Prepare release v3.5.4

Co-authored-by: Firespray-31 <147506444+Firespray-31@users.noreply.github.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,17 +1,16 @@
 <!--
 PLEASE READ THIS MESSAGE.
 
-Documentation fixes or enhancements:
-- for Traefik v2: use branch v2.11
-- for Traefik v3: use branch v3.4
+Documentation:
+- for Traefik v2: use branch v2.11 (fixes only)
+- for Traefik v3: use branch v3.5
 
-Bug fixes:
-- for Traefik v2: use branch v2.11
-- for Traefik v3: use branch v3.4
+Bug:
+- for Traefik v2: use branch v2.11 (security fixes only)
+- for Traefik v3: use branch v3.5
 
 Enhancements:
-- for Traefik v2: we only accept bug fixes
-- for Traefik v3: use branch master
+- use branch master
 
 HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
 

.github/workflows/build.yaml

@@ -51,7 +51,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/check_doc.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/codeql.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     - name: setup go
       uses: actions/setup-go@v5

.github/workflows/documentation.yml

@@ -1,6 +1,7 @@
 name: Build and Publish Documentation
 
 on:
+  workflow_dispatch: {}
   push:
     branches:
       - master
@@ -19,7 +20,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -39,9 +40,9 @@ jobs:
         run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}
 
       - name: Build documentation
-        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
-        env:
-          STRUCTOR_LATEST_TAG: ${{ vars.STRUCTOR_LATEST_TAG }}
+        run: |
+          STRUCTOR_LATEST_TAG=$(curl -s https://api.github.com/repos/traefik/traefik/releases/latest | jq -r '.tag_name')
+          $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
 
       - name: Apply seo
         run: $HOME/bin/seo -path=./site -product=traefik

.github/workflows/experimental.yaml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/release.yaml

@@ -10,7 +10,7 @@ env:
   CGO_ENABLED: 0
   VERSION: ${{ github.ref_name }}
   TRAEFIKER_EMAIL: "traefiker@traefik.io"
-  CODENAME: chaource
+  CODENAME: chabichou
 
 jobs:
 
@@ -30,7 +30,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -89,7 +89,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -126,13 +126,11 @@ jobs:
           tar cfz "dist/traefik-${VERSION}.src.tar.gz" \
             --exclude-vcs \
             --exclude .idea \
-            --exclude .travis \
-            --exclude .semaphoreci \
             --exclude .github \
             --exclude dist .
           
           chown -R "$(id -u)":"$(id -g)" dist/
-          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION}
+          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION} --latest=true
           
           ./script/deploy.sh
 

.github/workflows/template-webui.yaml

@@ -8,10 +8,13 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
+      - name: Enable corepack
+        run: corepack enable
+
       - name: Setup node
         uses: actions/setup-node@v4
         with:

.github/workflows/test-conformance.yaml

@@ -30,9 +30,6 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
-      - name: Avoid generating webui
-        run: touch webui/static/index.html
-
       - name: K8s Gateway API conformance test and report
         run: |
           make test-gateway-api-conformance

.github/workflows/test-integration.yaml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -30,11 +30,22 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
 
-      - name: Avoid generating webui
-        run: touch webui/static/index.html
-
       - name: Build binary
-        run: make binary
+        run: make binary-linux-amd64
+
+      - name: Save go cache build
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-cache-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
+
+      - name: Artifact traefik binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: traefik
+          path: ./dist/linux/amd64/traefik
+          retention-days: 1
 
   test-integration:
     runs-on: ubuntu-latest
@@ -48,7 +59,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -58,11 +69,21 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
 
-      - name: Avoid generating webui
-        run: touch webui/static/index.html
+      - name: Download traefik binary
+        uses: actions/download-artifact@v4
+        with:
+          name: traefik
+          path: ./dist/linux/amd64/
 
-      - name: Build binary
-        run: make binary
+      - name: Make binary executable
+        run: chmod +x ./dist/linux/amd64/traefik
+
+      - name: Restore go cache build
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-cache-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
 
       - name: Generate go test Slice
         id: test_split

.github/workflows/test-unit.yaml

@@ -13,7 +13,6 @@ env:
   GO_VERSION: '1.24'
 
 jobs:
-
   generate-packages:
     name: List Go Packages
     runs-on: ubuntu-latest
@@ -21,7 +20,7 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -47,7 +46,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -57,9 +56,6 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
 
-      - name: Avoid generating webui
-        run: touch webui/static/index.html
-
       - name: Tests
         run: |
           go test -v -parallel 8 ${{ matrix.package.group }}
@@ -69,10 +65,13 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
+      - name: Enable corepack
+        run: corepack enable
+
       - name: Set up Node.js ${{ env.NODE_VERSION }}
         uses: actions/setup-node@v4
         with:
@@ -81,6 +80,9 @@ jobs:
           cache-dependency-path: webui/yarn.lock
 
       - name: UI unit tests
+        working-directory: ./webui
+        env:
+          VITE_APP_BASE_API_URL: "/api"
         run: |
-          yarn --cwd webui install
-          yarn --cwd webui test:unit:ci
+          yarn install
+          yarn test:unit:ci

.github/workflows/validate.yaml

@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -37,7 +37,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -50,9 +50,6 @@ jobs:
       - name: Install misspell ${{ env.MISSPELL_VERSION }}
         run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/HEAD/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}
 
-      - name: Avoid generating webui
-        run: touch webui/static/index.html
-
       - name: Validate
         run: make validate-files
 
@@ -61,7 +58,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.golangci.yml

@@ -245,6 +245,10 @@ linters:
         text: Function 'buildConstructor' has too many statements
         linters:
           - funlen
+      - path: pkg/provider/kubernetes/ingress-nginx/kubernetes.go
+        text: Function 'loadConfiguration' has too many statements
+        linters:
+          - funlen
       - path: pkg/tracing/haystack/logger.go
         linters:
           - goprintffuncname
@@ -259,7 +263,7 @@ linters:
       - path: pkg/provider/kubernetes/(crd|gateway)/client.go
         linters:
           - interfacebloat
-      - path: pkg/metrics/metrics.go
+      - path: pkg/observability/metrics/metrics.go
         linters:
           - interfacebloat
       - path: integration/healthcheck_test.go
@@ -304,8 +308,6 @@ linters:
         text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
       - path: (.+)\.go$
         text: 'SA1019: c.Providers.(ConsulCatalog|Consul|Nomad).Namespace is deprecated'
-      - path: (.+)\.go$
-        text: 'SA1019: dockertypes.ContainerNode is deprecated'
       - path: pkg/provider/kubernetes/crd/kubernetes.go
         text: "Function 'loadConfigurationFromCRD' has too many statements"
         linters:

.semaphore/semaphore.yml

@@ -1,13 +0,0 @@
-version: v1.0
-name: Traefik Release - deprecated
-agent:
-  machine:
-    type: f1-standard-2
-    os_image: ubuntu2204
-blocks:
-  - name: 'Do nothing'
-    task:
-      jobs:
-        - name: 'Do nothing'
-          commands:
-            - echo "Do nothing"

