 +323,14 @@ func (s *AcmeSuite) TestHTTP01OnHostRuleDefaultDynamicCertificatesWithWildcard()
 	s.retrieveAcmeCertificate(testCase)
 }

+// TODO: check why this test do not use the ACME cert resolver.
 func (s *AcmeSuite) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_tls_dynamic.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: wildcardDomain,
-			expectedAlgorithm:  x509.RSA,
+			host:              acmeDomain,
+			expectedDomain:    wildcardDomain,
+			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
 			Acme: map[string]static.CertificateResolver{
@@ -345,9 +348,9 @@ func (s *AcmeSuite) TestTLSALPN01OnHostRuleTCP() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_tcp.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: acmeDomain,
-			expectedAlgorithm:  x509.RSA,
+			host:              acmeDomain,
+			expectedDomain:    acmeDomain,
+			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
 			Acme: map[string]static.CertificateResolver{
@@ -365,9 +368,9 @@ func (s *AcmeSuite) TestTLSALPN01OnHostRule() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_base.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: acmeDomain,
-			expectedAlgorithm:  x509.RSA,
+			host:              acmeDomain,
+			expectedDomain:    acmeDomain,
+			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
 			Acme: map[string]static.CertificateResolver{
@@ -385,9 +388,9 @@ func (s *AcmeSuite) TestTLSALPN01Domains() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: acmeDomain,
-			expectedAlgorithm:  x509.RSA,
+			host:              acmeDomain,
+			expectedDomain:    acmeDomain,
+			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
 			Domains: []types.Domain{{
@@ -408,9 +411,9 @@ func (s *AcmeSuite) TestTLSALPN01DomainsInSAN() {
 	testCase := acmeTestCase{
 		traefikConfFilePath: "fixtures/acme/acme_domains.toml",
 		subCases: []subCases{{
-			host:               acmeDomain,
-			expectedCommonName: "acme.wtf",
-			expectedAlgorithm:  x509.RSA,
+			host:              acmeDomain,
+			expectedDomain:    "acme.wtf",
+			expectedAlgorithm: x509.RSA,
 		}},
 		template: templateModel{
 			Domains: []types.Domain{{
@@ -502,27 +505,38 @@ func (s *AcmeSuite) retrieveAcmeCertificate(testCase acmeTestCase) {
 		req.Header.Set("Host", sub.host)
 		req.Header.Set("Accept", "*/*")

-		var resp *http.Response
+		var (
+			gotStatusCode         int
+			gotDomains            []string
+			gotPublicKeyAlgorithm x509.PublicKeyAlgorithm
+		)

 		// Retry to send a Request which uses the LE generated certificate
 		err := try.Do(60*time.Second, func() error {
-			resp, err = client.Do(req)
+			resp, err := client.Do(req)
 			if err != nil {
 				return err
 			}

-			cn := resp.TLS.PeerCertificates[0].Subject.CommonName
-			if cn != sub.expectedCommonName {
-				return fmt.Errorf("domain %s found instead of %s", cn, sub.expectedCommonName)
+			gotStatusCode = resp.StatusCode
+			gotPublicKeyAlgorithm = resp.TLS.PeerCertificates[0].PublicKeyAlgorithm
+
+			// Here we are collecting the common name as it is used in wildcard tests.
+			gotDomains = append(gotDomains, resp.TLS.PeerCertificates[0].Subject.CommonName)
+			gotDomains = append(gotDomains, resp.TLS.PeerCertificates[0].DNSNames...)
+
+			if !slices.Contains(gotDomains, sub.expectedDomain) {
+				return fmt.Errorf("domain name %s not found in domain names: %v", sub.expectedDomain, gotDomains)
 			}

 			return nil
 		})

 		require.NoError(s.T(), err)
-		assert.Equal(s.T(), http.StatusOK, resp.StatusCode)
+		assert.Equal(s.T(), http.StatusOK, gotStatusCode)
+
 		// Check Domain into response certificate
-		assert.Equal(s.T(), sub.expectedCommonName, resp.TLS.PeerCertificates[0].Subject.CommonName)
-		assert.Equal(s.T(), sub.expectedAlgorithm, resp.TLS.PeerCertificates[0].PublicKeyAlgorithm)
+		assert.Contains(s.T(), gotDomains, sub.expectedDomain)
+		assert.Equal(s.T(), sub.expectedAlgorithm, gotPublicKeyAlgorithm)
 	}
 }
--- a/integration/fixtures/k8s/01-traefik-crd.yml
+++ b/integration/fixtures/k8s/01-traefik-crd.yml
@@ -1478,7 +1478,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  regex:
                    description: Regex defines the regex used to match and capture
@@ -1497,7 +1497,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  port:
                    description: Port defines the port of the new URL.
@@ -1886,7 +1886,7 @@ spec:
                type: object
              curvePreferences:
                description: |-
-                  CurvePreferences defines the preferred elliptic curves in a specific order.
+                  CurvePreferences defines the preferred elliptic curves.
                  More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences
                items:
                  type: string
@@ -3908,7 +3908,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  regex:
                    description: Regex defines the regex used to match and capture
@@ -3927,7 +3927,7 @@ spec:
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                    type: boolean
                  port:
                    description: Port defines the port of the new URL.
@@ -4316,7 +4316,7 @@ spec:
                type: object
              curvePreferences:
                description: |-
-                  CurvePreferences defines the preferred elliptic curves in a specific order.
+                  CurvePreferences defines the preferred elliptic curves.
                  More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences
                items:
                  type: string
--- a/integration/fixtures/websocket/config.toml
+++ b/integration/fixtures/websocket/config.toml
@@ -8,6 +8,8 @@
 [entryPoints]
  [entryPoints.web]
    address = ":8000"
+    [entryPoints.web.http.encodedCharacters]
+        allowEncodedSlash = true

 [api]
  insecure = true
--- a/integration/resources/compose/pebble.yml
+++ b/integration/resources/compose/pebble.yml
@@ -1,9 +1,8 @@
 version: "3.8"
 services:
  pebble:
-    image: letsencrypt/pebble:v2.3.1
+    image: ghcr.io/letsencrypt/pebble:2.8.0
    command:
-      - pebble
      - --dnsserver
      - host.docker.internal:5053
    environment:
--- a/internal/gendoc.go
+++ b/internal/gendoc.go
@@ -349,6 +349,11 @@ func genKVDynConfDoc(outputFile string) {
 CODE GENERATED AUTOMATICALLY
 THIS FILE MUST NOT BE EDITED BY HAND
 -->
+`)
+
+	_, _ = fmt.Fprintf(file, `
+| Key (Path) | Value |
+|------------|-------|
 `)

 	for _, k := range keys {
--- a/internal/testsci/genmatrix.go
+++ b/internal/testsci/genmatrix.go
@@ -0,0 +1,66 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/traefik/traefik/v2/pkg/log"
+	"golang.org/x/tools/go/packages"
+)
+
+const groupCount = 12
+
+type group struct {
+	Group string `json:"group"`
+}
+
+func main() {
+	logger := log.WithoutContext()
+
+	cfg := &packages.Config{
+		Mode: packages.NeedName,
+		Dir:  ".",
+	}
+
+	pkgs, err := packages.Load(cfg, "./cmd/...", "./pkg/...")
+	if err != nil {
+		logger.Fatalf("Loading packages: %v", err)
+	}
+
+	var packageNames []string
+	for _, pkg := range pkgs {
+		if pkg.PkgPath != "" {
+			packageNames = append(packageNames, pkg.PkgPath)
+		}
+	}
+
+	total := len(packageNames)
+	perGroup := (total + groupCount - 1) / groupCount
+
+	fmt.Fprintf(os.Stderr, "Total packages: %d\n", total)
+	fmt.Fprintf(os.Stderr, "Packages per group: %d\n", perGroup)
+
+	var matrix []group
+	for i := range groupCount {
+		start := i * perGroup
+		end := start + perGroup
+		if start >= total {
+			break
+		}
+		if end > total {
+			end = total
+		}
+		g := strings.Join(packageNames[start:end], " ")
+		matrix = append(matrix, group{Group: g})
+	}
+
+	jsonBytes, err := json.Marshal(matrix)
+	if err != nil {
+		logger.Fatalf("Failed to marshal matrix: %v", err)
+	}
+
+	// Output for GitHub Actions
+	fmt.Printf("matrix=%s\n", string(jsonBytes))
+}
--- a/pkg/api/handler_http_test.go
+++ b/pkg/api/handler_http_test.go
@@ -1,7 +1,6 @@
 package api

 import (
-	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -926,8 +925,8 @@ func TestHandler_HTTP(t *testing.T) {
 			rtConf := &test.conf
 			// To lazily initialize the Statuses.
 			rtConf.PopulateUsedBy()
-			rtConf.GetRoutersByEntryPoints(context.Background(), []string{"web"}, false)
-			rtConf.GetRoutersByEntryPoints(context.Background(), []string{"web"}, true)
+			rtConf.GetRoutersByEntryPoints(t.Context(), []string{"web"}, false)
+			rtConf.GetRoutersByEntryPoints(t.Context(), []string{"web"}, true)

 			handler := New(static.Configuration{API: &static.API{}, Global: &static.Global{}}, rtConf)
 			server := httptest.NewServer(handler.createRouter())
--- a/pkg/api/handler_tcp_test.go
+++ b/pkg/api/handler_tcp_test.go
@@ -1,7 +1,6 @@
 package api

