Prepare release v3.5.0-rc1

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>

.github/workflows/build.yaml

@@ -10,7 +10,7 @@ on:
       - 'script/gcg/**'
 
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
   CGO_ENABLED: 0
 
 jobs:

.github/workflows/experimental.yaml

@@ -7,7 +7,7 @@ on:
       - v*
 
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
   CGO_ENABLED: 0
 
 jobs:

.github/workflows/release.yaml

@@ -6,11 +6,11 @@ on:
       - 'v*.*.*'
 
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
   CGO_ENABLED: 0
   VERSION: ${{ github.ref_name }}
   TRAEFIKER_EMAIL: "traefiker@traefik.io"
-  CODENAME: chaource
+  CODENAME: chabichou
 
 jobs:
 

.github/workflows/template-webui.yaml

@@ -12,6 +12,9 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Enable corepack
+        run: corepack enable
+
       - name: Setup node
         uses: actions/setup-node@v4
         with:

.github/workflows/test-conformance.yaml

@@ -31,7 +31,9 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Avoid generating webui
-        run: touch webui/static/index.html
+        run: |
+          mkdir webui/static
+          touch webui/static/index.html
 
       - name: K8s Gateway API conformance test and report
         run: |

.github/workflows/test-integration.yaml

@@ -10,7 +10,7 @@ on:
       - 'script/gcg/**'
 
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
   CGO_ENABLED: 0
 
 jobs:
@@ -31,7 +31,9 @@ jobs:
           check-latest: true
 
       - name: Avoid generating webui
-        run: touch webui/static/index.html
+        run: |
+          mkdir webui/static
+          touch webui/static/index.html
 
       - name: Build binary
         run: make binary
@@ -59,7 +61,9 @@ jobs:
           check-latest: true
 
       - name: Avoid generating webui
-        run: touch webui/static/index.html
+        run: |
+          mkdir webui/static
+          touch webui/static/index.html
 
       - name: Build binary
         run: make binary

.github/workflows/test-unit.yaml

@@ -10,12 +10,39 @@ on:
       - 'script/gcg/**'
 
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
 
 jobs:
+  generate-packages:
+    name: List Go Packages
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+
+      - name: Generate matrix
+        id: set-matrix
+        run: |
+          matrix_output=$(go run ./internal/testsci/genmatrix.go)
+          echo "$matrix_output"
+          echo "$matrix_output" >> $GITHUB_OUTPUT
 
   test-unit:
     runs-on: ubuntu-latest
+    needs: generate-packages
+    strategy:
+      matrix:
+        package: ${{ fromJson(needs.generate-packages.outputs.matrix) }}
 
     steps:
       - name: Check out code
@@ -30,10 +57,13 @@ jobs:
           check-latest: true
 
       - name: Avoid generating webui
-        run: touch webui/static/index.html
+        run: |
+          mkdir webui/static
+          touch webui/static/index.html
 
       - name: Tests
-        run: make test-unit
+        run: |
+          go test -v -parallel 8 ${{ matrix.package.group }}
 
   test-ui-unit:
     runs-on: ubuntu-latest
@@ -44,6 +74,9 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Enable corepack
+        run: corepack enable
+
       - name: Set up Node.js ${{ env.NODE_VERSION }}
         uses: actions/setup-node@v4
         with:
@@ -52,6 +85,9 @@ jobs:
           cache-dependency-path: webui/yarn.lock
 
       - name: UI unit tests
+        working-directory: ./webui
+        env:
+          VITE_APP_BASE_API_URL: "/api"
         run: |
-          yarn --cwd webui install
-          yarn --cwd webui test:unit:ci
+          yarn install
+          yarn test:unit:ci

.github/workflows/validate.yaml

@@ -6,7 +6,7 @@ on:
       - '*'
 
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
   GOLANGCI_LINT_VERSION: v2.0.2
   MISSPELL_VERSION: v0.6.0
 
@@ -27,6 +27,11 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
 
+      - name: Avoid generating webui
+        run: |
+          mkdir webui/static
+          touch webui/static/index.html
+
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v7
         with:
@@ -51,7 +56,9 @@ jobs:
         run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/HEAD/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}
 
       - name: Avoid generating webui
-        run: touch webui/static/index.html
+        run: |
+          mkdir webui/static
+          touch webui/static/index.html
 
       - name: Validate
         run: make validate-files

.golangci.yml

@@ -245,6 +245,10 @@ linters:
         text: Function 'buildConstructor' has too many statements
         linters:
           - funlen
+      - path: pkg/provider/kubernetes/ingress-nginx/kubernetes.go
+        text: Function 'loadConfiguration' has too many statements
+        linters:
+          - funlen
       - path: pkg/tracing/haystack/logger.go
         linters:
           - goprintffuncname

CHANGELOG.md

@@ -1,3 +1,67 @@
+## [v3.5.0-rc1](https://github.com/traefik/traefik/tree/v3.5.0-rc1) (2025-06-26)
+[All Commits](https://github.com/traefik/traefik/compare/v3.4.0-rc1...v3.5.0-rc1)
+
+**Enhancements:**
+- **[acme]** OCSP stapling ([#8393](https://github.com/traefik/traefik/pull/8393) by [alekitto](https://github.com/alekitto))
+- **[acme]** Add acme.httpChallenge.delay option ([#11643](https://github.com/traefik/traefik/pull/11643) by [ldez](https://github.com/ldez))
+- **[acme]** Allow configuration of ACME provider http timeout ([#11637](https://github.com/traefik/traefik/pull/11637) by [tkw1536](https://github.com/tkw1536))
+- **[healthcheck]** Add url option to healthcheck command ([#11711](https://github.com/traefik/traefik/pull/11711) by [Nelwhix](https://github.com/Nelwhix))
+- **[healthcheck]** Add unhealthy Interval to the health check configuration ([#10610](https://github.com/traefik/traefik/pull/10610) by [sswastik02](https://github.com/sswastik02))
+- **[k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.3.0 ([#11719](https://github.com/traefik/traefik/pull/11719) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** Make the behavior of prefix matching in Ingress consistent with Kubernetes doc ([#11203](https://github.com/traefik/traefik/pull/11203) by [charlie0129](https://github.com/charlie0129))
+- **[k8s]** NGINX Ingress Provider ([#11844](https://github.com/traefik/traefik/pull/11844) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,authentication]** Handle context canceled in ForwardAuth middleware ([#11817](https://github.com/traefik/traefik/pull/11817) by [bengentree](https://github.com/bengentree))
+- **[plugins]** Ability to enable unsafe in yaegi through plugin manifest ([#11589](https://github.com/traefik/traefik/pull/11589) by [Rydez](https://github.com/Rydez))
+- **[tls]** Introduce X25519MLKEM768 for Post-Quantum-Secure TLS ([#11731](https://github.com/traefik/traefik/pull/11731) by [fzoli](https://github.com/fzoli))
+- **[webui]** Migrate Traefik Proxy dashboard UI to React ([#11674](https://github.com/traefik/traefik/pull/11674) by [gndz07](https://github.com/gndz07))
+- **[webui]** Improve visualization for StatusRewrites option of errors middleware ([#11806](https://github.com/traefik/traefik/pull/11806) by [sevensolutions](https://github.com/sevensolutions))
+
+**Misc:**
+- Merge branch v3.4 into master ([#11863](https://github.com/traefik/traefik/pull/11863) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11861](https://github.com/traefik/traefik/pull/11861) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11857](https://github.com/traefik/traefik/pull/11857) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11855](https://github.com/traefik/traefik/pull/11855) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11813](https://github.com/traefik/traefik/pull/11813) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.4 into master ([#11758](https://github.com/traefik/traefik/pull/11758) by [mmatur](https://github.com/mmatur))
+- Merge v3.4 into master ([#11752](https://github.com/traefik/traefik/pull/11752) by [mmatur](https://github.com/mmatur))
+- Merge branch v3.4 into master ([#11708](https://github.com/traefik/traefik/pull/11708) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.4.3](https://github.com/traefik/traefik/tree/v3.4.3) (2025-06-26)
+[All Commits](https://github.com/traefik/traefik/compare/v3.4.2...v3.4.3)
+
+**Bug fixes:**
+- **[http3]** Bump quic-go to v.0.49.0 ([#11848](https://github.com/traefik/traefik/pull/11848) by [joshua-siw](https://github.com/joshua-siw))
+
+## [v3.4.2](https://github.com/traefik/traefik/tree/v3.4.2) (2025-06-26)
+[All Commits](https://github.com/traefik/traefik/compare/v3.4.1...v3.4.2)
+
+**Documentation:**
+- **[acme]** Add a note to certificatesDuration ([#11808](https://github.com/traefik/traefik/pull/11808) by [sMteX](https://github.com/sMteX))
+- **[docker,k8s]** Update Getting started Section with New Docker and Kubernetes Tutorial ([#11714](https://github.com/traefik/traefik/pull/11714) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[docker]** Remove obsolete version field in compose files ([#11798](https://github.com/traefik/traefik/pull/11798) by [thomas-mauran](https://github.com/thomas-mauran))
+- **[k8s]** Add a note about Ingress Backend Resource support ([#11785](https://github.com/traefik/traefik/pull/11785) by [edysli](https://github.com/edysli))
+- **[logs,metrics,tracing,accesslogs]** Update the EntryPoints Documentation ([#11856](https://github.com/traefik/traefik/pull/11856) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[logs,metrics,tracing,accesslogs]** Add New Observe Guides to the Documentation ([#11828](https://github.com/traefik/traefik/pull/11828) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[middleware]** Remove conflicting information from the CircuitBreaker documentation. ([#11835](https://github.com/traefik/traefik/pull/11835) by [adk-swisstopo](https://github.com/adk-swisstopo))
+- **[service]** Clarify mirroring service default percent value ([#11804](https://github.com/traefik/traefik/pull/11804) by [Alexy-vda](https://github.com/Alexy-vda))
+- **[websocket]** Add WebSocket guide ([#11623](https://github.com/traefik/traefik/pull/11623) by [NX211](https://github.com/NX211))
+
+**Misc:**
+- Merge branch v2.11 into v3.4 ([#11859](https://github.com/traefik/traefik/pull/11859) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.4 ([#11831](https://github.com/traefik/traefik/pull/11831) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.4 ([#11810](https://github.com/traefik/traefik/pull/11810) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.26](https://github.com/traefik/traefik/tree/v2.11.26) (2025-06-26)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.25...v2.11.26)
+
+**Bug fixes:**
+- **[middleware]** Do not log redis sentinel username and password ([#11819](https://github.com/traefik/traefik/pull/11819) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[kv]** Fix KV reference rendering ([#11815](https://github.com/traefik/traefik/pull/11815) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,k8s/crd]** Fix typo in redirect middleware documentation ([#11830](https://github.com/traefik/traefik/pull/11830) by [rtribotte](https://github.com/rtribotte))
+- Update supported versions ([#11811](https://github.com/traefik/traefik/pull/11811) by [jnoordsij](https://github.com/jnoordsij))
+
 ## [v3.4.1](https://github.com/traefik/traefik/tree/v3.4.1) (2025-05-27)
 [All Commits](https://github.com/traefik/traefik/compare/v3.4.0...v3.4.1)
 

Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.2
-FROM alpine:3.21
+FROM alpine:3.22
 
 RUN apk add --no-cache --no-progress ca-certificates tzdata
 

Makefile

@@ -30,18 +30,16 @@ dist:
 .PHONY: build-webui-image
 #? build-webui-image: Build WebUI Docker image
 build-webui-image:
-	docker build -t traefik-webui -f webui/Dockerfile webui
+	docker build -t traefik-webui -f webui/buildx.Dockerfile webui
 
 .PHONY: clean-webui
 #? clean-webui: Clean WebUI static generated assets
 clean-webui:
-	rm -r webui/static
-	mkdir -p webui/static
-	printf 'For more information see `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md
+	rm -rf webui/static
 
 webui/static/index.html:
 	$(MAKE) build-webui-image
-	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui npm run build:nc
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui yarn build:prod
 	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static
 
 .PHONY: generate-webui
@@ -102,7 +100,7 @@ test-integration: binary
 #? test-gateway-api-conformance: Run the conformance tests
 test-gateway-api-conformance: build-image-dirty
 	# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.4" $(TESTFLAGS)
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.5" $(TESTFLAGS)
 
 .PHONY: test-ui-unit
 #? test-ui-unit: Run the unit tests for the webui

cmd/healthcheck/healthcheck.go

@@ -2,6 +2,7 @@ package healthcheck
 
 import (
 	"errors"
+	"flag"
 	"fmt"
 	"net/http"
 	"os"
@@ -22,11 +23,26 @@ func NewCmd(traefikConfiguration *static.Configuration, loaders []cli.ResourceLo
 	}
 }
 
-func runCmd(traefikConfiguration *static.Configuration) func(_ []string) error {
-	return func(_ []string) error {
+func runCmd(traefikConfiguration *static.Configuration) func(args []string) error {
+	return func(args []string) error {
+		fs := flag.NewFlagSet("healthcheck", flag.ContinueOnError)
+		urlFlag := fs.String("url", "", "")
+		fs.SetOutput(os.Stderr)
+		if err := fs.Parse(args); err != nil {
+			return err
+		}
+
 		traefikConfiguration.SetEffectiveConfiguration()
 
-		resp, errPing := Do(*traefikConfiguration)
+		var resp *http.Response
+		var errPing error
+		if *urlFlag != "" {
+			client := &http.Client{Timeout: 5 * time.Second}
+			resp, errPing = client.Head(*urlFlag)
+		} else {
+			resp, errPing = Do(*traefikConfiguration)
+		}
+
 		if resp != nil {
 			resp.Body.Close()
 		}

cmd/traefik/traefik.go

@@ -182,7 +182,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	// ACME
 
-	tlsManager := traefiktls.NewManager()
+	tlsManager := traefiktls.NewManager(staticConfiguration.OCSP)
+	routinesPool.GoCtx(tlsManager.Run)
+
 	httpChallengeProvider := acme.NewChallengeHTTP()
 
 	tlsChallengeProvider := acme.NewChallengeTLSALPN()

docs/check.Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.21
+FROM alpine:3.22
 
 RUN apk --no-cache --no-progress add \
     build-base \
@@ -9,9 +9,7 @@ RUN apk --no-cache --no-progress add \
     ruby \
     ruby-bigdecimal \
     ruby-dev \
-    ruby-etc \
     ruby-ffi \
-    ruby-json \
     zlib-dev
 
 RUN gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries

docs/content/deprecation/releases.md

@@ -6,11 +6,12 @@ Below is a non-exhaustive list of versions and their maintenance status:
 
 | Version | Release Date | Active Support     | Security Support  |
 |---------|--------------|--------------------|-------------------|
-| 3.3     | Jan 06, 2025 | Yes                | Yes               |
+| 3.4     | May 05, 2025 | Yes                | Yes               |
+| 3.3     | Jan 06, 2025 | Ended May 05, 2025 | No                |
 | 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 | No                |
 | 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 | No                |
 | 3.0     | Apr 29, 2024 | Ended Jul 15, 2024 | No                |
-| 2.11    | Feb 12, 2024 | Ends  Apr 29, 2025 | Ends Feb 01, 2026 |
+| 2.11    | Feb 12, 2024 | Ended Apr 29, 2025 | Ends Feb 01, 2026 |
 | 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 | No                |
 | 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 | No                |
 | 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No                |