CHANGELOG.md

@@ -1,3 +1,275 @@
+## [v3.5.4](https://github.com/traefik/traefik/tree/v3.5.4) (2025-10-28)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.3...v3.5.4)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.27.0 ([#12166](https://github.com/traefik/traefik/pull/12166) by [ldez](https://github.com/ldez))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.26.0 ([#12063](https://github.com/traefik/traefik/pull/12063) by [ldez](https://github.com/ldez))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.55.0 ([#12121](https://github.com/traefik/traefik/pull/12121) by [GreyXor](https://github.com/GreyXor))
+- **[kv]** Bump github.com/kvtools/etcdv3 to v1.0.3 ([#12163](https://github.com/traefik/traefik/pull/12163) by [kevinpollet](https://github.com/kevinpollet))
+- **[logs,metrics,tracing,accesslogs,otel]** Fix otel not working without USER ([#12103](https://github.com/traefik/traefik/pull/12103) by [mmatur](https://github.com/mmatur))
+- **[logs,otel]** Enable stdout logging when OTLP is enabled ([#12124](https://github.com/traefik/traefik/pull/12124) by [lbenguigui](https://github.com/lbenguigui))
+- **[metrics,otel]** Rename traefik_tls_certs_not_after_milliseconds to traefik_tls_certs_not_after_seconds ([#12141](https://github.com/traefik/traefik/pull/12141) by [shreealt](https://github.com/shreealt))
+- **[otel]** Update OpenTelemetry to v1.38.0 and semantic conventions to v1.37.0 ([#12099](https://github.com/traefik/traefik/pull/12099) by [rtribotte](https://github.com/rtribotte))
+- **[otel]** Do not fail when pod is not found in K8sAttributesDetector ([#12096](https://github.com/traefik/traefik/pull/12096) by [xe-leon](https://github.com/xe-leon))
+- **[tls]** Make the staple updates continuous ([#12142](https://github.com/traefik/traefik/pull/12142) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Fix version display regression ([#12111](https://github.com/traefik/traefik/pull/12111) by [mdeliatf](https://github.com/mdeliatf))
+
+**Documentation:**
+- **[accesslogs]** Fix link for accesslog.fields.names in documentation ([#12094](https://github.com/traefik/traefik/pull/12094) by [rmbruntz](https://github.com/rmbruntz))
+- **[acme]** Fix Hetzner env var name inside documentation ([#12187](https://github.com/traefik/traefik/pull/12187) by [ldez](https://github.com/ldez))
+- **[acme]** Replace internal dead links ([#12152](https://github.com/traefik/traefik/pull/12152) by [rtribotte](https://github.com/rtribotte))
+- **[acme]** Clean and avoid collisions of anchors in option tables ([#12149](https://github.com/traefik/traefik/pull/12149) by [rtribotte](https://github.com/rtribotte))
+- **[docker/swarm]** Fix swarm code example ([#12115](https://github.com/traefik/traefik/pull/12115) by [Dr4K4n](https://github.com/Dr4K4n))
+- **[healthcheck]** Clarify health check requirement for server status metric ([#12201](https://github.com/traefik/traefik/pull/12201) by [asafm](https://github.com/asafm))
+- **[k8s/crd]** Fix typo in ingressroute.md from pirority to priority ([#12112](https://github.com/traefik/traefik/pull/12112) by [miromichalicka](https://github.com/miromichalicka))
+- **[k8s]** Fix incorrect option and lint page ([#12108](https://github.com/traefik/traefik/pull/12108) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[k8s]** Add API basePath documentation and fix broken links ([#12177](https://github.com/traefik/traefik/pull/12177) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s]** Merge TLSOption/TLSStore CRD documentation page ([#12164](https://github.com/traefik/traefik/pull/12164) by [nmengin](https://github.com/nmengin))
+- **[logs]** Clarify log.filePath behavior in documentation ([#12153](https://github.com/traefik/traefik/pull/12153) by [Alanxtl](https://github.com/Alanxtl))
+- **[metrics]** Fix incorrect addInternals configuration option ([#12118](https://github.com/traefik/traefik/pull/12118) by [shreealt](https://github.com/shreealt))
+- **[middleware]** Fix anchors in basic auth configuration options ([#12168](https://github.com/traefik/traefik/pull/12168) by [homersimpsons](https://github.com/homersimpsons))
+- **[middleware]** Fix PreserveRequestMethod casing ([#12122](https://github.com/traefik/traefik/pull/12122) by [LeTamanoir](https://github.com/LeTamanoir))
+- **[middleware]** Add missing reference docs for statusRewrites in errors middleware ([#12198](https://github.com/traefik/traefik/pull/12198) by [sevensolutions](https://github.com/sevensolutions))
+- **[middleware]** Document rejectStatusCode ([#12062](https://github.com/traefik/traefik/pull/12062) by [czocher](https://github.com/czocher))
+- **[otel]** Align documentation on default otlp endpoint ([#12151](https://github.com/traefik/traefik/pull/12151) by [mloiseleur](https://github.com/mloiseleur))
+- **[otel]** Fix metric name to metrics.otlp.grpc.insecure ([#12200](https://github.com/traefik/traefik/pull/12200) by [germainlefebvre4](https://github.com/germainlefebvre4))
+- **[server,k8s/crd,k8s]** Add dedicated pages for routers and fix doc links in CRDs ([#12119](https://github.com/traefik/traefik/pull/12119) by [rtribotte](https://github.com/rtribotte))
+- **[tls]** Fix typo in TLS certificate generation description ([#12185](https://github.com/traefik/traefik/pull/12185) by [iraj-jelo](https://github.com/iraj-jelo))
+- Fix wrong references to router's pages ([#12131](https://github.com/traefik/traefik/pull/12131) by [rtribotte](https://github.com/rtribotte))
+- Fix markdown rendering for table anchors ([#12129](https://github.com/traefik/traefik/pull/12129) by [MaBauMeBad](https://github.com/MaBauMeBad))
+- Fix provider option descriptions ([#12135](https://github.com/traefik/traefik/pull/12135) by [kevinpollet](https://github.com/kevinpollet))
+- Format HTTP headers as code ([#12105](https://github.com/traefik/traefik/pull/12105) by [tyilo](https://github.com/tyilo))
+- Fix heading levels and add links ([#12084](https://github.com/traefik/traefik/pull/12084) by [Granjow](https://github.com/Granjow))
+
+**Misc:**
+- Merge branch v2.11 into v3.5 ([#12206](https://github.com/traefik/traefik/pull/12206) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.11 into v3.5 ([#12158](https://github.com/traefik/traefik/pull/12158) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.30](https://github.com/traefik/traefik/tree/v2.11.30) (2025-10-28)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.29...v2.11.30)
+
+**Bug fixes:**
+- **[http3]** Bump github.com/quic-go/quic-go to v0.55.0 ([#12156](https://github.com/traefik/traefik/pull/12156) by [kevinpollet](https://github.com/kevinpollet))
+- **[kv]** Fix KV key name used to check if connection is alive ([#12162](https://github.com/traefik/traefik/pull/12162) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Bump golang.org/x/net to v0.46.0 ([#12143](https://github.com/traefik/traefik/pull/12143) by [kevinpollet](https://github.com/kevinpollet))
+- **[tracing]** Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.74.6 ([#12083](https://github.com/traefik/traefik/pull/12083) by [hannahkm](https://github.com/hannahkm))
+
+## [v3.5.3](https://github.com/traefik/traefik/tree/v3.5.3) (2025-09-26)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.2...v3.5.3)
+
+**Bug fixes:**
+- **[k8s/crd]** ServersTransport: set minimum MaxIdleConnsPerHost=-1 ([#12077](https://github.com/traefik/traefik/pull/12077) by [xe-leon](https://github.com/xe-leon))
+- **[plugins]** Refactor plugins system ([#12035](https://github.com/traefik/traefik/pull/12035) by [jspdown](https://github.com/jspdown))
+- **[server]** Use client conn to build the proxy protocol header ([#12069](https://github.com/traefik/traefik/pull/12069) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Update hub-button-app to use a local script ([#12060](https://github.com/traefik/traefik/pull/12060) by [mdeliatf](https://github.com/mdeliatf))
+
+**Documentation:**
+- **[acme,middleware]** Fix broken links in documentation ([#12057](https://github.com/traefik/traefik/pull/12057) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s]** Create Traefik Service CRD sub-resource documentation page ([#12080](https://github.com/traefik/traefik/pull/12080) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Fix conflict in IngressRouteTCP documentation ([#12064](https://github.com/traefik/traefik/pull/12064) by [MatBon01](https://github.com/MatBon01))
+- Fix typo in rules and priority documentation ([#12089](https://github.com/traefik/traefik/pull/12089) by [Darkangeel-hd](https://github.com/Darkangeel-hd))
+- Add govern section ([#12067](https://github.com/traefik/traefik/pull/12067) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix entrypoint config examples ([#12056](https://github.com/traefik/traefik/pull/12056) by [markormesher](https://github.com/markormesher))
+- Reorganize the menu entries ([#12044](https://github.com/traefik/traefik/pull/12044) by [nmengin](https://github.com/nmengin))
+- Add New Secure Section to the Documentation ([#11978](https://github.com/traefik/traefik/pull/11978) by [sheddy-traefik](https://github.com/sheddy-traefik))
+
+## [v3.5.2](https://github.com/traefik/traefik/tree/v3.5.2) (2025-09-09)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.1...v3.5.2)
+
+**Bug fixes:**
+- **[middleware,accesslogs]** Add GenericCLF log format for access logs ([#12033](https://github.com/traefik/traefik/pull/12033) by [sdelicata](https://github.com/sdelicata))
+- **[middleware]** Fix customerrors query url replacement ([#11876](https://github.com/traefik/traefik/pull/11876) by [DorianBlues](https://github.com/DorianBlues))
+- **[tls,service]** Send proxy protocol header before TLS handshake ([#11956](https://github.com/traefik/traefik/pull/11956) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Restore empty webui/static to use traefik as library ([#12025](https://github.com/traefik/traefik/pull/12025) by [youkoulayley](https://github.com/youkoulayley))
+
+**Documentation:**
+- **[accesslogs]** Fix path for access-logs header config ([#12030](https://github.com/traefik/traefik/pull/12030) by [cgatt](https://github.com/cgatt))
+- **[acme]** Fixes typo for OCSP in CLI example ([#12039](https://github.com/traefik/traefik/pull/12039) by [mloiseleur](https://github.com/mloiseleur))
+- **[docker/swarm]** Fixes typo for Swarm mode in CLI example ([#12038](https://github.com/traefik/traefik/pull/12038) by [BilalBudhani](https://github.com/BilalBudhani))
+- **[kv]** Fix broken links in KV store documentation ([#12040](https://github.com/traefik/traefik/pull/12040) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[middleware]** Add redis options to ratelimit middleware & Include distributed rate limit middleware ([#12041](https://github.com/traefik/traefik/pull/12041) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[server]** Fix link to HTTP3 section in documentation ([#12028](https://github.com/traefik/traefik/pull/12028) by [vincentbernat](https://github.com/vincentbernat))
+- Fix migration path in documentation ([#12032](https://github.com/traefik/traefik/pull/12032) by [nmengin](https://github.com/nmengin))
+
+## [v3.5.1](https://github.com/traefik/traefik/tree/v3.5.1) (2025-08-27)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.0...v3.5.1)
+
+**Bug fixes:**
+- **[accesslogs,otel]** Provide Log Body in OTEL access Log ([#11867](https://github.com/traefik/traefik/pull/11867) by [tomMoulard](https://github.com/tomMoulard))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.25.1 ([#11882](https://github.com/traefik/traefik/pull/11882) by [ldez](https://github.com/ldez))
+- **[k8s/gatewayapi]** Make app protocol case insensitive ([#11989](https://github.com/traefik/traefik/pull/11989) by [shreealt](https://github.com/shreealt))
+- **[otel]** Fix misspelling in docs ([#11952](https://github.com/traefik/traefik/pull/11952) by [mmanciop](https://github.com/mmanciop))
+- **[server]** Bump to github.com/pires/go-proxyproto v0.8.1 ([#11991](https://github.com/traefik/traefik/pull/11991) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Silent expected errors on receiving sigterm signal ([#11838](https://github.com/traefik/traefik/pull/11838) by [Kwuray](https://github.com/Kwuray))
+- **[tracing]** Fix capturedRequestHeaders and capturedResponseHeaders headers options not being canonicalized in tracing ([#12005](https://github.com/traefik/traefik/pull/12005) by [mcuelenaere](https://github.com/mcuelenaere))
+- **[tracing]** Follow OTel semantic conventions for root span naming ([#11673](https://github.com/traefik/traefik/pull/11673) by [Alex-Waring](https://github.com/Alex-Waring))
+- **[webui]** Update Traefik Proxy dashboard UI development deps ([#11958](https://github.com/traefik/traefik/pull/11958) by [mdeliatf](https://github.com/mdeliatf))
+- Refactor to use reflect.TypeFor ([#12010](https://github.com/traefik/traefik/pull/12010) by [cuiweixie](https://github.com/cuiweixie))
+
+**Documentation:**
+- **[docker]** Fix missing middleware application for whoami service in docker guide ([#12012](https://github.com/traefik/traefik/pull/12012) by [Copilot](https://github.com/apps/copilot-swe-agent))
+- **[k8s/gatewayapi]** Fix documentation to match new gateway-api selector syntax ([#12006](https://github.com/traefik/traefik/pull/12006) by [Firespray-31](https://github.com/Firespray-31))
+- **[middleware,hub]** Add Traefik Hub Middlewares To Reference Section ([#11937](https://github.com/traefik/traefik/pull/11937) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[plugins]** Add extend documentation ([#11904](https://github.com/traefik/traefik/pull/11904) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Update Broken Links in the Migration Docs ([#12016](https://github.com/traefik/traefik/pull/12016) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix Documentation menu ([#12013](https://github.com/traefik/traefik/pull/12013) by [nmengin](https://github.com/nmengin))
+- Fix invalid links in documentation ([#11995](https://github.com/traefik/traefik/pull/11995) by [mloiseleur](https://github.com/mloiseleur))
+- Fix typo in index ([#11994](https://github.com/traefik/traefik/pull/11994) by [ignyx](https://github.com/ignyx))
+- Restore missing migration section ([#11973](https://github.com/traefik/traefik/pull/11973) by [rtribotte](https://github.com/rtribotte))
+- Clean Documentation ([#11945](https://github.com/traefik/traefik/pull/11945) by [nmengin](https://github.com/nmengin))
+- Add back the link to Peka's page ([#11942](https://github.com/traefik/traefik/pull/11942) by [kevinpollet](https://github.com/kevinpollet))
+
+**Misc:**
+- Merge branch v2.11 into v3.5 ([#12019](https://github.com/traefik/traefik/pull/12019) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.5 ([#12017](https://github.com/traefik/traefik/pull/12017) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.5 ([#11966](https://github.com/traefik/traefik/pull/11966) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.4 into v3.5 ([#11953](https://github.com/traefik/traefik/pull/11953) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.29](https://github.com/traefik/traefik/tree/v2.11.29) (2025-08-26)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.28...v2.11.29)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.25.2 ([#11983](https://github.com/traefik/traefik/pull/11983) by [ldez](https://github.com/ldez))
+- **[docker]** Bump github.com/docker/docker to v28.3.3 ([#12007](https://github.com/traefik/traefik/pull/12007) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- Fix invalid links in documentation ([#11960](https://github.com/traefik/traefik/pull/11960) by [mloiseleur](https://github.com/mloiseleur))
+- Update releases docs for v3.5 ([#11949](https://github.com/traefik/traefik/pull/11949) by [jnoordsij](https://github.com/jnoordsij))
+
+## [v3.5.0](https://github.com/traefik/traefik/tree/v3.5.0) (2025-07-23)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.0-rc1...v3.5.0)
+
+**Enhancements:**
+- **[acme]** OCSP stapling ([#8393](https://github.com/traefik/traefik/pull/8393) by [alekitto](https://github.com/alekitto))
+- **[acme]** Add acme.httpChallenge.delay option ([#11643](https://github.com/traefik/traefik/pull/11643) by [ldez](https://github.com/ldez))
+- **[acme]** Allow configuration of ACME provider http timeout ([#11637](https://github.com/traefik/traefik/pull/11637) by [tkw1536](https://github.com/tkw1536))
+- **[healthcheck]** Add url option to healthcheck command ([#11711](https://github.com/traefik/traefik/pull/11711) by [Nelwhix](https://github.com/Nelwhix))
+- **[healthcheck]** Add unhealthy Interval to the health check configuration ([#10610](https://github.com/traefik/traefik/pull/10610) by [sswastik02](https://github.com/sswastik02))
+- **[k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.3.0 ([#11719](https://github.com/traefik/traefik/pull/11719) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** Make the behavior of prefix matching in Ingress consistent with Kubernetes doc ([#11203](https://github.com/traefik/traefik/pull/11203) by [charlie0129](https://github.com/charlie0129))
+- **[k8s]** NGINX Ingress Provider ([#11844](https://github.com/traefik/traefik/pull/11844) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,authentication]** Handle context canceled in ForwardAuth middleware ([#11817](https://github.com/traefik/traefik/pull/11817) by [bengentree](https://github.com/bengentree))
+- **[plugins]** Ability to enable unsafe in yaegi through plugin manifest ([#11589](https://github.com/traefik/traefik/pull/11589) by [Rydez](https://github.com/Rydez))
+- **[tls]** Introduce X25519MLKEM768 for Post-Quantum-Secure TLS ([#11731](https://github.com/traefik/traefik/pull/11731) by [fzoli](https://github.com/fzoli))
+- **[webui]** Migrate Traefik Proxy dashboard UI to React ([#11674](https://github.com/traefik/traefik/pull/11674) by [gndz07](https://github.com/gndz07))
+- **[webui]** Improve visualization for StatusRewrites option of errors middleware ([#11806](https://github.com/traefik/traefik/pull/11806) by [sevensolutions](https://github.com/sevensolutions))
+
+**Bug fixes:**
+- **[healthcheck]** Revert 11711 adding url param to healthcheck command ([#11927](https://github.com/traefik/traefik/pull/11927) by [lbenguigui](https://github.com/lbenguigui))
+- **[logs,metrics,tracing,accesslogs,otel]** Add missing resource attributes detectors ([#11874](https://github.com/traefik/traefik/pull/11874) by [rtribotte](https://github.com/rtribotte))
+- **[logs,tracing,k8s,otel]** Add k8s resource attributes automatically ([#11906](https://github.com/traefik/traefik/pull/11906) by [kevinpollet](https://github.com/kevinpollet))
+- **[metrics,otel]** Add resourceAttributes option to OTel metrics ([#11908](https://github.com/traefik/traefik/pull/11908) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware,tracing]** Introduce trace verbosity config and produce less spans by default ([#11870](https://github.com/traefik/traefik/pull/11870) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[docker,ecs,docker/swarm,consulcatalog,nomad]** Add constraints key limitations for label providers ([#11893](https://github.com/traefik/traefik/pull/11893) by [bluepuma77](https://github.com/bluepuma77))
+- **[k8s]** Add extended NGinX annotation support documentation ([#11920](https://github.com/traefik/traefik/pull/11920) by [nmengin](https://github.com/nmengin))
+- Remove dead link to Peka blog ([#11934](https://github.com/traefik/traefik/pull/11934) by [kevinpollet](https://github.com/kevinpollet))
+- Prepare release v3.5.0-rc2 ([#11899](https://github.com/traefik/traefik/pull/11899) by [kevinpollet](https://github.com/kevinpollet))
+- Prepare release v3.5.0-rc1 ([#11865](https://github.com/traefik/traefik/pull/11865) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v3.4 into v3.5 ([#11933](https://github.com/traefik/traefik/pull/11933) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into v3.5 ([#11898](https://github.com/traefik/traefik/pull/11898) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.4 into master ([#11863](https://github.com/traefik/traefik/pull/11863) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11861](https://github.com/traefik/traefik/pull/11861) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11857](https://github.com/traefik/traefik/pull/11857) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11855](https://github.com/traefik/traefik/pull/11855) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11813](https://github.com/traefik/traefik/pull/11813) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.4 into master ([#11758](https://github.com/traefik/traefik/pull/11758) by [mmatur](https://github.com/mmatur))
+- Merge v3.4 into master ([#11752](https://github.com/traefik/traefik/pull/11752) by [mmatur](https://github.com/mmatur))
+- Merge branch v3.4 into master ([#11708](https://github.com/traefik/traefik/pull/11708) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.4.5](https://github.com/traefik/traefik/tree/v3.4.5) (2025-07-23)
+[All Commits](https://github.com/traefik/traefik/compare/v3.4.4...v3.4.5)
+
+**Bug fixes:**
+- **[http3]** Bump github.com/quic-go/quic-go to v0.54.0 ([#11919](https://github.com/traefik/traefik/pull/11919) by [GreyXor](https://github.com/GreyXor))
+
+**Documentation:**
+- Fix typo in entrypoints page ([#11914](https://github.com/traefik/traefik/pull/11914) by [adk-swisstopo](https://github.com/adk-swisstopo))
+
+**Misc:**
+- Merge branch v2.11 into v3.4 ([#11930](https://github.com/traefik/traefik/pull/11930) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.11 into v3.4 ([#11926](https://github.com/traefik/traefik/pull/11926) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.28](https://github.com/traefik/traefik/tree/v2.11.28) (2025-07-23)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.27...v2.11.28)
+
+**Bug fixes:**
+- **[logs]** Redact logged install configuration ([#11907](https://github.com/traefik/traefik/pull/11907) by [jspdown](https://github.com/jspdown))
+- **[plugins]** Fix client arbitrary file access during archive extraction zipslip ([#11911](https://github.com/traefik/traefik/pull/11911) by [odaysec](https://github.com/odaysec))
+- **[server]** Disable MPTCP by default ([#11918](https://github.com/traefik/traefik/pull/11918) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[k8s/crd,k8s]** Remove all mentions of ordering for TLSOption CurvePreferences field ([#11924](https://github.com/traefik/traefik/pull/11924) by [jnoordsij](https://github.com/jnoordsij))
+
+## [v3.5.0-rc2](https://github.com/traefik/traefik/tree/v3.5.0-rc2) (2025-07-11)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.0-rc1...v3.5.0-rc2)
+
+**Bug fixes:**
+- **[logs,metrics,tracing,accesslogs,otel]** Add missing resource attributes detectors ([#11874](https://github.com/traefik/traefik/pull/11874) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v3.4 into v3.5 ([#11898](https://github.com/traefik/traefik/pull/11898) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.4.4](https://github.com/traefik/traefik/tree/v3.4.4) (2025-07-11)
+[All Commits](https://github.com/traefik/traefik/compare/v3.4.3...v3.4.4)
+
+**Bug fixes:**
+- **[k8s/gatewayapi]** Respect service.nativelb=false annotation when nativeLBByDefault is enabled ([#11847](https://github.com/traefik/traefik/pull/11847) by [sdelicata](https://github.com/sdelicata))
+- **[service]** Fix concurrent access to balancer status map in WRR and P2C strategies ([#11887](https://github.com/traefik/traefik/pull/11887) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[docker,k8s]** Add New Expose Guides ([#11760](https://github.com/traefik/traefik/pull/11760) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[docker,k8s]** Add New Setup Guides ([#11741](https://github.com/traefik/traefik/pull/11741) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[docker/swarm]** Fix label for overriding swarm network on container ([#11881](https://github.com/traefik/traefik/pull/11881) by [kevinpollet](https://github.com/kevinpollet))
+- **[logs,accesslogs]** Update Logs and Accesslogs Reference documentation with OTLP Options ([#11845](https://github.com/traefik/traefik/pull/11845) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Update what is Traefik page to include full Traefik Platform context ([#11885](https://github.com/traefik/traefik/pull/11885) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
+**Misc:**
+- Merge branch v2.11 into v3.4 ([#11896](https://github.com/traefik/traefik/pull/11896) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.27](https://github.com/traefik/traefik/tree/v2.11.27) (2025-07-11)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.26...v2.11.27)
+
+**Bug fixes:**
+- Bump github.com/go-viper/mapstructure/v2 to v2.3.0 ([#11880](https://github.com/traefik/traefik/pull/11880) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.5.0-rc1](https://github.com/traefik/traefik/tree/v3.5.0-rc1) (2025-06-26)
+[All Commits](https://github.com/traefik/traefik/compare/v3.4.0-rc1...v3.5.0-rc1)
+
+**Enhancements:**
+- **[acme]** OCSP stapling ([#8393](https://github.com/traefik/traefik/pull/8393) by [alekitto](https://github.com/alekitto))
+- **[acme]** Add acme.httpChallenge.delay option ([#11643](https://github.com/traefik/traefik/pull/11643) by [ldez](https://github.com/ldez))
+- **[acme]** Allow configuration of ACME provider http timeout ([#11637](https://github.com/traefik/traefik/pull/11637) by [tkw1536](https://github.com/tkw1536))
+- **[healthcheck]** Add url option to healthcheck command ([#11711](https://github.com/traefik/traefik/pull/11711) by [Nelwhix](https://github.com/Nelwhix))
+- **[healthcheck]** Add unhealthy Interval to the health check configuration ([#10610](https://github.com/traefik/traefik/pull/10610) by [sswastik02](https://github.com/sswastik02))
+- **[k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.3.0 ([#11719](https://github.com/traefik/traefik/pull/11719) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** Make the behavior of prefix matching in Ingress consistent with Kubernetes doc ([#11203](https://github.com/traefik/traefik/pull/11203) by [charlie0129](https://github.com/charlie0129))
+- **[k8s]** NGINX Ingress Provider ([#11844](https://github.com/traefik/traefik/pull/11844) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,authentication]** Handle context canceled in ForwardAuth middleware ([#11817](https://github.com/traefik/traefik/pull/11817) by [bengentree](https://github.com/bengentree))
+- **[plugins]** Ability to enable unsafe in yaegi through plugin manifest ([#11589](https://github.com/traefik/traefik/pull/11589) by [Rydez](https://github.com/Rydez))
+- **[tls]** Introduce X25519MLKEM768 for Post-Quantum-Secure TLS ([#11731](https://github.com/traefik/traefik/pull/11731) by [fzoli](https://github.com/fzoli))
+- **[webui]** Migrate Traefik Proxy dashboard UI to React ([#11674](https://github.com/traefik/traefik/pull/11674) by [gndz07](https://github.com/gndz07))
+- **[webui]** Improve visualization for StatusRewrites option of errors middleware ([#11806](https://github.com/traefik/traefik/pull/11806) by [sevensolutions](https://github.com/sevensolutions))
+
+**Misc:**
+- Merge branch v3.4 into master ([#11863](https://github.com/traefik/traefik/pull/11863) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11861](https://github.com/traefik/traefik/pull/11861) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11857](https://github.com/traefik/traefik/pull/11857) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11855](https://github.com/traefik/traefik/pull/11855) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.4 into master ([#11813](https://github.com/traefik/traefik/pull/11813) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.4 into master ([#11758](https://github.com/traefik/traefik/pull/11758) by [mmatur](https://github.com/mmatur))
+- Merge v3.4 into master ([#11752](https://github.com/traefik/traefik/pull/11752) by [mmatur](https://github.com/mmatur))
+- Merge branch v3.4 into master ([#11708](https://github.com/traefik/traefik/pull/11708) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.4.3](https://github.com/traefik/traefik/tree/v3.4.3) (2025-06-26)
+[All Commits](https://github.com/traefik/traefik/compare/v3.4.2...v3.4.3)
+
+**Bug fixes:**
+- **[http3]** Bump quic-go to v.0.49.0 ([#11848](https://github.com/traefik/traefik/pull/11848) by [joshua-siw](https://github.com/joshua-siw))
+
 ## [v3.4.2](https://github.com/traefik/traefik/tree/v3.4.2) (2025-06-26)
 [All Commits](https://github.com/traefik/traefik/compare/v3.4.1...v3.4.2)
 