 import (
-	"context"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -797,7 +796,7 @@ func TestHandler_TCP(t *testing.T) {
 			rtConf := &test.conf
 			// To lazily initialize the Statuses.
 			rtConf.PopulateUsedBy()
-			rtConf.GetTCPRoutersByEntryPoints(context.Background(), []string{"web"})
+			rtConf.GetTCPRoutersByEntryPoints(t.Context(), []string{"web"})

 			handler := New(static.Configuration{API: &static.API{}, Global: &static.Global{}}, rtConf)
 			server := httptest.NewServer(handler.createRouter())
--- a/pkg/api/handler_udp_test.go
+++ b/pkg/api/handler_udp_test.go
@@ -1,7 +1,6 @@
 package api

 import (
-	"context"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -536,7 +535,7 @@ func TestHandler_UDP(t *testing.T) {
 			rtConf := &test.conf
 			// To lazily initialize the Statuses.
 			rtConf.PopulateUsedBy()
-			rtConf.GetUDPRoutersByEntryPoints(context.Background(), []string{"web"})
+			rtConf.GetUDPRoutersByEntryPoints(t.Context(), []string{"web"})

 			handler := New(static.Configuration{API: &static.API{}, Global: &static.Global{}}, rtConf)
 			server := httptest.NewServer(handler.createRouter())
--- a/pkg/api/testdata/entrypoint-bar.json
+++ b/pkg/api/testdata/entrypoint-bar.json
@@ -1,5 +1,7 @@
 {
 	"address": ":81",
-	"http": {},
+	"http": {
+		"encodedCharacters": {}
+	},
 	"name": "bar"
-}
+}
--- a/pkg/api/testdata/entrypoint-foo-slash-bar.json
+++ b/pkg/api/testdata/entrypoint-foo-slash-bar.json
@@ -1,5 +1,7 @@
 {
 	"address": ":81",
-	"http": {},
+	"http": {
+		"encodedCharacters": {}
+	},
 	"name": "foo / bar"
 }
--- a/pkg/api/testdata/entrypoints-many-lastpage.json
+++ b/pkg/api/testdata/entrypoints-many-lastpage.json
@@ -1,27 +1,37 @@
 [
 	{
 		"address": ":14",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "ep14"
 	},
 	{
 		"address": ":15",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "ep15"
 	},
 	{
 		"address": ":16",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "ep16"
 	},
 	{
 		"address": ":17",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "ep17"
 	},
 	{
 		"address": ":18",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "ep18"
 	}
-]
+]
--- a/pkg/api/testdata/entrypoints-page2.json
+++ b/pkg/api/testdata/entrypoints-page2.json
@@ -1,7 +1,9 @@
 [
 	{
 		"address": ":82",
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "web2"
 	}
-]
+]
--- a/pkg/api/testdata/entrypoints.json
+++ b/pkg/api/testdata/entrypoints.json
@@ -8,7 +8,9 @@
 				"192.168.1.4"
 			]
 		},
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "web",
 		"proxyProtocol": {
 			"insecure": true,
@@ -38,7 +40,9 @@
 				"192.168.1.40"
 			]
 		},
-		"http": {},
+		"http": {
+			"encodedCharacters": {}
+		},
 		"name": "websecure",
 		"proxyProtocol": {
 			"insecure": true,
--- a/pkg/config/dynamic/middlewares.go
+++ b/pkg/config/dynamic/middlewares.go
@@ -489,7 +489,7 @@ type RedirectRegex struct {
 	Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty"`
 	// Replacement defines how to modify the URL to have the new target URL.
 	Replacement string `json:"replacement,omitempty" toml:"replacement,omitempty" yaml:"replacement,omitempty"`
-	// Permanent defines whether the redirection is permanent (301).
+	// Permanent defines whether the redirection is permanent (308).
 	Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"`
 }

@@ -503,7 +503,7 @@ type RedirectScheme struct {
 	Scheme string `json:"scheme,omitempty" toml:"scheme,omitempty" yaml:"scheme,omitempty" export:"true"`
 	// Port defines the port of the new URL.
 	Port string `json:"port,omitempty" toml:"port,omitempty" yaml:"port,omitempty" export:"true"`
-	// Permanent defines whether the redirection is permanent (301).
+	// Permanent defines whether the redirection is permanent (308).
 	Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"`
 }

--- a/pkg/config/runtime/runtime_http_test.go
+++ b/pkg/config/runtime/runtime_http_test.go
@@ -1,7 +1,6 @@
 package runtime

 import (
-	"context"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -211,7 +210,7 @@ func TestGetRoutersByEntryPoints(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 			runtimeConfig := NewConfig(test.conf)
-			actual := runtimeConfig.GetRoutersByEntryPoints(context.Background(), test.entryPoints, false)
+			actual := runtimeConfig.GetRoutersByEntryPoints(t.Context(), test.entryPoints, false)
 			assert.Equal(t, test.expected, actual)
 		})
 	}
--- a/pkg/config/runtime/runtime_tcp_test.go
+++ b/pkg/config/runtime/runtime_tcp_test.go
@@ -1,7 +1,6 @@
 package runtime

 import (
-	"context"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -211,7 +210,7 @@ func TestGetTCPRoutersByEntryPoints(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 			runtimeConfig := NewConfig(test.conf)
-			actual := runtimeConfig.GetTCPRoutersByEntryPoints(context.Background(), test.entryPoints)
+			actual := runtimeConfig.GetTCPRoutersByEntryPoints(t.Context(), test.entryPoints)
 			assert.Equal(t, test.expected, actual)
 		})
 	}
--- a/pkg/config/runtime/runtime_udp_test.go
+++ b/pkg/config/runtime/runtime_udp_test.go
@@ -1,7 +1,6 @@
 package runtime

 import (
-	"context"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -192,7 +191,7 @@ func TestGetUDPRoutersByEntryPoints(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 			runtimeConfig := NewConfig(test.conf)
-			actual := runtimeConfig.GetUDPRoutersByEntryPoints(context.Background(), test.entryPoints)
+			actual := runtimeConfig.GetUDPRoutersByEntryPoints(t.Context(), test.entryPoints)
 			assert.Equal(t, test.expected, actual)
 		})
 	}
--- a/pkg/config/static/entrypoints.go
+++ b/pkg/config/static/entrypoints.go
@@ -59,11 +59,12 @@ func (ep *EntryPoint) SetDefaults() {

 // HTTPConfig is the HTTP configuration of an entry point.
 type HTTPConfig struct {
-	Redirections          *Redirections `description:"Set of redirection" json:"redirections,omitempty" toml:"redirections,omitempty" yaml:"redirections,omitempty" export:"true"`
-	Middlewares           []string      `description:"Default middlewares for the routers linked to the entry point." json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
-	TLS                   *TLSConfig    `description:"Default TLS configuration for the routers linked to the entry point." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
-	EncodeQuerySemicolons bool          `description:"Defines whether request query semicolons should be URLEncoded." json:"encodeQuerySemicolons,omitempty" toml:"encodeQuerySemicolons,omitempty" yaml:"encodeQuerySemicolons,omitempty" export:"true"`
-	SanitizePath          *bool         `description:"Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences)." json:"sanitizePath,omitempty" toml:"sanitizePath,omitempty" yaml:"sanitizePath,omitempty" export:"true"`
+	Redirections          *Redirections     `description:"Set of redirection" json:"redirections,omitempty" toml:"redirections,omitempty" yaml:"redirections,omitempty" export:"true"`
+	Middlewares           []string          `description:"Default middlewares for the routers linked to the entry point." json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
+	TLS                   *TLSConfig        `description:"Default TLS configuration for the routers linked to the entry point." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	EncodedCharacters     EncodedCharacters `description:"Defines which encoded characters are allowed in the request path." json:"encodedCharacters,omitempty" toml:"encodedCharacters,omitempty" yaml:"encodedCharacters,omitempty" export:"true"`
+	EncodeQuerySemicolons bool              `description:"Defines whether request query semicolons should be URLEncoded." json:"encodeQuerySemicolons,omitempty" toml:"encodeQuerySemicolons,omitempty" yaml:"encodeQuerySemicolons,omitempty" export:"true"`
+	SanitizePath          *bool             `description:"Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences)." json:"sanitizePath,omitempty" toml:"sanitizePath,omitempty" yaml:"sanitizePath,omitempty" export:"true"`
 }

 // SetDefaults sets the default values.
@@ -72,6 +73,50 @@ func (h *HTTPConfig) SetDefaults() {
 	h.SanitizePath = &sanitizePath
 }