docs/content/getting-started/configuration-overview.md

@@ -79,7 +79,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:v3.4 --help
+# ex: docker run traefik:v3.5 --help
 ```
 
 Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.

docs/content/getting-started/docker.md

@@ -0,0 +1,162 @@
+---
+title: "Docker and Traefik Quick Start"
+description: "Deploy Traefik in Docker and expose your first service"
+---
+
+# Getting Started with Docker and Traefik
+
+Docker is a first-class citizen in Traefik, offering native support for Docker containers and services. 
+Whether you're using Docker Compose or running containers directly, Traefik provides a seamless experience for managing your Docker traffic.
+
+This guide shows you how to:
+
+- Install Traefik using Docker
+- Expose the Traefik dashboard
+- Deploy a sample application
+- Configure basic routing
+
+## Prerequisites
+
+- Docker 
+- Docker Compose (optional)
+
+## Install Traefik
+
+### Using Docker Compose
+
+Create a Docker Compose file. 
+This configuration:
+
+- Exposes ports 80 and 8080. 
+- Enables the Docker provider
+- Configures the dashboard with basic settings. Port 8080 serves the dashboard because we enabled `--api.insecure=true` (development use only)
+- Mounts the Docker socket for container discovery
+
+```yaml
+# docker-compose.yml
+services:
+  traefik:
+    image: traefik:v3.5
+    command:
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--entrypoints.web.address=:80"
+    ports:
+      - "80:80"
+      - "8080:8080"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+```
+
+Start Traefik:
+
+```bash
+docker-compose up -d
+```
+
+### Using Docker CLI
+
+Alternatively, you can run Traefik directly with Docker. 
+This command:
+
+- Exposes ports 80 and 8080 for web traffic and dashboard access
+- Mounts the configuration file and Docker socket
+- Uses the same configuration as the Docker Compose example
+
+Create a configuration file:
+
+```yaml
+# traefik.yml
+api:
+  insecure: true
+entryPoints:
+  web:
+    address: ":80"
+providers:
+  docker: {}
+```
+
+Start Traefik:
+
+```bash
+docker run -d \
+  -p 80:80 \
+  -p 8080:8080 \
+  -v $PWD/traefik.yml:/etc/traefik/traefik.yml \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  traefik:v3.5
+```
+
+## Expose the Dashboard
+
+Because we explicitly enabled insecure mode, the [dashboard](../reference/install-configuration/api-dashboard.md) is reachable on port 8080 without authentication. 
+**Do not enable this flag in production**.
+
+You can access the dashboard at:
+
+[http://localhost:8080/dashboard/](http://localhost:8080/dashboard/)
+
+![Traefik Dashboard Screenshot](../assets/img/getting-started/traefik-dashboard.png)
+
+## Deploy a Sample Application
+
+Create a whoami service:
+
+```yaml
+# whoami.yml
+services:
+  whoami:
+    image: traefik/whoami
+    labels:
+      - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
+```
+
+Apply the configuration:
+
+```bash
+docker-compose -f whoami.yml up -d
+```
+
+## Test Your Setup
+
+You can use the following curl command to verify that the application is correctly exposed:
+
+```bash
+curl http://whoami.localhost
+
+Hostname: 068c0a29a8b7
+IP: 127.0.0.1
+IP: ::1
+IP: 192.168.147.3
+RemoteAddr: 192.168.147.2:56006
+GET / HTTP/1.1
+Host: whoami.localhost
+User-Agent: curl/8.7.1
+Accept: */*
+Accept-Encoding: gzip
+X-Forwarded-For: 192.168.147.1
+X-Forwarded-Host: whoami.localhost
+X-Forwarded-Port: 80
+X-Forwarded-Proto: http
+X-Forwarded-Server: 9232cdd4fd6c
+X-Real-Ip: 192.168.147.1
+```
+
+You can also open [http://whoami.localhost](http://whoami.localhost) in a browser to test the application:
+
+![whoami application Screenshot](../assets/img/getting-started/whoami-localhost.png)
+
+If you navigate to the **HTTP Routers** section of the Traefik dashboard, you can see that the `whoami.localhost` route is managed by the Traefik Docker provider:
+
+![Traefik Dashboard HTTP Routers Section Screenshot](../assets/img/getting-started/docker-router.png)
+
+That's it! You've successfully deployed Traefik and configured routing in Docker.
+
+## Next Steps
+
+- [Configure TLS](../reference/routing-configuration/http/tls/overview.md)
+- [Set up Middlewares](../reference/routing-configuration/http/middlewares/overview.md)
+- [Enable Metrics](../reference/install-configuration/observability/metrics.md)
+- [Learn more about Docker provider](../reference/install-configuration/providers/docker.md)
+
+{!traefik-for-business-applications.md!}

docs/content/getting-started/index.md

@@ -0,0 +1,25 @@
+---
+title: "Getting Started with Traefik"
+description: "Quick start guides for deploying Traefik in Kubernetes and Docker environments"
+---
+
+# Getting Started with Traefik
+
+Traefik can be deployed in various environments. Choose your preferred deployment method:
+
+- [Kubernetes Quick Start](./kubernetes.md) - Deploy Traefik using Helm
+- [Docker Quick Start](./docker.md) - Deploy Traefik using Docker
+
+Each guide will help you:
+
+- Install Traefik
+- Expose the dashboard
+- Deploy a sample application
+- Configure basic routing
+
+## Before You Begin
+
+Make sure you have the necessary prerequisites for your chosen environment:
+
+- **Kubernetes**: A running Kubernetes cluster, Helm 3, and kubectl
+- **Docker**: Docker and optionally Docker Compose

docs/content/getting-started/install-traefik.md

@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:
 
 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
 
-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.5/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.5/traefik.sample.toml)
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.4
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.5
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.4`
+    ex: `traefik:v3.5`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
     * Any orchestrator using docker images can fetch the official Traefik docker image.
 

docs/content/getting-started/kubernetes.md

@@ -0,0 +1,331 @@
+---
+title: "Kubernetes and Traefik Quick Start"
+description: "Deploy Traefik in Kubernetes using Helm and expose your first service"
+slug: quick-start-with-kubernetes
+---
+
+# Getting Started with Kubernetes and Traefik
+
+Kubernetes is a first-class citizen in Traefik, offering native support for Kubernetes resources and the latest Kubernetes standards. 
+Whether you're using Traefik's [IngressRoute CRD](../reference/routing-configuration/kubernetes/crd/http/ingressroute.md), [Ingress](../reference/routing-configuration/kubernetes/ingress.md) or the [Kubernetes Gateway API](../reference/routing-configuration/kubernetes/gateway-api.md), 
+Traefik provides a seamless experience for managing your Kubernetes traffic.
+
+This guide shows you how to:
+
+- Create a Kubernetes cluster using k3d
+- Install Traefik using Helm
+- Expose the Traefik dashboard
+- Deploy a sample application
+- Configure basic routing with IngressRoute and Gateway API
+
+## Prerequisites
+
+- Kubernetes
+- Helm 3
+- kubectl
+- k3d (for local cluster creation)
+
+## Create a Kubernetes Cluster
+
+### Using k3d
+
+Create a cluster with the following command. This command:
+
+- Creates a k3d cluster named "traefik"
+- Maps ports 80, 443, and 8000 to the loadbalancer for accessing services
+- Disables the built-in Traefik ingress controller to avoid conflicts
+
+```bash
+k3d cluster create traefik \
+  --port 80:80@loadbalancer \
+  --port 443:443@loadbalancer \
+  --port 8000:8000@loadbalancer \
+  --k3s-arg "--disable=traefik@server:0"
+```
+
+Configure kubectl:
+
+```bash
+kubectl cluster-info --context k3d-traefik
+```
+
+## Install Traefik
+
+### Using Helm Values File
+
+Add the Traefik Helm repository:
+
+```bash
+helm repo add traefik https://traefik.github.io/charts
+helm repo update
+```
+
+Create a values file. This configuration:
+
+- Maps ports 80 and 443 to the web and websecure [entrypoints](../reference/install-configuration/entrypoints.md)
+- Enables the [dashboard](../reference/install-configuration/api-dashboard.md) with a specific hostname rule
+- Enables the [Kubernetes Gateway API provider](../reference/routing-configuration/kubernetes/gateway-api.md)
+- Allows the Gateway to expose [HTTPRoutes](https://gateway-api.sigs.k8s.io/api-types/httproute/) from all namespaces
+
+```yaml
+# values.yaml
+ingressRoute:
+  dashboard:
+    enabled: true
+    matchRule: Host(`dashboard.localhost`)
+    entryPoints:
+      - web
+providers:
+  kubernetesGateway:
+    enabled: true
+gateway:
+  namespacePolicy: All
+```
+
+!!! info
+    The [KubernetesCRD](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md) provider is enabled by default when using the Helm chart so we don't need to set it in the values file.
+
+Install Traefik:
+
+```bash
+helm install traefik traefik/traefik -f values.yaml --wait
+```
+
+### Using Helm CLI Arguments
+
+Alternatively, you can install Traefik using CLI arguments. This command:
+
+- Maps ports `30000` and `30001` to the web and websecure entrypoints
+- Enables the dashboard with a specific hostname rule
+- Enables the [Kubernetes Gateway API provider](../reference/routing-configuration/kubernetes/gateway-api.md)
+- Allows the Gateway to expose HTTPRoutes from all namespaces
+
+```bash
+helm install traefik traefik/traefik --wait \
+  --set ingressRoute.dashboard.enabled=true \
+  --set ingressRoute.dashboard.matchRule='Host(`dashboard.localhost`)' \
+  --set ingressRoute.dashboard.entryPoints={web} \
+  --set providers.kubernetesGateway.enabled=true \
+  --set gateway.namespacePolicy=All
+```
+
+!!! info
+    The [KubernetesCRD](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md) provider is enabled by default when using the Helm chart so we don't need to set it in the CLI arguments.
+
+When Traefik is installed with the Gateway API provider enabled, it automatically creates a default GatewayClass named **traefik**:
+
+```bash
+kubectl describe GatewayClass traefik
+```
+
+## Expose the Dashboard
+
+The dashboard is exposed with an [IngressRoute](../reference/routing-configuration/kubernetes/crd/http/ingressroute.md) provided by the Chart, as we defined in the helm values during installation. 
+
+Access it at:
+
+[http://dashboard.localhost/dashboard/](http://dashboard.localhost/dashboard/)
+
+![Traefik Dashboard Screenshot](../assets/img/getting-started/traefik-dashboard.png)
+
+## Deploy a Sample Application
+
+Create a deployment:
+
+```yaml
+# whoami.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: whoami
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+        - name: whoami
+          image: traefik/whoami
+          ports:
+            - containerPort: 80
+```
+
+Create a service:
+
+```yaml
+# whoami-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+spec:
+  ports:
+    - port: 80
+  selector:
+    app: whoami
+```
+
+Apply the manifests:
+
+```bash
+kubectl apply -f whoami.yaml
+kubectl apply -f whoami-service.yaml
+```
+
+## Exposing the Application Using an IngressRoute (CRD)
+
+Create an IngressRoute:
+
+```yaml
+# whoami-ingressroute.yaml
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: whoami
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`whoami.localhost`)
+      kind: Rule
+      services:
+        - name: whoami
+          port: 80
+```
+
+Apply the manifest:
+
+```bash
+kubectl apply -f whoami-ingressroute.yaml
+```
+
+### Test Your Setup
+
+You can use the following curl command to verify that the application is correctly exposed:
+
+```bash
+curl http://whoami.localhost
+
+Hostname: whoami-76c9859cfc-6v8hh
+IP: 127.0.0.1
+IP: ::1
+IP: 10.42.0.11
+IP: fe80::20ad:eeff:fe44:a63
+RemoteAddr: 10.42.0.9:38280
+GET / HTTP/1.1
+Host: whoami.localhost
+User-Agent: curl/8.7.1
+Accept: */*
+Accept-Encoding: gzip
+X-Forwarded-For: 127.0.0.1
+X-Forwarded-Host: whoami.localhost
+X-Forwarded-Port: 80
+X-Forwarded-Proto: http
+X-Forwarded-Server: traefik-598946cd7-zds59
+X-Real-Ip: 127.0.0.1
+```
+
+You can also visit [http://whoami.localhost](http://whoami.localhost) in a browser to verify that the application is exposed correctly:
+
+![whoami application Screenshot](../assets/img/getting-started/whoami-localhost.png)
+
+## Exposing the Application Using the Gateway API
+
+Traefik supports the Kubernetes Gateway API specification, which provides a more standardized way to configure ingress in Kubernetes.
+When we installed Traefik earlier, we enabled the Gateway API provider. 
+You can verify this in the providers section of the Traefik dashboard.
+
+![Providers Section Screenshot](../assets/img/getting-started/providers.png)
+
+To use the Gateway API:
+
+Install the Gateway API CRDs in your cluster:
+
+```bash
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
+```
+
+Create an HTTPRoute. This configuration:
+
+- Creates an HTTPRoute named "whoami"
+- Attaches it to the default Gateway that Traefik created during installation
+- Configures routing for the hostname "whoami-gatewayapi.localhost"
+- Routes all traffic to the whoami service on port 80
+
+```yaml
+# httproute.yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: whoami
+spec:
+  parentRefs:
+    - name: traefik-gateway
+  hostnames:
+    - "whoami-gatewayapi.localhost"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: whoami
+          port: 80
+```
+
+Apply the manifest:
+
+```bash
+kubectl apply -f httproute.yaml
+```
+
+### Test Your Setup
+
+You can use the following curl command to verify that the application is correctly exposed:
+
+```bash
+curl http://whoami-gatewayapi.localhost
+
+Hostname: whoami-76c9859cfc-6v8hh
+IP: 127.0.0.1
+IP: ::1
+IP: 10.42.0.11
+IP: fe80::20ad:eeff:fe44:a63
+RemoteAddr: 10.42.0.9:38280
+GET / HTTP/1.1
+Host: whoami.localhost
+User-Agent: curl/8.7.1
+Accept: */*
+Accept-Encoding: gzip
+X-Forwarded-For: 127.0.0.1
+X-Forwarded-Host: whoami.localhost
+X-Forwarded-Port: 80
+X-Forwarded-Proto: http
+X-Forwarded-Server: traefik-598946cd7-zds59
+X-Real-Ip: 127.0.0.1
+```
+
+You can now visit [http://whoami.localhost](http://whoami.localhost) in your browser to verify that the application is exposed correctly:
+
+![whoami application Screenshot](../assets/img/getting-started/whoami-localhost.png)
+
+If you navigate to the **HTTP Routes** section of the traefik dashboard, you can see that the `whoami.localhost` route is managed by the Traefik Kubernetes Gateway API provider:
+
+![Traefik Dashboard HTTP Routes Section Screenshot](../assets/img/getting-started/kubernetes-gateway.png)
+
+That's it! You've successfully deployed Traefik and configured routing in a Kubernetes cluster.
+
+## Next Steps
+
+- [Configure TLS](../reference/routing-configuration/http/tls/overview.md)
+- [Set up Middlewares](../reference/routing-configuration/http/middlewares/overview.md)
+- [Enable Metrics](../reference/install-configuration/observability/metrics.md)
+- [Learn more about Kubernetes CRD provider](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md)
+- [Learn more about Kubernetes Gateway API provider](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md)
+
+{!traefik-for-business-applications.md!}

docs/content/getting-started/quick-start-with-kubernetes.md

@@ -3,342 +3,4 @@ title: "Traefik Getting Started With Kubernetes"
 description: "Get started with Traefik Proxy and Kubernetes."
 ---
 
-# Quick Start
-
-A Use Case of Traefik Proxy and Kubernetes
-{: .subtitle }
-
-This guide is an introduction to using Traefik Proxy in a Kubernetes environment.  
-The objective is to learn how to run an application behind a Traefik reverse proxy in Kubernetes.  
-It presents and explains the basic blocks required to start with Traefik such as Ingress Controller, Ingresses, Deployments, static, and dynamic configuration.
-
-## Permissions and Accesses
-
-Traefik uses the Kubernetes API to discover running services.
-
-To use the Kubernetes API, Traefik needs some permissions.
-This [permission mechanism](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) is based on roles defined by the cluster administrator.  
-The role is then bound to an account used by an application, in this case, Traefik Proxy.
-
-The first step is to create the role.
-The [`ClusterRole`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole) resource enumerates the resources and actions available for the role.
-In a file called `00-role.yml`, put the following `ClusterRole`:
-
-```yaml tab="00-role.yml"
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: traefik-role
-
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - services
-      - secrets
-      - nodes
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - traefik.io
-    resources:
-      - middlewares
-      - middlewaretcps
-      - ingressroutes
-      - traefikservices
-      - ingressroutetcps
-      - ingressrouteudps
-      - tlsoptions
-      - tlsstores
-      - serverstransports
-      - serverstransporttcps
-    verbs:
-      - get
-      - list
-      - watch
-```
-
-!!! info "You can find the reference for this file [there](../../reference/dynamic-configuration/kubernetes-crd/#rbac)."
-
-The next step is to create a dedicated service account for Traefik.
-In a file called `00-account.yml`, put the following [`ServiceAccount`](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/service-account-v1/#ServiceAccount) resource:
-
-```yaml tab="00-account.yml"
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: traefik-account
-```
-
-And then, bind the role on the account to apply the permissions and rules on the latter. In a file called `01-role-binding.yml`, put the
-following [`ClusterRoleBinding`](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/#ClusterRoleBinding) resource:
-
-```yaml tab="01-role-binding.yml"
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: traefik-role-binding
-
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: traefik-role
-subjects:
-  - kind: ServiceAccount
-    name: traefik-account
-    namespace: default # This tutorial uses the "default" K8s namespace.
-```
-
-!!! info "`roleRef` is the Kubernetes reference to the role created in `00-role.yml`."
-
-!!! info "`subjects` is the list of accounts reference."
-
-    In this guide, it only contains the account created in `00-account.yml`
-
-## Deployment and Exposition
-
-!!! info "This section can be managed with the help of the [Traefik Helm chart](../install-traefik/#use-the-helm-chart)."
-
-The [ingress controller](https://traefik.io/glossary/kubernetes-ingress-and-ingress-controller-101/#what-is-a-kubernetes-ingress-controller)
-is a software that runs in the same way as any other application on a cluster.  
-To start Traefik on the Kubernetes cluster,
-a [`Deployment`](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/) resource must exist to describe how to configure
-and scale containers horizontally to support larger workloads.
-
-Start by creating a file called `02-traefik.yml` and paste the following `Deployment` resource:
-
-```yaml tab="02-traefik.yml"
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: traefik-deployment
-  labels:
-    app: traefik
-
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: traefik
-  template:
-    metadata:
-      labels:
-        app: traefik
-    spec:
-      serviceAccountName: traefik-account
-      containers:
-        - name: traefik
-          image: traefik:v3.4
-          args:
-            - --api.insecure
-            - --providers.kubernetesingress
-          ports:
-            - name: web
-              containerPort: 80
-            - name: dashboard
-              containerPort: 8080
-```
-
-The deployment contains an important attribute for customizing Traefik: `args`.  
-These arguments are the static configuration for Traefik.  
-From here, it is possible to enable the dashboard,
-configure entry points,
-select dynamic configuration providers,
-and [more](../reference/static-configuration/cli.md).
-
-In this deployment,
-the static configuration enables the Traefik dashboard,
-and uses Kubernetes native Ingress resources as router definitions to route incoming requests.
-
-!!! info "When there is no entry point in the static configuration"
-
-    Traefik creates a default one called `web` using the port `80` routing HTTP requests.
-
-!!! info "When enabling the [`api.insecure`](../../operations/api/#insecure) mode, Traefik exposes the dashboard on the port `8080`."
-
-A deployment manages scaling and then can create lots of containers, called [Pods](https://kubernetes.io/docs/concepts/workloads/pods/).
-Each Pod is configured following the `spec` field in the deployment.  
-Given that, a Deployment can run multiple Traefik Proxy Pods,
-a piece is required to forward the traffic to any of the instance:
-namely a [`Service`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#Service).  
-Create a file called `02-traefik-services.yml` and insert the two `Service` resources:
-
-```yaml tab="02-traefik-services.yml"
-apiVersion: v1
-kind: Service
-metadata:
-  name: traefik-dashboard-service
-
-spec:
-  type: LoadBalancer
-  ports:
-    - port: 8080
-      targetPort: dashboard
-  selector:
-    app: traefik
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: traefik-web-service
-
-spec:
-  type: LoadBalancer
-  ports:
-    - targetPort: web
-      port: 80
-  selector:
-    app: traefik
-```
-
-!!! warning "It is possible to expose a service in different ways."
-
-    Depending on your working environment and use case, the `spec.type` might change.  
-    It is strongly recommended to understand the available [service types](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) before proceeding to the next step.
-
-It is now time to apply those files on your cluster to start Traefik.
-
-```shell
-kubectl apply -f 00-role.yml \
-              -f 00-account.yml \
-              -f 01-role-binding.yml \
-              -f 02-traefik.yml \
-              -f 02-traefik-services.yml
-```
-
-## Proxying applications
-
-The only part still missing is the business application behind the reverse proxy.  
-For this guide, we use the example application [traefik/whoami](https://github.com/traefik/whoami),
-but the principles are applicable to any other application.
-
-The `whoami` application is an HTTP server running on port 80 which answers host-related information to the incoming requests.  
-As usual, start by creating a file called `03-whoami.yml` and paste the following `Deployment` resource:
-
-```yaml tab="03-whoami.yml"
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: whoami
-  labels:
-    app: whoami
-
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: whoami
-  template:
-    metadata:
-      labels:
-        app: whoami
-    spec:
-      containers:
-        - name: whoami
-          image: traefik/whoami
-          ports:
-            - name: web
-              containerPort: 80
-```
-
-And continue by creating the following `Service` resource in a file called `03-whoami-services.yml`:
-
-```yaml tab="03-whoami-services.yml"
-apiVersion: v1
-kind: Service
-metadata:
-  name: whoami
-
-spec:
-  ports:
-    - name: web
-      port: 80
-      targetPort: web
-      
-  selector:
-    app: whoami
-```
-
-Thanks to the Kubernetes API,
-Traefik is notified when an Ingress resource is created, updated, or deleted.  
-This makes the process dynamic.  
-The ingresses are, in a way, the [dynamic configuration](../../providers/kubernetes-ingress/) for Traefik.
-
-!!! tip
-
-    Find more information on [ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/),
-    and [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the official Kubernetes documentation.
-
-Create a file called `04-whoami-ingress.yml` and insert the `Ingress` resource:
-
-```yaml tab="04-whoami-ingress.yml"
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: whoami-ingress
-spec:
-  rules:
-  - http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: whoami
-            port:
-              name: web
-```
-
-This `Ingress` configures Traefik to redirect any incoming requests starting with `/` to the `whoami:80` service.
-
-At this point, all the configurations are ready.
-It is time to apply those new files:
-
-```shell
-kubectl apply -f 03-whoami.yml \
-              -f 03-whoami-services.yml \
-              -f 04-whoami-ingress.yml
-```
-
-Now you should be able to access the `whoami` application and the Traefik dashboard.
-Load the dashboard on a web browser: [`http://localhost:8080`](http://localhost:8080).
-
-And now access the `whoami` application:
-
-```shell
-curl -v http://localhost/
-```
-
-!!! question "Going further"
-
-    - [Filter the ingresses](../providers/kubernetes-ingress.md#ingressclass) to use with [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class)
-    - Use [IngressRoute CRD](../providers/kubernetes-crd.md)
-    - Protect [ingresses with TLS](../routing/providers/kubernetes-ingress.md#enabling-tls-via-annotations)
-    
-{!traefik-for-business-applications.md!}
+--8<-- "content/getting-started/kubernetes.md"

docs/content/getting-started/quick-start.md

@@ -3,122 +3,4 @@ title: "Traefik Getting Started Quickly"
 description: "Get started with Traefik Proxy and Docker."
 ---
 
-# Quick Start
-
-A Use Case Using Docker
-{: .subtitle }
-
-![quickstart-diagram](../assets/img/quickstart-diagram.png)
-
-## Launch Traefik With the Docker Provider
-
-Create a `docker-compose.yml` file where you will define a `reverse-proxy` service that uses the official Traefik image:
-
-```yaml
-version: '3'
-
-services:
-  reverse-proxy:
-    # The official v3 Traefik docker image
-    image: traefik:v3.4
-    # Enables the web UI and tells Traefik to listen to docker
-    command: --api.insecure=true --providers.docker
-    ports:
-      # The HTTP port
-      - "80:80"
-      # The Web UI (enabled by --api.insecure=true)
-      - "8080:8080"
-    volumes:
-      # So that Traefik can listen to the Docker events
-      - /var/run/docker.sock:/var/run/docker.sock
-```
-
-**That's it. Now you can launch Traefik!**
-
-Start your `reverse-proxy` with the following command:
-
-```shell
-docker compose up -d reverse-proxy
-```
-
-You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (you'll go back there once you have launched a service in step 2).
-
-## Traefik Detects New Services and Creates the Route for You
-
-Now that you have a Traefik instance up and running, you will deploy new services.
-
-Edit your `docker-compose.yml` file and add the following at the end of your file.
-
-```yaml
-version: '3'
-
-services:
-
-  ...
-
-  whoami:
-    # A container that exposes an API to show its IP address
-    image: traefik/whoami
-    labels:
-      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
-```
-
-The above defines `whoami`: a web service that outputs information about the machine it is deployed on (its IP address, host, and others).
-
-Start the `whoami` service with the following command:
-
-```shell
-docker compose up -d whoami
-```
-
-Browse `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new container and updated its own configuration.
-
-When Traefik detects new services, it creates the corresponding routes, so you can call them ... _let's see!_  (Here, you're using curl)
-
-```shell
-curl -H Host:whoami.docker.localhost http://127.0.0.1
-```
-
-_Shows the following output:_
-
-```yaml
-Hostname: a656c8ddca6c
-IP: 172.27.0.3
-#...
-```
-
-## More Instances? Traefik Load Balances Them
-
-Run more instances of your `whoami` service with the following command:
-
-```shell
-docker compose up -d --scale whoami=2
-```
-
-Browse to `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new instance of the container.
-
-Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:
-
-```shell
-curl -H Host:whoami.docker.localhost http://127.0.0.1
-```
-
-The output will show alternatively one of the following:
-
-```yaml
-Hostname: a656c8ddca6c
-IP: 172.27.0.3
-#...
-```
-
-```yaml
-Hostname: s458f154e1f1
-IP: 172.27.0.4
-# ...
-```
-
-!!! question "Where to Go Next?"
-
-    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the user guides](../../user-guides/docker-compose/basic-example/ "Link to the user guides") and [the documentation](/ "Link to the docs landing page") and let Traefik work for you!
-
-{!traefik-for-business-applications.md!}
+--8<-- "content/getting-started/docker.md"

docs/content/https/acme.md

@@ -250,6 +250,34 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
 !!! info ""
     Redirection is fully compatible with the `HTTP-01` challenge.
 
+#### `Delay`
+
+The delay between the creation of the challenge and the validation.
+A value lower than or equal to zero means no delay.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      httpChallenge:
+        # ...
+        delay: 12
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.httpChallenge]
+    # ...
+    delay = 12
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.httpchallenge.delay=12
+```
+
 ### `dnsChallenge`
 
 Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
@@ -767,6 +795,8 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 
 _Optional, Default=2160_
 
+`certificatesDuration` specifies the duration (in hours) of the certificates issued by the CA server. It is used to determine when to renew the certificate, but it **doesn't** define the duration of the certificates, that is up to the CA server. 
+
 `certificatesDuration` is used to calculate two durations:
 
 - `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
@@ -807,6 +837,71 @@ certificatesResolvers:
 # ...
 ```
 
+### `clientTimeout`
+
+_Optional, Default=2m_
+
+`clientTimeout` is the total timeout for a complete HTTP transaction (including TCP connection, sending request and receiving response) with the ACME server.
+It defaults to 2 minutes.
+
+!!! warning "This timeout encompasses the entire request-response cycle, including the response headers timeout. It must be at least `clientResponseHeaderTimeout`, otherwise the certificate resolver will fail to start."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      clientTimeout: 1m
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  clientTimeout=1m
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.clientTimeout=1m
+# ...
+```
+
+!!! warning
+    This should not be confused with any timeouts used for validating challenges.
+
+### `clientResponseHeaderTimeout`
+
+_Optional, Default=30s_
+
+`clientResponseHeaderTimeout` defines how long the HTTP client waits for response headers when communicating with the `caServer`.
+It defaults to 30 seconds. 
+
+!!! warning "It must be lower than `clientTimeout`, otherwise the certificate resolver will fail to start."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      clientResponseHeaderTimeout: 1m
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  clientResponseHeaderTimeout=1m
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=1m
+# ...
+```
+
 ### `preferredChain`
 
 _Optional, Default=""_

docs/content/https/ocsp.md

@@ -0,0 +1,71 @@
+---
+title: "Traefik OCSP Documentation"
+description: "Learn how to configure Traefik to use OCSP. Read the technical documentation."
+---
+
+# OCSP
+
+Check certificate status and perform OCSP stapling.
+{: .subtitle }
+
+## Overview
+
+### OCSP Stapling
+
+When OCSP is enabled, Traefik checks the status of every certificate in the store that provides an OCSP responder URL,
+including the default certificate, and staples the OCSP response to the TLS handshake.
+The OCSP check is performed when the certificate is loaded,
+and once every hour until it is successful at the halfway point before the update date.
+
+### Caching
+
+Traefik caches the OCSP response as long as the associated certificate is provided by the configuration.
+When a certificate is no longer provided,
+the OCSP response has a 24 hour TTL waiting to be provided again or eventually removed.
+The OCSP response is cached in memory and is not persisted between Traefik restarts.
+
+## Configuration
+
+### General
+
+Enabling OCSP is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+It can be defined by using a file (YAML or TOML) or CLI arguments:
+
+```yaml tab="File (YAML)"
+## Static configuration
+ocsp: {}
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[ocsp]
+```
+
+```bash tab="CLI"
+## Static configuration
+--ocsp=true
+```
+
+### Responder Overrides
+
+The `responderOverrides` option defines the OCSP responder URLs to use instead of the one provided by the certificate.
+This is useful when you want to use a different OCSP responder.
+
+```yaml tab="File (YAML)"
+## Static configuration
+ocsp:
+  responderOverrides:
+    foo: bar
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[ocsp]
+  [ocsp.responderOverrides]
+    foo = "bar"
+```
+
+```bash tab="CLI"
+## Static configuration
+-ocsp.responderoverrides.foo=bar
+```

docs/content/https/ref-acme.toml

@@ -30,6 +30,20 @@
   #
   # certificatesDuration=2160
 
+  # Timeout for a complete HTTP transaction with the ACME server.
+  #
+  # Optional
+  # Default: 2m
+  #
+  # clientTimeout="2m"
+
+  # Timeout for receiving the response headers when communicating with the ACME server.
+  #
+  # Optional
+  # Default: 30s
+  #
+  # clientResponseHeaderTimeout="30s"
+
   # Preferred chain to use.
   #
   # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

docs/content/https/ref-acme.txt

@@ -29,6 +29,20 @@
 #
 --certificatesresolvers.myresolver.acme.certificatesDuration=2160
 
+# Timeout for a complete HTTP transaction with the ACME server.
+#
+# Optional
+# Default: 2m
+#
+--certificatesresolvers.myresolver.acme.clientTimeout=2m
+
+# Timeout for receiving the response headers when communicating with the ACME server.
+#
+# Optional
+# Default: 30s
+#
+--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=30s
+
 # Preferred chain to use.
 #
 # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

docs/content/https/ref-acme.yaml

@@ -32,6 +32,20 @@ certificatesResolvers:
       #
       # certificatesDuration: 2160
 
+      # Timeout for a complete HTTP transaction with the ACME server.
+      #
+      # Optional
+      # Default: 2m
+      #
+      # clientTimeout: "2m"
+
+      # Timeout for receiving the response headers when communicating with the ACME server.
+      #
+      # Optional
+      # Default: 30s
+      #
+      # clientResponseHeaderTimeout: "30s"
+
       # Preferred chain to use.
       #
       # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

docs/content/middlewares/http/circuitbreaker.md

@@ -160,8 +160,8 @@ Here is the list of supported operators:
 
 ### Fallback mechanism
 
-The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.
-This behavior cannot be configured.
+By default the fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.
+The response code can be configured.
 