Makefile

@@ -30,7 +30,7 @@ dist:
 .PHONY: build-webui-image
 #? build-webui-image: Build WebUI Docker image
 build-webui-image:
-	docker build -t traefik-webui -f webui/Dockerfile webui
+	docker build -t traefik-webui -f webui/buildx.Dockerfile webui
 
 .PHONY: clean-webui
 #? clean-webui: Clean WebUI static generated assets
@@ -41,8 +41,9 @@ clean-webui:
 
 webui/static/index.html:
 	$(MAKE) build-webui-image
-	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui npm run build:nc
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui yarn build:prod
 	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static
+	printf 'For more information see `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md
 
 .PHONY: generate-webui
 #? generate-webui: Generate WebUI
@@ -95,14 +96,14 @@ test-unit:
 
 .PHONY: test-integration
 #? test-integration: Run the integration tests
-test-integration: binary
+test-integration:
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -test.timeout=20m -failfast -v $(TESTFLAGS)
 
 .PHONY: test-gateway-api-conformance
 #? test-gateway-api-conformance: Run the conformance tests
 test-gateway-api-conformance: build-image-dirty
 	# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.4" $(TESTFLAGS)
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.5" $(TESTFLAGS)
 
 .PHONY: test-ui-unit
 #? test-ui-unit: Run the unit tests for the webui
@@ -183,11 +184,6 @@ generate-crd:
 generate-genconf:
 	go run ./cmd/internal/gen/
 
-.PHONY: release-packages
-#? release-packages: Create packages for the release
-release-packages: generate-webui
-	$(CURDIR)/script/release-packages.sh
-
 .PHONY: fmt
 #? fmt: Format the Code
 fmt:

README.md

@@ -7,7 +7,6 @@
     </picture>
 </p>
 
-[![Build Status SemaphoreCI](https://traefik-oss.semaphoreci.com/badges/traefik/branches/master.svg?style=shields)](https://traefik-oss.semaphoreci.com/projects/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
@@ -152,7 +151,7 @@ We use [Semantic Versioning](https://semver.org/).
 
 ## Credits
 
-Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the gopher's logo!.
+Kudos to [Peka](https://www.instagram.com/pierroks/) for his awesome work on the gopher's logo!.
 
 The gopher's logo of Traefik is licensed under the Creative Commons 3.0 Attributions license.
 

cmd/traefik/logger.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"io"
@@ -13,7 +14,7 @@ import (
 	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
 	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v3/pkg/logs"
+	"github.com/traefik/traefik/v3/pkg/observability/logs"
 	"gopkg.in/natefinch/lumberjack.v2"
 )
 
@@ -22,7 +23,7 @@ func init() {
 	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
 }
 
-func setupLogger(staticConfiguration *static.Configuration) error {
+func setupLogger(ctx context.Context, staticConfiguration *static.Configuration) error {
 	// Validate that the experimental flag is set up at this point,
 	// rather than validating the static configuration before the setupLogger call.
 	// This ensures that validation messages are not logged using an un-configured logger.
@@ -39,16 +40,16 @@ func setupLogger(staticConfiguration *static.Configuration) error {
 	zerolog.SetGlobalLevel(logLevel)
 
 	// create logger
-	logCtx := zerolog.New(w).With().Timestamp()
+	logger := zerolog.New(w).With().Timestamp()
 	if logLevel <= zerolog.DebugLevel {
-		logCtx = logCtx.Caller()
+		logger = logger.Caller()
 	}
 
-	log.Logger = logCtx.Logger().Level(logLevel)
+	log.Logger = logger.Logger().Level(logLevel)
 
 	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
 		var err error
-		log.Logger, err = logs.SetupOTelLogger(log.Logger, staticConfiguration.Log.OTLP)
+		log.Logger, err = logs.SetupOTelLogger(ctx, log.Logger, staticConfiguration.Log.OTLP)
 		if err != nil {
 			return fmt.Errorf("setting up OpenTelemetry logger: %w", err)
 		}
@@ -67,10 +68,6 @@ func setupLogger(staticConfiguration *static.Configuration) error {
 }
 
 func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
-	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
-		return io.Discard
-	}
-
 	var w io.Writer = os.Stdout
 	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
 		_, _ = os.OpenFile(staticConfiguration.Log.FilePath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666)

cmd/traefik/plugins.go

@@ -2,43 +2,62 @@ package main
 
 import (
 	"fmt"
+	"net/http"
+	"path/filepath"
+	"time"
 
+	"github.com/hashicorp/go-retryablehttp"
+	"github.com/rs/zerolog/log"
 	"github.com/traefik/traefik/v3/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/observability/logs"
 	"github.com/traefik/traefik/v3/pkg/plugins"
 )
 
 const outputDir = "./plugins-storage/"
 
 func createPluginBuilder(staticConfiguration *static.Configuration) (*plugins.Builder, error) {
-	client, plgs, localPlgs, err := initPlugins(staticConfiguration)
+	manager, plgs, localPlgs, err := initPlugins(staticConfiguration)
 	if err != nil {
 		return nil, err
 	}
 
-	return plugins.NewBuilder(client, plgs, localPlgs)
+	return plugins.NewBuilder(manager, plgs, localPlgs)
 }
 