+// EncodedCharacters configures which encoded characters are allowed in the request path.
+type EncodedCharacters struct {
+	AllowEncodedSlash         bool `description:"Defines whether requests with encoded slash characters in the path are allowed." json:"allowEncodedSlash,omitempty" toml:"allowEncodedSlash,omitempty" yaml:"allowEncodedSlash,omitempty" export:"true"`
+	AllowEncodedBackSlash     bool `description:"Defines whether requests with encoded back slash characters in the path are allowed." json:"allowEncodedBackSlash,omitempty" toml:"allowEncodedBackSlash,omitempty" yaml:"allowEncodedBackSlash,omitempty" export:"true"`
+	AllowEncodedNullCharacter bool `description:"Defines whether requests with encoded null characters in the path are allowed." json:"allowEncodedNullCharacter,omitempty" toml:"allowEncodedNullCharacter,omitempty" yaml:"allowEncodedNullCharacter,omitempty" export:"true"`
+	AllowEncodedSemicolon     bool `description:"Defines whether requests with encoded semicolon characters in the path are allowed." json:"allowEncodedSemicolon,omitempty" toml:"allowEncodedSemicolon,omitempty" yaml:"allowEncodedSemicolon,omitempty" export:"true"`
+	AllowEncodedPercent       bool `description:"Defines whether requests with encoded percent characters in the path are allowed." json:"allowEncodedPercent,omitempty" toml:"allowEncodedPercent,omitempty" yaml:"allowEncodedPercent,omitempty" export:"true"`
+	AllowEncodedQuestionMark  bool `description:"Defines whether requests with encoded question mark characters in the path are allowed." json:"allowEncodedQuestionMark,omitempty" toml:"allowEncodedQuestionMark,omitempty" yaml:"allowEncodedQuestionMark,omitempty" export:"true"`
+	AllowEncodedHash          bool `description:"Defines whether requests with encoded hash characters in the path are allowed." json:"allowEncodedHash,omitempty" toml:"allowEncodedHash,omitempty" yaml:"allowEncodedHash,omitempty" export:"true"`
+}
+
+// Map returns a map of unallowed encoded characters.
+func (h *EncodedCharacters) Map() map[string]struct{} {
+	characters := make(map[string]struct{})
+
+	if !h.AllowEncodedSlash {
+		characters["%2F"] = struct{}{}
+		characters["%2f"] = struct{}{}
+	}
+	if !h.AllowEncodedBackSlash {
+		characters["%5C"] = struct{}{}
+		characters["%5c"] = struct{}{}
+	}
+	if !h.AllowEncodedNullCharacter {
+		characters["%00"] = struct{}{}
+	}
+	if !h.AllowEncodedSemicolon {
+		characters["%3B"] = struct{}{}
+		characters["%3b"] = struct{}{}
+	}
+	if !h.AllowEncodedPercent {
+		characters["%25"] = struct{}{}
+	}
+	if !h.AllowEncodedQuestionMark {
+		characters["%3F"] = struct{}{}
+		characters["%3f"] = struct{}{}
+	}
+	if !h.AllowEncodedHash {
+		characters["%23"] = struct{}{}
+	}
+
+	return characters
+}
+
 // HTTP2Config is the HTTP2 configuration of an entry point.
 type HTTP2Config struct {
 	MaxConcurrentStreams int32 `description:"Specifies the number of concurrent streams per connection that each client is allowed to initiate." json:"maxConcurrentStreams,omitempty" toml:"maxConcurrentStreams,omitempty" yaml:"maxConcurrentStreams,omitempty" export:"true"`
--- a/pkg/config/static/entrypoints_test.go
+++ b/pkg/config/static/entrypoints_test.go
@@ -65,3 +65,161 @@ func TestEntryPointProtocol(t *testing.T) {
 		})
 	}
 }
+
+func TestEncodedCharactersMap(t *testing.T) {
+	tests := []struct {
+		name     string
+		config   EncodedCharacters
+		expected map[string]struct{}
+	}{
+		{
+			name: "Handles empty configuration",
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+		{
+			name: "Exclude encoded slash when allowed",
+			config: EncodedCharacters{
+				AllowEncodedSlash: true,
+			},
+			expected: map[string]struct{}{
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+
+		{
+			name: "Exclude encoded backslash when allowed",
+			config: EncodedCharacters{
+				AllowEncodedBackSlash: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+
+		{
+			name: "Exclude encoded null character when allowed",
+			config: EncodedCharacters{
+				AllowEncodedNullCharacter: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+		{
+			name: "Exclude encoded semicolon when allowed",
+			config: EncodedCharacters{
+				AllowEncodedSemicolon: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+		{
+			name: "Exclude encoded percent when allowed",
+			config: EncodedCharacters{
+				AllowEncodedPercent: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%3F": {},
+				"%3f": {},
+				"%23": {},
+			},
+		},
+		{
+			name: "Exclude encoded question mark when allowed",
+			config: EncodedCharacters{
+				AllowEncodedQuestionMark: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%23": {},
+			},
+		},
+		{
+			name: "Exclude encoded hash when allowed",
+			config: EncodedCharacters{
+				AllowEncodedHash: true,
+			},
+			expected: map[string]struct{}{
+				"%2F": {},
+				"%2f": {},
+				"%5C": {},
+				"%5c": {},
+				"%00": {},
+				"%3B": {},
+				"%3b": {},
+				"%25": {},
+				"%3F": {},
+				"%3f": {},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			result := test.config.Map()
+			require.Equal(t, test.expected, result)
+		})
+	}
+}
--- a/pkg/config/static/static_config.go
+++ b/pkg/config/static/static_config.go
@@ -273,6 +273,25 @@ func (c *Configuration) SetEffectiveConfiguration() {
 		c.Providers.KubernetesGateway.EntryPoints = entryPoints
 	}

+	for _, resolver := range c.CertificatesResolvers {
+		if resolver.ACME == nil {
+			continue
+		}
+
+		if resolver.ACME.DNSChallenge == nil {
+			continue
+		}
+
+		switch resolver.ACME.DNSChallenge.Provider {
+		case "googledomains", "cloudxns", "brandit":
+			log.WithoutContext().Warnf("%s DNS provider is deprecated.", resolver.ACME.DNSChallenge.Provider)
+		case "dnspod":
+			log.WithoutContext().Warnf("%s provider is deprecated, please use 'tencentcloud' provider instead.", resolver.ACME.DNSChallenge.Provider)
+		case "azure":
+			log.WithoutContext().Warnf("%s provider is deprecated, please use 'azuredns' provider instead.", resolver.ACME.DNSChallenge.Provider)
+		}
+	}
+
 	c.initACMEProvider()
 }

--- a/pkg/healthcheck/healthcheck_test.go
+++ b/pkg/healthcheck/healthcheck_test.go
@@ -101,7 +101,7 @@ func TestSetBackendsConfiguration(t *testing.T) {

 			// The context is passed to the health check and canonically canceled by
 			// the test server once all expected requests have been received.
-			ctx, cancel := context.WithCancel(context.Background())
+			ctx, cancel := context.WithCancel(t.Context())
 			defer cancel()
 			ts := newTestServer(cancel, test.healthSequence)
 			defer ts.Close()
@@ -568,7 +568,7 @@ func TestNotFollowingRedirects(t *testing.T) {
 	}))
 	defer redirectTestServer.Close()

-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(t.Context())
 	defer cancel()

 	server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
--- a/pkg/log/log_test.go
+++ b/pkg/log/log_test.go
@@ -2,7 +2,6 @@ package log

 import (
 	"bytes"
-	"context"
 	"strings"
 	"testing"

@@ -42,7 +41,7 @@ func TestLog(t *testing.T) {
 			var buffer bytes.Buffer
 			SetOutput(&buffer)

-			ctx := context.Background()
+			ctx := t.Context()

 			for key, value := range test.fields {
 				ctx = With(ctx, Str(key, value))
--- a/pkg/metrics/datadog_test.go
+++ b/pkg/metrics/datadog_test.go
@@ -1,7 +1,6 @@
 package metrics

 import (
-	"context"
 	"net/http"
 	"strconv"
 	"testing"
@@ -17,7 +16,7 @@ func TestDatadog(t *testing.T) {
 	// This is needed to make sure that UDP Listener listens for data a bit longer, otherwise it will quit after a millisecond
 	udp.Timeout = 5 * time.Second

-	datadogRegistry := RegisterDatadog(context.Background(), &types.Datadog{Address: ":18125", PushInterval: ptypes.Duration(time.Second), AddEntryPointsLabels: true, AddRoutersLabels: true, AddServicesLabels: true})
+	datadogRegistry := RegisterDatadog(t.Context(), &types.Datadog{Address: ":18125", PushInterval: ptypes.Duration(time.Second), AddEntryPointsLabels: true, AddRoutersLabels: true, AddServicesLabels: true})
 	defer StopDatadog()

 	if !datadogRegistry.IsEpEnabled() || !datadogRegistry.IsRouterEnabled() || !datadogRegistry.IsSvcEnabled() {
@@ -35,7 +34,7 @@ func TestDatadogWithPrefix(t *testing.T) {
 	// This is needed to make sure that UDP Listener listens for data a bit longer, otherwise it will quit after a millisecond
 	udp.Timeout = 5 * time.Second

-	datadogRegistry := RegisterDatadog(context.Background(), &types.Datadog{Prefix: "testPrefix", Address: ":18125", PushInterval: ptypes.Duration(time.Second), AddEntryPointsLabels: true, AddRoutersLabels: true, AddServicesLabels: true})
+	datadogRegistry := RegisterDatadog(t.Context(), &types.Datadog{Prefix: "testPrefix", Address: ":18125", PushInterval: ptypes.Duration(time.Second), AddEntryPointsLabels: true, AddRoutersLabels: true, AddServicesLabels: true})

 	testDatadogRegistry(t, "testPrefix", datadogRegistry)
 }
--- a/pkg/metrics/influxdb2_test.go
+++ b/pkg/metrics/influxdb2_test.go
@@ -1,7 +1,6 @@
 package metrics

 import (
-	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -27,7 +26,7 @@ func TestInfluxDB2(t *testing.T) {
 	}))
 	defer ts.Close()