 ### `CheckPeriod`
 

docs/content/observability/access-logs.md

@@ -288,11 +288,9 @@ It is possible to configure the Traefik to timestamp in a specific timezone by e
 Example utilizing Docker Compose:
 
 ```yaml
-version: "3.7"
-
 services:
   traefik:
-    image: traefik:v3.4
+    image: traefik:v3.5
     environment:
       - TZ=US/Alaska
     command:

docs/content/observe/logs-and-access-logs.md

@@ -0,0 +1,179 @@
+---
+title: "Logs and Access Logs"
+description: "Logs and Access Logs in Traefik Proxy provide real-time insight into the health of your system. They enable swift error detection and intervention through alerts. By centralizing logs, you can streamline the debugging process during incident resolution."
+---
+
+## Logs
+
+Logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
+
+### Configuration Example
+
+To enable and configure logs in Traefik Proxy, you can use the static configuration file or Helm values if you are using the [Helm chart](https://github.com/traefik/traefik-helm-chart).
+
+```yaml tab="Structured (YAML)"
+log:
+  filePath: "/path/to/log-file.log"
+  format: json
+  level: INFO
+```
+
+```toml tab="Structured (TOML)"
+[log]
+  filePath = "/path/to/log-file.log"
+  format = "json"
+  level = "INFO"
+```
+
+```yaml tab="Helm Chart Values"
+logs:
+  general:
+    filePath: "/path/to/log-file.log"
+    format: json
+    level: INFO
+```
+
+## Access Logs
+
+Access logs concern everything that happens to the requests handled by Traefik.
+
+### Configuration Example
+
+To enable and configure access logs in Traefik Proxy, you can use the static configuration file or Helm values if you are using the [Helm chart](https://github.com/traefik/traefik-helm-chart).
+
+The following example enables access logs in JSON format, filters them to only include specific status codes, and customizes the fields that are kept or dropped.
+
+```yaml tab="Structured (YAML)"
+accessLog:
+  format: json
+  filters:
+    statusCodes:
+      - "200"
+      - "400-404"
+      - "500-503"
+  fields:
+    names:
+      ClientUsername: drop
+    headers:
+      defaultMode: keep
+      names:
+        User-Agent: redact
+        Content-Type: keep
+```
+
+```toml tab="Structured (TOML)"
+[accessLog]
+  format = "json"
+  [accessLog.filters]
+    statusCodes = ["200", "400-404", "500-503"]
+  [accessLog.fields]
+    [accessLog.fields.names]
+      ClientUsername = "drop"
+    [accessLog.fields.headers]
+      defaultMode = "keep"
+      [accessLog.fields.headers.names]
+        "User-Agent" = "redact"
+        "Content-Type" = "keep"
+```
+
+```yaml tab="Helm Chart Values"
+# values.yaml
+logs:
+  access:
+    enabled: true
+    format: json
+    filters:
+      statusCodes:
+        - "200"
+        - "400-404"
+        - "500-503"
+    fields:
+      names:
+        ClientUsername: drop
+      headers:
+        defaultMode: keep
+        names:
+          User-Agent: redact
+          Content-Type: keep
+```
+
+## Per-Router Access Logs
+
+You can enable or disable access logs for a specific router. This is useful for turning off logging for noisy routes while keeping it on globally.
+
+Here's an example of disabling access logs on a specific router:
+
+```yaml tab="Structured (YAML)"
+http:
+  routers:
+    my-router:
+      rule: "Host(`example.com`)"
+      service: my-service
+      observability:
+        accessLogs: false
+```
+
+```toml tab="Structured (TOML)"
+[http.routers.my-router.observability]
+  accessLogs = false
+```
+
+```yaml tab="Kubernetes"
+# ingressroute.yaml
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: my-router
+spec:
+  routes:
+    - kind: Rule
+      match: Host(`example.com`)
+      services:
+        - name: my-service
+          port: 80
+      observability:
+        accessLogs: false
+```
+
+```bash tab="Labels"
+labels:
+  - "traefik.http.routers.my-router.observability.accesslogs=false"
+```
+
+```json tab="Tags"
+{
+  // ...
+  "Tags": [
+    "traefik.http.routers.my-router.observability.accesslogs=false"
+  ]
+}
+```
+
+When the `observability` options are not defined on a router, it inherits the behavior from the [entrypoint's observability configuration](./overview.md), or the global one.
+
+## Log Formats
+
+Traefik Proxy supports the following log formats:
+
+- Common Log Format (CLF)
+- JSON
+
+## Access Log Filters
+
+You can configure Traefik Proxy to only record access logs for requests that match certain criteria. This is useful for reducing the volume of logs and focusing on specific events.
+
+The available filters are:
+
+- **Status Codes:** Keep logs only for requests with specific HTTP status codes or ranges (e.g., `200`, `400-404`).
+- **Retry Attempts:** Keep logs only when a request retry has occurred.
+- **Minimum Duration:** Keep logs only for requests that take longer than a specified duration.
+
+## Log Fields Customization
+
+When using the `json` format, you can customize which fields are included in your access logs.
+
+- **Request Fields:** You can choose to `keep`, `drop`, or `redact` any of the standard request fields. A complete list of available fields like `ClientHost`, `RequestMethod`, and `Duration` can be found in the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md#available-fields).
+- **Request Headers:** You can also specify which request headers should be included in the logs, and whether their values should be `kept`, `dropped`, or `redacted`.
+
+!!! info
+    For detailed configuration options, refer to the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md).

docs/content/observe/metrics.md

@@ -0,0 +1,104 @@
+---
+title: "Metrics"
+description: "Metrics in Traefik Proxy offer a comprehensive view of your infrastructure's health. They allow you to monitor critical indicators like incoming traffic volume. Metrics graphs and visualizations are helpful during incident triage in understanding the causes and implementing proactive measures."
+---
+
+# Metrics
+
+Metrics in Traefik Proxy offer a comprehensive view of your infrastructure's health. They allow you to monitor critical indicators like incoming traffic volume. Metrics graphs and visualizations are helpful during incident triage in understanding the causes and implementing proactive measures.
+
+## Available Metrics Providers
+
+Traefik Proxy supports the following metrics providers:
+
+- OpenTelemetry
+- Prometheus
+- Datadog
+- InfluxDB 2.X
+- StatsD
+
+## Configuration
+
+To enable metrics in Traefik Proxy, you need to configure the metrics provider in your static configuration file or helm values if you are using the [Helm chart](https://github.com/traefik/traefik-helm-chart). The following example shows how to configure the OpenTelemetry provider to send metrics to a collector.
+
+```yaml tab="Structured (YAML)"
+metrics:
+  otlp:
+    http:
+      endpoint: http://myotlpcollector:4318/v1/metrics
+```
+
+```toml tab="Structured (TOML)"
+[metrics.otlp.http]
+  endpoint = "http://myotlpcollector:4318/v1/metrics"
+```
+
+```yaml tab="Helm Chart Values"
+# values.yaml
+metrics:
+  # Disable Prometheus (enabled by default)
+  prometheus: null
+  # Enable providing OTel metrics
+  otlp:
+    enabled: true
+    http:
+      enabled: true
+      endpoint: http://myotlpcollector:4318/v1/metrics
+```
+
+## Per-Router Metrics
+
+You can enable or disable metrics collection for a specific router. This can be useful for excluding certain routes from your metrics data.
+
+Here's an example of disabling metrics on a specific router:
+
+```yaml tab="Structured (YAML)"
+http:
+  routers:
+    my-router:
+      rule: "Host(`example.com`)"
+      service: my-service
+      observability:
+        metrics: false
+```
+
+```toml tab="Structured (TOML)"
+[http.routers.my-router.observability]
+  metrics = false
+```
+
+```yaml tab="Kubernetes"
+# ingressroute.yaml
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: my-router
+spec:
+  routes:
+    - kind: Rule
+      match: Host(`example.com`)
+      services:
+        - name: my-service
+          port: 80
+      observability:
+        metrics: false
+```
+
+```bash tab="Labels"
+labels:
+  - "traefik.http.routers.my-router.observability.metrics=false"
+```
+
+```json tab="Tags"
+{
+  // ...
+  "Tags": [
+    "traefik.http.routers.my-router.observability.metrics=false"
+  ]
+}
+```
+
+When the `observability` options are not defined on a router, it inherits the behavior from the [entrypoint's observability configuration](./overview.md), or the global one.
+
+!!! info
+    For detailed configuration options, refer to the [reference documentation](../reference/install-configuration/observability/metrics.md).

docs/content/observe/overview.md

@@ -0,0 +1,80 @@
+---
+title: "Observability Overview"
+description: "Traefik Proxy provides comprehensive monitoring and observability capabilities to maintain reliability and efficiency."
+---
+
+# Observability Overview
+
+Traefik Proxy provides comprehensive monitoring and observability capabilities to maintain reliability and efficiency:
+
+- [Logs and Access Logs](./logs-and-access-logs.md) provide real-time insight into the health of your system. They enable swift error detection and intervention through alerts. By centralizing logs, you can streamline the debugging process during incident resolution.
+
+- [Metrics](./metrics.md) offer a comprehensive view of your infrastructure's health. They allow you to monitor critical indicators like incoming traffic volume. Metrics graphs and visualizations are helpful during incident triage in understanding the causes and implementing proactive measures.
+
+- [Tracing](./tracing.md) enables tracking the flow of operations within your system. Using traces and spans, you can identify performance bottlenecks and pinpoint applications causing slowdowns to optimize response times effectively.
+
+## Configuration Example
+
+You can enable access logs, metrics, and tracing globally:
+
+```yaml tab="Structured (YAML)"
+accessLog: {}
+
+metrics:
+  otlp: {}
+
+tracing: {}
+```
+
+```toml tab="Structured (TOML)"
+[accessLog]
+
+[metrics.otlp]
+
+[tracing.otlp]
+```
+
+```yaml tab="Helm Chart Values"
+# values.yaml
+accessLog:
+  enabled: true
+
+metrics:
+  otlp:
+    enabled: true
+
+tracing:
+  otlp:
+    enabled: true
+```
+
+You can disable access logs, metrics, and tracing for a specific [entrypoint](../reference/install-configuration/entrypoints.md):
+
+```yaml tab="Structured (YAML)"
+entryPoints:
+  EntryPoint0:
+    address: ':8000/udp'
+    observability:
+      accessLogs: false
+      tracing: false
+      metrics: false
+```
+
+```toml tab="Structured (TOML)"
+[entryPoints.EntryPoint0.observability]
+  accessLogs = false
+  tracing = false
+  metrics = false
+```
+
+```yaml tab="Helm Chart Values"
+additionalArguments:
+  - "--entrypoints.entrypoint0.observability.accesslogs=false"
+  - "--entrypoints.entrypoint0.observability.tracing=false"
+  - "--entrypoints.entrypoint0.observability.metrics=false"
+```
+
+!!! note
+    A router with its own observability configuration will override the global default.
+
+{!traefik-for-business-applications.md!}

docs/content/observe/tracing.md

@@ -0,0 +1,93 @@
+---
+title: "Tracing"
+description: "Tracing in Traefik Proxy allows you to track the flow of operations within your system. Using traces and spans, you can identify performance bottlenecks and pinpoint applications causing slowdowns to optimize response times effectively."
+---
+
+# Tracing
+
+Tracing in Traefik Proxy allows you to track the flow of operations within your system. Using traces and spans, you can identify performance bottlenecks and pinpoint applications causing slowdowns to optimize response times effectively.
+
+Traefik Proxy uses [OpenTelemetry](https://opentelemetry.io/) to export traces. OpenTelemetry is an open-source observability framework. You can send traces to an OpenTelemetry collector, which can then export them to a variety of backends like Jaeger, Zipkin, or Datadog.
+
+## Configuration
+
+To enable tracing in Traefik Proxy, you need to configure it in your static configuration file or Helm values if you are using the [Helm chart](https://github.com/traefik/traefik-helm-chart). The following example shows how to configure the OpenTelemetry provider to send traces to a collector via HTTP.
+
+```yaml tab="Structured (YAML)"
+tracing:
+  otlp:
+    http:
+      endpoint: http://myotlpcollector:4318/v1/traces
+```
+
+```toml tab="Structured (TOML)"
+[tracing.otlp.http]
+  endpoint = "http://myotlpcollector:4318/v1/traces"
+```
+
+```yaml tab="Helm Chart Values"
+# values.yaml
+tracing:
+  otlp:
+    enabled: true
+    http:
+      enabled: true
+      endpoint: http://myotlpcollector:4318/v1/traces
+```
+
+!!! info
+    For detailed configuration options, refer to the [tracing reference documentation](../reference/install-configuration/observability/tracing.md).
+
+## Per-Router Tracing
+
+You can enable or disable tracing for a specific router. This is useful for turning off tracing for specific routes while keeping it on globally.
+
+Here's an example of disabling tracing on a specific router:
+
+```yaml tab="Structured (YAML)"
+http:
+  routers:
+    my-router:
+      rule: "Host(`example.com`)"
+      service: my-service
+      observability:
+        tracing: false
+```
+
+```toml tab="Structured (TOML)"
+[http.routers.my-router.observability]
+  tracing = false
+```
+
+```yaml tab="Kubernetes"
+# ingressoute.yaml
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: my-router
+spec:
+  routes:
+    - kind: Rule
+      match: Host(`example.com`)
+      services:
+        - name: my-service
+          port: 80
+      observability:
+        tracing: false
+```
+
+```yaml tab="Labels"
+labels:
+  - "traefik.http.routers.my-router.observability.tracing=false"
+```
+
+```json tab="Tags"
+{
+  // ...
+  "Tags": [
+    "traefik.http.routers.my-router.observability.tracing=false"
+  ]
+}
+```
+
+When the `observability` options are not defined on a router, it inherits the behavior from the [entrypoint's observability configuration](./overview.md), or the global one.

docs/content/providers/docker.md

@@ -40,7 +40,6 @@ This provider works with [Docker (standalone) Engine](https://docs.docker.com/en
     Attaching labels to containers (in your docker compose file)
 
     ```yaml
-    version: "3"
     services:
       my-container:
         # ...
@@ -162,11 +161,9 @@ See the [Docker API Access](#docker-api-access) section for more information.
     The docker-compose file shares the docker sock with the Traefik container
 
     ```yaml
-    version: '3'
-
     services:
       traefik:
-         image: traefik:v3.4 # The official v3 Traefik docker image
+         image: traefik:v3.5 # The official v3 Traefik docker image
          ports:
            - "80:80"
          volumes:

docs/content/providers/kubernetes-crd.md

@@ -31,10 +31,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
 
     ```bash
     # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
     
     # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
     ```
 
 ## Resource Configuration

docs/content/providers/kubernetes-gateway.md

@@ -8,11 +8,11 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specification from the Kubernetes Special Interest Groups (SIGs).
 
-This provider supports Standard version [v1.2.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.1) of the Gateway API specification. 
+This provider supports Standard version [v1.3.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.3.0) of the Gateway API specification. 
 
 It fully supports all HTTP core and some extended features, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
 
-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.2.1/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.3.0/traefik-traefik).
 
 ## Requirements
 
@@ -27,14 +27,14 @@ For more details, check out the conformance [report](https://github.com/kubernet
 
     ```bash
     # Install Gateway API CRDs from the Standard channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml
     ```
 
 2. Install the additional Traefik RBAC required for Gateway API.
 
     ```bash
     # Install Traefik RBACs.
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
     ```
 
 3. Deploy Traefik and enable the `kubernetesGateway` provider in the static configuration as detailed below:
@@ -275,7 +275,7 @@ providers:
 
     ```bash
     # Install Gateway API CRDs from the Experimental channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/experimental-install.yaml
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml
     ```
 
 ### `labelselector`

docs/content/providers/kubernetes-ingress.md

@@ -529,9 +529,32 @@ providers:
 --providers.kubernetesingress.nativeLBByDefault=true
 ```
 
+### `strictPrefixMatching`
+
+_Optional, Default: false_
+
+Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). For example, a PathPrefix of `/foo` will match `/foo`, `/foo/`, and `/foo/bar` but not `/foobar`.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    strictPrefixMatching: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  strictPrefixMatching = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.strictPrefixMatching=true
+```
+
 ### Further
 
 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.4/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.5/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
 
 {!traefik-for-business-applications.md!}

docs/content/providers/swarm.md

@@ -53,7 +53,6 @@ This provider works with [Docker Swarm Mode](https://docs.docker.com/engine/swar
     then that service is automatically assigned to the router.
 
     ```yaml
-    version: "3"
     services:
       my-container:
         deploy:
@@ -176,8 +175,6 @@ docker service create \
 ```
 
 ```yml tab="With Docker Compose"
-version: '3'
-
 services:
   traefik:
     # ...
@@ -208,8 +205,6 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
     The docker-compose file shares the docker sock with the Traefik container
 
     ```yaml
-    version: '3'
-
     services:
       traefik:
          image: traefik:v3.4 # The official v3 Traefik docker image

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -209,6 +209,7 @@
 - "traefik.http.services.service02.loadbalancer.healthcheck.scheme=foobar"
 - "traefik.http.services.service02.loadbalancer.healthcheck.status=42"
 - "traefik.http.services.service02.loadbalancer.healthcheck.timeout=42s"
+- "traefik.http.services.service02.loadbalancer.healthcheck.unhealthyinterval=42s"
 - "traefik.http.services.service02.loadbalancer.passhostheader=true"
 - "traefik.http.services.service02.loadbalancer.responseforwarding.flushinterval=42s"
 - "traefik.http.services.service02.loadbalancer.serverstransport=foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -84,6 +84,7 @@
           status = 42
           port = 42
           interval = "42s"
+          unhealthyInterval = "42s"
           timeout = "42s"
           hostname = "foobar"
           followRedirects = true

docs/content/reference/dynamic-configuration/file.yaml

@@ -89,6 +89,7 @@ http:
           status: 42
           port: 42
           interval: 42s
+          unhealthyInterval: 42s
           timeout: 42s
           hostname: foobar
           followRedirects: true

docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.5/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -64,12 +64,12 @@ spec:
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#rule
                       type: string
                     middlewares:
                       description: |-
                         Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-middleware
                       items:
                         description: MiddlewareRef is a reference to a Middleware
                           resource.
@@ -89,7 +89,7 @@ spec:
                     observability:
                       description: |-
                         Observability defines the observability configuration for a router.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#observability
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#observability
                       properties:
                         accessLogs:
                           type: boolean
@@ -101,7 +101,7 @@ spec:
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#priority
                       maximum: 9223372036854775000
                       type: integer
                     services:
@@ -136,7 +136,7 @@ spec:
                                 - type: integer
                                 - type: string
                                 description: |-
-                                  Interval defines the frequency of the health check calls.
+                                  Interval defines the frequency of the health check calls for healthy targets.
                                   Default: 30s
                                 x-kubernetes-int-or-string: true
                               method:
@@ -172,6 +172,15 @@ spec:
                                   Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                                   Default: 5s
                                 x-kubernetes-int-or-string: true
+                              unhealthyInterval:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                                  When UnhealthyInterval is not defined, it defaults to the Interval value.
+                                  Default: 30s
+                                x-kubernetes-int-or-string: true
                             type: object
                           kind:
                             description: Kind defines the kind of the Service.
@@ -243,7 +252,7 @@ spec:
                           sticky:
                             description: |-
                               Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
                             properties:
                               cookie:
                                 description: Cookie defines the sticky cookie configuration.
@@ -312,7 +321,7 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#rulesyntax
                         Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                       type: string
                   required:
@@ -322,18 +331,18 @@ spec:
               tls:
                 description: |-
                   TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#tls
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.4/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.5/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -352,17 +361,17 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.5/https/tls/#tls-options
                     properties:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                     required:
                     - name
@@ -379,12 +388,12 @@ spec:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                     required:
                     - name
@@ -444,7 +453,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.5/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -457,7 +466,7 @@ spec:
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#rule_1
                       type: string
                     middlewares:
                       description: Middlewares defines the list of references to MiddlewareTCP
@@ -481,7 +490,7 @@ spec:
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#priority_1
                       maximum: 9223372036854775000
                       type: integer
                     services:
@@ -523,7 +532,7 @@ spec:
                           proxyProtocol:
                             description: |-
                               ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.4/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.5/routing/services/#proxy-protocol
                             properties:
                               version:
                                 description: Version defines the PROXY Protocol version
@@ -564,7 +573,7 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#rulesyntax_1
                         Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                       enum:
                       - v3
@@ -577,18 +586,18 @@ spec:
               tls:
                 description: |-
                   TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#tls_1
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.4/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.5/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -607,7 +616,7 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.5/https/tls/#tls-options
                     properties:
                       name:
                         description: Name defines the name of the referenced Traefik
@@ -699,7 +708,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.5/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -787,7 +796,7 @@ spec:
       openAPIV3Schema:
         description: |-
           Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/overview/
         properties:
           apiVersion:
             description: |-
@@ -813,7 +822,7 @@ spec:
                 description: |-
                   AddPrefix holds the add prefix middleware configuration.
                   This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/addprefix/
                 properties:
                   prefix:
                     description: |-
@@ -828,12 +837,12 @@ spec:
                 description: |-
                   BasicAuth holds the basic auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/basicauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -854,7 +863,7 @@ spec:
                 description: |-
                   Buffering holds the buffering middleware configuration.
                   This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/buffering/#maxrequestbodybytes
                 properties:
                   maxRequestBodyBytes:
                     description: |-
@@ -886,14 +895,14 @@ spec:
                     description: |-
                       RetryExpression defines the retry conditions.
                       It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/buffering/#retryexpression
                     type: string
                 type: object
               chain:
                 description: |-
                   Chain holds the configuration of the chain middleware.
                   This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/chain/
                 properties:
                   middlewares:
                     description: Middlewares is the list of MiddlewareRef which composes
@@ -956,7 +965,7 @@ spec:
                 description: |-
                   Compress holds the compress middleware configuration.
                   This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/compress/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/compress/
                 properties:
                   defaultEncoding:
                     description: DefaultEncoding specifies the default encoding if
@@ -1006,12 +1015,12 @@ spec:
                 description: |-
                   DigestAuth holds the digest auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/digestauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -1031,7 +1040,7 @@ spec:
                 description: |-
                   ErrorPage holds the custom error middleware configuration.
                   This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/errorpages/
                 properties:
                   query:
                     description: |-
@@ -1043,7 +1052,7 @@ spec:
                   service:
                     description: |-
                       Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/errorpages/#service
                     properties:
                       healthCheck:
                         description: Healthcheck defines health checks for ExternalName
@@ -1069,7 +1078,7 @@ spec:
                             - type: integer
                             - type: string
                             description: |-
-                              Interval defines the frequency of the health check calls.
+                              Interval defines the frequency of the health check calls for healthy targets.
                               Default: 30s
                             x-kubernetes-int-or-string: true
                           method:
@@ -1105,6 +1114,15 @@ spec:
                               Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                               Default: 5s
                             x-kubernetes-int-or-string: true
+                          unhealthyInterval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                              When UnhealthyInterval is not defined, it defaults to the Interval value.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
                         type: object
                       kind:
                         description: Kind defines the kind of the Service.
@@ -1176,7 +1194,7 @@ spec:
                       sticky:
                         description: |-
                           Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
                         properties:
                           cookie:
                             description: Cookie defines the sticky cookie configuration.
@@ -1263,7 +1281,7 @@ spec:
                 description: |-
                   ForwardAuth holds the forward auth middleware configuration.
                   This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/forwardauth/
                 properties:
                   addAuthCookiesToResponse:
                     description: AddAuthCookiesToResponse defines the list of cookies
@@ -1291,7 +1309,7 @@ spec:
                   authResponseHeadersRegex:
                     description: |-
                       AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/forwardauth/#authresponseheadersregex
                     type: string
                   forwardBody:
                     description: ForwardBody defines whether to send the request body
@@ -1300,7 +1318,7 @@ spec:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/forwardauth/#headerfield
                     type: string
                   maxBodySize:
                     description: MaxBodySize defines the maximum body size in bytes
@@ -1362,7 +1380,7 @@ spec:
                 description: |-
                   Headers holds the headers middleware configuration.
                   This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/headers/#customrequestheaders
                 properties:
                   accessControlAllowCredentials:
                     description: AccessControlAllowCredentials defines whether the
@@ -1534,7 +1552,7 @@ spec:
                 description: |-
                   InFlightReq holds the in-flight request middleware configuration.
                   This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/inflightreq/
                 properties:
                   amount:
                     description: |-
@@ -1548,12 +1566,12 @@ spec:
                       SourceCriterion defines what criterion is used to group requests as originating from a common source.
                       If several strategies are defined at the same time, an error will be raised.
                       If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/inflightreq/#sourcecriterion
                     properties:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -1589,12 +1607,12 @@ spec:
                 description: |-
                   IPAllowList holds the IP allowlist middleware configuration.
                   This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/
                 properties:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -1632,7 +1650,7 @@ spec:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -1663,7 +1681,7 @@ spec:
                 description: |-
                   PassTLSClientCert holds the pass TLS client cert middleware configuration.
                   This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/passtlsclientcert/
                 properties:
                   info:
                     description: Info selects the specific client certificate details
@@ -1772,7 +1790,7 @@ spec:
                 description: |-
                   RateLimit holds the rate limit configuration.
                   This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ratelimit/
                 properties:
                   average:
                     description: |-
@@ -1891,7 +1909,7 @@ spec:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -1927,11 +1945,11 @@ spec:
                 description: |-
                   RedirectRegex holds the redirect regex middleware configuration.
                   This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/redirectregex/#regex
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                     type: boolean
                   regex:
                     description: Regex defines the regex used to match and capture
@@ -1946,11 +1964,11 @@ spec:
                 description: |-
                   RedirectScheme holds the redirect scheme middleware configuration.
                   This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/redirectscheme/
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                     type: boolean
                   port:
                     description: Port defines the port of the new URL.
@@ -1963,7 +1981,7 @@ spec:
                 description: |-
                   ReplacePath holds the replace path middleware configuration.
                   This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/replacepath/
                 properties:
                   path:
                     description: Path defines the path to use as replacement in the
@@ -1974,7 +1992,7 @@ spec:
                 description: |-
                   ReplacePathRegex holds the replace path regex middleware configuration.
                   This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/replacepathregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression used to match
@@ -1990,7 +2008,7 @@ spec:
                   Retry holds the retry middleware configuration.
                   This middleware reissues requests a given number of times to a backend server if that server does not reply.
                   As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/retry/
                 properties:
                   attempts:
                     description: Attempts defines how many times the request should
@@ -2014,7 +2032,7 @@ spec:
                 description: |-
                   StripPrefix holds the strip prefix middleware configuration.
                   This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/stripprefix/
                 properties:
                   forceSlash:
                     description: |-
@@ -2033,7 +2051,7 @@ spec:
                 description: |-
                   StripPrefixRegex holds the strip prefix regex middleware configuration.
                   This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/stripprefixregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression to match the
@@ -2070,7 +2088,7 @@ spec:
       openAPIV3Schema:
         description: |-
           MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.4/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.5/middlewares/overview/
         properties:
           apiVersion:
             description: |-
@@ -2107,7 +2125,7 @@ spec:
                 description: |-
                   IPAllowList defines the IPAllowList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/tcp/ipallowlist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of
@@ -2121,7 +2139,7 @@ spec:
                   IPWhiteList defines the IPWhiteList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
                   Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/tcp/ipwhitelist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of
@@ -2160,7 +2178,7 @@ spec:
           ServersTransport is the CRD implementation of a ServersTransport.
           If no serversTransport is specified, the default@internal will be used.
           The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.4/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.5/routing/services/#serverstransport_1
         properties:
           apiVersion:
             description: |-
@@ -2329,7 +2347,7 @@ spec:
           ServersTransportTCP is the CRD implementation of a TCPServersTransport.
           If no tcpServersTransport is specified, a default one named default@internal will be used.
           The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.4/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.5/routing/services/#serverstransport_3
         properties:
           apiVersion:
             description: |-
@@ -2474,7 +2492,7 @@ spec:
       openAPIV3Schema:
         description: |-
           TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.5/https/tls/#tls-options
         properties:
           apiVersion:
             description: |-
@@ -2499,14 +2517,14 @@ spec:
               alpnProtocols:
                 description: |-
                   ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.4/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.5/https/tls/#alpn-protocols
                 items:
                   type: string
                 type: array
               cipherSuites:
                 description: |-
                   CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.4/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.5/https/tls/#cipher-suites
                 items:
                   type: string
                 type: array
@@ -2534,7 +2552,7 @@ spec:
               curvePreferences:
                 description: |-
                   CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.4/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.5/https/tls/#curve-preferences
                 items:
                   type: string
                 type: array
@@ -2594,7 +2612,7 @@ spec:
           TLSStore is the CRD implementation of a Traefik TLS Store.
           For the time being, only the TLSStore named default is supported.
           This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.4/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.5/https/tls/#certificates-stores
         properties:
           apiVersion:
             description: |-
@@ -2692,7 +2710,7 @@ spec:
           TraefikService object allows to:
           - Apply weight to Services on load-balancing
           - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-traefikservice
         properties:
           apiVersion:
             description: |-
@@ -2741,7 +2759,7 @@ spec:
                         - type: integer
                         - type: string
                         description: |-
-                          Interval defines the frequency of the health check calls.
+                          Interval defines the frequency of the health check calls for healthy targets.
                           Default: 30s
                         x-kubernetes-int-or-string: true
                       method:
@@ -2777,6 +2795,15 @@ spec:
                           Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                           Default: 5s
                         x-kubernetes-int-or-string: true
+                      unhealthyInterval:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                          When UnhealthyInterval is not defined, it defaults to the Interval value.
+                          Default: 30s
+                        x-kubernetes-int-or-string: true
                     type: object
                   kind:
                     description: Kind defines the kind of the Service.
@@ -2826,7 +2853,7 @@ spec:
                               - type: integer
                               - type: string
                               description: |-
-                                Interval defines the frequency of the health check calls.
+                                Interval defines the frequency of the health check calls for healthy targets.
                                 Default: 30s
                               x-kubernetes-int-or-string: true
                             method:
@@ -2862,6 +2889,15 @@ spec:
                                 Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                                 Default: 5s
                               x-kubernetes-int-or-string: true
+                            unhealthyInterval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                                When UnhealthyInterval is not defined, it defaults to the Interval value.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
                           type: object
                         kind:
                           description: Kind defines the kind of the Service.
@@ -2938,7 +2974,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -3066,7 +3102,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
@@ -3163,7 +3199,7 @@ spec:
                               - type: integer
                               - type: string
                               description: |-
-                                Interval defines the frequency of the health check calls.
+                                Interval defines the frequency of the health check calls for healthy targets.
                                 Default: 30s
                               x-kubernetes-int-or-string: true
                             method:
@@ -3199,6 +3235,15 @@ spec:
                                 Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                                 Default: 5s
                               x-kubernetes-int-or-string: true
+                            unhealthyInterval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                                When UnhealthyInterval is not defined, it defaults to the Interval value.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
                           type: object
                         kind:
                           description: Kind defines the kind of the Service.
@@ -3270,7 +3315,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -3338,7 +3383,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.

docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: traefik-controller
       containers:
         - name: traefik
-          image: traefik:v3.4
+          image: traefik:v3.5
           args:
             - --entryPoints.web.address=:80
             - --entryPoints.websecure.address=:443

docs/content/reference/dynamic-configuration/kv-ref.md

@@ -2,6 +2,9 @@
 CODE GENERATED AUTOMATICALLY
 THIS FILE MUST NOT BE EDITED BY HAND
 -->
+
+| Key (Path) | Value |
+|------------|-------|
 | `traefik/http/middlewares/Middleware01/addPrefix/prefix` | `foobar` |
 | `traefik/http/middlewares/Middleware02/basicAuth/headerField` | `foobar` |
 | `traefik/http/middlewares/Middleware02/basicAuth/realm` | `foobar` |
@@ -281,6 +284,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/services/Service02/loadBalancer/healthCheck/scheme` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/healthCheck/status` | `42` |
 | `traefik/http/services/Service02/loadBalancer/healthCheck/timeout` | `42s` |
+| `traefik/http/services/Service02/loadBalancer/healthCheck/unhealthyInterval` | `42s` |
 | `traefik/http/services/Service02/loadBalancer/passHostHeader` | `true` |
 | `traefik/http/services/Service02/loadBalancer/responseForwarding/flushInterval` | `42s` |
 | `traefik/http/services/Service02/loadBalancer/servers/0/preservePath` | `true` |

docs/content/reference/dynamic-configuration/kv.md

@@ -8,6 +8,4 @@ description: "Read the technical documentation to learn the Traefik Dynamic Conf
 Dynamic configuration with KV stores.
 {: .subtitle }
 
-| Key (Path)                                                                                   | Value       |
-|----------------------------------------------------------------------------------------------|-------------|
 --8<-- "content/reference/dynamic-configuration/kv-ref.md"

docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.5/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -64,12 +64,12 @@ spec:
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#rule
                       type: string
                     middlewares:
                       description: |-
                         Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-middleware
                       items:
                         description: MiddlewareRef is a reference to a Middleware
                           resource.
@@ -89,7 +89,7 @@ spec:
                     observability:
                       description: |-
                         Observability defines the observability configuration for a router.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#observability
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#observability
                       properties:
                         accessLogs:
                           type: boolean
@@ -101,7 +101,7 @@ spec:
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#priority
                       maximum: 9223372036854775000
                       type: integer
                     services:
@@ -136,7 +136,7 @@ spec:
                                 - type: integer
                                 - type: string
                                 description: |-
-                                  Interval defines the frequency of the health check calls.
+                                  Interval defines the frequency of the health check calls for healthy targets.
                                   Default: 30s
                                 x-kubernetes-int-or-string: true
                               method:
@@ -172,6 +172,15 @@ spec:
                                   Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                                   Default: 5s
                                 x-kubernetes-int-or-string: true
+                              unhealthyInterval:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                                  When UnhealthyInterval is not defined, it defaults to the Interval value.
+                                  Default: 30s
+                                x-kubernetes-int-or-string: true
                             type: object
                           kind:
                             description: Kind defines the kind of the Service.
@@ -243,7 +252,7 @@ spec:
                           sticky:
                             description: |-
                               Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
                             properties:
                               cookie:
                                 description: Cookie defines the sticky cookie configuration.
@@ -312,7 +321,7 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#rulesyntax
                         Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                       type: string
                   required:
@@ -322,18 +331,18 @@ spec:
               tls:
                 description: |-
                   TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#tls
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.4/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.5/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -352,17 +361,17 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.5/https/tls/#tls-options
                     properties:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                     required:
                     - name
@@ -379,12 +388,12 @@ spec:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                     required:
                     - name

docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.5/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -56,7 +56,7 @@ spec:
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#rule_1
                       type: string
                     middlewares:
                       description: Middlewares defines the list of references to MiddlewareTCP
@@ -80,7 +80,7 @@ spec:
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#priority_1
                       maximum: 9223372036854775000
                       type: integer
                     services:
@@ -122,7 +122,7 @@ spec:
                           proxyProtocol:
                             description: |-
                               ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.4/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.5/routing/services/#proxy-protocol
                             properties:
                               version:
                                 description: Version defines the PROXY Protocol version
@@ -163,7 +163,7 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#rulesyntax_1
                         Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                       enum:
                       - v3
@@ -176,18 +176,18 @@ spec:
               tls:
                 description: |-
                   TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#tls_1
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.4/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.5/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -206,7 +206,7 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.5/https/tls/#tls-options
                     properties:
                       name:
                         description: Name defines the name of the referenced Traefik

docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.5/routing/entrypoints/
                   Default: all.
                 items:
                   type: string

docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/overview/
         properties:
           apiVersion:
             description: |-
@@ -45,7 +45,7 @@ spec:
                 description: |-
                   AddPrefix holds the add prefix middleware configuration.
                   This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/addprefix/
                 properties:
                   prefix:
                     description: |-
@@ -60,12 +60,12 @@ spec:
                 description: |-
                   BasicAuth holds the basic auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/basicauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -86,7 +86,7 @@ spec:
                 description: |-
                   Buffering holds the buffering middleware configuration.
                   This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/buffering/#maxrequestbodybytes
                 properties:
                   maxRequestBodyBytes:
                     description: |-
@@ -118,14 +118,14 @@ spec:
                     description: |-
                       RetryExpression defines the retry conditions.
                       It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/buffering/#retryexpression
                     type: string
                 type: object
               chain:
                 description: |-
                   Chain holds the configuration of the chain middleware.
                   This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/chain/
                 properties:
                   middlewares:
                     description: Middlewares is the list of MiddlewareRef which composes
@@ -188,7 +188,7 @@ spec:
                 description: |-
                   Compress holds the compress middleware configuration.
                   This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/compress/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/compress/
                 properties:
                   defaultEncoding:
                     description: DefaultEncoding specifies the default encoding if
@@ -238,12 +238,12 @@ spec:
                 description: |-
                   DigestAuth holds the digest auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/digestauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -263,7 +263,7 @@ spec:
                 description: |-
                   ErrorPage holds the custom error middleware configuration.
                   This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/errorpages/
                 properties:
                   query:
                     description: |-
@@ -275,7 +275,7 @@ spec:
                   service:
                     description: |-
                       Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/errorpages/#service
                     properties:
                       healthCheck:
                         description: Healthcheck defines health checks for ExternalName
@@ -301,7 +301,7 @@ spec:
                             - type: integer
                             - type: string
                             description: |-
-                              Interval defines the frequency of the health check calls.
+                              Interval defines the frequency of the health check calls for healthy targets.
                               Default: 30s
                             x-kubernetes-int-or-string: true
                           method:
@@ -337,6 +337,15 @@ spec:
                               Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                               Default: 5s
                             x-kubernetes-int-or-string: true
+                          unhealthyInterval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                              When UnhealthyInterval is not defined, it defaults to the Interval value.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
                         type: object
                       kind:
                         description: Kind defines the kind of the Service.
@@ -408,7 +417,7 @@ spec:
                       sticky:
                         description: |-
                           Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
                         properties:
                           cookie:
                             description: Cookie defines the sticky cookie configuration.
@@ -495,7 +504,7 @@ spec:
                 description: |-
                   ForwardAuth holds the forward auth middleware configuration.
                   This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/forwardauth/
                 properties:
                   addAuthCookiesToResponse:
                     description: AddAuthCookiesToResponse defines the list of cookies
@@ -523,7 +532,7 @@ spec:
                   authResponseHeadersRegex:
                     description: |-
                       AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/forwardauth/#authresponseheadersregex
                     type: string
                   forwardBody:
                     description: ForwardBody defines whether to send the request body
@@ -532,7 +541,7 @@ spec:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/forwardauth/#headerfield
                     type: string
                   maxBodySize:
                     description: MaxBodySize defines the maximum body size in bytes
@@ -594,7 +603,7 @@ spec:
                 description: |-
                   Headers holds the headers middleware configuration.
                   This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/headers/#customrequestheaders
                 properties:
                   accessControlAllowCredentials:
                     description: AccessControlAllowCredentials defines whether the
@@ -766,7 +775,7 @@ spec:
                 description: |-
                   InFlightReq holds the in-flight request middleware configuration.
                   This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/inflightreq/
                 properties:
                   amount:
                     description: |-
@@ -780,12 +789,12 @@ spec:
                       SourceCriterion defines what criterion is used to group requests as originating from a common source.
                       If several strategies are defined at the same time, an error will be raised.
                       If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/inflightreq/#sourcecriterion
                     properties:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -821,12 +830,12 @@ spec:
                 description: |-
                   IPAllowList holds the IP allowlist middleware configuration.
                   This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/
                 properties:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -864,7 +873,7 @@ spec:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -895,7 +904,7 @@ spec:
                 description: |-
                   PassTLSClientCert holds the pass TLS client cert middleware configuration.
                   This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/passtlsclientcert/
                 properties:
                   info:
                     description: Info selects the specific client certificate details
@@ -1004,7 +1013,7 @@ spec:
                 description: |-
                   RateLimit holds the rate limit configuration.
                   This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ratelimit/
                 properties:
                   average:
                     description: |-
@@ -1123,7 +1132,7 @@ spec:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -1159,11 +1168,11 @@ spec:
                 description: |-
                   RedirectRegex holds the redirect regex middleware configuration.
                   This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/redirectregex/#regex
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                     type: boolean
                   regex:
                     description: Regex defines the regex used to match and capture
@@ -1178,11 +1187,11 @@ spec:
                 description: |-
                   RedirectScheme holds the redirect scheme middleware configuration.
                   This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/redirectscheme/
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
-                      (301).
+                      (308).
                     type: boolean
                   port:
                     description: Port defines the port of the new URL.
@@ -1195,7 +1204,7 @@ spec:
                 description: |-
                   ReplacePath holds the replace path middleware configuration.
                   This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/replacepath/
                 properties:
                   path:
                     description: Path defines the path to use as replacement in the
@@ -1206,7 +1215,7 @@ spec:
                 description: |-
                   ReplacePathRegex holds the replace path regex middleware configuration.
                   This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/replacepathregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression used to match
@@ -1222,7 +1231,7 @@ spec:
                   Retry holds the retry middleware configuration.
                   This middleware reissues requests a given number of times to a backend server if that server does not reply.
                   As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/retry/
                 properties:
                   attempts:
                     description: Attempts defines how many times the request should
@@ -1246,7 +1255,7 @@ spec:
                 description: |-
                   StripPrefix holds the strip prefix middleware configuration.
                   This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/stripprefix/
                 properties:
                   forceSlash:
                     description: |-
@@ -1265,7 +1274,7 @@ spec:
                 description: |-
                   StripPrefixRegex holds the strip prefix regex middleware configuration.
                   This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/stripprefixregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression to match the

docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.4/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.5/middlewares/overview/
         properties:
           apiVersion:
             description: |-
@@ -56,7 +56,7 @@ spec:
                 description: |-
                   IPAllowList defines the IPAllowList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/tcp/ipallowlist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of
@@ -70,7 +70,7 @@ spec:
                   IPWhiteList defines the IPWhiteList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
                   Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/tcp/ipwhitelist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of

docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml

@@ -21,7 +21,7 @@ spec:
           ServersTransport is the CRD implementation of a ServersTransport.
           If no serversTransport is specified, the default@internal will be used.
           The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.4/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.5/routing/services/#serverstransport_1
         properties:
           apiVersion:
             description: |-

docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml

@@ -21,7 +21,7 @@ spec:
           ServersTransportTCP is the CRD implementation of a TCPServersTransport.
           If no tcpServersTransport is specified, a default one named default@internal will be used.
           The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.4/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.5/routing/services/#serverstransport_3
         properties:
           apiVersion:
             description: |-

docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.5/https/tls/#tls-options
         properties:
           apiVersion:
             description: |-
@@ -44,14 +44,14 @@ spec:
               alpnProtocols:
                 description: |-
                   ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.4/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.5/https/tls/#alpn-protocols
                 items:
                   type: string
                 type: array
               cipherSuites:
                 description: |-
                   CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.4/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.5/https/tls/#cipher-suites
                 items:
                   type: string
                 type: array
@@ -79,7 +79,7 @@ spec:
               curvePreferences:
                 description: |-
                   CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.4/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.5/https/tls/#curve-preferences
                 items:
                   type: string
                 type: array

docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml

@@ -21,7 +21,7 @@ spec:
           TLSStore is the CRD implementation of a Traefik TLS Store.
           For the time being, only the TLSStore named default is supported.
           This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.4/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.5/https/tls/#certificates-stores
         properties:
           apiVersion:
             description: |-

docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml

@@ -22,7 +22,7 @@ spec:
           TraefikService object allows to:
           - Apply weight to Services on load-balancing
           - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#kind-traefikservice
         properties:
           apiVersion:
             description: |-
@@ -71,7 +71,7 @@ spec:
                         - type: integer
                         - type: string
                         description: |-
-                          Interval defines the frequency of the health check calls.
+                          Interval defines the frequency of the health check calls for healthy targets.
                           Default: 30s
                         x-kubernetes-int-or-string: true
                       method:
@@ -107,6 +107,15 @@ spec:
                           Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                           Default: 5s
                         x-kubernetes-int-or-string: true
+                      unhealthyInterval:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                          When UnhealthyInterval is not defined, it defaults to the Interval value.
+                          Default: 30s
+                        x-kubernetes-int-or-string: true
                     type: object
                   kind:
                     description: Kind defines the kind of the Service.
@@ -156,7 +165,7 @@ spec:
                               - type: integer
                               - type: string
                               description: |-
-                                Interval defines the frequency of the health check calls.
+                                Interval defines the frequency of the health check calls for healthy targets.
                                 Default: 30s
                               x-kubernetes-int-or-string: true
                             method:
@@ -192,6 +201,15 @@ spec:
                                 Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                                 Default: 5s
                               x-kubernetes-int-or-string: true
+                            unhealthyInterval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                                When UnhealthyInterval is not defined, it defaults to the Interval value.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
                           type: object
                         kind:
                           description: Kind defines the kind of the Service.
@@ -268,7 +286,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -396,7 +414,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
@@ -493,7 +511,7 @@ spec:
                               - type: integer
                               - type: string
                               description: |-
-                                Interval defines the frequency of the health check calls.
+                                Interval defines the frequency of the health check calls for healthy targets.
                                 Default: 30s
                               x-kubernetes-int-or-string: true
                             method:
@@ -529,6 +547,15 @@ spec:
                                 Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                                 Default: 5s
                               x-kubernetes-int-or-string: true
+                            unhealthyInterval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                                When UnhealthyInterval is not defined, it defaults to the Interval value.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
                           type: object
                         kind:
                           description: Kind defines the kind of the Service.
@@ -600,7 +627,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.5/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -668,7 +695,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.5/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.

docs/content/reference/install-configuration/entrypoints.md

@@ -18,6 +18,10 @@ entryPoints:
           to: websecure
           scheme: https
           permanent: true
+    observability:
+      accessLogs: false
+      metrics: false
+      tracing: false
 
   websecure:
     address: :443
@@ -27,6 +31,28 @@ entryPoints:
       - strip@kubernetescrd
 ```
 
+```toml tab="File (TOML)"
+[entryPoints]
+  [entryPoints.web]
+    address = ":80"
+    [entryPoints.web.http]
+      [entryPoints.web.http.redirections]
+        entryPoint = "websecure"
+        scheme = "https"
+        permanent = true
+    [entryPoints.web.observability]
+      accessLogs = false
+      metrics = false
+      tracing = false
+      
+  [entryPoints.websecure]
+    address = ":443"
+    [entryPoints.websecure.tls]
+    [entryPoints.websecure.middlewares]
+      - auth@kubernetescrd
+      - strip@kubernetescrd
+```
+
 ```yaml tab="Helm Chart Values"
 ## Values file
 ports:
@@ -43,6 +69,9 @@ additionalArguments:
   - --entryPoints.web.http.redirections.to=websecure
   - --entryPoints.web.http.redirections.scheme=https
   - --entryPoints.web.http.redirections.permanent=true
+  - --entryPoints.web.observability.accessLogs=false
+  - --entryPoints.web.observability.metrics=false
+  - --entryPoints.web.observability.tracing=false
 ```
 
 !!! tip 
@@ -54,39 +83,39 @@ additionalArguments:
 
 ## Configuration Options
 
-| Field                                                           | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Default | Required |
-|:----------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
-| `address`                                                       | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp]`.                                                                                                                                                                                                                                                                                                                                                                                                                      | - | Yes |
-| `accessLogs`                                                    | Defines whether a router attached to this EntryPoint produces access-logs by default. Nonetheless, a router defining its own observability configuration will opt-out from this default.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | true | No |
-| `asDefault`                                                     | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault).                                                                                                                                                                                                                                                                                                                                                                                                                                       | false | No |
-| `forwardedHeaders.trustedIPs`                                   | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | - | No |
-| `forwardedHeaders.insecure`                                     | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br />We recommend to use this option only for tests purposes, not in production.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false | No |
-| `http.redirections.`<br />`entryPoint.to`                       | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br /> The target element can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | - | Yes |
-| `http.redirections.`<br />`entryPoint.scheme`                   | The target scheme to use for (permanent) redirection of all incoming requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | https | No |
-| `http.redirections.`<br />`entryPoint.permanent`                | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false | No |
-| `http.redirections.`<br />`entryPoint.priority`                 | Default priority applied to the routers attached to the `entryPoint`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | MaxInt32-1 (2147483646) | No |
-| `http.encodeQuerySemicolons`                                    | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons).                                                                                                                                                                                                                                                                                                                                               | false | No |
-| `http.sanitizePath`                                             | Defines whether to enable the request path sanitization.<br /> More information [here](#sanitizepath).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | false | No |
-| `http.middlewares`                                              | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | - | No |
-| `http.tls`                                                      | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generates by Traefik. <br /> We recommend to not use self signed certificates in production.                                                                                                                                                                                                                                                                                                                                                                                                                                                        | - | No |
-| `http.tls.options`                                              | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption).                                                                                                                                                                                                                                                                                                                                                                                                                                                   | - | No |
-| `http.tls.certResolver`                                         | Apply a certificate resolver on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../install-configuration/tls/certificate-resolvers/overview.md).                                                                                                                                                                                                                                                                                                                                                                                                                                  | - | No |
-| `http2.maxConcurrentStreams`                                    | Set the number of concurrent streams per connection that each client is allowed to initiate. <br /> The value must be greater than zero.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 250 | No |
-| `http3`                                                         | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3.                                                                                                                                                                                                                                                                                                                                                                                          | - | No |
-| `http3.advertisedPort`                                          | Set the UDP port to advertise as the HTTP/3 authority. <br /> It defaults to the entryPoint's address port. <br /> It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening.                                                                                                                                                                                                                                                                                                                                                                                                            | - | No |
-| `metrics`                                                       | Defines whether a router attached to this EntryPoint produces metrics by default. Nonetheless, a router defining its own observability configuration will opt-out from this default.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | true | No |
-| `proxyProtocol.trustedIPs`                                      | Enable PROXY protocol with Trusted IPs. <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br /> More information [here](#proxyprotocol-and-load-balancers).                                                                                                                                                                                               | - | No |
+| Field     | Description  | Default | Required |
+|:-----------------|:--------|:--------|:---------|
+| `address`      | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp] | - | Yes |
+| `asDefault`     | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault). | false | No |
+| `forwardedHeaders.trustedIPs`                                   | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`). | - | No |
+| `forwardedHeaders.insecure`                                     | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br />We recommend to use this option only for tests purposes, not in production. | false | No |
+| `http.redirections.`<br />`entryPoint.to`                       | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br /> The target element can be an entry point name (ex: `websecure`), or a port (`:443`). | - | Yes |
+| `http.redirections.`<br />`entryPoint.scheme`                   | The target scheme to use for (permanent) redirection of all incoming requests.  | https | No |
+| `http.redirections.`<br />`entryPoint.permanent`                | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`). | false | No |
+| `http.redirections.`<br />`entryPoint.priority`                 | Default priority applied to the routers attached to the `entryPoint`.| MaxInt32-1 (2147483646) | No |
+| `http.encodeQuerySemicolons`                                    | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons). | false | No |
+| `http.sanitizePath`                                             | Defines whether to enable the request path sanitization.<br /> More information [here](#sanitizepath).      | false | No |
+| `http.middlewares`                                              | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares).   | - | No |
+| `http.tls`                                                      | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generates by Traefik. <br /> We recommend to not use self signed certificates in production.| - | No |
+| `http.tls.options`                                              | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption). | - | No |
+| `http.tls.certResolver`                                         | Apply a certificate resolver on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../install-configuration/tls/certificate-resolvers/overview.md).   | - | No |
+| `http2.maxConcurrentStreams`                                    | Set the number of concurrent streams per connection that each client is allowed to initiate. <br /> The value must be greater than zero. | 250 | No |
+| `http3`                                                         | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3.    | - | No |
+| `http3.advertisedPort`                                          | Set the UDP port to advertise as the HTTP/3 authority. <br /> It defaults to the entryPoint's address port. <br /> It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening.  | - | No |
+| `observability.accessLogs`                                    | Defines whether a router attached to this EntryPoint produces access-logs by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
+| `observability.metrics`                                       | Defines whether a router attached to this EntryPoint produces metrics by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
+| `observability.tracing`                                       | Defines whether a router attached to this EntryPoint produces traces by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
+| `proxyProtocol.trustedIPs`                                      | Enable PROXY protocol with Trusted IPs. <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br /> More information [here](#proxyprotocol-and-load-balancers).    | - | No |
 | `proxyProtocol.insecure`                                        | Enable PROXY protocol trusting every incoming connection. <br /> Every remote client address will be replaced (`trustedIPs`) won't have any effect). <br /> Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. <br /> If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. <br /> If the PROXY protocol header is passed, then the version is determined automatically.<br />We recommend to use this option only for tests purposes, not in production.<br /> More information [here](#proxyprotocol-and-load-balancers). | - | No |
-| `reusePort`                                                     | Enable `entryPoints` from the same or different processes listening on the same TCP/UDP port by utilizing the `SO_REUSEPORT` socket option. <br /> It also allows the kernel to act like a load balancer to distribute incoming connections between entry points..<br /> More information [here](#reuseport).                                                                                                                                                                                                                                                                                                                                                                       | false | No |
-| `tracing`                                                       | Defines whether a router attached to this EntryPoint produces traces by default. Nonetheless, a router defining its own observability configuration will opt-out from this default.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | true | No |
-| `transport.`<br />`respondingTimeouts.`<br />`readTimeout`      | Set the timeouts for incoming requests to the Traefik instance. This is the maximum duration for reading the entire request, including the body. Setting them has no effect for UDP `entryPoints`.<br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds.                                                                                                                                                                                                                                | 60s (seconds) | No |
-| `transport.`<br />`respondingTimeouts.`<br />`writeTimeout`     | Maximum duration before timing out writes of the response. <br /> It covers the time from the end of the request header read to the end of the response write. <br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds.                                                                                                                                                                                                                                                                   | 0s (seconds) | No |
-| `transport.`<br />`respondingTimeouts.`<br />`idleTimeout`      | Maximum duration an idle (keep-alive) connection will remain idle before closing itself. <br /> If zero, no timeout exists <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds                                                                                                                                                                                                                                                                                                                                           | 180s (seconds) | No |
-| `transport.`<br />`lifeCycle.`<br />`graceTimeOut`              | Set the duration to give active requests a chance to finish before Traefik stops. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds <br /> In this time frame no new requests are accepted.                                                                                                                                                                                                                                                                                                                            | 10s (seconds) | No |
-| `transport.`<br />`lifeCycle.`<br />`requestAcceptGraceTimeout` | Set the duration to keep accepting requests prior to initiating the graceful termination period (as defined by the `transportlifeCycle.graceTimeOut` option). <br /> This option is meant to give downstream load-balancers sufficient time to take Traefik out of rotation. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds                                                                                                                                                                                         | 0s (seconds) | No |
-| `transport.`<br />`keepAliveMaxRequests`                        | Set the maximum number of requests Traefik can handle before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). <br /> Zero means no limit.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | 0 | No |
-| `transport.`<br />`keepAliveMaxTime`                            | Set the maximum duration Traefik can handle requests before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). Zero means no limit.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 0s (seconds) | No |
-| `udp.timeout`                                                   | Define how long to wait on an idle session before releasing the related resources. <br />The Timeout value must be greater than zero.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 3s (seconds)| No |
+| `reusePort`              | Enable `entryPoints` from the same or different processes listening on the same TCP/UDP port by utilizing the `SO_REUSEPORT` socket option. <br /> It also allows the kernel to act like a load balancer to distribute incoming connections between entry points..<br /> More information [here](#reuseport).   | false | No |
+| `transport.`<br />`respondingTimeouts.`<br />`readTimeout`      | Set the timeouts for incoming requests to the Traefik instance. This is the maximum duration for reading the entire request, including the body. Setting them has no effect for UDP `entryPoints`.<br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds.   | 60s (seconds) | No |
+| `transport.`<br />`respondingTimeouts.`<br />`writeTimeout`     | Maximum duration before timing out writes of the response. <br /> It covers the time from the end of the request header read to the end of the response write. <br /> If zero, no timeout exists. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds.  | 0s (seconds) | No |
+| `transport.`<br />`respondingTimeouts.`<br />`idleTimeout`      | Maximum duration an idle (keep-alive) connection will remain idle before closing itself. <br /> If zero, no timeout exists <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds | 180s (seconds) | No |
+| `transport.`<br />`lifeCycle.`<br />`graceTimeOut`              | Set the duration to give active requests a chance to finish before Traefik stops. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds <br /> In this time frame no new requests are accepted. | 10s (seconds) | No |
+| `transport.`<br />`lifeCycle.`<br />`requestAcceptGraceTimeout` | Set the duration to keep accepting requests prior to initiating the graceful termination period (as defined by the `transportlifeCycle.graceTimeOut` option). <br /> This option is meant to give downstream load-balancers sufficient time to take Traefik out of rotation. <br />Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).<br />If no units are provided, the value is parsed assuming seconds  | 0s (seconds) | No |
+| `transport.`<br />`keepAliveMaxRequests`                        | Set the maximum number of requests Traefik can handle before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). <br /> Zero means no limit. | 0 | No |
+| `transport.`<br />`keepAliveMaxTime`                            | Set the maximum duration Traefik can handle requests before sending a `Connection: Close` header to the client (for HTTP2, Traefik sends a GOAWAY). Zero means no limit.  | 0s (seconds) | No |
+| `udp.timeout`                                                   | Define how long to wait on an idle session before releasing the related resources. <br />The Timeout value must be greater than zero. | 3s (seconds)| No |
 
 ### asDefault
 

docs/content/reference/install-configuration/observability/healthcheck.md

@@ -27,6 +27,16 @@ $ traefik healthcheck
 OK: http://:8082/ping
 ```
 