-func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, map[string]plugins.LocalDescriptor, error) {
+func initPlugins(staticCfg *static.Configuration) (*plugins.Manager, map[string]plugins.Descriptor, map[string]plugins.LocalDescriptor, error) {
 	err := checkUniquePluginNames(staticCfg.Experimental)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 
-	var client *plugins.Client
+	var manager *plugins.Manager
 	plgs := map[string]plugins.Descriptor{}
 
 	if hasPlugins(staticCfg) {
-		opts := plugins.ClientOptions{
+		httpClient := retryablehttp.NewClient()
+		httpClient.Logger = logs.NewRetryableHTTPLogger(log.Logger)
+		httpClient.HTTPClient = &http.Client{Timeout: 10 * time.Second}
+		httpClient.RetryMax = 3
+
+		// Create separate downloader for HTTP operations
+		archivesPath := filepath.Join(outputDir, "archives")
+		downloader, err := plugins.NewRegistryDownloader(plugins.RegistryDownloaderOptions{
+			HTTPClient:   httpClient.HTTPClient,
+			ArchivesPath: archivesPath,
+		})
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("unable to create plugin downloader: %w", err)
+		}
+
+		opts := plugins.ManagerOptions{
 			Output: outputDir,
 		}
-
-		var err error
-		client, err = plugins.NewClient(opts)
+		manager, err = plugins.NewManager(downloader, opts)
 		if err != nil {
-			return nil, nil, nil, fmt.Errorf("unable to create plugins client: %w", err)
+			return nil, nil, nil, fmt.Errorf("unable to create plugins manager: %w", err)
 		}
 
-		err = plugins.SetupRemotePlugins(client, staticCfg.Experimental.Plugins)
+		err = plugins.SetupRemotePlugins(manager, staticCfg.Experimental.Plugins)
 		if err != nil {
 			return nil, nil, nil, fmt.Errorf("unable to set up plugins environment: %w", err)
 		}
@@ -57,7 +76,7 @@ func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]p
 		localPlgs = staticCfg.Experimental.LocalPlugins
 	}
 
-	return client, plgs, localPlgs, nil
+	return manager, plgs, localPlgs, nil
 }
 
 func checkUniquePluginNames(e *static.Experimental) error {

cmd/traefik/traefik.go

@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"crypto/x509"
-	"encoding/json"
 	"fmt"
 	"io"
 	stdlog "log"
@@ -31,23 +30,24 @@ import (
 	"github.com/traefik/traefik/v3/pkg/config/dynamic"
 	"github.com/traefik/traefik/v3/pkg/config/runtime"
 	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v3/pkg/logs"
-	"github.com/traefik/traefik/v3/pkg/metrics"
 	"github.com/traefik/traefik/v3/pkg/middlewares/accesslog"
+	"github.com/traefik/traefik/v3/pkg/observability/logs"
+	"github.com/traefik/traefik/v3/pkg/observability/metrics"
+	"github.com/traefik/traefik/v3/pkg/observability/tracing"
+	otypes "github.com/traefik/traefik/v3/pkg/observability/types"
 	"github.com/traefik/traefik/v3/pkg/provider/acme"
 	"github.com/traefik/traefik/v3/pkg/provider/aggregator"
 	"github.com/traefik/traefik/v3/pkg/provider/tailscale"
 	"github.com/traefik/traefik/v3/pkg/provider/traefik"
 	"github.com/traefik/traefik/v3/pkg/proxy"
 	"github.com/traefik/traefik/v3/pkg/proxy/httputil"
+	"github.com/traefik/traefik/v3/pkg/redactor"
 	"github.com/traefik/traefik/v3/pkg/safe"
 	"github.com/traefik/traefik/v3/pkg/server"
 	"github.com/traefik/traefik/v3/pkg/server/middleware"
 	"github.com/traefik/traefik/v3/pkg/server/service"
 	"github.com/traefik/traefik/v3/pkg/tcp"
 	traefiktls "github.com/traefik/traefik/v3/pkg/tls"
-	"github.com/traefik/traefik/v3/pkg/tracing"
-	"github.com/traefik/traefik/v3/pkg/types"
 	"github.com/traefik/traefik/v3/pkg/version"
 )
 
@@ -90,7 +90,10 @@ Complete documentation is available at https://traefik.io`,
 }
 
 func runCmd(staticConfiguration *static.Configuration) error {
-	if err := setupLogger(staticConfiguration); err != nil {
+	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
+	if err := setupLogger(ctx, staticConfiguration); err != nil {
 		return fmt.Errorf("setting up logger: %w", err)
 	}
 
@@ -104,12 +107,11 @@ func runCmd(staticConfiguration *static.Configuration) error {
 	log.Info().Str("version", version.Version).
 		Msgf("Traefik version %s built on %s", version.Version, version.BuildDate)
 
-	jsonConf, err := json.Marshal(staticConfiguration)
+	redactedStaticConfiguration, err := redactor.RemoveCredentials(staticConfiguration)
 	if err != nil {
-		log.Error().Err(err).Msg("Could not marshal static configuration")
-		log.Debug().Interface("staticConfiguration", staticConfiguration).Msg("Static configuration loaded [struct]")
+		log.Error().Err(err).Msg("Could not redact static configuration")
 	} else {
-		log.Debug().RawJSON("staticConfiguration", jsonConf).Msg("Static configuration loaded [json]")
+		log.Debug().RawJSON("staticConfiguration", []byte(redactedStaticConfiguration)).Msg("Static configuration loaded [json]")
 	}
 
 	if staticConfiguration.Global.CheckNewVersion {
@@ -123,8 +125,6 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		return err
 	}
 
-	ctx, _ := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
-
 	if staticConfiguration.Ping != nil {
 		staticConfiguration.Ping.WithContext(ctx)
 	}
@@ -182,7 +182,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	// ACME
 
-	tlsManager := traefiktls.NewManager()
+	tlsManager := traefiktls.NewManager(staticConfiguration.OCSP)
+	routinesPool.GoCtx(tlsManager.Run)
+
 	httpChallengeProvider := acme.NewChallengeHTTP()
 
 	tlsChallengeProvider := acme.NewChallengeTLSALPN()
@@ -208,8 +210,8 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		}
 	}
 	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
-	accessLog := setupAccessLog(staticConfiguration.AccessLog)
-	tracer, tracerCloser := setupTracing(staticConfiguration.Tracing)
+	accessLog := setupAccessLog(ctx, staticConfiguration.AccessLog)
+	tracer, tracerCloser := setupTracing(ctx, staticConfiguration.Tracing)
 	observabilityMgr := middleware.NewObservabilityMgr(*staticConfiguration, metricsRegistry, semConvMetricRegistry, accessLog, tracer, tracerCloser)
 
 	// Entrypoints
@@ -503,7 +505,7 @@ func initTailscaleProviders(cfg *static.Configuration, providerAggregator *aggre
 	return providers
 }
 
-func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
+func registerMetricClients(metricsConfig *otypes.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
 		return nil
 	}
@@ -584,12 +586,12 @@ func appendCertMetric(gauge gokitmetrics.Gauge, certificate *x509.Certificate) {
 	gauge.With(labels...).Set(notAfter)
 }
 
-func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
+func setupAccessLog(ctx context.Context, conf *otypes.AccessLog) *accesslog.Handler {
 	if conf == nil {
 		return nil
 	}
 
-	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
+	accessLoggerMiddleware, err := accesslog.NewHandler(ctx, conf)
 	if err != nil {
 		log.Warn().Err(err).Msg("Unable to create access logger")
 		return nil
@@ -598,12 +600,12 @@ func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
 	return accessLoggerMiddleware
 }
 
-func setupTracing(conf *static.Tracing) (*tracing.Tracer, io.Closer) {
+func setupTracing(ctx context.Context, conf *static.Tracing) (*tracing.Tracer, io.Closer) {
 	if conf == nil {
 		return nil, nil
 	}
 
-	tracer, closer, err := tracing.NewTracing(conf)
+	tracer, closer, err := tracing.NewTracing(ctx, conf)
 	if err != nil {
 		log.Warn().Err(err).Msg("Unable to create tracer")
 		return nil, nil

docs/content/assets/css/menu-icons.css

@@ -0,0 +1,58 @@
+/* Traefik Hub Menu icon base styles */
+.menu-icon {
+  height: 18px;
+  width: 18px;
+  vertical-align: middle;
+  margin-left: 6px;
+  transition: all 0.2s ease;
+  filter: drop-shadow(0 1px 1px rgba(0,0,0,0.1));
+  display: inline;
+  white-space: nowrap;
+}
+
+/* Ensure parent container keeps items inline */
+.nav-link-with-icon {
+  white-space: nowrap !important;
+  display: inline-flex !important;
+  align-items: center !important;
+}
+
+/* Hover effects */
+.menu-icon:hover {
+  transform: scale(1.05);
+  opacity: 0.8;
+}
+
+/* Tablet responsive */
+@media (max-width: 1024px) {
+  .menu-icon {
+    height: 14px;
+    width: 14px;
+    margin-left: 4px;
+  }
+}
+
+/* Mobile responsive */
+@media (max-width: 768px) {
+  .menu-icon {
+    height: 12px;
+    width: 12px;
+    margin-left: 3px;
+    vertical-align: middle;
+  }
+  
+  /* Keep mobile navigation items inline */
+  .nav-link-with-icon {
+    display: inline-flex !important;
+    align-items: center !important;
+    width: auto !important;
+  }
+}
+
+/* High DPI displays */
+@media (-webkit-min-device-pixel-ratio: 2), (min-resolution: 192dpi) {
+  .menu-icon {
+    image-rendering: -webkit-optimize-contrast;
+    image-rendering: crisp-edges;
+  }
+}

docs/content/contributing/documentation.md

@@ -15,7 +15,7 @@ Let's see how.
 
 ### General
 
-This [documentation](../../ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").
+This [documentation](../index.md "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").
 
 ### Method 1: `Docker` and `make`
 

docs/content/deprecation/releases.md

@@ -6,7 +6,8 @@ Below is a non-exhaustive list of versions and their maintenance status:
 
 | Version | Release Date | Active Support     | Security Support  |
 |---------|--------------|--------------------|-------------------|
-| 3.4     | May 05, 2025 | Yes                | Yes               |
+| 3.5     | Jul 23, 2025 | Yes                | Yes               |
+| 3.4     | May 05, 2025 | Ended Jul 23, 2025 | No                |
 | 3.3     | Jan 06, 2025 | Ended May 05, 2025 | No                |
 | 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 | No                |
 | 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 | No                |
@@ -33,7 +34,7 @@ Below is a non-exhaustive list of versions and their maintenance status:
 
 This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.
 
-Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v2 to v3 migration guide](../migration/v2-to-v3.md).
+Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v2 to v3 migration guide](../migrate/v2-to-v3.md).
 
 !!! important "All target dates for end of support or feature removal announcements may be subject to change."
 