-	influxDB2Registry := RegisterInfluxDB2(context.Background(),
+	influxDB2Registry := RegisterInfluxDB2(t.Context(),
 		&types.InfluxDB2{
 			Address:              ts.URL,
 			Token:                "test-token",
--- a/pkg/metrics/influxdb_test.go
+++ b/pkg/metrics/influxdb_test.go
@@ -1,7 +1,6 @@
 package metrics

 import (
-	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -23,7 +22,7 @@ func TestInfluxDB(t *testing.T) {
 	udp.Timeout = 5 * time.Second

 	influxDBClient = nil
-	influxDBRegistry := RegisterInfluxDB(context.Background(),
+	influxDBRegistry := RegisterInfluxDB(t.Context(),
 		&types.InfluxDB{
 			Address:              ":8089",
 			PushInterval:         ptypes.Duration(time.Second),
@@ -147,7 +146,7 @@ func TestInfluxDBHTTP(t *testing.T) {
 	defer ts.Close()

 	influxDBClient = nil
-	influxDBRegistry := RegisterInfluxDB(context.Background(),
+	influxDBRegistry := RegisterInfluxDB(t.Context(),
 		&types.InfluxDB{
 			Address:              ts.URL,
 			Protocol:             "http",
--- a/pkg/metrics/prometheus_test.go
+++ b/pkg/metrics/prometheus_test.go
@@ -1,7 +1,6 @@
 package metrics

 import (
-	"context"
 	"fmt"
 	"net/http"
 	"strconv"
@@ -70,7 +69,7 @@ func TestRegisterPromState(t *testing.T) {
 				if test.initPromState {
 					initStandardRegistry(prom)
 				}
-				if registerPromState(context.Background()) {
+				if registerPromState(t.Context()) {
 					actualNbRegistries++
 				}
 				if test.unregisterPromState {
@@ -91,7 +90,7 @@ func TestPrometheus(t *testing.T) {
 	promRegistry = prometheus.NewRegistry()
 	t.Cleanup(promState.reset)

-	prometheusRegistry := RegisterPrometheus(context.Background(), &types.Prometheus{
+	prometheusRegistry := RegisterPrometheus(t.Context(), &types.Prometheus{
 		AddEntryPointsLabels: true,
 		AddRoutersLabels:     true,
 		AddServicesLabels:    true,
@@ -443,7 +442,7 @@ func TestPrometheusMetricRemoval(t *testing.T) {
 	promRegistry = prometheus.NewRegistry()
 	t.Cleanup(promState.reset)

-	prometheusRegistry := RegisterPrometheus(context.Background(), &types.Prometheus{AddEntryPointsLabels: true, AddServicesLabels: true, AddRoutersLabels: true})
+	prometheusRegistry := RegisterPrometheus(t.Context(), &types.Prometheus{AddEntryPointsLabels: true, AddServicesLabels: true, AddRoutersLabels: true})
 	defer promRegistry.Unregister(promState)

 	conf1 := dynamic.Configuration{
@@ -534,7 +533,7 @@ func TestPrometheusMetricRemoveEndpointForRecoveredService(t *testing.T) {
 	promRegistry = prometheus.NewRegistry()
 	t.Cleanup(promState.reset)

-	prometheusRegistry := RegisterPrometheus(context.Background(), &types.Prometheus{AddServicesLabels: true})
+	prometheusRegistry := RegisterPrometheus(t.Context(), &types.Prometheus{AddServicesLabels: true})
 	defer promRegistry.Unregister(promState)

 	conf1 := dynamic.Configuration{
@@ -573,7 +572,7 @@ func TestPrometheusMetricRemoveEndpointForRecoveredService(t *testing.T) {
 func TestPrometheusRemovedMetricsReset(t *testing.T) {
 	t.Cleanup(promState.reset)

-	prometheusRegistry := RegisterPrometheus(context.Background(), &types.Prometheus{AddEntryPointsLabels: true, AddServicesLabels: true})
+	prometheusRegistry := RegisterPrometheus(t.Context(), &types.Prometheus{AddEntryPointsLabels: true, AddServicesLabels: true})
 	defer promRegistry.Unregister(promState)

 	conf1 := dynamic.Configuration{
--- a/pkg/metrics/statsd_test.go
+++ b/pkg/metrics/statsd_test.go
@@ -1,7 +1,6 @@
 package metrics

 import (
-	"context"
 	"net/http"
 	"strconv"
 	"testing"
@@ -21,7 +20,7 @@ func TestStatsD(t *testing.T) {
 	// This is needed to make sure that UDP Listener listens for data a bit longer, otherwise it will quit after a millisecond
 	udp.Timeout = 5 * time.Second

-	statsdRegistry := RegisterStatsd(context.Background(), &types.Statsd{Address: ":18125", PushInterval: ptypes.Duration(time.Second), AddEntryPointsLabels: true, AddRoutersLabels: true, AddServicesLabels: true})
+	statsdRegistry := RegisterStatsd(t.Context(), &types.Statsd{Address: ":18125", PushInterval: ptypes.Duration(time.Second), AddEntryPointsLabels: true, AddRoutersLabels: true, AddServicesLabels: true})

 	testRegistry(t, defaultMetricsPrefix, statsdRegistry)
 }
@@ -35,7 +34,7 @@ func TestStatsDWithPrefix(t *testing.T) {
 	// This is needed to make sure that UDP Listener listens for data a bit longer, otherwise it will quit after a millisecond
 	udp.Timeout = 5 * time.Second

-	statsdRegistry := RegisterStatsd(context.Background(), &types.Statsd{Address: ":18125", PushInterval: ptypes.Duration(time.Second), AddEntryPointsLabels: true, AddRoutersLabels: true, AddServicesLabels: true, Prefix: "testPrefix"})
+	statsdRegistry := RegisterStatsd(t.Context(), &types.Statsd{Address: ":18125", PushInterval: ptypes.Duration(time.Second), AddEntryPointsLabels: true, AddRoutersLabels: true, AddServicesLabels: true, Prefix: "testPrefix"})

 	testRegistry(t, "testPrefix", statsdRegistry)
 }
--- a/pkg/middlewares/accesslog/logger_test.go
+++ b/pkg/middlewares/accesslog/logger_test.go
@@ -926,7 +926,7 @@ func doLoggingWithAbortedStream(t *testing.T, config *types.AccessLog) {
 		require.NoError(t, err, "logger should create "+config.FilePath)
 	}

-	reqContext, cancelRequest := context.WithCancel(context.Background())
+	reqContext, cancelRequest := context.WithCancel(t.Context())

 	req := &http.Request{
 		Header: map[string][]string{
--- a/pkg/middlewares/addprefix/add_prefix_test.go
+++ b/pkg/middlewares/addprefix/add_prefix_test.go
@@ -1,7 +1,6 @@
 package addprefix

 import (
-	"context"
 	"net/http"
 	"testing"

@@ -34,7 +33,7 @@ func TestNewAddPrefix(t *testing.T) {

 			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})

-			_, err := New(context.Background(), next, test.prefix, "foo-add-prefix")
+			_, err := New(t.Context(), next, test.prefix, "foo-add-prefix")
 			if test.expectsError {
 				assert.Error(t, err)
 			} else {
@@ -87,7 +86,7 @@ func TestAddPrefix(t *testing.T) {

 			req := testhelpers.MustNewRequest(http.MethodGet, "http://localhost"+test.path, nil)

-			handler, err := New(context.Background(), next, test.prefix, "foo-add-prefix")
+			handler, err := New(t.Context(), next, test.prefix, "foo-add-prefix")
 			require.NoError(t, err)

 			handler.ServeHTTP(nil, req)
--- a/pkg/middlewares/auth/basic_auth_test.go
+++ b/pkg/middlewares/auth/basic_auth_test.go
@@ -1,7 +1,6 @@
 package auth

 import (
-	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -23,13 +22,13 @@ func TestBasicAuthFail(t *testing.T) {
 	auth := dynamic.BasicAuth{
 		Users: []string{"test"},
 	}
-	_, err := NewBasic(context.Background(), next, auth, "authName")
+	_, err := NewBasic(t.Context(), next, auth, "authName")
 	require.Error(t, err)

 	auth2 := dynamic.BasicAuth{
 		Users: []string{"test:test"},
 	}
-	authMiddleware, err := NewBasic(context.Background(), next, auth2, "authTest")
+	authMiddleware, err := NewBasic(t.Context(), next, auth2, "authTest")
 	require.NoError(t, err)

 	ts := httptest.NewServer(authMiddleware)
@@ -52,7 +51,7 @@ func TestBasicAuthSuccess(t *testing.T) {
 	auth := dynamic.BasicAuth{
 		Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"},
 	}
-	authMiddleware, err := NewBasic(context.Background(), next, auth, "authName")
+	authMiddleware, err := NewBasic(t.Context(), next, auth, "authName")
 	require.NoError(t, err)

 	ts := httptest.NewServer(authMiddleware)
@@ -83,7 +82,7 @@ func TestBasicAuthUserHeader(t *testing.T) {
 		Users:       []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"},
 		HeaderField: "X-Webauth-User",
 	}
-	middleware, err := NewBasic(context.Background(), next, auth, "authName")
+	middleware, err := NewBasic(t.Context(), next, auth, "authName")
 	require.NoError(t, err)

 	ts := httptest.NewServer(middleware)
@@ -114,7 +113,7 @@ func TestBasicAuthHeaderRemoved(t *testing.T) {
 		RemoveHeader: true,
 		Users:        []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"},
 	}
-	middleware, err := NewBasic(context.Background(), next, auth, "authName")
+	middleware, err := NewBasic(t.Context(), next, auth, "authName")
 	require.NoError(t, err)

 	ts := httptest.NewServer(middleware)
@@ -145,7 +144,7 @@ func TestBasicAuthHeaderPresent(t *testing.T) {
 	auth := dynamic.BasicAuth{
 		Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"},
 	}
-	middleware, err := NewBasic(context.Background(), next, auth, "authName")
+	middleware, err := NewBasic(t.Context(), next, auth, "authName")
 	require.NoError(t, err)

 	ts := httptest.NewServer(middleware)
@@ -231,7 +230,7 @@ func TestBasicAuthUsersFromFile(t *testing.T) {
 				fmt.Fprintln(w, "traefik")
 			})