+### URL Option
+
+The URL to check can be specified with the `--url` flag, which defaults to `http://localhost:8080/ping`.
+
+Example:
+
+```sh
+traefik healthcheck --url=http://localhost:8080/ping
+```
+
 ## Ping
 
 The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.

docs/content/reference/install-configuration/observability/logs-and-accesslogs.md

@@ -199,11 +199,9 @@ It is possible to configure the Traefik to timestamp in a specific timezone by e
 Example utilizing Docker Compose:
 
 ```yaml
-version: "3.7"
-
 services:
   traefik:
-    image: traefik:v3.4
+    image: traefik:v3.5
     environment:
       - TZ=US/Alaska
     command:

docs/content/reference/install-configuration/providers/docker.md

@@ -29,7 +29,6 @@ providers:
 Attach labels to containers (in your Docker compose file)
 
 ```yaml
-version: "3"
 services:
   my-container:
     # ...
@@ -67,8 +66,6 @@ See the [Docker API Access](#docker-api-access) section for more information.
     The docker-compose file shares the docker sock with the Traefik container
 
     ```yaml
-    version: '3'
-
     services:
       traefik:
          image: traefik:v3.1 # The official v3 Traefik docker image

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md

@@ -20,10 +20,10 @@ When you install Traefik without using the Helm Chart, or when you are upgrading
 
 ```bash
 # Install Traefik Resource Definitions:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
 
 # Install RBAC for Traefik:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 ```
 
 ## Configuration Example

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md

@@ -8,11 +8,11 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specification from the Kubernetes Special Interest Groups (SIGs).
 
-This provider supports Standard version [v1.2.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.1) of the Gateway API specification.
+This provider supports Standard version [v1.3.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.3.0) of the Gateway API specification.
 
 It fully supports all HTTP core and some extended features, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
 
-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.2.1/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.3.0/traefik-traefik).
 
 !!! info "Using The Helm Chart"
 
@@ -27,14 +27,14 @@ For more details, check out the conformance [report](https://github.com/kubernet
 
     ```bash
     # Install Gateway API CRDs from the Standard channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml
     ```
 
 2. Install/update the Traefik [RBAC](../../../dynamic-configuration/kubernetes-gateway-rbac.yml).
 
     ```bash
     # Install Traefik RBACs.
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
     ```
 
 ## Configuration Example

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md

@@ -0,0 +1,112 @@
+---
+title: "Traefik Kubernetes Ingress NGINX Documentation"
+description: "Understand the requirements, routing configuration, and how to set up the Kubernetes Ingress NGINX provider. Read the technical documentation."
+---
+
+# Traefik & Ingresses with NGINX Annotations 
+
+The experimental Traefik Kubernetes Ingress NGINX provider is a Kubernetes Ingress controller; i.e,
+it manages access to cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
+It also supports some of the [ingress-nginx](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) annotations on ingresses to customize their behavior.
+
+!!! warning "Ingress Discovery"
+
+    The Kubernetes Ingress NGINX provider is discovering by default all Ingresses in the cluster,
+    which may lead to duplicated routers if you are also using the Kubernetes Ingress provider.
+    We recommend to use IngressClass for the Ingresses you want to be handled by this provider,
+    or to use the `watchNamespace` or `watchNamespaceSelector` options to limit the discovery of Ingresses to a specific namespace or set of namespaces.
+
+## Configuration Example
+
+As this provider is an experimental feature, it needs to be enabled in the experimental and in the provider sections of the configuration.
+You can enable the Kubernetes Ingress NGINX provider as detailed below:
+
+```yaml tab="File (YAML)"
+experimental:
+  kubernetesIngressNGINX: true
+
+providers:
+  kubernetesIngressNGINX: {}
+```
+
+```toml tab="File (TOML)"
+[experimental.kubernetesIngressNGINX]
+
+[providers.kubernetesIngressNGINX]
+```
+
+```bash tab="CLI"
+--experimental.kubernetesingressnginx=true
+--providers.kubernetesingressnginx=true
+```
+
+The provider then watches for incoming ingresses events, such as the example below,
+and derives the corresponding dynamic configuration from it,
+which in turn creates the resulting routers, services, handlers, etc.
+
+## Configuration Options
+<!-- markdownlint-disable MD013 -->
+
+| Field                                                       | Description                                                                                                                                                                                                                                                                                                                                                                          | Default | Required |
+|:------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `providers.providersThrottleDuration`                       | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No       |
+| `providers.kubernetesIngressNGINX.endpoint`                 | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                        | ""      | No       |
+| `providers.kubernetesIngressNGINX.token`                    | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                           | ""      | No       |
+| `providers.kubernetesIngressNGINX.certAuthFilePath`         | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                           | ""      | No       |
+| `providers.kubernetesIngressNGINX.throttleDuration`         | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                           | 0s      | No       |
+| `providers.kubernetesIngressNGINX.watchNamespace`           | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.                                                                                                                                                                                                                                                      | ""      | No       |
+| `providers.kubernetesIngressNGINX.watchNamespaceSelector`   | Selector selects namespaces the controller watches for updates to Kubernetes objects.                                                                                                                                                                                                                                                                                                | ""      | No       |
+| `providers.kubernetesIngressNGINX.ingressClass`             | Name of the ingress class this controller satisfies.                                                                                                                                                                                                                                                                                                                                 | ""      | No       |
+| `providers.kubernetesIngressNGINX.controllerClass`          | Ingress Class Controller value this controller satisfies.                                                                                                                                                                                                                                                                                                                            | ""      | No       |
+| `providers.kubernetesIngressNGINX.watchIngressWithoutClass` | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified.                                                                                                                                                                                                                                                                    | false   | No       |
+| `providers.kubernetesIngressNGINX.ingressClassByName`       | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class.                                                                                                                                                                                                                                                                                  | false   | No       |
+| `providers.kubernetesIngressNGINX.publishService`           | Service fronting the Ingress controller. Takes the form namespace/name.                                                                                                                                                                                                                                                                                                              | ""      | No       |
+| `providers.kubernetesIngressNGINX.publishStatusAddress`     | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.                                                                                                                                                                                                                                               | ""      | No       |
+| `providers.kubernetesIngressNGINX.defaultBackendService`    | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'.                                                                                                                                                                                                                                                                 | ""      | No       |
+| `providers.kubernetesIngressNGINX.disableSvcExternalName`   | Disable support for Services of type ExternalName.                                                                                                                                                                                                                                                                                                                                   | false   | No       |
+
+<!-- markdownlint-enable MD013 -->
+
+### `endpoint`
+
+The Kubernetes server endpoint URL.
+
+When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST`
+and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
+
+The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token`
+and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+Both are mounted automatically when deployed inside Kubernetes.
+
+The endpoint may be specified to override the environment variable values inside
+a cluster.
+
+When the environment variables are not found, Traefik tries to connect to the 
+Kubernetes API server with an external-cluster client.
+
+In this case, the endpoint is required.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes
+cluster using the granted authentication and authorization of the associated kubeconfig.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngressNGINX:
+    endpoint: "http://localhost:8080"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngressNGINX]
+  endpoint = "http://localhost:8080"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingressnginx.endpoint=http://localhost:8080
+```
+
+## Routing Configuration
+
+See the dedicated section in [routing](../../../routing-configuration/kubernetes/ingress-nginx.md).
+
+{!traefik-for-business-applications.md!}

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md

@@ -8,6 +8,11 @@ description: "Understand the requirements, routing configuration, and how to set
 The Traefik Kubernetes Ingress provider is a Kubernetes Ingress controller; i.e,
 it manages access to cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
 
+??? warning "Ingress Backend Resource not supported"
+
+    Referencing backend service endpoints using [`spec.rules.http.paths.backend.resource`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressBackend) is not supported.
+    Use `spec.rules.http.paths.backend.service` instead.
+
 ## Configuration Example
 
 You can enable the `kubernetesIngress` provider as detailed below:
@@ -58,6 +63,7 @@ which in turn creates the resulting routers, services, handlers, etc.
 | `providers.kubernetesIngress.allowExternalNameServices`                | Allows the `Ingress` to reference ExternalName services.                                                                                                                                                                                                                                                                                                                                                                                                               | false   | No       |
 | `providers.kubernetesIngress.nativeLBByDefault`                        | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `Ingress` by default.<br />It can br overridden in the [`ServerTransport`](../../../../routing/services/index.md#serverstransport).                                                                                                                                                                                                                | false   | No       |
 | `providers.kubernetesIngress.disableClusterScopeResources`             | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik  will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services. | false   | No       |
+| `providers.kubernetesIngress.strictPrefixMatching`                     | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). For example, a PathPrefix of `/foo` will match `/foo`, `/foo/`, and `/foo/bar` but not `/foobar`.                                                                                                                                                                                                       | false   | No       |
 
 <!-- markdownlint-enable MD013 -->
 

docs/content/reference/install-configuration/providers/swarm.md

@@ -33,7 +33,6 @@ When there is only one service, and the router does not specify a service,
 then that service is automatically assigned to the router.
 
 ```yaml tab="Labels"
-version: "3"
 services:
   my-container:
     deploy:
@@ -73,8 +72,6 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
     The docker-compose file shares the docker sock with the Traefik container
 
     ```yaml
-    version: '3'
-
     services:
       traefik:
          image: traefik:v3.1 # The official v3 Traefik docker image
@@ -405,8 +402,6 @@ docker service create \
 ```
 
 ```yml tab="With Docker Compose"
-version: '3'
-
 services:
   traefik:
     # ...

docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md

@@ -73,27 +73,30 @@ certificatesResolvers:
 
 ACME certificate resolvers have the following configuration options:
 
-| Field   | Description  | Default    | Required |
-|:------------------|:--------------------|:-----------------------------------------------|:---------|
-| `acme.email` | Email address used for registration. | ""  | Yes      |
-| `acme.caServer` | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No       |
-| `acme.preferredChain`  | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | ""  | No  |
-| `acme.keyType` | KeyType to use. | "RSA4096"  | No       |
-| `acme.eab` | Enable external account binding.|   | No  |
-| `acme.eab.kid` | Key identifier from External CA. | "" | No |
-| `acme.eab.hmacEncoded`  | HMAC key from External CA, should be in Base64 URL Encoding without padding format.  | "" | No    |
-| `acme.certificatesDuration`  | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160  | No       |
-| `acme.dnsChallenge`  | Enable DNS-01 challenge. More information [here](#dnschallenge).   | - | No       |
-| `acme.dnsChallenge.provider`    | DNS provider to use.  | "" | No   |
-| `acme.dnsChallenge.resolvers` | DNS servers to resolve the FQDN authority.   |  [] | No       |
-| `acme.dnsChallenge.propagation.delayBeforeChecks`  | By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds. This is Useful if internal networks block external DNS queries. | 0s  | No  |
-| `acme.dnsChallenge.propagation.disableChecks`  | Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. Please note that disabling checks can prevent the challenge from succeeding. | false | No  |
-| `acme.dnsChallenge.propagation.requireAllRNS`  | Enables the challenge TXT record to be propagated to all recursive nameservers. If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`), it is recommended to check all recursive nameservers instead. | false  | No  |
-| `acme.dnsChallenge.propagation.disableANSChecks`  | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable. |  false | No  |
-| `acme.httpChallenge`    | Enable HTTP-01 challenge. More information [here](#httpchallenge).   |  | No   |
-| `acme.httpChallenge.entryPoint`  | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 |  ""  | Yes      |
-| `acme.tlsChallenge` | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | -  | No   |
-| `acme.storage`  | File path used for certificates storage.  |   "acme.json"   | Yes      |
+| Field                                             | Description                                                                                                                                                                                                                                                                                                                | Default                                        | Required |
+|:--------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------|:---------|
+| `acme.email`                                      | Email address used for registration.                                                                                                                                                                                                                                                                                       | ""                                             | Yes      |
+| `acme.caServer`                                   | CA server to use.                                                                                                                                                                                                                                                                                                          | https://acme-v02.api.letsencrypt.org/directory | No       |
+| `acme.preferredChain`                             | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.                                                                                                                              | ""                                             | No       |
+| `acme.keyType`                                    | KeyType to use.                                                                                                                                                                                                                                                                                                            | "RSA4096"                                      | No       |
+| `acme.eab`                                        | Enable external account binding.                                                                                                                                                                                                                                                                                           |                                                | No       |
+| `acme.eab.kid`                                    | Key identifier from External CA.                                                                                                                                                                                                                                                                                           | ""                                             | No       |
+| `acme.eab.hmacEncoded`                            | HMAC key from External CA, should be in Base64 URL Encoding without padding format.                                                                                                                                                                                                                                        | ""                                             | No       |
+| `acme.certificatesDuration`                       | The certificates' duration in hours, exclusively used to determine renewal dates.                                                                                                                                                                                                                                          | 2160                                           | No       |
+| `acme.clientTimeout`  | Timeout for HTTP Client used to communicate with the ACME server. | 2m  | No       |
+| `acme.clientResponseHeaderTimeout`  | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s  | No       |
+| `acme.dnsChallenge`                               | Enable DNS-01 challenge. More information [here](#dnschallenge).                                                                                                                                                                                                                                                           | -                                              | No       |
+| `acme.dnsChallenge.provider`                      | DNS provider to use.                                                                                                                                                                                                                                                                                                       | ""                                             | No       |
+| `acme.dnsChallenge.resolvers`                     | DNS servers to resolve the FQDN authority.                                                                                                                                                                                                                                                                                 | []                                             | No       |
+| `acme.dnsChallenge.propagation.delayBeforeChecks` | By default, the provider will verify the TXT DNS challenge record before letting ACME verify. If `delayBeforeCheck` is greater than zero, this check is delayed for the configured duration in seconds. This is Useful if internal networks block external DNS queries.                                                    | 0s                                             | No       |
+| `acme.dnsChallenge.propagation.disableChecks`     | Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. Please note that disabling checks can prevent the challenge from succeeding.                                                                                                                                  | false                                          | No       |
+| `acme.dnsChallenge.propagation.requireAllRNS`     | Enables the challenge TXT record to be propagated to all recursive nameservers. If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`), it is recommended to check all recursive nameservers instead.                                                                                 | false                                          | No       |
+| `acme.dnsChallenge.propagation.disableANSChecks`  | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable.                                                          | false                                          | No       |
+| `acme.httpChallenge`                              | Enable HTTP-01 challenge. More information [here](#httpchallenge).                                                                                                                                                                                                                                                         |                                                | No       |
+| `acme.httpChallenge.entryPoint`                   | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80                                                                                                                                                                                                                           | ""                                             | Yes      |
+| `acme.httpChallenge.delay`                        | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay.                                                                                                                                                                                                    | 0                                              | No       |
+| `acme.tlsChallenge`                               | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge).                                                                                                                                                                                         | -                                              | No       |
+| `acme.storage`                                    | File path used for certificates storage.                                                                                                                                                                                                                                                                                   | "acme.json"                                    | Yes      |
 
 ## Automatic Certificate Renewal
 

docs/content/reference/install-configuration/tls/ocsp.md

@@ -0,0 +1,71 @@
+---
+title: "Traefik OCSP Documentation"
+description: "Learn how to configure Traefik to use OCSP. Read the technical documentation."
+---
+
+# OCSP
+
+Check certificate status and perform OCSP stapling.
+{: .subtitle }
+
+## Overview
+
+### OCSP Stapling
+
+When OCSP is enabled, Traefik checks the status of every certificate in the store that provides an OCSP responder URL,
+including the default certificate, and staples the OCSP response to the TLS handshake.
+The OCSP check is performed when the certificate is loaded,
+and once every hour until it is successful at the halfway point before the update date.
+
+### Caching
+
+Traefik caches the OCSP response as long as the associated certificate is provided by the configuration.
+When a certificate is no longer provided,
+the OCSP response has a 24 hour TTL waiting to be provided again or eventually removed.
+The OCSP response is cached in memory and is not persisted between Traefik restarts.
+
+## Configuration
+
+### General
+
+Enabling OCSP is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+It can be defined by using a file (YAML or TOML) or CLI arguments:
+
+```yaml tab="File (YAML)"
+## Static configuration
+ocsp: {}
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[ocsp]
+```
+
+```bash tab="CLI"
+## Static configuration
+--ocsp=true
+```
+
+### Responder Overrides
+
+The `responderOverrides` option defines the OCSP responder URLs to use instead of the one provided by the certificate.
+This is useful when you want to use a different OCSP responder.
+
+```yaml tab="File (YAML)"
+## Static configuration
+ocsp:
+  responderOverrides:
+    foo: bar
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[ocsp]
+  [ocsp.responderOverrides]
+    foo = "bar"
+```
+
+```bash tab="CLI"
+## Static configuration
+-ocsp.responderoverrides.foo=bar
+```

docs/content/reference/routing-configuration/dynamic-configuration-methods.md

@@ -72,8 +72,6 @@ When using Docker or Amazon ECS, you can define routing configuration using cont
     When deploying a Docker container, you can specify labels to define routing rules and services:
 
     ```yaml
-    version: '3'
-
     services:
       my-service:
         image: my-image

docs/content/reference/routing-configuration/http/load-balancing/service.md

@@ -1,7 +1,7 @@
 ---
 title: "Traefik HTTP Services Documentation"
 description: "A service is in charge of connecting incoming requests to the Servers that can handle them. Read the technical documentation."
---- 
+---
 