docs/content/expose/docker.md

@@ -0,0 +1,465 @@
+# Exposing Services with Traefik on Docker
+
+This guide will help you expose your services securely through Traefik Proxy using Docker. We'll cover routing HTTP and HTTPS traffic, implementing TLS, adding middlewares, Let's Encrypt integration, and sticky sessions.
+
+## Prerequisites
+
+- Docker and Docker Compose installed
+- Basic understanding of Docker concepts
+- Traefik deployed using the Traefik Docker Setup guide
+
+## Expose Your First HTTP Service
+
+Let's expose a simple HTTP service using the [whoami](https://hub.docker.com/r/traefik/whoami) application. This will demonstrate basic routing to a backend service.
+
+First, create a `docker-compose.yml` file:
+
+```yaml
+services:
+  traefik:
+    image: "traefik:v3.4"
+    container_name: "traefik"
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - proxy
+    command:
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--providers.docker.network=proxy"
+      - "--entryPoints.web.address=:80"
+    ports:
+      - "80:80"
+      - "8080:8080"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+  whoami:
+    image: "traefik/whoami"
+    restart: unless-stopped
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
+      - "traefik.http.routers.whoami.entrypoints=web"
+
+networks:
+  proxy:
+    name: proxy
+```
+
+Save this as `docker-compose.yml` and start the services:
+
+```bash
+docker compose up -d
+```
+
+### Verify Your Service
+
+Your service is now available at http://whoami.docker.localhost/. Test that it works:
+
+```bash
+curl -H "Host: whoami.docker.localhost" http://localhost/
+```
+
+You should see output similar to:
+
+```bash
+Hostname: whoami
+IP: 127.0.0.1
+IP: ::1
+IP: 172.18.0.3
+IP: fe80::215:5dff:fe00:c9e
+RemoteAddr: 172.18.0.2:55108
+GET / HTTP/1.1
+Host: whoami.docker.localhost
+User-Agent: curl/7.68.0
+Accept: */*
+Accept-Encoding: gzip
+X-Forwarded-For: 172.18.0.1
+X-Forwarded-Host: whoami.docker.localhost
+X-Forwarded-Port: 80
+X-Forwarded-Proto: http
+X-Forwarded-Server: 5789f594e7d5
+X-Real-Ip: 172.18.0.1
+```
+
+This confirms that Traefik is successfully routing requests to your whoami application.
+
+## Add Routing Rules
+
+Now we'll enhance our routing by directing traffic to different services based on [URL paths](../reference/routing-configuration/http/routing/rules-and-priority.md#path-pathprefix-and-pathregexp). This is useful for API versioning, frontend/backend separation, or organizing microservices.
+
+Update your `docker-compose.yml` to add another service:
+
+```yaml
+# ...
+
+# New service
+  whoami-api:
+    image: "traefik/whoami"
+    networks:
+      - proxy
+    container_name: "whoami-api"
+    environment:
+      - WHOAMI_NAME=API Service
+    labels:
+      - "traefik.enable=true"
+      # Path-based routing
+      - "traefik.http.routers.whoami-api.rule=Host(`whoami.docker.localhost`) && PathPrefix(`/api`)"
+      - "traefik.http.routers.whoami-api.entrypoints=web"
+```
+
+Apply the changes:
+
+```bash
+docker compose up -d
+```
+
+### Test the Path-Based Routing
+
+Verify that different paths route to different services:
+
+```bash
+# Root path should go to the main whoami service
+curl -H "Host: whoami.docker.localhost" http://localhost/
+
+# /api path should go to the whoami-api service
+curl -H "Host: whoami.docker.localhost" http://localhost/api
+```
+
+For the `/api` requests, you should see the response showing "API Service" in the environment variables section, confirming that your path-based routing is working correctly.
+
+## Enable TLS
+
+Let's secure our service with HTTPS by adding TLS. We'll start with a self-signed certificate for local development.
+
+### Create a Self-Signed Certificate
+
+Generate a self-signed certificate:
+
+```bash
+mkdir -p certs
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+  -keyout certs/local.key -out certs/local.crt \
+  -subj "/CN=*.docker.localhost"
+```
+
+Create a directory for dynamic configuration and add a TLS configuration file:
+
+```bash
+mkdir -p dynamic
+cat > dynamic/tls.yml << EOF
+tls:
+  certificates:
+    - certFile: /certs/local.crt
+      keyFile: /certs/local.key
+EOF
+```
+
+Update your `docker-compose.yml` file with the following changes:
+
+```yaml
+services:
+  traefik:
+    image: "traefik:v3.4"
+    container_name: "traefik"
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - proxy
+    command:
+      - "--api.insecure=false"
+      - "--api.dashboard=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--providers.docker.network=proxy"
+      - "--providers.file.directory=/etc/traefik/dynamic"
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.websecure.address=:443"
+      - "--entryPoints.websecure.http.tls=true"
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      # Add the following volumes
+      - "./certs:/certs:ro"
+      - "./dynamic:/etc/traefik/dynamic:ro"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dashboard.rule=Host(`dashboard.docker.localhost`)"
+      - "traefik.http.routers.dashboard.entrypoints=websecure"
+      - "traefik.http.routers.dashboard.service=api@internal"
+      # Add the following label
+      - "traefik.http.routers.dashboard.tls=true"
+
+  whoami:
+    image: "traefik/whoami"
+    restart: unless-stopped
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
+      - "traefik.http.routers.whoami.entrypoints=websecure"
+      # Add the following label
+      - "traefik.http.routers.whoami.tls=true"
+
+  whoami-api:
+    image: "traefik/whoami"
+    container_name: "whoami-api"
+    restart: unless-stopped
+    networks:
+      - proxy
+    environment:
+      - WHOAMI_NAME=API Service
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami-api.rule=Host(`whoami.docker.localhost`) && PathPrefix(`/api`)"
+      - "traefik.http.routers.whoami-api.entrypoints=websecure"
+      # Add the following label
+      - "traefik.http.routers.whoami-api.tls=true"
+
+networks:
+  proxy:
+    name: proxy
+```
+
+Apply the changes:
+
+```bash
+docker compose up -d
+```
+
+Your browser can access https://whoami.docker.localhost/ for the service. You'll need to accept the security warning for the self-signed certificate.
+
+## Add Middlewares
+
+Middlewares allow you to modify requests or responses as they pass through Traefik. Let's add two useful middlewares: [Headers](../reference/routing-configuration/http/middlewares/headers.md) for security and [IP allowlisting](../reference/routing-configuration/http/middlewares/ipallowlist.md) for access control.
+
+Add the following labels to your whoami service in `docker-compose.yml`:
+
+```yaml
+labels:
+  
+  # Secure Headers Middleware
+  - "traefik.http.middlewares.secure-headers.headers.frameDeny=true"
+  - "traefik.http.middlewares.secure-headers.headers.sslRedirect=true"
+  - "traefik.http.middlewares.secure-headers.headers.browserXssFilter=true"
+  - "traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true"
+  - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true"
+  - "traefik.http.middlewares.secure-headers.headers.stsPreload=true"
+  - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
+  
+  # IP Allowlist Middleware
+  - "traefik.http.middlewares.ip-allowlist.ipallowlist.sourceRange=127.0.0.1/32,192.168.0.0/16,10.0.0.0/8"
+  
+  # Apply middlewares to whoami router
+  - "traefik.http.routers.whoami.middlewares=secure-headers,ip-allowlist"
+```
+
+Add the same middleware to your whoami-api service:
+
+```yaml
+labels:
+  - "traefik.http.routers.whoami-api.middlewares=secure-headers,ip-allowlist"
+```
+
+Apply the changes:
+
+```bash
+docker compose up -d
+```
+
+### Test the Middlewares
+
+Now let's verify that our middlewares are working correctly:
+
+Test the Secure Headers middleware:
+
+```bash
+curl -k -I -H "Host: whoami.docker.localhost" https://localhost/
+```
+
+In the response headers, you should see security headers set by the middleware:
+
+- `X-Frame-Options: DENY` 
+- `X-Content-Type-Options: nosniff`
+- `X-XSS-Protection: 1; mode=block`
+- `Strict-Transport-Security` with the appropriate settings
+
+Test the IP Allowlist middleware:
+
+If your request comes from an IP that's in the allow list (e.g., 127.0.0.1), it should succeed:
+
+```bash
+curl -k -I -H "Host: whoami.docker.localhost" https://localhost/
+```
+
+If you try to access from an IP not in the allow list, the request will be rejected with a `403` Forbidden response. To simulate this in a local environment, you can modify the middleware configuration temporarily to exclude your IP address, then test again.
+
+## Generate Certificates with Let's Encrypt
+
+Let's Encrypt provides free, automated TLS certificates. Let's configure Traefik to automatically obtain and renew certificates for our services.
+
+Instead of using self-signed certificates, update your existing `docker-compose.yml` file with the following changes:
+
+Add the Let's Encrypt certificate resolver to the Traefik service command section:
+
+```yaml
+command:
+  - "--api.insecure=false"
+  - "--api.dashboard=true"
+  - "--providers.docker=true"
+  - "--providers.docker.exposedbydefault=false"
+  - "--providers.docker.network=proxy"
+  - "--entryPoints.web.address=:80"
+  - "--entryPoints.websecure.address=:443"
+  - "--entryPoints.websecure.http.tls=true"
+  - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
+  - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
+  # Let's Encrypt configuration
+  - "--certificatesresolvers.le.acme.email=your-email@example.com" # replace with your actual email
+  - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
+  - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
+```
+
+Add a volume for Let's Encrypt certificates:
+
+```yaml
+volumes:
+  # ...Existing volumes...
+  - "./letsencrypt:/letsencrypt"
+```
+
+Update your service labels to use the certificate resolver:
+
+```yaml
+labels:
+  - "traefik.http.routers.whoami.tls.certresolver=le"
+```
+
+Do the same for any other services you want to secure:
+
+```yaml
+labels:
+  - "traefik.http.routers.whoami-api.tls.certresolver=le"
+```
+
+Create a directory for storing Let's Encrypt certificates:
+
+```bash
+mkdir -p letsencrypt
+```
+
+Apply the changes:
+
+```bash
+docker compose up -d
+```
+
+!!! important "Public DNS Required"
+    Let's Encrypt may require a publicly accessible domain to validate domain ownership. For testing with local domains like `whoami.docker.localhost`, the certificate will remain self-signed. In production, replace it with a real domain that has a publicly accessible DNS record pointing to your Traefik instance.
+
+Once the certificate is issued, you can verify it:
+
+```bash
+# Verify the certificate chain
+curl -v https://whoami.docker.localhost/ 2>&1 | grep -i "server certificate"
+```
+
+You should see that your certificate is issued by Let's Encrypt.
+
+## Configure Sticky Sessions
+
+Sticky sessions ensure that a user's requests always go to the same backend server, which is essential for applications that maintain session state. Let's implement sticky sessions for our whoami service.
+
+### First, Add Sticky Session Labels
+
+Add the following labels to your whoami service in the `docker-compose.yml` file:
+
+```yaml
+labels:
+  - "traefik.http.services.whoami.loadbalancer.sticky.cookie=true"
+  - "traefik.http.services.whoami.loadbalancer.sticky.cookie.name=sticky_cookie"
+  - "traefik.http.services.whoami.loadbalancer.sticky.cookie.secure=true"
+  - "traefik.http.services.whoami.loadbalancer.sticky.cookie.httpOnly=true"
+```
+
+Apply the changes:
+
+```bash
+docker compose up -d
+```
+
+### Then, Scale Up the Service
+
+To demonstrate sticky sessions with Docker, use Docker Compose's scale feature:
+
+```bash
+docker compose up -d --scale whoami=3
+```
+
+This creates multiple instances of the whoami service.
+
+!!! important "Scaling After Configuration Changes"
+    If you run `docker compose up -d` after scaling, it will reset the number of whoami instances back to 1. Always scale after applying configuration changes and starting the services.
+
+### Test Sticky Sessions
+
+You can test the sticky sessions by making multiple requests and observing that they all go to the same backend container:
+
+```bash
+# First request - save cookies to a file
+curl -k -c cookies.txt -H "Host: whoami.docker.localhost" https://localhost/
+
+# Subsequent requests - use the cookies
+curl -k -b cookies.txt -H "Host: whoami.docker.localhost" https://localhost/
+curl -k -b cookies.txt -H "Host: whoami.docker.localhost" https://localhost/
+```
+
+Pay attention to the `Hostname` field in each response - it should remain the same across all requests when using the cookie file, confirming that sticky sessions are working.
+
+For comparison, try making requests without the cookie:
+
+```bash
+# Requests without cookies should be load-balanced across different containers
+curl -k -H "Host: whoami.docker.localhost" https://localhost/
+curl -k -H "Host: whoami.docker.localhost" https://localhost/
+```
+
+You should see different `Hostname` values in these responses, as each request is load-balanced to a different container.
+
+!!! important "Browser Testing"
+    When testing in browsers, you need to use the same browser session to maintain the cookie. The cookie is set with `httpOnly` and `secure` flags for security, so it will only be sent over HTTPS connections and won't be accessible via JavaScript.
+
+For more advanced configuration options, see the [reference documentation](../reference/routing-configuration/http/load-balancing/service.md).
+
+## Conclusion
+
+In this guide, you've learned how to:
+
+- Expose HTTP services through Traefik in Docker
+- Set up path-based routing to direct traffic to different backend services
+- Secure your services with TLS using self-signed certificates
+- Add security with middlewares like secure headers and IP allow listing
+- Automate certificate management with Let's Encrypt
+- Implement sticky sessions for stateful applications
+
+These fundamental capabilities provide a solid foundation for exposing any application through Traefik Proxy in Docker. Each of these can be further customized to meet your specific requirements.
+
+### Next Steps
+
+Now that you understand the basics of exposing services with Traefik Proxy, you might want to explore:
+
+- [Advanced routing options](../reference/routing-configuration/http/routing/rules-and-priority.md) like query parameter matching, header-based routing, and more
+- [Additional middlewares](../reference/routing-configuration/http/middlewares/overview.md) for authentication, rate limiting, and request modifications
+- [Observability features](../reference/install-configuration/observability/metrics.md) for monitoring and debugging your Traefik deployment
+- [TCP services](../reference/routing-configuration/tcp/service.md) for exposing TCP services
+- [UDP services](../reference/routing-configuration/udp/service.md) for exposing UDP services
+- [Docker provider documentation](../reference/install-configuration/providers/docker.md) for more details about the Docker integration

docs/content/expose/overview.md

@@ -0,0 +1,22 @@
+# Exposing Services with Traefik Proxy
+
+This section guides you through exposing services securely with Traefik Proxy. You'll learn how to route HTTP and HTTPS traffic to your services, add security features, and implement advanced load balancing.
+
+## What You'll Accomplish
+
+Following these guides, you'll learn how to:
+
+- Route HTTP traffic to your services with [Gateway API](../reference/routing-configuration/kubernetes/gateway-api.md) and [IngressRoute](../reference/routing-configuration/kubernetes/crd/http/ingressroute.md)
+- Configure routing rules to direct requests
+- Enable HTTPS with TLS
+- Add security middlewares
+- Generate certificates automatically with Let's Encrypt
+- Implement sticky sessions for session persistence
+
+## Platform-Specific Guides
+
+For detailed steps tailored to your environment, follow the guide for your platform:
+
+- [Kubernetes](./kubernetes.md)
+- [Docker](./docker.md)
+- [Docker Swarm](./swarm.md)