-			authenticator, err := NewBasic(context.Background(), next, authenticatorConfiguration, "authName")
+			authenticator, err := NewBasic(t.Context(), next, authenticatorConfiguration, "authName")
 			require.NoError(t, err)

 			ts := httptest.NewServer(authenticator)
--- a/pkg/middlewares/auth/digest_auth_test.go
+++ b/pkg/middlewares/auth/digest_auth_test.go
@@ -1,7 +1,6 @@
 package auth

 import (
-	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -23,7 +22,7 @@ func TestDigestAuthError(t *testing.T) {
 	auth := dynamic.DigestAuth{
 		Users: []string{"test"},
 	}
-	_, err := NewDigest(context.Background(), next, auth, "authName")
+	_, err := NewDigest(t.Context(), next, auth, "authName")
 	assert.Error(t, err)
 }

@@ -35,7 +34,7 @@ func TestDigestAuthFail(t *testing.T) {
 	auth := dynamic.DigestAuth{
 		Users: []string{"test:traefik:a2688e031edb4be6a3797f3882655c05"},
 	}
-	authMiddleware, err := NewDigest(context.Background(), next, auth, "authName")
+	authMiddleware, err := NewDigest(t.Context(), next, auth, "authName")
 	require.NoError(t, err)
 	assert.NotNil(t, authMiddleware, "this should not be nil")

@@ -109,7 +108,7 @@ func TestDigestAuthUsersFromFile(t *testing.T) {
 				fmt.Fprintln(w, "traefik")
 			})

-			authenticator, err := NewDigest(context.Background(), next, authenticatorConfiguration, "authName")
+			authenticator, err := NewDigest(t.Context(), next, authenticatorConfiguration, "authName")
 			require.NoError(t, err)

 			ts := httptest.NewServer(authenticator)
--- a/pkg/middlewares/auth/forward_test.go
+++ b/pkg/middlewares/auth/forward_test.go
@@ -1,7 +1,6 @@
 package auth

 import (
-	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -30,7 +29,7 @@ func TestForwardAuthFail(t *testing.T) {
 	}))
 	t.Cleanup(server.Close)

-	middleware, err := NewForward(context.Background(), next, dynamic.ForwardAuth{
+	middleware, err := NewForward(t.Context(), next, dynamic.ForwardAuth{
 		Address: server.URL,
 	}, "authTest")
 	require.NoError(t, err)
@@ -77,7 +76,7 @@ func TestForwardAuthSuccess(t *testing.T) {
 		AuthResponseHeaders:      []string{"X-Auth-User", "X-Auth-Group"},
 		AuthResponseHeadersRegex: "^Foo-",
 	}
-	middleware, err := NewForward(context.Background(), next, auth, "authTest")
+	middleware, err := NewForward(t.Context(), next, auth, "authTest")
 	require.NoError(t, err)

 	ts := httptest.NewServer(middleware)
@@ -110,7 +109,7 @@ func TestForwardAuthRedirect(t *testing.T) {

 	auth := dynamic.ForwardAuth{Address: authTs.URL}

-	authMiddleware, err := NewForward(context.Background(), next, auth, "authTest")
+	authMiddleware, err := NewForward(t.Context(), next, auth, "authTest")
 	require.NoError(t, err)

 	ts := httptest.NewServer(authMiddleware)
@@ -161,7 +160,7 @@ func TestForwardAuthRemoveHopByHopHeaders(t *testing.T) {

 	auth := dynamic.ForwardAuth{Address: authTs.URL}

-	authMiddleware, err := NewForward(context.Background(), next, auth, "authTest")
+	authMiddleware, err := NewForward(t.Context(), next, auth, "authTest")
 	require.NoError(t, err)

 	ts := httptest.NewServer(authMiddleware)
@@ -207,7 +206,7 @@ func TestForwardAuthFailResponseHeaders(t *testing.T) {
 	auth := dynamic.ForwardAuth{
 		Address: authTs.URL,
 	}
-	authMiddleware, err := NewForward(context.Background(), next, auth, "authTest")
+	authMiddleware, err := NewForward(t.Context(), next, auth, "authTest")
 	require.NoError(t, err)

 	ts := httptest.NewServer(authMiddleware)
@@ -469,10 +468,10 @@ func TestForwardAuthUsesTracing(t *testing.T) {

 	tr, _ := tracing.NewTracing("testApp", 100, &mockBackend{tracer})

-	next, err := NewForward(context.Background(), next, auth, "authTest")
+	next, err := NewForward(t.Context(), next, auth, "authTest")
 	require.NoError(t, err)

-	next = tracingMiddleware.NewEntryPoint(context.Background(), tr, "tracingTest", next)
+	next = tracingMiddleware.NewEntryPoint(t.Context(), tr, "tracingTest", next)

 	ts := httptest.NewServer(next)
 	t.Cleanup(ts.Close)
--- a/pkg/middlewares/buffering/buffering_test.go
+++ b/pkg/middlewares/buffering/buffering_test.go
@@ -2,7 +2,6 @@ package buffering

 import (
 	"bytes"
-	"context"
 	"crypto/rand"
 	"math"
 	"net/http"
@@ -57,7 +56,7 @@ func TestBuffering(t *testing.T) {
 				require.NoError(t, err)
 			})

-			buffMiddleware, err := New(context.Background(), next, test.config, "foo")
+			buffMiddleware, err := New(t.Context(), next, test.config, "foo")
 			require.NoError(t, err)

 			req := httptest.NewRequest(http.MethodPost, "http://localhost", bytes.NewBuffer(test.body))
--- a/pkg/middlewares/compress/compress_test.go
+++ b/pkg/middlewares/compress/compress_test.go
@@ -1,7 +1,6 @@
 package compress

 import (
-	"context"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -34,7 +33,7 @@ func TestShouldCompressWhenNoContentEncodingHeader(t *testing.T) {
 		_, err := rw.Write(baseBody)
 		assert.NoError(t, err)
 	})
-	handler, err := New(context.Background(), next, dynamic.Compress{}, "testing")
+	handler, err := New(t.Context(), next, dynamic.Compress{}, "testing")
 	require.NoError(t, err)

 	rw := httptest.NewRecorder()
@@ -61,7 +60,7 @@ func TestShouldNotCompressWhenContentEncodingHeader(t *testing.T) {
 			http.Error(rw, err.Error(), http.StatusInternalServerError)
 		}
 	})
-	handler, err := New(context.Background(), next, dynamic.Compress{}, "testing")
+	handler, err := New(t.Context(), next, dynamic.Compress{}, "testing")
 	require.NoError(t, err)

 	rw := httptest.NewRecorder()
@@ -83,7 +82,7 @@ func TestShouldNotCompressWhenNoAcceptEncodingHeader(t *testing.T) {
 			http.Error(rw, err.Error(), http.StatusInternalServerError)
 		}
 	})
-	handler, err := New(context.Background(), next, dynamic.Compress{}, "testing")
+	handler, err := New(t.Context(), next, dynamic.Compress{}, "testing")
 	require.NoError(t, err)

 	rw := httptest.NewRecorder()
@@ -144,7 +143,7 @@ func TestShouldNotCompressWhenSpecificContentType(t *testing.T) {
 				}
 			})

-			handler, err := New(context.Background(), next, test.conf, "test")
+			handler, err := New(t.Context(), next, test.conf, "test")
 			require.NoError(t, err)

 			rw := httptest.NewRecorder()
@@ -194,7 +193,7 @@ func TestIntegrationShouldNotCompress(t *testing.T) {

 	for _, test := range testCases {
 		t.Run(test.name, func(t *testing.T) {
-			compress, err := New(context.Background(), test.handler, dynamic.Compress{}, "testing")
+			compress, err := New(t.Context(), test.handler, dynamic.Compress{}, "testing")
 			require.NoError(t, err)

 			ts := httptest.NewServer(compress)
@@ -229,7 +228,7 @@ func TestShouldWriteHeaderWhenFlush(t *testing.T) {
 			http.Error(rw, err.Error(), http.StatusInternalServerError)
 		}
 	})
-	handler, err := New(context.Background(), next, dynamic.Compress{}, "testing")
+	handler, err := New(t.Context(), next, dynamic.Compress{}, "testing")
 	require.NoError(t, err)

 	ts := httptest.NewServer(handler)
@@ -280,7 +279,7 @@ func TestIntegrationShouldCompress(t *testing.T) {

 	for _, test := range testCases {
 		t.Run(test.name, func(t *testing.T) {
-			compress, err := New(context.Background(), test.handler, dynamic.Compress{}, "testing")
+			compress, err := New(t.Context(), test.handler, dynamic.Compress{}, "testing")
 			require.NoError(t, err)

 			ts := httptest.NewServer(compress)
@@ -337,7 +336,7 @@ func TestMinResponseBodyBytes(t *testing.T) {
 				}
 			})