 ## Service Load Balancer
 
@@ -70,7 +70,6 @@ labels:
 
 ```json tab="Tags"
 {
-  // ...
   "Tags": [
     "traefik.http.services.my-service.loadBalancer.servers[0].url=http://private-ip-server-1/",
     "traefik.http.services.my-service.loadBalancer.servers[0].weight=2",
@@ -88,15 +87,15 @@ labels:
 
 ### Configuration Options
 
-| Field | Description                                 | Required |
-|----------|------------------------------------------|----------|
-|`servers`| Represents individual backend instances for your service | Yes |
-|`sticky`| Defines a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response. | No |
-|`healthcheck`| Configures health check to remove unhealthy servers from the load balancing rotation. | No |
-|`passHostHeader`| Allows forwarding of the client Host header to server. By default, `passHostHeader` is true. | No |
-|`serversTransport`| Allows to reference an [HTTP ServersTransport](./serverstransport.md) configuration for the communication between Traefik and your servers. If no `serversTransport` is specified, the `default@internal` will be used. | No |
-| `responseForwarding` | Configures how Traefik forwards the response from the backend server to the client.| No |
-| `responseForwarding.FlushInterval` | Specifies the interval in between flushes to the client while copying the response body. It is a duration in milliseconds, defaulting to 100ms. A negative value means to flush immediately after each write to the client. The `FlushInterval` is ignored when ReverseProxy recognizes a response as a streaming response; for such responses, writes are flushed to the client immediately. | No |
+| Field                              | Description                                                                                                                                                                                                                                                                                                                                                                                   | Required |
+|------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `servers`                          | Represents individual backend instances for your service                                                                                                                                                                                                                                                                                                                                      | Yes      |
+| `sticky`                           | Defines a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.                                                                                                                                                                                                                                                                  | No       |
+| `healthcheck`                      | Configures health check to remove unhealthy servers from the load balancing rotation.                                                                                                                                                                                                                                                                                                         | No       |
+| `passHostHeader`                   | Allows forwarding of the client Host header to server. By default, `passHostHeader` is true.                                                                                                                                                                                                                                                                                                  | No       |
+| `serversTransport`                 | Allows to reference an [HTTP ServersTransport](./serverstransport.md) configuration for the communication between Traefik and your servers. If no `serversTransport` is specified, the `default@internal` will be used.                                                                                                                                                                       | No       |
+| `responseForwarding`               | Configures how Traefik forwards the response from the backend server to the client.                                                                                                                                                                                                                                                                                                           | No       |
+| `responseForwarding.FlushInterval` | Specifies the interval in between flushes to the client while copying the response body. It is a duration in milliseconds, defaulting to 100ms. A negative value means to flush immediately after each write to the client. The `FlushInterval` is ignored when ReverseProxy recognizes a response as a streaming response; for such responses, writes are flushed to the client immediately. | No       |
 
 #### Servers
 
@@ -104,11 +103,11 @@ Servers represent individual backend instances for your service. The [service lo
 
 ##### Configuration Options
 
-| Field | Description                                 | Required |
-|----------|------------------------------------------|----------|
-|`url`| Points to a specific instance. | Yes for File provider, No for [Docker provider](../../other-providers/docker.md) |
-|`weight`| Allows for weighted load balancing on the servers. | No |
-|`preservePath`| Allows to preserve the URL path. | No |
+| Field          | Description                                        | Required                                                                         |
+|----------------|----------------------------------------------------|----------------------------------------------------------------------------------|
+| `url`          | Points to a specific instance.                     | Yes for File provider, No for [Docker provider](../../other-providers/docker.md) |
+| `weight`       | Allows for weighted load balancing on the servers. | No                                                                               |
+| `preservePath` | Allows to preserve the URL path.                   | No                                                                               |
 
 #### Health Check
 
@@ -118,20 +117,21 @@ To propagate status changes (e.g. all servers of this service are down) upwards,
 
 Below are the available options for the health check mechanism:
 
-| Field | Description                                 | Default | Required |
-|----------|------------------------------------------|----------|--------|
-|`path`| Defines the server URL path for the health check endpoint. | "" | Yes |
-|`scheme`| Replaces the server URL scheme for the health check endpoint. | | No |
-|`mode`| If defined to `grpc`, will use the gRPC health check protocol to probe the server. | http | No |
-|`hostname`| Defines the value of hostname in the Host header of the health check request. | "" | No |
-|`port`| Replaces the server URL port for the health check endpoint. |  | No |
-|`interval`| Defines the frequency of the health check calls. | 30s | No |
-|`timeout`| Defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. | 5s | No |
-|`headers`| Defines custom headers to be sent to the health check endpoint. | | No |
-|`followRedirects`| Defines whether redirects should be followed during the health check calls. | true | No |
-|`hostname`| Defines the value of hostname in the Host header of the health check request. | "" | No |
-|`method`| Defines the HTTP method that will be used while connecting to the endpoint. | GET | No |
-|`status`| Defines the expected HTTP status code of the response to the health check request. | | No |
+| Field               | Description                                                                                                                   | Default | Required |
+|---------------------|-------------------------------------------------------------------------------------------------------------------------------|---------|----------|
+| `path`              | Defines the server URL path for the health check endpoint.                                                                    | ""      | Yes      |
+| `scheme`            | Replaces the server URL scheme for the health check endpoint.                                                                 |         | No       |
+| `mode`              | If defined to `grpc`, will use the gRPC health check protocol to probe the server.                                            | http    | No       |
+| `hostname`          | Defines the value of hostname in the Host header of the health check request.                                                 | ""      | No       |
+| `port`              | Replaces the server URL port for the health check endpoint.                                                                   |         | No       |
+| `interval`          | Defines the frequency of the health check calls for healthy targets.                                                          | 30s     | No       |
+| `unhealthyInterval` | Defines the frequency of the health check calls for unhealthy targets. When not defined, it defaults to the `interval` value. | 30s     | No       |
+| `timeout`           | Defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.            | 5s      | No       |
+| `headers`           | Defines custom headers to be sent to the health check endpoint.                                                               |         | No       |
+| `followRedirects`   | Defines whether redirects should be followed during the health check calls.                                                   | true    | No       |
+| `hostname`          | Defines the value of hostname in the Host header of the health check request.                                                 | ""      | No       |
+| `method`            | Defines the HTTP method that will be used while connecting to the endpoint.                                                   | GET     | No       |
+| `status`            | Defines the expected HTTP status code of the response to the health check request.                                            |         | No       |
 
 ## Weighted Round Robin (WRR)
 
@@ -265,6 +265,10 @@ http:
 
 The mirroring is able to mirror requests sent to a service to other services. Please note that by default the whole request is buffered in memory while it is being mirrored. See the `maxBodySize` option in the example below for how to modify this behaviour. You can also omit the request body by setting the `mirrorBody` option to false.
 
+!!! warning "Default behavior of `percent`"
+
+    When configuring a `mirror` service, if the `percent` field is not set, it defaults to `0`, meaning **no traffic will be sent to the mirror**.
+    
 !!! info "Supported Providers"
 
     This strategy can be defined currently with the [File](../../../install-configuration/providers/others/file.md) or [IngressRoute](../../../install-configuration/providers/kubernetes/kubernetes-ingress.md) providers.
@@ -285,6 +289,8 @@ http:
         maxBodySize: 1024
         mirrors:
         - name: appv2
+          # Percent defines the percentage of requests that should be mirrored.
+          # Default value is 0, which means no traffic will be sent to the mirror.
           percent: 10
 
     appv1:

docs/content/reference/routing-configuration/http/middlewares/circuitbreaker.md

@@ -113,8 +113,8 @@ Here is the list of supported operators:
 
 ### Fallback mechanism
 
-The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.  
-This behavior cannot be configured.
+By default the fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.  
+The response code can be configured.
 
 ## State
 

docs/content/reference/routing-configuration/kubernetes/crd/http/ingressroute.md

@@ -74,56 +74,57 @@ spec:
 
 ## Configuration Options
 
-| Field | Description                                               | Default              | Required |
-|:------|:----------------------------------------------------------|:---------------------|:---------|
-| `entryPoints` | List of [entry points](../../../../install-configuration/entrypoints.md) names.<br />If not specified, HTTP routers will accept requests from all EntryPoints in the list of default EntryPoints. |  | No |
-| `routes`        | List of routes. | | Yes |
-| `routes[n].kind`        | Kind of router matching, only `Rule` is allowed yet. | "Rule" | No |
-| `routes[n].match`       | Defines the [rule](../../../http/router/rules-and-priority.md#rules) corresponding to an underlying router. | | Yes |
-| `routes[n].priority`    | Defines the [priority](../../../http/router/rules-and-priority.md#priority-calculation) to disambiguate rules of the same length, for route matching.<br />If not set, the priority is directly equal to the length of the rule, and so the longest length has the highest priority.<br />A value of `0` for the priority is ignored, the default rules length sorting is used. | 0  | No |
-| `routes[n].middlewares` | List of middlewares to attach to the IngressRoute. <br />More information [here](#middleware). | "" | No |
-| `routes[n].`<br />`middlewares[m].`<br />`name` | Middleware name.<br />The character `@` is not authorized. <br />More information [here](#middleware). |  | Yes |
-| `routes[n].`<br />`middlewares[m].`<br />`namespace` | Middleware namespace.<br />Can be empty if the middleware belongs to the same namespace as the IngressRoute. <br />More information [here](#middleware). | | No |
-| `routes[n].`<br />`observability.`<br />`accesslogs` | Defines whether the route will produce [access-logs](../../../../install-configuration/observability/logs-and-accesslogs.md). See [here](../../../http/router/observability.md) for more information. | false | No |
-| `routes[n].`<br />`observability.`<br />`metrics` | Defines whether the route will produce [metrics](../../../../install-configuration/observability/metrics.md). See [here](../../../http/router/observability.md) for more information. | false | No |
-| `routes[n].`<br />`observability.`<br />`tracing` | Defines whether the route will produce [traces](../../../../install-configuration/observability/tracing.md). See [here](../../../http/router/observability.md) for more information. | false | No |
-| `routes[n].`<br />`services` | List of any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />More information [here](#externalname-service). |  | No |
-| `routes[n].`<br />`services[m].`<br />`kind` | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> **TraefikService**: Traefik Service.<br />More information [here](#externalname-service). | "Service" | No |
-| `routes[n].`<br />`services[m].`<br />`name` | Service name.<br />The character `@` is not authorized. <br />More information [here](#middleware). |  | Yes |
-| `routes[n].`<br />`services[m].`<br />`namespace` | Service namespace.<br />Can be empty if the service belongs to the same namespace as the IngressRoute. <br />More information [here](#externalname-service). | | No |
-| `routes[n].`<br />`services[m].`<br />`port` | Service port (number or port name).<br />Evaluated only if the kind is **Service**. | | No |
-| `routes[n].`<br />`services[m].`<br />`responseForwarding.`<br />`flushInterval` | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**. | 100ms | No |
-| `routes[n].`<br />`services[m].`<br />`scheme` | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
-| `routes[n].`<br />`services[m].`<br />`serversTransport` | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**. | "" | No |
-| `routes[n].`<br />`services[m].`<br />`passHostHeader` | Forward client Host header to server.<br />Evaluated only if the kind is **Service**. | true | No |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.scheme` | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.mode` | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "http" | No |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.path` | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.interval` | Frequency of the health check calls.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "100ms" | No |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.method` | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "GET" | No |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.status` | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**. |  | No |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.port` | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | | No |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.timeout` | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "5s" | No |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.hostname` | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "" | No |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.`<br />`followRedirect` | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | true | No |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.headers` | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service)). |  | No |
-| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.name` | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind is **Service**. | "" | No |
-| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.httpOnly` | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**. | false | No |
-| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.secure` | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**. | false | No |
-| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.sameSite` | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**. | "" | No |
-| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.maxAge` | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**. | 0 | No |
-| `routes[n].`<br />`services[m].`<br />`strategy` | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind is **Service**. | "RoundRobin" | No |
-| `routes[n].`<br />`services[m].`<br />`weight` | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
-| `routes[n].`<br />`services[m].`<br />`nativeLB` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br /> Evaluated only if the kind is **Service**. | false | No |
-| `routes[n].`<br />`services[m].`<br />`nodePortLB` | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**. | false | No |
-| `tls`        | TLS configuration.<br />Can be an empty value(`{}`):<br />A self signed is generated in such a case<br />(or the [default certificate](tlsstore.md) is used if it is defined.) |  | No |
-| `tls.secretName`        | [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the same namesapce as the `IngressRoute`) | "" | No |
-| `tls.`<br />`options.name`        | Name of the [`TLSOption`](tlsoption.md) to use.<br />More information [here](#tls-options). | "" | No |
-| `tls.`<br />`options.namespace`        | Namespace of the [`TLSOption`](tlsoption.md) to use. | "" | No |
-| `tls.certResolver`        | Name of the [Certificate Resolver](../../../../install-configuration/tls/certificate-resolvers/overview.md) to use to generate automatic TLS certificates. | "" | No |
-| `tls.domains`        | List of domains to serve using the certificates generates (one `tls.domain`= one certificate).<br />More information in the [dedicated section](../../../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition). | | No |
-| `tls.`<br />`domains[n].main`        | Main domain name | "" | Yes |
-| `tls.`<br />`domains[n].sans`        | List of alternative domains (SANs) |  | No |
+| Field                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Default                                                              | Required |
+|:---------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
+| `entryPoints`                                                                    | List of [entry points](../../../../install-configuration/entrypoints.md) names.<br />If not specified, HTTP routers will accept requests from all EntryPoints in the list of default EntryPoints.                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                      | No       |
+| `routes`                                                                         | List of routes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |                                                                      | Yes      |
+| `routes[n].kind`                                                                 | Kind of router matching, only `Rule` is allowed yet.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | "Rule"                                                               | No       |
+| `routes[n].match`                                                                | Defines the [rule](../../../http/router/rules-and-priority.md#rules) corresponding to an underlying router.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                      | Yes      |
+| `routes[n].priority`                                                             | Defines the [priority](../../../http/router/rules-and-priority.md#priority-calculation) to disambiguate rules of the same length, for route matching.<br />If not set, the priority is directly equal to the length of the rule, and so the longest length has the highest priority.<br />A value of `0` for the priority is ignored, the default rules length sorting is used.                                                                                                                                                                                                                                | 0                                                                    | No       |
+| `routes[n].middlewares`                                                          | List of middlewares to attach to the IngressRoute. <br />More information [here](#middleware).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | ""                                                                   | No       |
+| `routes[n].`<br />`middlewares[m].`<br />`name`                                  | Middleware name.<br />The character `@` is not authorized. <br />More information [here](#middleware).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                      | Yes      |
+| `routes[n].`<br />`middlewares[m].`<br />`namespace`                             | Middleware namespace.<br />Can be empty if the middleware belongs to the same namespace as the IngressRoute. <br />More information [here](#middleware).                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                      | No       |
+| `routes[n].`<br />`observability.`<br />`accesslogs`                             | Defines whether the route will produce [access-logs](../../../../install-configuration/observability/logs-and-accesslogs.md). See [here](../../../http/router/observability.md) for more information.                                                                                                                                                                                                                                                                                                                                                                                                          | false                                                                | No       |
+| `routes[n].`<br />`observability.`<br />`metrics`                                | Defines whether the route will produce [metrics](../../../../install-configuration/observability/metrics.md). See [here](../../../http/router/observability.md) for more information.                                                                                                                                                                                                                                                                                                                                                                                                                          | false                                                                | No       |
+| `routes[n].`<br />`observability.`<br />`tracing`                                | Defines whether the route will produce [traces](../../../../install-configuration/observability/tracing.md). See [here](../../../http/router/observability.md) for more information.                                                                                                                                                                                                                                                                                                                                                                                                                           | false                                                                | No       |
+| `routes[n].`<br />`services`                                                     | List of any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />More information [here](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                      | No       |
+| `routes[n].`<br />`services[m].`<br />`kind`                                     | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> **TraefikService**: Traefik Service.<br />More information [here](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                                                                  | "Service"                                                            | No       |
+| `routes[n].`<br />`services[m].`<br />`name`                                     | Service name.<br />The character `@` is not authorized. <br />More information [here](#middleware).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                      | Yes      |
+| `routes[n].`<br />`services[m].`<br />`namespace`                                | Service namespace.<br />Can be empty if the service belongs to the same namespace as the IngressRoute. <br />More information [here](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                                                                      | No       |
+| `routes[n].`<br />`services[m].`<br />`port`                                     | Service port (number or port name).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                      | No       |
+| `routes[n].`<br />`services[m].`<br />`responseForwarding.`<br />`flushInterval` | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                    | 100ms                                                                | No       |
+| `routes[n].`<br />`services[m].`<br />`scheme`                                   | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | "http"<br />"https" if `port` is 443 or contains the string *https*. | No       |
+| `routes[n].`<br />`services[m].`<br />`serversTransport`                         | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                          | ""                                                                   | No       |
+| `routes[n].`<br />`services[m].`<br />`passHostHeader`                           | Forward client Host header to server.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | true                                                                 | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.scheme`                       | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                           | ""                                                                   | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.mode`                         | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                  | "http"                                                               | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.path`                         | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                             | ""                                                                   | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.interval`                     | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                   | "100ms"                                                              | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.unhealthyInterval`            | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                     | "100ms"                                                              | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.method`                       | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                 | "GET"                                                                | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.status`                       | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                        |                                                                      | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.port`                         | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                    |                                                                      | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.timeout`                      | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                          | "5s"                                                                 | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.hostname`                     | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.`<br />`followRedirect`       | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                           | true                                                                 | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.headers`                      | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service)).                                                                                                                                                                                                                                                                                                                                                        |                                                                      | No       |
+| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.name`               | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind is **Service**.                                                      | ""                                                                   | No       |
+| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.httpOnly`           | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | false                                                                | No       |
+| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.secure`             | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | false                                                                | No       |
+| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.sameSite`           | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                   | ""                                                                   | No       |
+| `routes[n].`<br />`services[m].`<br />`sticky.`<br />`cookie.maxAge`             | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                            | 0                                                                    | No       |
+| `routes[n].`<br />`services[m].`<br />`strategy`                                 | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | "RoundRobin"                                                         | No       |
+| `routes[n].`<br />`services[m].`<br />`weight`                                   | Service weight.<br />To use only to refer to WRR TraefikService                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | ""                                                                   | No       |
+| `routes[n].`<br />`services[m].`<br />`nativeLB`                                 | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br /> Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                    | false                                                                | No       |
+| `routes[n].`<br />`services[m].`<br />`nodePortLB`                               | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                      | false                                                                | No       |
+| `tls`                                                                            | TLS configuration.<br />Can be an empty value(`{}`):<br />A self signed is generated in such a case<br />(or the [default certificate](tlsstore.md) is used if it is defined.)                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                      | No       |
+| `tls.secretName`                                                                 | [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the same namesapce as the `IngressRoute`)                                                                                                                                                                                                                                                                                                                                                                                                                                                           | ""                                                                   | No       |
+| `tls.`<br />`options.name`                                                       | Name of the [`TLSOption`](tlsoption.md) to use.<br />More information [here](#tls-options).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | ""                                                                   | No       |
+| `tls.`<br />`options.namespace`                                                  | Namespace of the [`TLSOption`](tlsoption.md) to use.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | ""                                                                   | No       |
+| `tls.certResolver`                                                               | Name of the [Certificate Resolver](../../../../install-configuration/tls/certificate-resolvers/overview.md) to use to generate automatic TLS certificates.                                                                                                                                                                                                                                                                                                                                                                                                                                                     | ""                                                                   | No       |
+| `tls.domains`                                                                    | List of domains to serve using the certificates generates (one `tls.domain`= one certificate).<br />More information in the [dedicated section](../../../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition).                                                                                                                                                                                                                                                                                                                                                                        |                                                                      | No       |
+| `tls.`<br />`domains[n].main`                                                    | Main domain name                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | ""                                                                   | Yes      |
+| `tls.`<br />`domains[n].sans`                                                    | List of alternative domains (SANs)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |                                                                      | No       |
 
 ### ExternalName Service
 

docs/content/reference/routing-configuration/kubernetes/crd/http/traefikservice.md

@@ -148,42 +148,43 @@ data:
 
 ### Configuration Options
 
-| Field | Description                                               | Default              | Required |
-|:------|:----------------------------------------------------------|:---------------------|:---------|
-| `services` | List of any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />. |  | No |
-| `services[m].`<br />`kind` | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> - **TraefikService**: Traefik Service. | "" | No |
-| `services[m].`<br />`name` | Service name.<br />The character `@` is not authorized. | "" | Yes |
-| `services[m].`<br />`namespace` | Service namespace. | "" | No |
-| `services[m].`<br />`port` | Service port (number or port name).<br />Evaluated only if the kind is **Service**. | "" | No |
-| `services[m].`<br />`responseForwarding.`<br />`flushInterval` | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**. | 100ms | No |
-| `services[m].`<br />`scheme` | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
-| `services[m].`<br />`serversTransport` | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**. | "" | No |
-| `services[m].`<br />`passHostHeader` | Forward client Host header to server.<br />Evaluated only if the kind is **Service**. | true | No |
-| `services[m].`<br />`healthCheck.scheme` | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
-| `services[m].`<br />`healthCheck.mode` | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "http" | No |
-| `services[m].`<br />`healthCheck.path` | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
-| `services[m].`<br />`healthCheck.interval` | Frequency of the health check calls.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName]`ExternalName`. | "100ms" | No |
-| `services[m].`<br />`healthCheck.method` | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "GET" | No |
-| `services[m].`<br />`healthCheck.status` | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**. |  | No |
-| `services[m].`<br />`healthCheck.port` | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | | No |
-| `services[m].`<br />`healthCheck.timeout` | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "5s" | No |
-| `services[m].`<br />`healthCheck.hostname` | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | "" | No |
-| `services[m].`<br />`healthCheck.`<br />`followRedirect` | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. | true | No |
-| `services[m].`<br />`healthCheck.headers` | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`. |  | No |
-| `services[m].`<br />`sticky.`<br />`cookie.name` | Name of the cookie used for the stickiness.<br />Evaluated only if the kind is **Service**. | Abbreviation of a sha1<br />(ex: `_1d52e`). | No |
-| `services[m].`<br />`sticky.`<br />`cookie.httpOnly` | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**. | false | No |
-| `services[m].`<br />`sticky.`<br />`cookie.secure` | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**. | false | No |
-| `services[m].`<br />`sticky.`<br />`cookie.sameSite` | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**. | "" | No |
-| `services[m].`<br />`sticky.`<br />`cookie.maxAge` | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**. | 0 | No |
-| `services[m].`<br />`strategy` | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind is **Service**. | "RoundRobin" | No |
-| `services[m].`<br />`weight` | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
-| `services[m].`<br />`nativeLB` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind is **Service**. | false | No |
-| `services[m].`<br />`nodePortLB` | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**. | false | No |
-| `sticky.`<br />`cookie.name` | Name of the cookie used for the stickiness at the WRR service level.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | Abbreviation of a sha1<br />(ex: `_1d52e`). | No |
-| `sticky.`<br />`cookie.httpOnly` | Allow the cookie used for the stickiness at the WRR service level to be accessed by client-side APIs, such as JavaScript.<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | false | No |
-| `sticky.`<br />`cookie.secure` | Allow the cookie used for the stickiness at the WRR service level to be only transmitted over an encrypted connection (i.e. HTTPS).<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | false | No |
-| `sticky.`<br />`cookie.sameSite` | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy for the cookie used for the stickiness at the WRR service level.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | "" | No |
-| `sticky.`<br />`cookie.maxAge` | Number of seconds until the cookie used for the stickiness at the WRR service level expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires. | 0 | No |
+| Field                                                          | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Default                                                              | Required |
+|:---------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
+| `services`                                                     | List of any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                      | No       |
+| `services[m].`<br />`kind`                                     | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> - **TraefikService**: Traefik Service.                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | ""                                                                   | No       |
+| `services[m].`<br />`name`                                     | Service name.<br />The character `@` is not authorized.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | ""                                                                   | Yes      |
+| `services[m].`<br />`namespace`                                | Service namespace.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | ""                                                                   | No       |
+| `services[m].`<br />`port`                                     | Service port (number or port name).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | ""                                                                   | No       |
+| `services[m].`<br />`responseForwarding.`<br />`flushInterval` | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                          | 100ms                                                                | No       |
+| `services[m].`<br />`scheme`                                   | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | "http"<br />"https" if `port` is 443 or contains the string *https*. | No       |
+| `services[m].`<br />`serversTransport`                         | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                | ""                                                                   | No       |
+| `services[m].`<br />`passHostHeader`                           | Forward client Host header to server.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | true                                                                 | No       |
+| `services[m].`<br />`healthCheck.scheme`                       | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                        | ""                                                                   | No       |
+| `services[m].`<br />`healthCheck.mode`                         | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                               | "http"                                                               | No       |
+| `services[m].`<br />`healthCheck.path`                         | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                          | ""                                                                   | No       |
+| `services[m].`<br />`healthCheck.interval`                     | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName]`ExternalName`.                                                                                                                                                                                                                                                                                                                                                                  | "100ms"                                                              | No       |
+| `services[m].`<br />`healthCheck.unhealthyInterval`            | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName]`ExternalName`.                                                                                                                                                                                                                                                                                                    | "100ms"                                                              | No       |
+| `services[m].`<br />`healthCheck.method`                       | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                              | "GET"                                                                | No       |
+| `services[m].`<br />`healthCheck.status`                       | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                              |                                                                      | No       |
+| `services[m].`<br />`healthCheck.port`                         | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                      | No       |
+| `services[m].`<br />`healthCheck.timeout`                      | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                       | "5s"                                                                 | No       |
+| `services[m].`<br />`healthCheck.hostname`                     | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                   | ""                                                                   | No       |
+| `services[m].`<br />`healthCheck.`<br />`followRedirect`       | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                        | true                                                                 | No       |
+| `services[m].`<br />`healthCheck.headers`                      | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                      |                                                                      | No       |
+| `services[m].`<br />`sticky.`<br />`cookie.name`               | Name of the cookie used for the stickiness.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Abbreviation of a sha1<br />(ex: `_1d52e`).                          | No       |
+| `services[m].`<br />`sticky.`<br />`cookie.httpOnly`           | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | false                                                                | No       |
+| `services[m].`<br />`sticky.`<br />`cookie.secure`             | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | false                                                                | No       |
+| `services[m].`<br />`sticky.`<br />`cookie.sameSite`           | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                        | ""                                                                   | No       |
+| `services[m].`<br />`sticky.`<br />`cookie.maxAge`             | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                  | 0                                                                    | No       |
+| `services[m].`<br />`strategy`                                 | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | "RoundRobin"                                                         | No       |
+| `services[m].`<br />`weight`                                   | Service weight.<br />To use only to refer to WRR TraefikService                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
+| `services[m].`<br />`nativeLB`                                 | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                           | false                                                                | No       |
+| `services[m].`<br />`nodePortLB`                               | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                            | false                                                                | No       |
+| `sticky.`<br />`cookie.name`                                   | Name of the cookie used for the stickiness at the WRR service level.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | Abbreviation of a sha1<br />(ex: `_1d52e`).                          | No       |
+| `sticky.`<br />`cookie.httpOnly`                               | Allow the cookie used for the stickiness at the WRR service level to be accessed by client-side APIs, such as JavaScript.<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels)                                                                                                                                                                                                                                                                                                                                                                                                          | false                                                                | No       |
+| `sticky.`<br />`cookie.secure`                                 | Allow the cookie used for the stickiness at the WRR service level to be only transmitted over an encrypted connection (i.e. HTTPS).<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels)                                                                                                                                                                                                                                                                                                                                                                                                | false                                                                | No       |