docs/content/expose/swarm.md

@@ -0,0 +1,401 @@
+# Exposing Services with Traefik on Docker Swarm
+
+This guide will help you expose your services securely through Traefik Proxy using Docker Swarm. We'll cover routing HTTP and HTTPS traffic, implementing TLS, adding middlewares, Let's Encrypt integration, and sticky sessions.
+
+## Prerequisites
+
+- Docker Swarm cluster initialized
+- Basic understanding of Docker Swarm concepts
+- Traefik deployed using the Traefik Docker Swarm Setup guide
+
+## Expose Your First HTTP Service
+
+Let's expose a simple HTTP service using the [whoami](https://hub.docker.com/r/traefik/whoami) application. This will demonstrate basic routing to a backend service.
+
+First, update your existing `docker-compose.yml` file if you haven't already:
+
+```yaml
+services:
+  whoami:
+    image: traefik/whoami
+    networks:
+      - traefik_proxy
+    deploy:
+      replicas: 3
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.whoami.rule=Host(`whoami.swarm.localhost`)"
+        - "traefik.http.routers.whoami.entrypoints=web,websecure"
+```
+
+Save this as `docker-compose.yml` and deploy the stack:
+
+```bash
+docker stack deploy -c docker-compose.yml traefik
+```
+
+### Verify Your Service
+
+Your service is now available at http://whoami.swarm.localhost/. Test that it works:
+
+```bash
+curl -H "Host: whoami.swarm.localhost" http://localhost/
+```
+
+You should see output similar to:
+
+```bash
+Hostname: whoami.1.7c8f7tr56q3p949rscxrkp80e
+IP: 127.0.0.1
+IP: ::1
+IP: 10.0.1.8
+IP: fe80::215:5dff:fe00:c9e
+RemoteAddr: 10.0.1.2:45098
+GET / HTTP/1.1
+Host: whoami.swarm.localhost
+User-Agent: curl/7.68.0
+Accept: */*
+Accept-Encoding: gzip
+X-Forwarded-For: 10.0.1.1
+X-Forwarded-Host: whoami.swarm.localhost
+X-Forwarded-Port: 80
+X-Forwarded-Proto: http
+X-Forwarded-Server: 5789f594e7d5
+X-Real-Ip: 10.0.1.1
+```
+
+This confirms that Traefik is successfully routing requests to your whoami application.
+
+## Add Routing Rules
+
+Now we'll enhance our routing by directing traffic to different services based on [URL paths](../reference/routing-configuration/http/routing/rules-and-priority.md#path-pathprefix-and-pathregexp). This is useful for API versioning, frontend/backend separation, or organizing microservices.
+
+Update your `docker-compose.yml` to add another service:
+
+```yaml
+# ...
+
+# New service
+  whoami-api:
+    image: traefik/whoami
+    networks:
+      - traefik_proxy
+    environment:
+      - WHOAMI_NAME=API Service
+    deploy:
+      replicas: 2
+      labels:
+        - "traefik.enable=true"
+        # Path-based routing
+        - "traefik.http.routers.whoami-api.rule=Host(`whoami.swarm.localhost`) && PathPrefix(`/api`)"
+        - "traefik.http.routers.whoami-api.entrypoints=web,websecure"
+        - "traefik.http.routers.whoami-api.service=whoami-api-svc"
+        - "traefik.http.services.whoami-api-svc.loadbalancer.server.port=80"
+
+# ...
+```
+
+Apply the changes:
+
+```bash
+docker stack deploy -c docker-compose.yml traefik
+```
+
+### Test the Path-Based Routing
+
+Verify that different paths route to different services:
+
+```bash
+# Root path should go to the main whoami service
+curl -H "Host: whoami.swarm.localhost" http://localhost/
+
+# /api path should go to the whoami-api service
+curl -H "Host: whoami.swarm.localhost" http://localhost/api
+```
+
+For the `/api` requests, you should see the response showing "API Service" in the environment variables section, confirming that your path-based routing is working correctly.
+
+## Enable TLS
+
+Let's secure our service with HTTPS by adding TLS. We'll start with a self-signed certificate for local development.
+
+### Create a Self-Signed Certificate 
+
+Generate a self-signed certificate and dynamic config file to tell Traefik where the cert lives:
+
+```bash
+mkdir -p certs
+
+# key + cert (valid for one year)
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+  -keyout certs/local.key -out certs/local.crt \
+  -subj "/CN=*.swarm.localhost"
+
+# dynamic config that tells Traefik where the cert lives
+cat > certs/tls.yml <<'EOF'
+tls:
+  certificates:
+    - certFile: /certificates/local.crt
+      keyFile:  /certificates/local.key
+EOF
+```
+
+Create a Docker config for the certificate files:
+
+```bash
+docker config create swarm-cert.crt certs/local.crt
+docker config create swarm-cert.key certs/local.key
+docker config create swarm-tls.yml certs/tls.yml
+```
+
+Update your `docker-compose.yml` file with the following changes:
+
+```yaml
+# Add to the Traefik command section:
+command:
+  # ... existing commands ...
+  - "--entryPoints.websecure.address=:443"
+  - "--entryPoints.websecure.http.tls=true"
+  - "--providers.file.directory=/etc/traefik/dynamic"
+```
+
+```yaml
+# Add to the root of your docker-compose.yml file:
+configs:
+  swarm-cert.crt:
+    file: ./certs/local.crt
+  swarm-cert.key:
+    file: ./certs/local.key
+  swarm-tls.yml:
+    file: ./certs/tls.yml
+```
+
+Deploy the stack:
+
+```bash
+docker stack deploy -c docker-compose.yml traefik
+```
+
+Your browser can access https://whoami.swarm.localhost/ for the service. You'll need to accept the security warning for the self-signed certificate.
+
+## Add Middlewares
+
+Middlewares allow you to modify requests or responses as they pass through Traefik. Let's add two useful middlewares: [Headers](../reference/routing-configuration/http/middlewares/headers.md) for security and [IP allowlisting](../reference/routing-configuration/http/middlewares/ipallowlist.md) for access control.
+
+Add the following labels to your whoami service deployment section in `docker-compose.yml`:
+
+```yaml
+deploy:
+  # ... existing configuration ...
+  labels:
+    # ... existing labels ...
+    
+    # Secure Headers Middleware
+    - "traefik.http.middlewares.secure-headers.headers.frameDeny=true"
+    - "traefik.http.middlewares.secure-headers.headers.sslRedirect=true"
+    - "traefik.http.middlewares.secure-headers.headers.browserXssFilter=true"
+    - "traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true"
+    - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true"
+    - "traefik.http.middlewares.secure-headers.headers.stsPreload=true"
+    - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
+    
+    # IP Allowlist Middleware
+    - "traefik.http.middlewares.ip-allowlist.ipallowlist.sourceRange=127.0.0.1/32,192.168.0.0/16,10.0.0.0/8"
+    
+    # Apply the middlewares
+    - "traefik.http.routers.whoami.middlewares=secure-headers,ip-allowlist"
+```
+
+Add the same middleware to your whoami-api service:
+
+```yaml
+deploy:
+  # ... existing configuration ...
+  labels:
+    # ... existing labels ...
+    - "traefik.http.routers.whoami-api.middlewares=secure-headers,ip-allowlist"
+```
+
+Apply the changes:
+
+```bash
+docker stack deploy -c docker-compose.yml traefik
+```
+
+### Test the Middlewares
+
+Now let's verify that our middlewares are working correctly:
+
+Test the Secure Headers middleware:
+
+```bash
+curl -k -I -H "Host: whoami.swarm.localhost" https://localhost/
+```
+
+In the response headers, you should see security headers set by the middleware:
+
+- `X-Frame-Options: DENY`
+- `X-Content-Type-Options: nosniff`
+- `X-XSS-Protection: 1; mode=block`
+- `Strict-Transport-Security` with the appropriate settings
+
+Test the IP Allowlist middleware:
+
+If your request comes from an IP that's in the allow list (e.g., 127.0.0.1), it should succeed:
+
+```bash
+curl -k -I -H "Host: whoami.swarm.localhost" https://localhost/
+```
+
+If you try to access from an IP not in the allow list, the request will be rejected with a `403` Forbidden response. To simulate this in a local environment, you can modify the middleware configuration temporarily to exclude your IP address, then test again.
+
+## Generate Certificates with Let's Encrypt
+
+Let's Encrypt provides free, automated TLS certificates. Let's configure Traefik to automatically obtain and renew certificates for our services.
+
+Instead of using self-signed certificates, update your existing `docker-compose.yml` file with the following changes:
+
+Add the Let's Encrypt certificate resolver to the Traefik service command section:
+
+```yaml
+command:
+  # ... existing commands ...
+  # Let's Encrypt configuration
+  - "--certificatesresolvers.le.acme.email=your-email@example.com" # replace with your actual email
+  - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
+  - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
+```
+
+Add a volume for Let's Encrypt certificates:
+
+```yaml
+volumes:
+  # ...Existing volumes...
+  - letsencrypt:/letsencrypt
+```
+
+Update your service labels to use the certificate resolver:
+
+```yaml
+labels:
+  # ... existing labels ...
+  - "traefik.http.routers.whoami.tls.certresolver=le"
+```
+
+Do the same for any other services you want to secure:
+
+```yaml
+labels:
+  # ... existing labels ...
+  - "traefik.http.routers.whoami-api.tls.certresolver=le"
+```
+
+Create a named volume for storing Let's Encrypt certificates by adding to the volumes section:
+
+```yaml
+volumes:
+  # ... existing volumes ...
+  letsencrypt:
+    driver: local
+```
+
+Apply the changes:
+
+```bash
+docker stack deploy -c docker-compose.yml traefik
+```
+
+!!! important "Public DNS Required"
+    Let's Encrypt may require a publicly accessible domain to validate domain ownership. For testing with local domains like `whoami.swarm.localhost`, the certificate will remain self-signed. In production, replace it with a real domain that has a publicly accessible DNS record pointing to your Traefik instance.
+
+Once the certificate is issued, you can verify it:
+
+```bash
+# Verify the certificate chain
+curl -v https://whoami.swarm.localhost/ 2>&1 | grep -i "server certificate"
+```
+
+You should see that your certificate is issued by Let's Encrypt.
+
+## Configure Sticky Sessions
+
+Sticky sessions ensure that a user's requests always go to the same backend server, which is essential for applications that maintain session state. Let's implement sticky sessions for our whoami service.
+
+Docker Swarm already has multiple replicas running; we'll now add sticky session configuration. Update your whoami service in the `docker-compose.yml` file:
+
+### Add Sticky Session Configuration
+
+Add the following labels to your whoami service in the `docker-compose.yml` file:
+
+```yaml
+deploy:
+  # ... existing configuration ...
+  labels:
+    # ... existing labels ...
+    
+    # Sticky Sessions Configuration
+    - "traefik.http.services.whoami.loadbalancer.sticky.cookie=true"
+    - "traefik.http.services.whoami.loadbalancer.sticky.cookie.name=sticky_cookie"
+    - "traefik.http.services.whoami.loadbalancer.sticky.cookie.secure=true"
+    - "traefik.http.services.whoami.loadbalancer.sticky.cookie.httpOnly=true"
+```
+
+Apply the changes:
+
+```bash
+docker stack deploy -c docker-compose.yml traefik
+```
+
+### Test Sticky Sessions
+
+You can test the sticky sessions by making multiple requests and observing that they all go to the same backend container:
+
+```bash
+# First request - save cookies to a file
+curl -k -c cookies.txt -H "Host: whoami.swarm.localhost" https://localhost/
+
+# Subsequent requests - use the cookies
+curl -k -b cookies.txt -H "Host: whoami.swarm.localhost" https://localhost/
+curl -k -b cookies.txt -H "Host: whoami.swarm.localhost" https://localhost/
+```
+
+Pay attention to the `Hostname` field in each response - it should remain the same across all requests when using the cookie file, confirming that sticky sessions are working.
+
+For comparison, try making requests without the cookie:
+
+```bash
+# Requests without cookies should be load-balanced across different containers
+curl -k -H "Host: whoami.swarm.localhost" https://localhost/
+curl -k -H "Host: whoami.swarm.localhost" https://localhost/
+```
+
+You should see different `Hostname` values in these responses, as each request is load-balanced to a different container.
+
+!!! important "Browser Testing"
+    When testing in browsers, you need to use the same browser session to maintain the cookie. The cookie is set with `httpOnly` and `secure` flags for security, so it will only be sent over HTTPS connections and won't be accessible via JavaScript.
+
+For more advanced configuration options, see the [reference documentation](../reference/routing-configuration/http/load-balancing/service.md).
+
+## Conclusion
+
+In this guide, you've learned how to:
+
+- Expose HTTP services through Traefik in Docker Swarm
+- Set up path-based routing to direct traffic to different backend services
+- Secure your services with TLS using self-signed certificates
+- Add security with middlewares like secure headers and IP allow listing
+- Automate certificate management with Let's Encrypt
+- Implement sticky sessions for stateful applications
+
+These fundamental capabilities provide a solid foundation for exposing any application through Traefik Proxy in Docker Swarm. Each of these can be further customized to meet your specific requirements.
+
+### Next Steps
+
+Now that you understand the basics of exposing services with Traefik Proxy, you might want to explore:
+
+- [Advanced routing options](../reference/routing-configuration/http/routing/rules-and-priority.md) like query parameter matching, header-based routing, and more
+- [Additional middlewares](../reference/routing-configuration/http/middlewares/overview.md) for authentication, rate limiting, and request modifications
+- [Observability features](../reference/install-configuration/observability/metrics.md) for monitoring and debugging your Traefik deployment
+- [TCP services](../reference/routing-configuration/tcp/service.md) for exposing TCP services
+- [UDP services](../reference/routing-configuration/udp/service.md) for exposing UDP services
+- [Docker provider documentation](../reference/install-configuration/providers/docker.md) for more details about the Docker integration