-			handler, err := New(context.Background(), next, dynamic.Compress{MinResponseBodyBytes: test.minResponseBodyBytes}, "testing")
+			handler, err := New(t.Context(), next, dynamic.Compress{MinResponseBodyBytes: test.minResponseBodyBytes}, "testing")
 			require.NoError(t, err)

 			rw := httptest.NewRecorder()
@@ -373,7 +372,7 @@ func Test1xxResponses(t *testing.T) {
 		}
 	})

-	compress, err := New(context.Background(), next, dynamic.Compress{MinResponseBodyBytes: 1024}, "testing")
+	compress, err := New(t.Context(), next, dynamic.Compress{MinResponseBodyBytes: 1024}, "testing")
 	require.NoError(t, err)

 	server := httptest.NewServer(compress)
@@ -417,7 +416,7 @@ func Test1xxResponses(t *testing.T) {
 			return nil
 		},
 	}
-	req, _ := http.NewRequestWithContext(httptrace.WithClientTrace(context.Background(), trace), http.MethodGet, server.URL, nil)
+	req, _ := http.NewRequestWithContext(httptrace.WithClientTrace(t.Context(), trace), http.MethodGet, server.URL, nil)
 	req.Header.Add(acceptEncodingHeader, gzipValue)

 	res, err := frontendClient.Do(req)
@@ -478,7 +477,7 @@ func BenchmarkCompress(b *testing.B) {
 				_, err := rw.Write(baseBody)
 				assert.NoError(b, err)
 			})
-			handler, _ := New(context.Background(), next, dynamic.Compress{}, "testing")
+			handler, _ := New(b.Context(), next, dynamic.Compress{}, "testing")

 			req, _ := http.NewRequest(http.MethodGet, "/whatever", nil)
 			req.Header.Set("Accept-Encoding", "gzip")
--- a/pkg/middlewares/customerrors/custom_errors_test.go
+++ b/pkg/middlewares/customerrors/custom_errors_test.go
@@ -170,7 +170,7 @@ func TestHandler(t *testing.T) {
 				}
 				_, _ = fmt.Fprintln(w, http.StatusText(test.backendCode))
 			})
-			errorPageHandler, err := New(context.Background(), handler, *test.errorPage, serviceBuilderMock, "test")
+			errorPageHandler, err := New(t.Context(), handler, *test.errorPage, serviceBuilderMock, "test")
 			require.NoError(t, err)

 			req := testhelpers.MustNewRequest(http.MethodGet, "http://localhost/test?foo=bar&baz=buz", nil)
@@ -205,7 +205,7 @@ func Test1xxResponses(t *testing.T) {

 	config := dynamic.ErrorPage{Service: "error", Query: "/", Status: []string{"200"}}

-	errorPageHandler, err := New(context.Background(), next, config, serviceBuilderMock, "test")
+	errorPageHandler, err := New(t.Context(), next, config, serviceBuilderMock, "test")
 	require.NoError(t, err)

 	server := httptest.NewServer(errorPageHandler)
@@ -249,7 +249,7 @@ func Test1xxResponses(t *testing.T) {
 			return nil
 		},
 	}
-	req, _ := http.NewRequestWithContext(httptrace.WithClientTrace(context.Background(), trace), http.MethodGet, server.URL, nil)
+	req, _ := http.NewRequestWithContext(httptrace.WithClientTrace(t.Context(), trace), http.MethodGet, server.URL, nil)

 	res, err := frontendClient.Do(req)
 	assert.NoError(t, err)
--- a/pkg/middlewares/headers/headers_test.go
+++ b/pkg/middlewares/headers/headers_test.go
@@ -3,7 +3,6 @@ package headers
 // Middleware tests based on https://github.com/unrolled/secure

 import (
-	"context"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -20,7 +19,7 @@ import (
 func TestNew_withoutOptions(t *testing.T) {
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })

-	mid, err := New(context.Background(), next, dynamic.Headers{}, "testing")
+	mid, err := New(t.Context(), next, dynamic.Headers{}, "testing")
 	require.Errorf(t, err, "headers configuration not valid")

 	assert.Nil(t, mid)
@@ -55,7 +54,7 @@ func TestNew_allowedHosts(t *testing.T) {
 		AllowedHosts: []string{"foo.com", "bar.com"},
 	}

-	mid, err := New(context.Background(), emptyHandler, cfg, "foo")
+	mid, err := New(t.Context(), emptyHandler, cfg, "foo")
 	require.NoError(t, err)

 	for _, test := range testCases {
@@ -86,7 +85,7 @@ func TestNew_customHeaders(t *testing.T) {
 		},
 	}

-	mid, err := New(context.Background(), next, cfg, "testing")
+	mid, err := New(t.Context(), next, cfg, "testing")
 	require.NoError(t, err)

 	req := httptest.NewRequest(http.MethodGet, "/foo", nil)
@@ -134,7 +133,7 @@ func Test1xxResponses(t *testing.T) {
 		},
 	}

-	mid, err := New(context.Background(), next, cfg, "testing")
+	mid, err := New(t.Context(), next, cfg, "testing")
 	require.NoError(t, err)

 	server := httptest.NewServer(mid)
@@ -178,7 +177,7 @@ func Test1xxResponses(t *testing.T) {
 			return nil
 		},
 	}
-	req, _ := http.NewRequestWithContext(httptrace.WithClientTrace(context.Background(), trace), http.MethodGet, server.URL, nil)
+	req, _ := http.NewRequestWithContext(httptrace.WithClientTrace(t.Context(), trace), http.MethodGet, server.URL, nil)

 	res, err := frontendClient.Do(req)
 	assert.NoError(t, err)
--- a/pkg/middlewares/ipallowlist/ip_allowlist_test.go
+++ b/pkg/middlewares/ipallowlist/ip_allowlist_test.go
@@ -1,7 +1,6 @@
 package ipallowlist

 import (
-	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -37,7 +36,7 @@ func TestNewIPAllowLister(t *testing.T) {
 			t.Parallel()

 			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
-			allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
+			allowLister, err := New(t.Context(), next, test.allowList, "traefikTest")

 			if test.expectedError {
 				assert.Error(t, err)
@@ -79,7 +78,7 @@ func TestIPAllowLister_ServeHTTP(t *testing.T) {
 			t.Parallel()

 			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
-			allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
+			allowLister, err := New(t.Context(), next, test.allowList, "traefikTest")
 			require.NoError(t, err)

 			recorder := httptest.NewRecorder()
--- a/pkg/middlewares/ipwhitelist/ip_whitelist_test.go
+++ b/pkg/middlewares/ipwhitelist/ip_whitelist_test.go
@@ -1,7 +1,6 @@
 package ipwhitelist

 import (
-	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -37,7 +36,7 @@ func TestNewIPWhiteLister(t *testing.T) {
 			t.Parallel()

 			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
-			whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
+			whiteLister, err := New(t.Context(), next, test.whiteList, "traefikTest")

 			if test.expectedError {
 				assert.Error(t, err)
@@ -79,7 +78,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
 			t.Parallel()

 			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
-			whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
+			whiteLister, err := New(t.Context(), next, test.whiteList, "traefikTest")
 			require.NoError(t, err)

 			recorder := httptest.NewRecorder()
--- a/pkg/middlewares/passtlsclientcert/pass_tls_client_cert_test.go
+++ b/pkg/middlewares/passtlsclientcert/pass_tls_client_cert_test.go
@@ -1,7 +1,6 @@
 package passtlsclientcert

 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
@@ -313,7 +312,7 @@ func TestPassTLSClientCert_PEM(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

-			tlsClientHeaders, err := New(context.Background(), next, test.config, "foo")
+			tlsClientHeaders, err := New(t.Context(), next, test.config, "foo")
 			require.NoError(t, err)

 			res := httptest.NewRecorder()
@@ -535,7 +534,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

-			tlsClientHeaders, err := New(context.Background(), next, test.config, "foo")
+			tlsClientHeaders, err := New(t.Context(), next, test.config, "foo")
 			require.NoError(t, err)

 			res := httptest.NewRecorder()
--- a/pkg/middlewares/pipelining/pipelining_test.go
+++ b/pkg/middlewares/pipelining/pipelining_test.go
@@ -1,7 +1,6 @@
 package pipelining

 import (
-	"context"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -62,7 +61,7 @@ func TestNew(t *testing.T) {
 				assert.Equal(t, test.implementCloseNotifier, ok)
 				w.WriteHeader(http.StatusOK)
 			})
-			handler := New(context.Background(), nextHandler, "pipe")
+			handler := New(t.Context(), nextHandler, "pipe")

 			req := httptest.NewRequest(test.HTTPMethod, "http://localhost", nil)