+| `sticky.`<br />`cookie.sameSite`                               | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy for the cookie used for the stickiness at the WRR service level.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels)                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
+| `sticky.`<br />`cookie.maxAge`                                 | Number of seconds until the cookie used for the stickiness at the WRR service level expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.                                                                                                                                                                                                                                                                                                                                                                                                                                 | 0                                                                    | No       |
 
 #### Stickiness on multiple levels
 
@@ -372,65 +373,67 @@ spec:
 
     The mirrored services properties are set in the `mirrors` list.
 
-| Field | Description                                               | Default              | Required |
-|:------|:----------------------------------------------------------|:---------------------|:---------|
-| `kind` | Kind of the main service.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br />- **TraefikService**: Traefik Service.<br />More information [here](#services) | "" | No |
-| `name` | Main service name.<br />The character `@` is not authorized. | "" | Yes |
-| `namespace` | Main service namespace.<br />More information [here](#services). | "" | No |
-| `port` | Main service port (number or port name).<br />Evaluated only if the kind of the main service is **Service**. | "" | No |
-| `responseForwarding.`<br />`flushInterval` | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind of the main service is **Service**. | 100ms | No |
-| `scheme` | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind of the main service is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
-| `serversTransport` | Name of ServersTransport resource to use to configure the transport between Traefik and the main service's servers.<br />Evaluated only if the kind of the main service is **Service**. | "" | No |
-| `passHostHeader` | Forward client Host header to main service's server.<br />Evaluated only if the kind of the main service is **Service**. | true | No |
-| `healthCheck.scheme` | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
-| `healthCheck.mode` | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "http" | No |
-| `healthCheck.path` | Server URL path for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
-| `healthCheck.interval` | Frequency of the health check calls.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "100ms" | No |
-| `healthCheck.method` | HTTP method for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "GET" | No |
-| `healthCheck.status` | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind of the main service is **Service**. |  | No |
-| `healthCheck.port` | URL port for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | | No |
-| `healthCheck.timeout` | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "5s" | No |
-| `healthCheck.hostname` | Value in the Host header of the health check request.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
-| `healthCheck.`<br />`followRedirect` | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | true | No |
-| `healthCheck.headers` | Map of header to send to the health check endpoint<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). |  | No |
-| `sticky.`<br />`cookie.name` | Name of the cookie used for the stickiness on the main service.<br />Evaluated only if the kind of the main service is **Service**. | Abbreviation of a sha1<br />(ex: `_1d52e`). | No |
-| `sticky.`<br />`cookie.httpOnly` | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind of the main service is **Service**. | false | No |
-| `sticky.`<br />`cookie.secure` | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind of the main service is **Service**. | false | No |
-| `sticky.`<br />`cookie.sameSite` | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind of the main service is **Service**. | "" | No |
-| `sticky.`<br />`cookie.maxAge` | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind of the main service is **Service**. | 0 | No |
-| `strategy` | Load balancing strategy between the main service's servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind of the main service is **Service**. | "RoundRobin" | No |
-| `weight` | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
-| `nativeLB` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind of the main service is **Service**. | false | No |
-| `nodePortLB` | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind of the main service is **Service**. | false | No |
-| `maxBodySize` | Maximum size allowed for the body of the request.<br />If the body is larger, the request is not mirrored.<br />-1 means unlimited size. | -1 | No |
-| `mirrors` | List of mirrored services to target.<br /> It can be any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />More information [here](#services). |  | No |
-| `mirrors[m].`<br />`kind` | Kind of the mirrored service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br />- **TraefikService**: Traefik Service.<br />More information [here](#services) | "" | No |
-| `mirrors[m].`<br />`name` | Mirrored service name.<br />The character `@` is not authorized. | "" | Yes |
-| `mirrors[m].`<br />`namespace` | Mirrored service namespace.<br />More information [here](#services). | "" | No |
-| `mirrors[m].`<br />`port` | Mirrored service port (number or port name).<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
-| `mirrors[m].`<br />`percent` | Part of the traffic to mirror in percent (from 0 to 100) | 0 | No |
-| `mirrors[m].`<br />`responseForwarding.`<br />`flushInterval` | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind of the mirrored service is **Service**. | 100ms | No |
-| `mirrors[m].`<br />`scheme` | Scheme to use for the request to the mirrored service.<br />Evaluated only if the kind of the mirrored service is **Service**. | "http"<br />"https" if `port` is 443 or contains the string *https*. | No |
-| `mirrors[m].`<br />`serversTransport` | Name of ServersTransport resource to use to configure the transport between Traefik and the mirrored service servers.<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
-| `mirrors[m].`<br />`passHostHeader` | Forward client Host header to the mirrored service servers.<br />Evaluated only if the kind of the mirrored service is **Service**. | true | No |
-| `mirrors[m].`<br />`healthCheck.scheme` | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
-| `mirrors[m].`<br />`healthCheck.mode` | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "http" | No |
-| `mirrors[m].`<br />`healthCheck.path` | Server URL path for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
-| `mirrors[m].`<br />`healthCheck.interval` | Frequency of the health check calls.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "100ms" | No |
-| `mirrors[m].`<br />`healthCheck.method` | HTTP method for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "GET" | No |
-| `mirrors[m].`<br />`healthCheck.status` | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind of the mirrored service is **Service**. |  | No |
-| `mirrors[m].`<br />`healthCheck.port` | URL port for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | | No |
-| `mirrors[m].`<br />`healthCheck.timeout` | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "5s" | No |
-| `mirrors[m].`<br />`healthCheck.hostname` | Value in the Host header of the health check request.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "" | No |
-| `mirrors[m].`<br />`healthCheck.`<br />`followRedirect` | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | true | No |
-| `mirrors[m].`<br />`healthCheck.headers` | Map of header to send to the health check endpoint<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). |  | No |
-| `mirrors[m].`<br />`sticky.`<br />`cookie.name` | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
-| `mirrors[m].`<br />`sticky.`<br />`cookie.httpOnly` | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
-| `mirrors[m].`<br />`sticky.`<br />`cookie.secure` | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
-| `mirrors[m].`<br />`sticky.`<br />`cookie.sameSite` | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind of the mirrored service is **Service**. | "" | No |
-| `mirrors[m].`<br />`sticky.`<br />`cookie.maxAge` | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind of the mirrored service is **Service**. | 0 | No |
-| `mirrors[m].`<br />`strategy` | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind of the mirrored service is **Service**. | "RoundRobin" | No |
-| `mirrors[m].`<br />`weight` | Service weight.<br />To use only to refer to WRR TraefikService | "" | No |
-| `mirrors[m].`<br />`nativeLB` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
-| `mirrors[m].`<br />`nodePortLB` | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind of the mirrored service is **Service**. | false | No |
-| `mirrorBody` | Defines whether the request body should be mirrored. | true | No |
+| Field                                                         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Default                                                              | Required |
+|:--------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
+| `kind`                                                        | Kind of the main service.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br />- **TraefikService**: Traefik Service.<br />More information [here](#services)                                                                                                                                                                                                                                                                                                                                                                                                     | ""                                                                   | No       |
+| `name`                                                        | Main service name.<br />The character `@` is not authorized.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | ""                                                                   | Yes      |
+| `namespace`                                                   | Main service namespace.<br />More information [here](#services).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | ""                                                                   | No       |
+| `port`                                                        | Main service port (number or port name).<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
+| `responseForwarding.`<br />`flushInterval`                    | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                   | 100ms                                                                | No       |
+| `scheme`                                                      | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                             | "http"<br />"https" if `port` is 443 or contains the string *https*. | No       |
+| `serversTransport`                                            | Name of ServersTransport resource to use to configure the transport between Traefik and the main service's servers.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                           | ""                                                                   | No       |
+| `passHostHeader`                                              | Forward client Host header to main service's server.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                          | true                                                                 | No       |
+| `healthCheck.scheme`                                          | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
+| `healthCheck.mode`                                            | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                             | "http"                                                               | No       |
+| `healthCheck.path`                                            | Server URL path for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                        | ""                                                                   | No       |
+| `healthCheck.interval`                                        | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                              | "100ms"                                                              | No       |
+| `healthCheck.unhealthyInterval`                               | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                | "100ms"                                                              | No       |
+| `healthCheck.method`                                          | HTTP method for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                            | "GET"                                                                | No       |
+| `healthCheck.status`                                          | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                       |                                                                      | No       |
+| `healthCheck.port`                                            | URL port for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                               |                                                                      | No       |
+| `healthCheck.timeout`                                         | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                     | "5s"                                                                 | No       |
+| `healthCheck.hostname`                                        | Value in the Host header of the health check request.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                 | ""                                                                   | No       |
+| `healthCheck.`<br />`followRedirect`                          | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                      | true                                                                 | No       |
+| `healthCheck.headers`                                         | Map of header to send to the health check endpoint<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                    |                                                                      | No       |
+| `sticky.`<br />`cookie.name`                                  | Name of the cookie used for the stickiness on the main service.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                               | Abbreviation of a sha1<br />(ex: `_1d52e`).                          | No       |
+| `sticky.`<br />`cookie.httpOnly`                              | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                     | false                                                                | No       |
+| `sticky.`<br />`cookie.secure`                                | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                           | false                                                                | No       |
+| `sticky.`<br />`cookie.sameSite`                              | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                                                                 | ""                                                                   | No       |
+| `sticky.`<br />`cookie.maxAge`                                | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                                                                                           | 0                                                                    | No       |
+| `strategy`                                                    | Load balancing strategy between the main service's servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                  | "RoundRobin"                                                         | No       |
+| `weight`                                                      | Service weight.<br />To use only to refer to WRR TraefikService                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | ""                                                                   | No       |
+| `nativeLB`                                                    | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                    | false                                                                | No       |
+| `nodePortLB`                                                  | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                                                                     | false                                                                | No       |
+| `maxBodySize`                                                 | Maximum size allowed for the body of the request.<br />If the body is larger, the request is not mirrored.<br />-1 means unlimited size.                                                                                                                                                                                                                                                                                                                                                                                                                                          | -1                                                                   | No       |
+| `mirrors`                                                     | List of mirrored services to target.<br /> It can be any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />More information [here](#services).                                                                                                                                                                                                                                                                                                                                                      |                                                                      | No       |
+| `mirrors[m].`<br />`kind`                                     | Kind of the mirrored service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br />- **TraefikService**: Traefik Service.<br />More information [here](#services)                                                                                                                                                                                                                                                                                                                                                                                        | ""                                                                   | No       |
+| `mirrors[m].`<br />`name`                                     | Mirrored service name.<br />The character `@` is not authorized.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | ""                                                                   | Yes      |
+| `mirrors[m].`<br />`namespace`                                | Mirrored service namespace.<br />More information [here](#services).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | ""                                                                   | No       |
+| `mirrors[m].`<br />`port`                                     | Mirrored service port (number or port name).<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                              | ""                                                                   | No       |
+| `mirrors[m].`<br />`percent`                                  | Part of the traffic to mirror in percent (from 0 to 100)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 0                                                                    | No       |
+| `mirrors[m].`<br />`responseForwarding.`<br />`flushInterval` | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                               | 100ms                                                                | No       |
+| `mirrors[m].`<br />`scheme`                                   | Scheme to use for the request to the mirrored service.<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                    | "http"<br />"https" if `port` is 443 or contains the string *https*. | No       |
+| `mirrors[m].`<br />`serversTransport`                         | Name of ServersTransport resource to use to configure the transport between Traefik and the mirrored service servers.<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                     | ""                                                                   | No       |
+| `mirrors[m].`<br />`passHostHeader`                           | Forward client Host header to the mirrored service servers.<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                               | true                                                                 | No       |
+| `mirrors[m].`<br />`healthCheck.scheme`                       | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                  | ""                                                                   | No       |
+| `mirrors[m].`<br />`healthCheck.mode`                         | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                         | "http"                                                               | No       |
+| `mirrors[m].`<br />`healthCheck.path`                         | Server URL path for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                    | ""                                                                   | No       |
+| `mirrors[m].`<br />`healthCheck.interval`                     | Frequency of the health check calls.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                              | "100ms"                                                              | No       |
+| `mirrors[m].`<br />`healthCheck.unhealthyInterval`            | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                            | "100ms"                                                              | No       |
+| `mirrors[m].`<br />`healthCheck.method`                       | HTTP method for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                        | "GET"                                                                | No       |
+| `mirrors[m].`<br />`healthCheck.status`                       | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                   |                                                                      | No       |
+| `mirrors[m].`<br />`healthCheck.port`                         | URL port for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                           |                                                                      | No       |
+| `mirrors[m].`<br />`healthCheck.timeout`                      | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                 | "5s"                                                                 | No       |
+| `mirrors[m].`<br />`healthCheck.hostname`                     | Value in the Host header of the health check request.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                             | ""                                                                   | No       |
+| `mirrors[m].`<br />`healthCheck.`<br />`followRedirect`       | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                  | true                                                                 | No       |
+| `mirrors[m].`<br />`healthCheck.headers`                      | Map of header to send to the health check endpoint<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                |                                                                      | No       |
+| `mirrors[m].`<br />`sticky.`<br />`cookie.name`               | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind of the mirrored service is **Service**. | ""                                                                   | No       |
+| `mirrors[m].`<br />`sticky.`<br />`cookie.httpOnly`           | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                 | false                                                                | No       |
+| `mirrors[m].`<br />`sticky.`<br />`cookie.secure`             | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                       | false                                                                | No       |
+| `mirrors[m].`<br />`sticky.`<br />`cookie.sameSite`           | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                                                                                                             | ""                                                                   | No       |
+| `mirrors[m].`<br />`sticky.`<br />`cookie.maxAge`             | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                                                                                                                                       | 0                                                                    | No       |
+| `mirrors[m].`<br />`strategy`                                 | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                             | "RoundRobin"                                                         | No       |
+| `mirrors[m].`<br />`weight`                                   | Service weight.<br />To use only to refer to WRR TraefikService                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | ""                                                                   | No       |
+| `mirrors[m].`<br />`nativeLB`                                 | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                | false                                                                | No       |
+| `mirrors[m].`<br />`nodePortLB`                               | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                                                                 | false                                                                | No       |
+| `mirrorBody`                                                  | Defines whether the request body should be mirrored.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | true                                                                 | No       |

docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md

@@ -0,0 +1,394 @@
+---
+title: "Traefik Kubernetes Ingress NGINX Routing Configuration"
+description: "Understand the routing configuration for the Kubernetes Ingress NGINX Controller and Traefik Proxy. Read the technical documentation."
+---
+
+# Traefik & Ingresses with NGINX Annotations
+
+The experimental Kubernetes Controller for Ingresses with NGINX annotations.
+{: .subtitle }
+
+!!! warning "Ingress Discovery"
+
+    The Kubernetes Ingress NGINX provider is discovering by default all Ingresses in the cluster,
+    which may lead to duplicated routers if you are also using the Kubernetes Ingress provider.
+    We recommend to use IngressClass for the Ingresses you want to be handled by this provider,
+    or to use the `watchNamespace` or `watchNamespaceSelector` options to limit the discovery of Ingresses to a specific namespace or set of namespaces.
+
+## Routing Configuration
+
+The Kubernetes Ingress NGINX provider watches for incoming ingresses events, such as the example below,
+and derives the corresponding dynamic configuration from it,
+which in turn will create the resulting routers, services, handlers, etc.
+
+## Configuration Example
+
+??? example "Configuring Kubernetes Ingress NGINX Controller"
+
+      ```yaml tab="RBAC"
+      ---
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRole
+      metadata:
+        name: traefik-ingress-controller
+      rules:
+        - apiGroups:
+            - ""
+          resources:
+            - namespaces
+          verbs:
+            - get
+        - apiGroups:
+            - ""
+          resources:
+            - configmaps
+            - pods
+            - secrets
+            - endpoints
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - ""
+          resources:
+            - services
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingresses/status
+          verbs:
+            - update
+        - apiGroups:
+            - networking.k8s.io
+          resources:
+            - ingressclasses
+          verbs:
+            - get
+            - list
+            - watch
+        - apiGroups:
+            - ""
+          resources:
+            - events
+          verbs:
+            - create
+            - patch
+        - apiGroups:
+            - discovery.k8s.io
+          resources:
+            - endpointslices
+          verbs:
+            - list
+            - watch
+            - get
+        
+          ---
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: ClusterRoleBinding
+          metadata:
+            name: traefik-ingress-controller
+          roleRef:
+            apiGroup: rbac.authorization.k8s.io
+            kind: ClusterRole
+            name: traefik-ingress-controller
+          subjects:
+            - kind: ServiceAccount
+              name: traefik-ingress-controller
+              namespace: default
+      ```
+
+      ```yaml tab="Traefik"
+      ---
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: traefik-ingress-controller
+
+      ---
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: traefik
+        labels:
+          app: traefik
+
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: traefik
+        template:
+          metadata:
+            labels:
+              app: traefik
+          spec:
+            serviceAccountName: traefik-ingress-controller
+            containers:
+              - name: traefik
+                image: traefik:v3.5
+                args:
+                  - --entryPoints.web.address=:80
+                  - --providers.kubernetesingressnginx
+                ports:
+                  - name: web
+                    containerPort: 80
+
+      ---
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: traefik
+      spec:
+        type: LoadBalancer
+        selector:
+          app: traefik
+        ports:
+          - name: web
+            port: 80
+            targetPort: 80
+      ```
+
+      ```yaml tab="Whoami"
+      ---
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: whoami
+        labels:
+          app: whoami
+
+      spec:
+        replicas: 2
+        selector:
+          matchLabels:
+            app: whoami
+        template:
+          metadata:
+            labels:
+              app: whoami
+          spec:
+            containers:
+              - name: whoami
+                image: traefik/whoami
+                ports:
+                  - containerPort: 80
+
+      ---
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: whoami
+
+      spec:
+        selector:
+          app: whoami
+        ports:
+          - name: http
+            port: 80
+      ```
+
+      ```yaml tab="Ingress"
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: IngressClass
+      metadata:
+        name: nginx
+      spec:
+        controller: k8s.io/ingress-nginx
+
+      ---
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        name: myingress
+        
+      spec:
+        ingressClassName: nginx
+        rules:
+          - host: whoami.localhost
+            http:
+              paths:
+                - path: /bar
+                  pathType: Exact
+                  backend:
+                    service:
+                      name:  whoami
+                      port:
+                        number: 80
+                - path: /foo
+                  pathType: Exact
+                  backend:
+                    service:
+                      name:  whoami
+                      port:
+                        number: 80
+      ```
+
+## Annotations Support
+
+This section lists all known NGINX Ingress annotations, split between those currently implemented (with limitations if any) and those not implemented. 
+Limitations or behavioral differences are indicated where relevant.
+
+!!! warning "Global configuration"
+
+    Traefik does not expose all global configuration options to control default behaviors for ingresses. 
+    
+    Some behaviors that are globally configurable in NGINX (such as default SSL redirect, rate limiting, or affinity) are currently not supported and cannot be overridden per-ingress as in NGINX.
+
+### Caveats and Key Behavioral Differences
+
+- **Authentication**: Forward auth behaves differently and session caching is not supported. NGINX supports sub-request based auth, while Traefik forwards the original request.
+- **Session Affinity**: Only persistent mode is supported.
+- **Leader Election**: Not supported; no cluster mode with leader election.
+- **Default Backend**: Only `defaultBackend` in Ingress spec is supported; the annotation is ignored.
+- **Load Balancing**: Only round_robin is supported; EWMA and IP hash are not supported.
+- **CORS**: NGINX responds with all configured headers unconditionally; Traefik handles headers differently between pre-flight and regular requests.
+- **TLS/Backend Protocols**: AUTO_HTTP, FCGI and some TLS options are not supported in Traefik.
+- **Path Handling**: Traefik preserves trailing slashes by default; NGINX removes them unless configured otherwise.
+
+### Supported NGINX Annotations
+
+| Annotation                                            | Limitations / Notes                                                                        |
+|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
+| `nginx.ingress.kubernetes.io/affinity`                |                                                                                            |
+| `nginx.ingress.kubernetes.io/affinity-mode`           | Only persistent mode supported; balanced/canary not supported.                             |
+| `nginx.ingress.kubernetes.io/auth-type`               |                                                                                            |
+| `nginx.ingress.kubernetes.io/auth-secret`             |                                                                                            |
+| `nginx.ingress.kubernetes.io/auth-secret-type`        |                                                                                            |
+| `nginx.ingress.kubernetes.io/auth-realm`              |                                                                                            |
+| `nginx.ingress.kubernetes.io/auth-url`                | Only URL and response headers copy supported. Forward auth behaves differently than NGINX. |
+| `nginx.ingress.kubernetes.io/auth-method`             |                                                                                            |
+| `nginx.ingress.kubernetes.io/auth-response-headers`   |                                                                                            |
+| `nginx.ingress.kubernetes.io/ssl-redirect`            | Cannot opt-out per route if enabled globally.                                              |
+| `nginx.ingress.kubernetes.io/force-ssl-redirect`      | Cannot opt-out per route if enabled globally.                                              |
+| `nginx.ingress.kubernetes.io/ssl-passthrough`         | Some differences in SNI/default backend handling.                                          |
+| `nginx.ingress.kubernetes.io/use-regex`               |                                                                                            |
+| `nginx.ingress.kubernetes.io/session-cookie-name`     |                                                                                            |
+| `nginx.ingress.kubernetes.io/session-cookie-path`     |                                                                                            |
+| `nginx.ingress.kubernetes.io/session-cookie-domain`   |                                                                                            |
+| `nginx.ingress.kubernetes.io/session-cookie-samesite` |                                                                                            |
+| `nginx.ingress.kubernetes.io/load-balance`            | Only round_robin supported; ewma and IP hash not supported.                                |
+| `nginx.ingress.kubernetes.io/backend-protocol`        | FCGI and AUTO_HTTP not supported.                                                          |
+| `nginx.ingress.kubernetes.io/enable-cors`             | Partial support.                                                                           |
+| `nginx.ingress.kubernetes.io/cors-allow-credentials`  |                                                                                            |
+| `nginx.ingress.kubernetes.io/cors-allow-headers`      |                                                                                            |
+| `nginx.ingress.kubernetes.io/cors-allow-methods`      |                                                                                            |
+| `nginx.ingress.kubernetes.io/cors-allow-origin`       |                                                                                            |
+| `nginx.ingress.kubernetes.io/cors-max-age`            |                                                                                            |
+| `nginx.ingress.kubernetes.io/proxy-ssl-server-name`   |                                                                                            |
+| `nginx.ingress.kubernetes.io/proxy-ssl-name`          |                                                                                            |
+| `nginx.ingress.kubernetes.io/proxy-ssl-verify`        |                                                                                            |
+| `nginx.ingress.kubernetes.io/proxy-ssl-secret`        |                                                                                            |
+| `nginx.ingress.kubernetes.io/service-upstream`        |                                                                                            |
+
+### Unsupported NGINX Annotations
+
+All other NGINX annotations not listed above, including but not limited to:
+
+| Annotation                                                                  | Notes                                                |
+|-----------------------------------------------------------------------------|------------------------------------------------------|
+| `nginx.ingress.kubernetes.io/app-root`                                      | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/affinity-canary-behavior`                      | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-tls-secret`                               | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-tls-verify-depth`                         | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-tls-verify-client`                        | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-tls-error-page`                           | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream`         | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-tls-match-cn`                             | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-cache-key`                                | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-cache-duration`                           | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-keepalive`                                | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-keepalive-share-vars`                     | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-keepalive-requests`                       | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-keepalive-timeout`                        | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-proxy-set-headers`                        | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/auth-snippet`                                  | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/enable-global-auth`                            | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/canary`                                        | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/canary-by-header`                              | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/canary-by-header-value`                        | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/canary-by-header-pattern`                      | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/canary-by-cookie`                              | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/canary-weight`                                 | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/canary-weight-total`                           | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/client-body-buffer-size`                       | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/configuration-snippet`                         | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/custom-http-errors`                            | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/disable-proxy-intercept-errors`                | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/default-backend`                               | Not supported; use `defaultBackend` in Ingress spec. |
+| `nginx.ingress.kubernetes.io/limit-rate-after`                              | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/limit-rate`                                    | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/limit-whitelist`                               | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/limit-rps`                                     | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/limit-rpm`                                     | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/limit-burst-multiplier`                        | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/limit-connections`                             | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/global-rate-limit`                             | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/global-rate-limit-window`                      | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/global-rate-limit-key`                         | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs`               | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/permanent-redirect`                            | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/permanent-redirect-code`                       | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/temporal-redirect`                             | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/preserve-trailing-slash`                       | Not supported; Traefik preserves by default.         |
+| `nginx.ingress.kubernetes.io/proxy-cookie-domain`                           | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-cookie-path`                             | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-connect-timeout`                         | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-send-timeout`                            | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-read-timeout`                            | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-next-upstream`                           | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-next-upstream-timeout`                   | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-next-upstream-tries`                     | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-request-buffering`                       | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-redirect-from`                           | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-redirect-to`                             | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-http-version`                            | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-ssl-ciphers`                             | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-ssl-verify-depth`                        | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-ssl-protocols`                           | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/enable-rewrite-log`                            | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/rewrite-target`                                | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/satisfy`                                       | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/server-alias`                                  | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/server-snippet`                                | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none`      | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/session-cookie-expires`                        | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/session-cookie-change-on-failure`              | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/ssl-ciphers`                                   | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers`                     | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/connection-proxy-header`                       | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/enable-access-log`                             | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/enable-opentracing`                            | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/opentracing-trust-incoming-span`               | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/enable-opentelemetry`                          | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span`             | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/enable-modsecurity`                            | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/enable-owasp-core-rules`                       | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/modsecurity-transaction-id`                    | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/modsecurity-snippet`                           | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/mirror-request-body`                           | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/mirror-target`                                 | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/mirror-host`                                   | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/x-forwarded-prefix`                            | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/upstream-hash-by`                              | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/upstream-vhost`                                | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/denylist-source-range`                         | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/whitelist-source-range`                        | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-buffering`                               | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-buffers-number`                          | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-buffer-size`                             | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/proxy-max-temp-file-size`                      | Not supported.                                       |
+| `nginx.ingress.kubernetes.io/stream-snippet`                                | Not supported.                                       |

docs/content/reference/routing-configuration/kubernetes/ingress.md

@@ -402,7 +402,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
           serviceAccountName: traefik-ingress-controller
           containers:
             - name: traefik
-              image: traefik:v3.4
+              image: traefik:v3.5
               args:
                 - --entryPoints.websecure.address=:443
                 - --entryPoints.websecure.http.tls

docs/content/reference/routing-configuration/other-providers/consul-catalog.md

@@ -222,6 +222,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+    
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
     
     See [health check](../http/load-balancing/service.md#health-check) for more information.

docs/content/reference/routing-configuration/other-providers/docker.md

@@ -35,7 +35,6 @@ With Docker, Traefik can leverage labels attached to a container to generate rou
     Attaching labels to containers (in your docker compose file)
 
     ```yaml
-    version: "3"
     services:
       my-container:
         # ...
@@ -48,7 +47,6 @@ With Docker, Traefik can leverage labels attached to a container to generate rou
     Forward requests for `http://example.com` to `http://<private IP of container>:12345`:
 
     ```yaml
-    version: "3"
     services:
       my-container:
         # ...
@@ -71,7 +69,6 @@ With Docker, Traefik can leverage labels attached to a container to generate rou
     In this example, requests are forwarded for `http://example-a.com` to `http://<private IP of container>:8000` in addition to `http://example-b.com` forwarding to `http://<private IP of container>:9000`:
 
     ```yaml
-    version: "3"
     services:
       my-container:
         # ...
@@ -327,6 +324,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
      "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10s"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+
+    ```yaml
+     "traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10s"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../http/load-balancing/service.md#health-check) for more information.