docs/content/extend/extend-traefik.md

@@ -0,0 +1,56 @@
+---
+title: Extend Traefik
+description: Extend Traefik with custom plugins using Yaegi and WebAssembly.
+---
+
+# Extend Traefik
+
+Plugins are a powerful feature for extending Traefik with custom features and behaviors. The [Plugin Catalog](https://plugins.traefik.io/) is a software-as-a-service (SaaS) platform that provides an exhaustive list of the existing plugins.
+
+??? note "Plugin Catalog Access"
+    You can reach the [Plugin Catalog](https://plugins.traefik.io/) from the Traefik Dashboard using the `Plugins` menu entry.
+
+## Add a new plugin to a Traefik instance
+
+To add a new plugin to a Traefik instance, you must change that instance's install (static) configuration. Each plugin's **Install** section provides an install (static) configuration example. Many plugins have their own section in the Traefik routing (dynamic) configuration.
+
+!!! danger "Experimental Features"
+    Plugins can change the behavior of Traefik in unforeseen ways. Exercise caution when adding new plugins to production Traefik instances.
+
+To learn more about how to add a new plugin to a Traefik instance, please refer to the [developer documentation](https://plugins.traefik.io/install).
+
+## Plugin Systems
+
+Traefik supports two different plugin systems, each designed for different use cases and developer preferences.
+
+### Yaegi Plugin System
+
+Traefik [Yaegi](https://github.com/traefik/yaegi) plugins are developed using the Go language. It is essentially a Go package. Unlike pre-compiled plugins, Yaegi plugins are executed on the fly by Yaegi, a Go interpreter embedded in Traefik.
+
+This approach eliminates the need for compilation and a complex toolchain, making plugin development as straightforward as creating web browser extensions. Yaegi plugins support both middleware and provider functionality.
+
+#### Key characteristics
+
+- Written in Go language
+- No compilation required
+- Executed by embedded interpreter
+- Supports full Go feature set
+- Hot-reloadable during development
+
+### WebAssembly (WASM) Plugin System
+
+Traefik WASM plugins can be developed using any language that compiles to WebAssembly (WASM). This method is based on [http-wasm](https://http-wasm.io/).
+
+WASM plugins compile to portable binary modules that execute with near-native performance while maintaining security isolation.
+
+#### Key characteristics
+
+- Multi-language support (Go, Rust, C++, etc.)
+- Compiled to WebAssembly binary
+- Near-native performance
+- Strong security isolation
+- Currently supports middleware only
+
+## Build Your Own Plugins
+
+Traefik users can create their own plugins and share them with the community using the [Plugin Catalog](https://plugins.traefik.io/). To learn more about Traefik plugin creation, please refer to the [developer documentation](https://plugins.traefik.io/create).

docs/content/getting-started/configuration-overview.md

@@ -12,10 +12,10 @@ How the Magic Happens
 
 Configuration in Traefik can refer to two different things:
 
-- The fully dynamic routing configuration (referred to as the _dynamic configuration_)
-- The startup configuration (referred to as the _static configuration_)
+- The fully dynamic routing configuration (referred to as the _routing configuration_, formerly known as the _dynamic configuration_)
+- The startup configuration (referred to as the _install configuration_, formerly known as the _static configuration_)
 
-Elements in the _static configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).
+Elements in the install configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).
 
 The _dynamic configuration_ contains everything that defines how the requests are handled by your system.
 This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.
@@ -32,9 +32,9 @@ Since this configuration is specific to your infrastructure choices, we invite y
 
 !!! info ""
 
-    In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
+    In the [Quick Start example](../getting-started/quick-start.md), the routing configuration comes from docker in the form of labels attached to your containers.
 
-!!! info "HTTPS Certificates also belong to the dynamic configuration."
+!!! info "HTTPS Certificates also belong to the routing configuration."
 
     You can add / update / remove them without restarting your Traefik instance.
 
@@ -79,14 +79,14 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:v3.4 --help
+# ex: docker run traefik:v3.5 --help
 ```
 
-Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.
+Check the [CLI reference](../reference/install-configuration/configuration-options.md "Link to CLI reference overview") for an overview about all available arguments.
 
 ### Environment Variables
 
-All available environment variables can be found in the [static configuration environment overview](../reference/static-configuration/env.md).
+All available environment variables can be found in the [static configuration environment overview](../reference/install-configuration/configuration-options.md).
 
 ## Available Configuration Options
 

docs/content/getting-started/docker.md

@@ -36,7 +36,7 @@ This configuration:
 # docker-compose.yml
 services:
   traefik:
-    image: traefik:v3.4
+    image: traefik:v3.5
     command:
       - "--api.insecure=true"
       - "--providers.docker=true"
@@ -84,7 +84,7 @@ docker run -d \
   -p 8080:8080 \
   -v $PWD/traefik.yml:/etc/traefik/traefik.yml \
   -v /var/run/docker.sock:/var/run/docker.sock \
-  traefik:v3.4
+  traefik:v3.5
 ```
 
 ## Expose the Dashboard

docs/content/getting-started/faq.md

@@ -12,10 +12,10 @@ and while the documentation often demonstrates configuration options through fil
 the core feature of Traefik is its dynamic configurability,
 directly reacting to changes from providers over time.
 
-Notably, a part of the configuration is [static](../configuration-overview/#the-static-configuration),
+Notably, a part of the configuration is [static](./configuration-overview.md#the-static-configuration),
 and can be provided by a file on startup, whereas various providers,
 such as the file provider,
-contribute dynamically all along the traefik instance lifetime to its [dynamic configuration](../configuration-overview/#the-dynamic-configuration) changes.
+contribute dynamically all along the traefik instance lifetime to its [dynamic configuration](./configuration-overview.md#the-dynamic-configuration) changes.
 
 In addition, the configuration englobes concepts such as the EntryPoint which can be seen as a listener on the Transport Layer (TCP),
 as apposed to the Router which is more about the Presentation (TLS) and Application layers (HTTP).
@@ -147,13 +147,13 @@ for example, by using the `touch` command on the configuration file.
 
 By default, the following headers are automatically added when proxying requests:
 
-| Property                  | HTTP Header                |
-|---------------------------|----------------------------|
-| Client's IP               | X-Forwarded-For, X-Real-Ip |
-| Host                      | X-Forwarded-Host           |
-| Port                      | X-Forwarded-Port           |
-| Protocol                  | X-Forwarded-Proto          |
-| Proxy Server's Hostname   | X-Forwarded-Server         |
+| Property                  | HTTP Header                    |
+|---------------------------|--------------------------------|
+| Client's IP               | `X-Forwarded-For`, `X-Real-Ip` |
+| Host                      | `X-Forwarded-Host`             |
+| Port                      | `X-Forwarded-Port`             |
+| Protocol                  | `X-Forwarded-Proto`            |
+| Proxy Server's Hostname   | `X-Forwarded-Server`           |
 
 For more details,
 please check out the [forwarded header](../routing/entrypoints.md#forwarded-headers) documentation.

docs/content/getting-started/install-traefik.md

@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:
 
 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
 
-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.5/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.5/traefik.sample.toml)
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.4
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.5
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.4`
+    ex: `traefik:v3.5`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
     * Any orchestrator using docker images can fetch the official Traefik docker image.
 

docs/content/getting-started/kubernetes.md

@@ -79,7 +79,10 @@ providers:
   kubernetesGateway:
     enabled: true
 gateway:
-  namespacePolicy: All
+  listeners:
+    web:
+      namespacePolicy:
+        from: All
 ```
 
 !!! info
@@ -106,7 +109,7 @@ helm install traefik traefik/traefik --wait \
   --set ingressRoute.dashboard.matchRule='Host(`dashboard.localhost`)' \
   --set ingressRoute.dashboard.entryPoints={web} \
   --set providers.kubernetesGateway.enabled=true \
-  --set gateway.namespacePolicy=All
+  --set gateway.listeners.web.namespacePolicy.from=All
 ```
 
 !!! info

docs/content/govern/index.md

@@ -0,0 +1,59 @@
+---
+title: "Govern Your APIs with Traefik Hub"
+description: "Learn how Traefik Hub provides comprehensive API Gateway and API Management capabilities to govern, secure, and manage your APIs at scale."
+---
+
+# Govern Your APIs with Traefik Hub
+
+Traefik Hub transforms your API infrastructure by providing enterprise-grade API Gateway and comprehensive API Management capabilities. Built on the foundation of Traefik Proxy, Hub enables organizations to govern, secure, and manage APIs at scale across cloud-native environments.
+
+## API Gateway and API Management Capabilities
+
+Traefik Hub offers two complementary approaches to API governance:
+
+- [Traefik Hub API Gateway](https://traefik.io/solutions/api-gateway/): Enterprise-grade security, distributed features, and advanced access control for cloud-native API gateway scenarios. It includes AI Gateway capabilities for modern machine learning workloads.
+
+- [Traefik Hub API Management](https://traefik.io/solutions/api-management/): Comprehensive API lifecycle management, developer portals, and organizational features for teams managing multiple APIs across environments.
+
+## API Management Features
+
+Traefik Hub API Management provides a complete suite of features designed to streamline API governance and accelerate developer productivity:
+
+### Comprehensive API Lifecycle Management
+
+- **Centralized API Catalog**: Comprehensive API inventory providing real-time visibility and control
+- **Advanced Versioning**: Utilize the most flexible API versioning and Kubernetes-native labels to logically organize APIs, track their evolution over time, and avoid breaking changes for client applications
+- **Quality Control**: Perform error checks and change impact analysis with Traefik Hub's static analyzer to ensure compliance and prevent misconfiguration by catching errors early
+- **Resource Management**: Centralize rate limits, quotas, and policy enforcement across groups of APIs through Plans & Bundles, ensuring consistent and efficient resource management
+- **Subscription Management**: Create managed and self-serve subscriptions for enhanced ease-of-use, security, and auditability
+- **Standards Compliance**: Import, validate, and manage APIs using industry-standard OpenAPI specifications
+
+### Developer Experience & Self-Service
+
+- **Customizable Portals**: Easily create one or more dedicated API Portals for developers to discover, understand, and interact with your APIs
+- **Interactive API Testing**: Allow developers to test APIs directly within the portal for immediate feedback
+- **Branded Experience**: Customize the API portal to house API documentation, clear integration instructions, and personalized content to foster adoption and streamline development
+- **Credential Management**: Generate API access credentials, such as API keys, directly from the portal for simplified access and secure integration
+- **Auto-generated Documentation**: Automatically generated, interactive API documentation from OpenAPI specifications in the portal
+
+### Enterprise-Grade Security
+
+- **Access Control**: Implement fine-grained permissions through detailed API policies and JWT inspection to secure access to API resources
+- **Identity Integration**: Leverage existing identity and access management (IAM) solutions, such as Keycloak, Okta, Auth0, etc. through industry-standard authentication protocols, including native OIDC support
+- **Data Protection**: Advanced TLS management, supporting Let's Encrypt (ACME) and SPIFFE for robust data protection
+- **Threat Prevention**: Native Web Application Firewall (WAF) powered by OWASP Coraza to defend against known vulnerabilities
+
+### Observability
+
+- **Open Standards Monitoring**: Gain deep insights into API health and performance with OpenTelemetry integration to provide metrics and tracing capabilities without vendor lock-in
+- **Third-party Integrations**: Turnkey integration with Treblle directly on the Traefik Hub Dashboard for real-time, out-of-the-box observability without maintaining a complex monitoring infrastructure
+- **Pre-built Grafana Dashboards**: Ready-to-use monitoring dashboards with key API metrics and performance indicators
+
+## Getting Started with API Governance
+
+Transform your API infrastructure with Traefik Hub's governance capabilities:
+
+1. **Start with API Gateway**: Implement enterprise security, authentication, distributed features, and AI Gateway capabilities
+2. **Scale with API Management**: Add comprehensive lifecycle management, developer portals, and governance features
+
+Ready to govern your APIs at scale? Explore [Traefik Hub API Management](https://traefik.io/solutions/api-management/) and discover how it can transform your API strategy.

docs/content/https/acme.md

@@ -250,6 +250,34 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
 !!! info ""
     Redirection is fully compatible with the `HTTP-01` challenge.
 
+#### `Delay`
+
+The delay between the creation of the challenge and the validation.
+A value lower than or equal to zero means no delay.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      httpChallenge:
+        # ...
+        delay: 12
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.httpChallenge]
+    # ...
+    delay = 12
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.httpchallenge.delay=12
+```
+
 ### `dnsChallenge`
 
 Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
@@ -286,7 +314,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 !!! warning "`CNAME` support"
 
     `CNAME` are supported (and sometimes even [encouraged](https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname)),
-    but there are a few cases where they can be [problematic](../../getting-started/faq/#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).
+    but there are a few cases where they can be [problematic](../getting-started/faq.md#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).
 