@@ -87,7 +86,7 @@ func Test1xxResponses(t *testing.T) {
 		_, _ = w.Write([]byte("Hello"))
 	})

-	pipe := New(context.Background(), next, "pipe")
+	pipe := New(t.Context(), next, "pipe")

 	server := httptest.NewServer(pipe)
 	t.Cleanup(server.Close)
@@ -130,7 +129,7 @@ func Test1xxResponses(t *testing.T) {
 			return nil
 		},
 	}
-	req, _ := http.NewRequestWithContext(httptrace.WithClientTrace(context.Background(), trace), http.MethodGet, server.URL, nil)
+	req, _ := http.NewRequestWithContext(httptrace.WithClientTrace(t.Context(), trace), http.MethodGet, server.URL, nil)

 	res, err := frontendClient.Do(req)
 	assert.NoError(t, err)
--- a/pkg/middlewares/ratelimiter/rate_limiter_test.go
+++ b/pkg/middlewares/ratelimiter/rate_limiter_test.go
@@ -1,7 +1,6 @@
 package ratelimiter

 import (
-	"context"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -94,7 +93,7 @@ func TestNewRateLimiter(t *testing.T) {

 			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})

-			h, err := New(context.Background(), next, test.config, "rate-limiter")
+			h, err := New(t.Context(), next, test.config, "rate-limiter")
 			if test.expectedError != "" {
 				assert.EqualError(t, err, test.expectedError)
 			} else {
@@ -258,7 +257,7 @@ func TestRateLimit(t *testing.T) {
 			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				reqCount++
 			})
-			h, err := New(context.Background(), next, test.config, "rate-limiter")
+			h, err := New(t.Context(), next, test.config, "rate-limiter")
 			require.NoError(t, err)

 			loadPeriod := time.Duration(1e9 / test.incomingLoad)
--- a/pkg/middlewares/recovery/recovery_test.go
+++ b/pkg/middlewares/recovery/recovery_test.go
@@ -1,7 +1,6 @@
 package recovery

 import (
-	"context"
 	"errors"
 	"io"
 	"net/http"
@@ -47,7 +46,7 @@ func TestRecoverHandler(t *testing.T) {
 				}
 				panic(test.panicErr)
 			}
-			recovery, err := New(context.Background(), http.HandlerFunc(fn))
+			recovery, err := New(t.Context(), http.HandlerFunc(fn))
 			require.NoError(t, err)

 			server := httptest.NewServer(recovery)
--- a/pkg/middlewares/redirect/redirect_regex_test.go
+++ b/pkg/middlewares/redirect/redirect_regex_test.go
@@ -1,7 +1,6 @@
 package redirect

 import (
-	"context"
 	"crypto/tls"
 	"net/http"
 	"net/http/httptest"
@@ -158,7 +157,7 @@ func TestRedirectRegexHandler(t *testing.T) {
 			t.Parallel()

 			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
-			handler, err := NewRedirectRegex(context.Background(), next, test.config, "traefikTest")
+			handler, err := NewRedirectRegex(t.Context(), next, test.config, "traefikTest")

 			if test.errorExpected {
 				require.Error(t, err)
--- a/pkg/middlewares/redirect/redirect_scheme_test.go
+++ b/pkg/middlewares/redirect/redirect_scheme_test.go
@@ -1,7 +1,6 @@
 package redirect

 import (
-	"context"
 	"crypto/tls"
 	"net/http"
 	"net/http/httptest"
@@ -287,7 +286,7 @@ func TestRedirectSchemeHandler(t *testing.T) {
 			t.Parallel()

 			next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
-			handler, err := NewRedirectScheme(context.Background(), next, test.config, "traefikTest")
+			handler, err := NewRedirectScheme(t.Context(), next, test.config, "traefikTest")

 			if test.errorExpected {
 				require.Error(t, err)
--- a/pkg/middlewares/replacepath/replace_path_test.go
+++ b/pkg/middlewares/replacepath/replace_path_test.go
@@ -1,7 +1,6 @@
 package replacepath

 import (
-	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -82,7 +81,7 @@ func TestReplacePath(t *testing.T) {
 				requestURI = r.RequestURI
 			})

-			handler, err := New(context.Background(), next, test.config, "foo-replace-path")
+			handler, err := New(t.Context(), next, test.config, "foo-replace-path")
 			require.NoError(t, err)

 			server := httptest.NewServer(handler)
--- a/pkg/middlewares/replacepathregex/replace_path_regex_test.go
+++ b/pkg/middlewares/replacepathregex/replace_path_regex_test.go
@@ -1,7 +1,6 @@
 package replacepathregex

 import (
-	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -150,7 +149,7 @@ func TestReplacePathRegex(t *testing.T) {
 				requestURI = r.RequestURI
 			})

-			handler, err := New(context.Background(), next, test.config, "foo-replace-path-regexp")
+			handler, err := New(t.Context(), next, test.config, "foo-replace-path-regexp")
 			if test.expectsError {
 				require.Error(t, err)
 				return
--- a/pkg/middlewares/requestdecorator/hostresolver_test.go
+++ b/pkg/middlewares/requestdecorator/hostresolver_test.go
@@ -1,7 +1,6 @@
 package requestdecorator

 import (
-	"context"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -43,7 +42,7 @@ func TestCNAMEFlatten(t *testing.T) {
 				ResolvDepth:  5,
 			}

-			flatH := hostResolver.CNAMEFlatten(context.Background(), test.domain)
+			flatH := hostResolver.CNAMEFlatten(t.Context(), test.domain)
 			assert.Equal(t, test.expectedDomain, flatH)
 		})
 	}
--- a/pkg/middlewares/retry/retry_test.go
+++ b/pkg/middlewares/retry/retry_test.go
@@ -1,7 +1,6 @@
 package retry

 import (
-	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -129,7 +128,7 @@ func TestRetry(t *testing.T) {
 			})

 			retryListener := &countingRetryListener{}
-			retry, err := New(context.Background(), next, test.config, retryListener, "traefikTest")
+			retry, err := New(t.Context(), next, test.config, retryListener, "traefikTest")
 			require.NoError(t, err)

 			recorder := httptest.NewRecorder()
@@ -149,7 +148,7 @@ func TestRetryEmptyServerList(t *testing.T) {
 	})

 	retryListener := &countingRetryListener{}
-	retry, err := New(context.Background(), next, dynamic.Retry{Attempts: 3}, retryListener, "traefikTest")
+	retry, err := New(t.Context(), next, dynamic.Retry{Attempts: 3}, retryListener, "traefikTest")
 	require.NoError(t, err)

 	recorder := httptest.NewRecorder()
@@ -185,7 +184,7 @@ func TestMultipleRetriesShouldNotLooseHeaders(t *testing.T) {
 		rw.WriteHeader(http.StatusNoContent)
 	})

-	retry, err := New(context.Background(), next, dynamic.Retry{Attempts: 3}, &countingRetryListener{}, "traefikTest")
+	retry, err := New(t.Context(), next, dynamic.Retry{Attempts: 3}, &countingRetryListener{}, "traefikTest")
 	require.NoError(t, err)

 	res := httptest.NewRecorder()
@@ -219,7 +218,7 @@ func TestRetryShouldNotLooseHeadersOnWrite(t *testing.T) {
 		require.NoError(t, err)
 	})

-	retry, err := New(context.Background(), next, dynamic.Retry{Attempts: 3}, &countingRetryListener{}, "traefikTest")
+	retry, err := New(t.Context(), next, dynamic.Retry{Attempts: 3}, &countingRetryListener{}, "traefikTest")
 	require.NoError(t, err)

 	res := httptest.NewRecorder()
@@ -243,7 +242,7 @@ func TestRetryWithFlush(t *testing.T) {
 		}
 	})

-	retry, err := New(context.Background(), next, dynamic.Retry{Attempts: 1}, &countingRetryListener{}, "traefikTest")
+	retry, err := New(t.Context(), next, dynamic.Retry{Attempts: 1}, &countingRetryListener{}, "traefikTest")
 	require.NoError(t, err)

 	responseRecorder := httptest.NewRecorder()
@@ -312,7 +311,7 @@ func TestRetryWebsocket(t *testing.T) {
 			})

 			retryListener := &countingRetryListener{}
-			retryH, err := New(context.Background(), next, dynamic.Retry{Attempts: test.maxRequestAttempts}, retryListener, "traefikTest")
+			retryH, err := New(t.Context(), next, dynamic.Retry{Attempts: test.maxRequestAttempts}, retryListener, "traefikTest")
 			require.NoError(t, err)

 			retryServer := httptest.NewServer(retryH)
@@ -345,7 +344,7 @@ func Test1xxResponses(t *testing.T) {
 	})

 	retryListener := &countingRetryListener{}
-	retry, err := New(context.Background(), next, dynamic.Retry{Attempts: 1}, retryListener, "traefikTest")
+	retry, err := New(t.Context(), next, dynamic.Retry{Attempts: 1}, retryListener, "traefikTest")
 	require.NoError(t, err)

 	server := httptest.NewServer(retry)
@@ -389,7 +388,7 @@ func Test1xxResponses(t *testing.T) {
 			return nil
 		},
 	}
-	req, _ := http.NewRequestWithContext(httptrace.WithClientTrace(context.Background(), trace), http.MethodGet, server.URL, nil)
+	req, _ := http.NewRequestWithContext(httptrace.WithClientTrace(t.Context(), trace), http.MethodGet, server.URL, nil)

 	res, err := frontendClient.Do(req)
 	assert.NoError(t, err)
--- a/pkg/middlewares/stripprefix/strip_prefix_test.go
+++ b/pkg/middlewares/stripprefix/strip_prefix_test.go
@@ -1,7 +1,6 @@
 package stripprefix

 import (
-	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -189,7 +188,7 @@ func TestStripPrefix(t *testing.T) {
 				requestURI = r.RequestURI
 			})