docs/content/reference/routing-configuration/other-providers/ecs.md

@@ -218,6 +218,14 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+    
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
     
     See [health check](../http/load-balancing/service.md#health-check) for more information.

docs/content/reference/routing-configuration/other-providers/kv.md

@@ -203,6 +203,14 @@ description: "Read the technical documentation to learn the Traefik Routing Conf
     |---------------------------------------------------------------------|-------|
     | `traefik/http/services/myservice/loadbalancer/healthcheck/interval` | `10`  |
 
+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/unhealthyinterval`"
+
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+
+    | Key (Path)                                                                   | Value |
+    |------------------------------------------------------------------------------|-------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/unhealthyinterval` | `10`  |
+
 ??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/path`"
 
     See [health check](../http/load-balancing/service.md#health-check) for more information.

docs/content/reference/routing-configuration/other-providers/nomad.md

@@ -222,6 +222,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../http/load-balancing/service.md#health-check) for more information.

docs/content/reference/routing-configuration/other-providers/swarm.md

@@ -48,7 +48,6 @@ With Docker Swarm, Traefik can leverage labels attached to a service to generate
     then that service is automatically assigned to the router.
 
     ```yaml
-    version: "3"
     services:
       my-container:
         deploy:
@@ -67,7 +66,6 @@ With Docker Swarm, Traefik can leverage labels attached to a service to generate
     Forward requests for `http://example.com` to `http://<private IP of container>:12345`:
 
     ```yaml
-    version: "3"
     services:
       my-container:
         # ...
@@ -93,7 +91,6 @@ With Docker Swarm, Traefik can leverage labels attached to a service to generate
     In this example, requests are forwarded for `http://example-a.com` to `http://<private IP of container>:8000` in addition to `http://example-b.com` forwarding to `http://<private IP of container>:9000`:
 
     ```yaml
-    version: "3"
     services:
       my-container:
         # ...
@@ -351,6 +348,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10s"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10s"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../http/load-balancing/service.md#health-check) for more information.

docs/content/reference/static-configuration/cli-ref.md

@@ -129,6 +129,12 @@ Define if the certificates pool must use a copy of the system cert pool. (Defaul
 `--certificatesresolvers.<name>.acme.certificatesduration`:  
 Certificates' duration in hours. (Default: ```2160```)
 
+`--certificatesresolvers.<name>.acme.clientresponseheadertimeout`:  
+Timeout for receiving the response headers when communicating with the ACME server. (Default: ```30```)
+
+`--certificatesresolvers.<name>.acme.clienttimeout`:  
+Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
+
 `--certificatesresolvers.<name>.acme.dnschallenge`:  
 Activate DNS-01 Challenge. (Default: ```false```)
 
@@ -174,6 +180,9 @@ CSR email addresses to use.
 `--certificatesresolvers.<name>.acme.httpchallenge`:  
 Activate HTTP-01 Challenge. (Default: ```false```)
 
+`--certificatesresolvers.<name>.acme.httpchallenge.delay`:  
+Delay between the creation of the challenge and the validation. (Default: ```0```)
+
 `--certificatesresolvers.<name>.acme.httpchallenge.entrypoint`:  
 HTTP challenge EntryPoint
 
@@ -330,6 +339,9 @@ Enable debug mode for the FastProxy implementation. (Default: ```false```)
 `--experimental.kubernetesgateway`:  
 (Deprecated) Allow the Kubernetes gateway api provider usage. (Default: ```false```)
 
+`--experimental.kubernetesingressnginx`:  
+Allow the Kubernetes Ingress NGINX provider usage. (Default: ```false```)
+
 `--experimental.localplugins.<name>`:  
 Local plugins configuration. (Default: ```false```)
 
@@ -345,6 +357,9 @@ Environment variables to forward to the wasm guest.
 `--experimental.localplugins.<name>.settings.mounts`:  
 Directory to mount to the wasm guest.
 
+`--experimental.localplugins.<name>.settings.useunsafe`:  
+Allow the plugin to use unsafe package. (Default: ```false```)
+
 `--experimental.otlplogs`:  
 Enables the OpenTelemetry logs integration. (Default: ```false```)
 
@@ -360,6 +375,9 @@ Environment variables to forward to the wasm guest.
 `--experimental.plugins.<name>.settings.mounts`:  
 Directory to mount to the wasm guest.
 
+`--experimental.plugins.<name>.settings.useunsafe`:  
+Allow the plugin to use unsafe package. (Default: ```false```)
+
 `--experimental.plugins.<name>.version`:  
 plugin's version.
 
@@ -627,6 +645,12 @@ Prefix to use for metrics collection. (Default: ```traefik```)
 `--metrics.statsd.pushinterval`:  
 StatsD push interval. (Default: ```10```)
 
+`--ocsp`:  
+OCSP configuration. (Default: ```false```)
+
+`--ocsp.responderoverrides.<name>`:  
+Defines a map of OCSP responders to replace for querying OCSP servers.
+
 `--ping`:  
 Enable ping. (Default: ```false```)
 
@@ -1017,12 +1041,60 @@ Kubernetes namespaces.
 `--providers.kubernetesingress.nativelbbydefault`:  
 Defines whether to use Native Kubernetes load-balancing mode by default. (Default: ```false```)
 
+`--providers.kubernetesingress.strictprefixmatching`:  
+Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). (Default: ```false```)
+
 `--providers.kubernetesingress.throttleduration`:  
 Ingress refresh throttle duration (Default: ```0```)
 
 `--providers.kubernetesingress.token`:  
 Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token.
 
+`--providers.kubernetesingressnginx`:  
+Enable Kubernetes Ingress NGINX provider. (Default: ```false```)
+
+`--providers.kubernetesingressnginx.certauthfilepath`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`--providers.kubernetesingressnginx.controllerclass`:  
+Ingress Class Controller value this controller satisfies. (Default: ```k8s.io/ingress-nginx```)
+
+`--providers.kubernetesingressnginx.defaultbackendservice`:  
+Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'.
+
+`--providers.kubernetesingressnginx.disablesvcexternalname`:  
+Disable support for Services of type ExternalName. (Default: ```false```)
+
+`--providers.kubernetesingressnginx.endpoint`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`--providers.kubernetesingressnginx.ingressclass`:  
+Name of the ingress class this controller satisfies. (Default: ```nginx```)
+
+`--providers.kubernetesingressnginx.ingressclassbyname`:  
+Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. (Default: ```false```)
+
+`--providers.kubernetesingressnginx.publishservice`:  
+Service fronting the Ingress controller. Takes the form 'namespace/name'.
+
+`--providers.kubernetesingressnginx.publishstatusaddress`:  
+Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.
+
+`--providers.kubernetesingressnginx.throttleduration`:  
+Ingress refresh throttle duration. (Default: ```0```)
+
+`--providers.kubernetesingressnginx.token`:  
+Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token.
+
+`--providers.kubernetesingressnginx.watchingresswithoutclass`:  
+Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. (Default: ```false```)
+
+`--providers.kubernetesingressnginx.watchnamespace`:  
+Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.
+
+`--providers.kubernetesingressnginx.watchnamespaceselector`:  
+Selector selects namespaces the controller watches for updates to Kubernetes objects.
+
 `--providers.nomad`:  
 Enable Nomad backend with default settings. (Default: ```false```)
 

docs/content/reference/static-configuration/env-ref.md

@@ -129,6 +129,12 @@ Define if the certificates pool must use a copy of the system cert pool. (Defaul
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CERTIFICATESDURATION`:  
 Certificates' duration in hours. (Default: ```2160```)
 
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CLIENTRESPONSEHEADERTIMEOUT`:  
+Timeout for receiving the response headers when communicating with the ACME server. (Default: ```30```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CLIENTTIMEOUT`:  
+Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`:  
 Activate DNS-01 Challenge. (Default: ```false```)
 
@@ -174,6 +180,9 @@ CSR email addresses to use.
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE`:  
 Activate HTTP-01 Challenge. (Default: ```false```)
 
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_DELAY`:  
+Delay between the creation of the challenge and the validation. (Default: ```0```)
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_ENTRYPOINT`:  
 HTTP challenge EntryPoint
 
@@ -330,6 +339,9 @@ Enable debug mode for the FastProxy implementation. (Default: ```false```)
 `TRAEFIK_EXPERIMENTAL_KUBERNETESGATEWAY`:  
 (Deprecated) Allow the Kubernetes gateway api provider usage. (Default: ```false```)
 
+`TRAEFIK_EXPERIMENTAL_KUBERNETESINGRESSNGINX`:  
+Allow the Kubernetes Ingress NGINX provider usage. (Default: ```false```)
+
 `TRAEFIK_EXPERIMENTAL_LOCALPLUGINS_<NAME>`:  
 Local plugins configuration. (Default: ```false```)
 
@@ -345,6 +357,9 @@ Environment variables to forward to the wasm guest.
 `TRAEFIK_EXPERIMENTAL_LOCALPLUGINS_<NAME>_SETTINGS_MOUNTS`:  
 Directory to mount to the wasm guest.
 
+`TRAEFIK_EXPERIMENTAL_LOCALPLUGINS_<NAME>_SETTINGS_USEUNSAFE`:  
+Allow the plugin to use unsafe package. (Default: ```false```)
+
 `TRAEFIK_EXPERIMENTAL_OTLPLOGS`:  
 Enables the OpenTelemetry logs integration. (Default: ```false```)
 
@@ -360,6 +375,9 @@ Environment variables to forward to the wasm guest.
 `TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_SETTINGS_MOUNTS`:  
 Directory to mount to the wasm guest.
 
+`TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_SETTINGS_USEUNSAFE`:  
+Allow the plugin to use unsafe package. (Default: ```false```)
+
 `TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_VERSION`:  
 plugin's version.
 
@@ -627,6 +645,12 @@ Prefix to use for metrics collection. (Default: ```traefik```)
 `TRAEFIK_METRICS_STATSD_PUSHINTERVAL`:  
 StatsD push interval. (Default: ```10```)
 
+`TRAEFIK_OCSP`:  
+OCSP configuration. (Default: ```false```)
+
+`TRAEFIK_OCSP_RESPONDEROVERRIDES_<NAME>`:  
+Defines a map of OCSP responders to replace for querying OCSP servers.
+
 `TRAEFIK_PING`:  
 Enable ping. (Default: ```false```)
 
@@ -978,6 +1002,51 @@ Kubernetes bearer token (not needed for in-cluster client). It accepts either a
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS`:  
 Enable Kubernetes backend with default settings. (Default: ```false```)
 
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX`:  
+Enable Kubernetes Ingress NGINX provider. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_CERTAUTHFILEPATH`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_CONTROLLERCLASS`:  
+Ingress Class Controller value this controller satisfies. (Default: ```k8s.io/ingress-nginx```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_DEFAULTBACKENDSERVICE`:  
+Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_DISABLESVCEXTERNALNAME`:  
+Disable support for Services of type ExternalName. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_ENDPOINT`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_INGRESSCLASS`:  
+Name of the ingress class this controller satisfies. (Default: ```nginx```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_INGRESSCLASSBYNAME`:  
+Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_PUBLISHSERVICE`:  
+Service fronting the Ingress controller. Takes the form 'namespace/name'.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_PUBLISHSTATUSADDRESS`:  
+Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_THROTTLEDURATION`:  
+Ingress refresh throttle duration. (Default: ```0```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_TOKEN`:  
+Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_WATCHINGRESSWITHOUTCLASS`:  
+Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_WATCHNAMESPACE`:  
+Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.
+
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESSNGINX_WATCHNAMESPACESELECTOR`:  
+Selector selects namespaces the controller watches for updates to Kubernetes objects.
+
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_ALLOWEMPTYSERVICES`:  
 Allow creation of services without endpoints. (Default: ```false```)
 
@@ -1017,6 +1086,9 @@ Kubernetes namespaces.
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_NATIVELBBYDEFAULT`:  
 Defines whether to use Native Kubernetes load-balancing mode by default. (Default: ```false```)
 
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_STRICTPREFIXMATCHING`:  
+Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_THROTTLEDURATION`:  
 Ingress refresh throttle duration (Default: ```0```)
 

docs/content/reference/static-configuration/file.toml

@@ -138,10 +138,26 @@
     disableIngressClassLookup = true
     disableClusterScopeResources = true
     nativeLBByDefault = true
+    strictPrefixMatching = true
     [providers.kubernetesIngress.ingressEndpoint]
       ip = "foobar"
       hostname = "foobar"
       publishedService = "foobar"
+  [providers.kubernetesIngressNGINX]
+    endpoint = "foobar"
+    token = "foobar"
+    certAuthFilePath = "foobar"
+    throttleDuration = "42s"
+    watchNamespace = "foobar"
+    watchNamespaceSelector = "foobar"
+    ingressClass = "foobar"
+    controllerClass = "foobar"
+    watchIngressWithoutClass = true
+    ingressClassByName = true
+    publishService = "foobar"
+    publishStatusAddress = ["foobar", "foobar"]
+    defaultBackendService = "foobar"
+    disableSvcExternalName = true
   [providers.kubernetesCRD]
     endpoint = "foobar"
     token = "foobar"
@@ -511,6 +527,8 @@
       storage = "foobar"
       keyType = "foobar"
       certificatesDuration = 42
+      clientTimeout = "42s"
+      clientResponseHeaderTimeout = "42s"
       caCertificates = ["foobar", "foobar"]
       caSystemCertPool = true
       caServerName = "foobar"
@@ -529,6 +547,7 @@
           delayBeforeChecks = "42s"
       [certificatesResolvers.CertificateResolver0.acme.httpChallenge]
         entryPoint = "foobar"
+        delay = "42s"
       [certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
     [certificatesResolvers.CertificateResolver0.tailscale]
   [certificatesResolvers.CertificateResolver1]
@@ -541,6 +560,8 @@
       storage = "foobar"
       keyType = "foobar"
       certificatesDuration = 42
+      clientTimeout = "42s"
+      clientResponseHeaderTimeout = "42s"
       caCertificates = ["foobar", "foobar"]
       caSystemCertPool = true
       caServerName = "foobar"
@@ -559,12 +580,14 @@
           delayBeforeChecks = "42s"
       [certificatesResolvers.CertificateResolver1.acme.httpChallenge]
         entryPoint = "foobar"
+        delay = "42s"
       [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
     [certificatesResolvers.CertificateResolver1.tailscale]
 
 [experimental]
   abortOnPluginFailure = true
   otlplogs = true
+  kubernetesIngressNGINX = true
   kubernetesGateway = true
   [experimental.plugins]
     [experimental.plugins.Descriptor0]
@@ -573,23 +596,27 @@
       [experimental.plugins.Descriptor0.settings]
         envs = ["foobar", "foobar"]
         mounts = ["foobar", "foobar"]
+        useUnsafe = true
     [experimental.plugins.Descriptor1]
       moduleName = "foobar"
       version = "foobar"
       [experimental.plugins.Descriptor1.settings]
         envs = ["foobar", "foobar"]
         mounts = ["foobar", "foobar"]
+        useUnsafe = true
   [experimental.localPlugins]
     [experimental.localPlugins.LocalDescriptor0]
       moduleName = "foobar"
       [experimental.localPlugins.LocalDescriptor0.settings]
         envs = ["foobar", "foobar"]
         mounts = ["foobar", "foobar"]
+        useUnsafe = true
     [experimental.localPlugins.LocalDescriptor1]
       moduleName = "foobar"
       [experimental.localPlugins.LocalDescriptor1.settings]
         envs = ["foobar", "foobar"]
         mounts = ["foobar", "foobar"]
+        useUnsafe = true
   [experimental.fastProxy]
     debug = true
 
@@ -598,3 +625,8 @@
 
 [spiffe]
   workloadAPIAddr = "foobar"
+
+[ocsp]
+  [ocsp.responderOverrides]
+    name0 = "foobar"
+    name1 = "foobar"

docs/content/reference/static-configuration/file.yaml

@@ -157,6 +157,24 @@ providers:
     disableIngressClassLookup: true
     disableClusterScopeResources: true
     nativeLBByDefault: true
+    strictPrefixMatching: true
+  kubernetesIngressNGINX:
+    endpoint: foobar
+    token: foobar
+    certAuthFilePath: foobar
+    throttleDuration: 42s
+    watchNamespace: foobar
+    watchNamespaceSelector: foobar
+    ingressClass: foobar
+    controllerClass: foobar
+    watchIngressWithoutClass: true
+    ingressClassByName: true
+    publishService: foobar
+    publishStatusAddress:
+      - foobar
+      - foobar
+    defaultBackendService: foobar
+    disableSvcExternalName: true
   kubernetesCRD:
     endpoint: foobar
     token: foobar
@@ -557,6 +575,8 @@ certificatesResolvers:
         kid: foobar
         hmacEncoded: foobar
       certificatesDuration: 42
+      clientTimeout: 42s
+      clientResponseHeaderTimeout: 42s
       caCertificates:
         - foobar
         - foobar
@@ -576,6 +596,7 @@ certificatesResolvers:
         disablePropagationCheck: true
       httpChallenge:
         entryPoint: foobar
+        delay: 42s
       tlsChallenge: {}
     tailscale: {}
   CertificateResolver1:
@@ -593,6 +614,8 @@ certificatesResolvers:
         kid: foobar
         hmacEncoded: foobar
       certificatesDuration: 42
+      clientTimeout: 42s
+      clientResponseHeaderTimeout: 42s
       caCertificates:
         - foobar
         - foobar
@@ -612,6 +635,7 @@ certificatesResolvers:
         disablePropagationCheck: true
       httpChallenge:
         entryPoint: foobar
+        delay: 42s
       tlsChallenge: {}
     tailscale: {}
 experimental:
@@ -626,6 +650,7 @@ experimental:
         mounts:
           - foobar
           - foobar
+        useUnsafe: true
     Descriptor1:
       moduleName: foobar
       version: foobar
@@ -636,6 +661,7 @@ experimental:
         mounts:
           - foobar
           - foobar
+        useUnsafe: true
   localPlugins:
     LocalDescriptor0:
       moduleName: foobar
@@ -646,6 +672,7 @@ experimental:
         mounts:
           - foobar
           - foobar
+        useUnsafe: true
     LocalDescriptor1:
       moduleName: foobar
       settings:
@@ -655,12 +682,18 @@ experimental:
         mounts:
           - foobar
           - foobar
+        useUnsafe: true
   abortOnPluginFailure: true
   fastProxy:
     debug: true
   otlplogs: true
+  kubernetesIngressNGINX: true
   kubernetesGateway: true
 core:
   defaultRuleSyntax: foobar
 spiffe:
   workloadAPIAddr: foobar
+ocsp:
+  responderOverrides:
+    name0: foobar
+    name1: foobar

docs/content/routing/providers/consul-catalog.md

@@ -218,6 +218,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
     
     See [health check](../services/index.md#health-check) for more information.

docs/content/routing/providers/docker.md

@@ -42,7 +42,6 @@ With Docker, Traefik can leverage labels attached to a container to generate rou
     Attaching labels to containers (in your docker compose file)
 
     ```yaml
-    version: "3"
     services:
       my-container:
         # ...
@@ -55,7 +54,6 @@ With Docker, Traefik can leverage labels attached to a container to generate rou
     Forward requests for `http://example.com` to `http://<private IP of container>:12345`:
 
     ```yaml
-    version: "3"
     services:
       my-container:
         # ...
@@ -78,7 +76,6 @@ With Docker, Traefik can leverage labels attached to a container to generate rou
     In this example, requests are forwarded for `http://example-a.com` to `http://<private IP of container>:8000` in addition to `http://example-b.com` forwarding to `http://<private IP of container>:9000`:
 
     ```yaml
-    version: "3"
     services:
       my-container:
         # ...
@@ -333,6 +330,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10s"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10s"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../services/index.md#health-check) for more information.

docs/content/routing/providers/ecs.md

@@ -220,6 +220,14 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
     
     See [health check](../services/index.md#health-check) for more information.

docs/content/routing/providers/kubernetes-crd.md

@@ -48,7 +48,7 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
           serviceAccountName: traefik-ingress-controller
           containers:
             - name: traefik
-              image: traefik:v3.4
+              image: traefik:v3.5
               args:
                 - --log.level=DEBUG
                 - --api

docs/content/routing/providers/kubernetes-gateway.md

@@ -8,11 +8,11 @@ description: "The Kubernetes Gateway API can be used as a provider for routing a
 When using the Kubernetes Gateway API provider, Traefik leverages the Gateway API Custom Resource Definitions (CRDs) to obtain its routing configuration. 
 For detailed information on the Gateway API concepts and resources, refer to the official [documentation](https://gateway-api.sigs.k8s.io/).
 
-The Kubernetes Gateway API provider supports version [v1.2.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.1) of the specification.
+The Kubernetes Gateway API provider supports version [v1.3.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.3.0) of the specification.
 
 It fully supports all `HTTPRoute` core and some extended features, like `GRPCRoute`, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels). 
 
-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.2.1/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.3.0/traefik-traefik).
 
 ## Deploying a Gateway
 

docs/content/routing/providers/kubernetes-ingress.md

@@ -130,7 +130,7 @@ which in turn will create the resulting routers, services, handlers, etc.
           serviceAccountName: traefik-ingress-controller
           containers:
             - name: traefik
-              image: traefik:v3.4
+              image: traefik:v3.5
               args:
                 - --entryPoints.web.address=:80
                 - --providers.kubernetesingress
@@ -439,7 +439,7 @@ If the Kubernetes cluster version is 1.18+,
 the new `pathType` property can be leveraged to define the rules matchers:
 
 - `Exact`: This path type forces the rule matcher to `Path`
-- `Prefix`: This path type forces the rule matcher to `PathPrefix`
+- `Prefix`: This path type forces the rule matcher to `PathPrefix`. Note that if you want the matching behavior to strictly comply with Kubernetes Ingress specification (request path is matched on an element-by-element basis), consider enabling [`strictPrefixMatching`](../../providers/kubernetes-ingress.md#strictprefixmatching) in the Ingress Provider configuration.
 
 Please see [this documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) for more information.
 
@@ -593,7 +593,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
           serviceAccountName: traefik-ingress-controller
           containers:
             - name: traefik
-              image: traefik:v3.4
+              image: traefik:v3.5
               args:
                 - --entryPoints.websecure.address=:443
                 - --entryPoints.websecure.http.tls
@@ -786,7 +786,7 @@ For more options, please refer to the available [annotations](#on-ingress).
           serviceAccountName: traefik-ingress-controller
           containers:
             - name: traefik
-              image: traefik:v3.4
+              image: traefik:v3.5
               args:
                 - --entryPoints.websecure.address=:443
                 - --providers.kubernetesingress

docs/content/routing/providers/kv.md

@@ -180,6 +180,14 @@ A Story of key & values
     |---------------------------------------------------------------------|-------|
     | `traefik/http/services/myservice/loadbalancer/healthcheck/interval` | `10`  |
 
+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/unhealthyinterval`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    | Key (Path)                                                                   | Value |
+    |------------------------------------------------------------------------------|-------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/unhealthyinterval` | `10`  |
+
 ??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/path`"
 
     See [health check](../services/index.md#health-check) for more information.

docs/content/routing/providers/nomad.md

@@ -218,6 +218,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../services/index.md#health-check) for more information.

docs/content/routing/providers/swarm.md

@@ -55,7 +55,6 @@ With Docker Swarm, Traefik can leverage labels attached to a service to generate
     then that service is automatically assigned to the router.
 
     ```yaml
-    version: "3"
     services:
       my-container:
         deploy:
@@ -74,7 +73,6 @@ With Docker Swarm, Traefik can leverage labels attached to a service to generate
     Forward requests for `http://example.com` to `http://<private IP of container>:12345`:
 
     ```yaml
-    version: "3"
     services:
       my-container:
         # ...
@@ -100,7 +98,6 @@ With Docker Swarm, Traefik can leverage labels attached to a service to generate
     In this example, requests are forwarded for `http://example-a.com` to `http://<private IP of container>:8000` in addition to `http://example-b.com` forwarding to `http://<private IP of container>:9000`:
 
     ```yaml
-    version: "3"
     services:
       my-container:
         # ...
@@ -347,6 +344,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10s"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10s"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../services/index.md#health-check) for more information.