-			handler, err := New(context.Background(), next, test.config, "foo-strip-prefix")
+			handler, err := New(t.Context(), next, test.config, "foo-strip-prefix")
 			require.NoError(t, err)

 			req := testhelpers.MustNewRequest(http.MethodGet, "http://localhost"+test.path, nil)
--- a/pkg/middlewares/stripprefixregex/strip_prefix_regex_test.go
+++ b/pkg/middlewares/stripprefixregex/strip_prefix_regex_test.go
@@ -1,7 +1,6 @@
 package stripprefixregex

 import (
-	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -118,7 +117,7 @@ func TestStripPrefixRegex(t *testing.T) {
 				actualHeader = r.Header.Get(stripprefix.ForwardedPrefixHeader)
 				requestURI = r.RequestURI
 			})
-			handler, err := New(context.Background(), handlerPath, testPrefixRegex, "foo-strip-prefix-regex")
+			handler, err := New(t.Context(), handlerPath, testPrefixRegex, "foo-strip-prefix-regex")
 			require.NoError(t, err)

 			req := testhelpers.MustNewRequest(http.MethodGet, "http://localhost"+test.path, nil)
--- a/pkg/middlewares/tcp/inflightconn/inflight_conn_test.go
+++ b/pkg/middlewares/tcp/inflightconn/inflight_conn_test.go
@@ -1,7 +1,6 @@
 package tcpinflightconn

 import (
-	"context"
 	"net"
 	"testing"
 	"time"
@@ -27,7 +26,7 @@ func TestInFlightConn_ServeTCP(t *testing.T) {
 		finishCh <- struct{}{}
 	})

-	middleware, err := New(context.Background(), next, dynamic.TCPInFlightConn{Amount: 1}, "foo")
+	middleware, err := New(t.Context(), next, dynamic.TCPInFlightConn{Amount: 1}, "foo")
 	require.NoError(t, err)

 	// The first connection should succeed and wait.
--- a/pkg/middlewares/tcp/ipallowlist/ip_allowlist_test.go
+++ b/pkg/middlewares/tcp/ipallowlist/ip_allowlist_test.go
@@ -43,7 +43,7 @@ func TestNewIPAllowLister(t *testing.T) {
 			t.Parallel()

 			next := tcp.HandlerFunc(func(conn tcp.WriteCloser) {})
-			allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
+			allowLister, err := New(t.Context(), next, test.allowList, "traefikTest")

 			if test.expectedError {
 				assert.Error(t, err)
@@ -92,7 +92,7 @@ func TestIPAllowLister_ServeHTTP(t *testing.T) {
 				require.NoError(t, err)
 			})

-			allowLister, err := New(context.Background(), next, test.allowList, "traefikTest")
+			allowLister, err := New(t.Context(), next, test.allowList, "traefikTest")
 			require.NoError(t, err)

 			server, client := net.Pipe()
--- a/pkg/middlewares/tcp/ipwhitelist/ip_whitelist_test.go
+++ b/pkg/middlewares/tcp/ipwhitelist/ip_whitelist_test.go
@@ -43,7 +43,7 @@ func TestNewIPWhiteLister(t *testing.T) {
 			t.Parallel()

 			next := tcp.HandlerFunc(func(conn tcp.WriteCloser) {})
-			whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
+			whiteLister, err := New(t.Context(), next, test.whiteList, "traefikTest")

 			if test.expectedError {
 				assert.Error(t, err)
@@ -92,7 +92,7 @@ func TestIPWhiteLister_ServeHTTP(t *testing.T) {
 				require.NoError(t, err)
 			})

-			whiteLister, err := New(context.Background(), next, test.whiteList, "traefikTest")
+			whiteLister, err := New(t.Context(), next, test.whiteList, "traefikTest")
 			require.NoError(t, err)

 			server, client := net.Pipe()
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Romain	63a6172ec4	Prepare release v2.11.32	2025-12-04 15:26:04 +01:00
Romain	4d7d627319	Reject suspicious encoded characters Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2025-12-04 15:10:05 +01:00
GreyXor	0b6438b7c0	Bump github.com/quic-go/quic-go to v0.57.1	2025-12-02 09:04:05 +01:00
Michel Loiseleur	e15c11961f	Protect CI against supply chain attack on nodejs	2025-12-01 14:58:05 +01:00
Emile Vauge	042feacf3e	Update SECURITY.md to streamline information	2025-11-24 15:32:04 +01:00
Chris Wayne	759e82c3c8	Update SECURITY.md	2025-11-24 11:56:04 +01:00
GreyXor	2d7262515d	Bump github.com/quic-go/quic-go to v0.57.0	2025-11-24 10:44:04 +01:00
Kevin Pollet	f3e199cd47	Bump golang.org/x/crypto to v0.45.0	2025-11-20 11:30:05 +01:00
Kevin Pollet	9232535cf6	Validate plugin module name Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2025-11-20 10:50:04 +01:00
Kevin Pollet	79bb320f4c	Prepare release v2.11.31	2025-11-13 10:42:16 +01:00
Kevin Pollet	058b194604	Auto-negotiate Docker API version	2025-11-12 16:32:06 +01:00
Kevin Pollet	effca0a603	Update letsencrypt/pebble to use ghcr image	2025-11-07 11:58:04 +01:00
Romain	998868450f	Prepare release v2.11.30	2025-10-28 09:44:04 +01:00
Kevin Pollet	ffd82c92cb	Fix KV key name used to check if connection is alive	2025-10-16 16:50:05 +02:00
Kevin Pollet	34d7091f31	Bump github.com/quic-go/quic-go to v0.55.0	2025-10-14 15:48:05 +02:00
Kevin Pollet	b04759a80b	Bump golang.org/x/net to v0.46.0	2025-10-10 17:22:04 +02:00
Hannah Kim	8441c476f1	Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.74.6	2025-10-03 09:44:04 +01:00
Romain	4ff8eca572	Fix Swarm unit test for the nodeIP property	2025-08-27 09:40:05 +02:00
Romain	1986610363	Prepare release v2.11.29	2025-08-26 14:50:08 +02:00
Kevin Pollet	5cc2a8344c	Bump github.com/docker/docker to v28.3.3	2025-08-20 15:52:06 +02:00
Michael	fc5359b6f6	Remove Semaphore CI	2025-08-13 10:30:06 +02:00
Michael	c5d448fba9	chore: upgrade actions/checkout to v5	2025-08-13 09:22:04 +02:00
Ludovic Fernandez	c820d18ada	Bump github.com/go-acme/lego/v4 to v4.25.2	2025-08-11 14:44:05 +02:00
Michael	19a2e2efc5	Allow maintainers to run deploy documentation	2025-08-01 12:10:05 +02:00
Michel Loiseleur	bcdb70b689	Fix invalid links in documentation	2025-08-01 11:34:05 +02:00
Jesper Noordsij	9896192efb	Update releases docs for v3.5	2025-07-29 16:00:06 +02:00
Romain	c6daab54e3	Prepare release v2.11.28	2025-07-23 10:34:04 +02:00
Michael	a59bcb29b5	Improve integration tests	2025-07-23 09:56:04 +02:00
Jesper Noordsij	50931813f2	Remove all mentions of ordering for TLSOption CurvePreferences field	2025-07-22 15:44:05 +02:00
Zeroday BYTE	5ef853a0c5	Fix client arbitrary file access during archive extraction zipslip	2025-07-22 14:24:05 +02:00
Romain	b2b4b66b08	Disable MPTCP by default Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2025-07-22 11:10:05 +02:00
Harold Ozouf	27326e6569	Redact logged install configuration	2025-07-18 17:16:04 +02:00
Kevin Pollet	7ca90a4b18	Prepare release v2.11.27	2025-07-11 09:30:05 +02:00
Kevin Pollet	a3685ee9fa	Bump github.com/go-viper/mapstructure/v2 to v2.3.0	2025-07-10 16:10:05 +02:00
Romain	8ae0379171	Prepare release v2.11.26	2025-06-26 11:50:04 +02:00
Romain	b0d8e08e2b	Fix typo in redirect middleware documentation	2025-06-11 09:46:05 +02:00
Kevin Pollet	ae79d4e5f0	Do not log redis sentinel username and password	2025-06-04 12:08:04 +02:00
Romain	bfcef58a4f	Fix KV reference rendering	2025-06-03 16:56:04 +02:00
Jesper Noordsij	f7a6f32784	Update Dockerfiles to Alpine 3.22	2025-06-03 11:24:05 +02:00
Jesper Noordsij	92f798dfcd	Update supported versions	2025-06-02 16:08:04 +02:00
Michael	f174014d96	feat: parallelise unit tests	2025-06-02 11:00:05 +02:00
Kevin Pollet	cd16321dd9	Bump to go1.24 Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2025-06-02 10:36:05 +02:00