     If needed, `CNAME` support can be disabled with the following environment variable:
 
@@ -324,13 +352,16 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
 | [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
 | [Axelname](https://axelname.ru)                                        | `axelname`         | `AXELNAME_NICKNAME`, `AXELNAME_TOKEN`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/axelname)         |
-| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [Azion](https://www.azion.com/en/products/edge-dns/)                   | `azion`            | `AZION_PERSONAL_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/azion)            |
+| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | DEPRECATED use `azuredns` instead.                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
 | [AzureDNS](https://azure.microsoft.com/services/dns/)                  | `azuredns`         | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns)         |
 | [Baidu Cloud](https://cloud.baidu.com)                                 | `baiducloud`       | `BAIDUCLOUD_ACCESS_KEY_ID`, `BAIDUCLOUD_SECRET_ACCESS_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/baiducloud)       |
+| [Beget](https://beget.com/)                                            | `beget`            | `BEGET_USERNAME`, `BEGET_PASSWORD`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/beget)            |
+| [Binary Lane](https://www.binarylane.com.au/)                          | `binarylane`       | `BINARYLANE_API_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/binarylane)       |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)             | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
 | [Blue Cat](https://www.bluecatnetworks.com/)                           | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
 | [BookMyName](https://www.bookmyname.com)                               | `bookmyname`       | `BOOKMYNAME_USERNAME`, `BOOKMYNAME_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/bookmyname)       |
-| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
+| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
 | [Bunny](https://bunny.net)                                             | `bunny`            | `BUNNY_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/bunny)            |
 | [Checkdomain](https://www.checkdomain.de/)                             | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
 | [Civo](https://www.civo.com/)                                          | `civo`             | `CIVO_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
@@ -338,7 +369,8 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [CloudDNS](https://vshosting.eu/)                                      | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
 | [Cloudflare](https://www.cloudflare.com)                               | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
 | [ClouDNS](https://www.cloudns.net/)                                    | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
-| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [ConoHa v3](https://www.conoha.jp/)                                    | `conohav3`         | `CONOHAV3_TENANT_ID`, `CONOHAV3_API_USER_ID`, `CONOHAV3_API_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conohav3)         |
 | [ConoHa](https://www.conoha.jp)                                        | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
 | [Constellix](https://constellix.com)                                   | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
 | [Core-Networks](https://www.core-networks.de)                          | `corenetworks`     | `CORENETWORKS_LOGIN`, `CORENETWORKS_PASSWORD`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/corenetworks)     |
@@ -350,12 +382,13 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [DNS Made Easy](https://dnsmadeeasy.com)                               | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
 | [dnsHome.de](https://www.dnshome.de)                                   | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
 | [DNSimple](https://dnsimple.com)                                       | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
-| [DNSPod](https://www.dnspod.com/)                                      | `dnspod`           | `DNSPOD_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
+| [DNSPod](https://www.dnspod.com/) (DEPRECATED)                         | `dnspod`           | DEPRECATED  use `tencentcloud` instead.                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
 | [Domain Offensive (do.de)](https://www.do.de/)                         | `dode`             | `DODE_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
 | [Domeneshop](https://domene.shop)                                      | `domeneshop`       | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)       |
 | [DreamHost](https://www.dreamhost.com/)                                | `dreamhost`        | `DREAMHOST_API_KEY`                                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)        |
 | [Duck DNS](https://www.duckdns.org/)                                   | `duckdns`          | `DUCKDNS_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)          |
 | [Dyn](https://dyn.com)                                                 | `dyn`              | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)              |
+| [DynDnsFree.de](https://www.dyndnsfree.de)                             | `dyndnsfree`       | `DYNDNSFREE_USERNAME`, `DYNDNSFREE_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dyndnsfree)       |
 | [Dynu](https://www.dynu.com)                                           | `dynu`             | `DYNU_API_KEY`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)             |
 | [EasyDNS](https://easydns.com/)                                        | `easydns`          | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)          |
 | [EdgeDNS](https://www.akamai.com/)                                     | `edgedns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
@@ -371,9 +404,10 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Glesys](https://glesys.com/)                                          | `glesys`           | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)           |
 | [GoDaddy](https://www.godaddy.com)                                     | `godaddy`          | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)          |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)                 | `gcloud`           | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)           |
-| [Google Domains](https://domains.google)                               | `googledomains`    | `GOOGLE_DOMAINS_ACCESS_TOKEN`                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
-| [Hetzner](https://hetzner.com)                                         | `hetzner`          | `HETZNER_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
+| [Google Domains](https://domains.google) (DEPRECATED)                  | `googledomains`    | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
+| [Hetzner](https://hetzner.com)                                         | `hetzner`          | `HETZNER_API_TOKEN`                                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
 | [hosting.de](https://www.hosting.de)                                   | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
+| [Hostinger](https://www.hostinger.com/)                                | `hostinger`        | `HOSTINGER_API_TOKEN`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/hostinger)        |
 | [Hosttech](https://www.hosttech.eu)                                    | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
 | [http.net](https://www.http.net/)                                      | `httpnet`          | `HTTPNET_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/httpnet)          |
 | [Huawei Cloud](https://huaweicloud.com)                                | `huaweicloud`      | `HUAWEICLOUD_ACCESS_KEY_ID`, `HUAWEICLOUD_SECRET_ACCESS_KEY`, `HUAWEICLOUD_REGION`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/huaweicloud)      |
@@ -390,6 +424,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [IPv64](https://ipv64.net)                                             | `ipv64`            | `IPV64_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/ipv64)            |
 | [iwantmyname](https://iwantmyname.com)                                 | `iwantmyname`      | `IWANTMYNAME_USERNAME` , `IWANTMYNAME_PASSWORD`                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/iwantmyname)      |
 | [Joker.com](https://joker.com)                                         | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
+| [KeyHelp](https://www.keyweb.de/en/keyhelp/keyhelp/)                   | `keyhelp`          | `KEYHELP_API_KEY`, `KEYHELP_BASE_URL`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/keyhelp)          |
 | [Liara](https://liara.ir)                                              | `liara`            | `LIARA_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/liara)            |
 | [Lightsail](https://aws.amazon.com/lightsail/)                         | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
 | [Lima-City](https://www.lima-city.de)                                  | `limacity`         | `LIMACITY_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/limacity)         |
@@ -417,6 +452,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Njalla](https://njal.la)                                              | `njalla`           | `NJALLA_TOKEN`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)           |
 | [Nodion](https://www.nodion.com)                                       | `nodion`           | `NODION_API_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/nodion)           |
 | [NS1](https://ns1.com/)                                                | `ns1`              | `NS1_API_KEY`                                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)              |
+| [Octenium](https://octenium.com/)                                      | `octenium`         | `OCTENIUM_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/octenium)         |
 | [Open Telekom Cloud](https://cloud.telekom.de)                         | `otc`              | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/otc)              |
 | [Openstack Designate](https://docs.openstack.org/designate)            | `designate`        | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/designate)        |
 | [Oracle Cloud](https://cloud.oracle.com/home)                          | `oraclecloud`      | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID`                                      | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)      |
@@ -432,6 +468,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [RFC2136](https://tools.ietf.org/html/rfc2136)                         | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
 | [RimuHosting](https://rimuhosting.com)                                 | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
 | [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
+| [RU Center](https://nic.ru/)                                           | `nicru`            | `NICRU_USER`, `NICRU_PASSWORD`, `NICRU_SERVICE_ID`, `NICRU_SECRET`, `NICRU_SERVICE_NAME`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/nicru)            |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
 | [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCW_API_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
 | [Selectel v2](https://selectel.ru/en/)                                 | `selectelv2`       | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2)       |
@@ -445,6 +482,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Stackpath](https://www.stackpath.com/)                                | `stackpath`        | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)        |
 | [Technitium](https://technitium.com)                                   | `technitium`       | `TECHNITIUM_SERVER_BASE_URL`, `TECHNITIUM_API_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/technitium)       |
 | [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)             | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
+| [Tencent EdgeOne](https://edgeone.ai/)                                 | `edgeone`          | `EDGEONE_SECRET_ID`, `EDGEONE_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/edgeone)          |
 | [Timeweb Cloud](https://timeweb.cloud)                                 | `timewebcloud`     | `TIMEWEBCLOUD_AUTH_TOKEN`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/timewebcloud)     |
 | [TransIP](https://www.transip.nl/)                                     | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
 | [UKFast SafeDNS](https://docs.ukfast.co.uk/domains/safedns/index.html) | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
@@ -466,6 +504,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Yandex Cloud](https://cloud.yandex.com/en/)                           | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
 | [Yandex](https://yandex.com)                                           | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
 | [Zone.ee](https://www.zone.ee)                                         | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
+| [ZoneEdit](https://www.zoneedit.com)                                   | `zoneedit`         | `ZONEEDIT_USER`, `ZONEEDIT_AUTH_TOKEN`                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/zoneedit)         |
 | [Zonomi](https://zonomi.com)                                           | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
 | External Program                                                       | `exec`             | `EXEC_PATH`                                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/exec)             |
 | HTTP request                                                           | `httpreq`          | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)          |
@@ -809,6 +848,71 @@ certificatesResolvers:
 # ...
 ```
 
+### `clientTimeout`
+
+_Optional, Default=2m_
+
+`clientTimeout` is the total timeout for a complete HTTP transaction (including TCP connection, sending request and receiving response) with the ACME server.
+It defaults to 2 minutes.
+
+!!! warning "This timeout encompasses the entire request-response cycle, including the response headers timeout. It must be at least `clientResponseHeaderTimeout`, otherwise the certificate resolver will fail to start."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      clientTimeout: 1m
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  clientTimeout=1m
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.clientTimeout=1m
+# ...
+```
+
+!!! warning
+    This should not be confused with any timeouts used for validating challenges.
+
+### `clientResponseHeaderTimeout`
+
+_Optional, Default=30s_
+
+`clientResponseHeaderTimeout` defines how long the HTTP client waits for response headers when communicating with the `caServer`.
+It defaults to 30 seconds. 
+
+!!! warning "It must be lower than `clientTimeout`, otherwise the certificate resolver will fail to start."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      clientResponseHeaderTimeout: 1m
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  clientResponseHeaderTimeout=1m
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=1m
+# ...
+```
+
 ### `preferredChain`
 
 _Optional, Default=""_

docs/content/https/ocsp.md

@@ -0,0 +1,71 @@
+---
+title: "Traefik OCSP Documentation"
+description: "Learn how to configure Traefik to use OCSP. Read the technical documentation."
+---
+
+# OCSP
+
+Check certificate status and perform OCSP stapling.
+{: .subtitle }
+
+## Overview
+
+### OCSP Stapling
+
+When OCSP is enabled, Traefik checks the status of every certificate in the store that provides an OCSP responder URL,
+including the default certificate, and staples the OCSP response to the TLS handshake.
+The OCSP check is performed when the certificate is loaded,
+and once every hour until it is successful at the halfway point before the update date.
+
+### Caching
+
+Traefik caches the OCSP response as long as the associated certificate is provided by the configuration.
+When a certificate is no longer provided,
+the OCSP response has a 24 hour TTL waiting to be provided again or eventually removed.
+The OCSP response is cached in memory and is not persisted between Traefik restarts.
+
+## Configuration
+
+### General
+
+Enabling OCSP is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+It can be defined by using a file (YAML or TOML) or CLI arguments:
+
+```yaml tab="File (YAML)"
+## Static configuration
+ocsp: {}
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[ocsp]
+```
+
+```bash tab="CLI"
+## Static configuration
+--ocsp=true
+```
+
+### Responder Overrides
+
+The `responderOverrides` option defines the OCSP responder URLs to use instead of the one provided by the certificate.
+This is useful when you want to use a different OCSP responder.
+
+```yaml tab="File (YAML)"
+## Static configuration
+ocsp:
+  responderOverrides:
+    foo: bar
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[ocsp]
+  [ocsp.responderOverrides]
+    foo = "bar"
+```
+
+```bash tab="CLI"
+## Static configuration
+-ocsp.responderoverrides.foo=bar
+```

docs/content/https/ref-acme.toml

@@ -30,6 +30,20 @@
   #
   # certificatesDuration=2160
 
+  # Timeout for a complete HTTP transaction with the ACME server.
+  #
+  # Optional
+  # Default: 2m
+  #
+  # clientTimeout="2m"
+
+  # Timeout for receiving the response headers when communicating with the ACME server.
+  #
+  # Optional
+  # Default: 30s
+  #
+  # clientResponseHeaderTimeout="30s"
+
   # Preferred chain to use.
   #
   # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

docs/content/https/ref-acme.txt

@@ -29,6 +29,20 @@
 #
 --certificatesresolvers.myresolver.acme.certificatesDuration=2160
 
+# Timeout for a complete HTTP transaction with the ACME server.
+#
+# Optional
+# Default: 2m
+#
+--certificatesresolvers.myresolver.acme.clientTimeout=2m
+
+# Timeout for receiving the response headers when communicating with the ACME server.
+#
+# Optional
+# Default: 30s
+#
+--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=30s
+
 # Preferred chain to use.
 #
 # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

docs/content/https/ref-acme.yaml

@@ -32,6 +32,20 @@ certificatesResolvers:
       #
       # certificatesDuration: 2160
 
+      # Timeout for a complete HTTP transaction with the ACME server.
+      #
+      # Optional
+      # Default: 2m
+      #
+      # clientTimeout: "2m"
+
+      # Timeout for receiving the response headers when communicating with the ACME server.
+      #
+      # Optional
+      # Default: 30s
+      #
+      # clientResponseHeaderTimeout: "30s"
+
       # Preferred chain to use.
       #
       # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

docs/content/https/tls.md

@@ -234,7 +234,7 @@ The TLS options allow one to configure some parameters of the TLS connection.
 
 !!! important "TLSOption in Kubernetes"
 
-    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../routing/providers/kubernetes-crd.md#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
     if not explicitly overwritten, should apply to all ingresses.  
     To achieve that, you'll have to create a TLSOption resource with the name `default`.
     There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
@@ -384,11 +384,11 @@ spec:
 
 ### Curve Preferences
 
-This option allows to set the preferred elliptic curves in a specific order.
+This option allows to set the enabled elliptic curves for key exchange.
 
 The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used.
 
-See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
+See [CurvePreferences](https://godoc.org/crypto/tls#Config.CurvePreferences) and [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
 
 ```yaml tab="File (YAML)"
 # Dynamic configuration
@@ -503,7 +503,7 @@ Traefik supports mutual authentication, through the `clientAuth` section.
 
 For authentication policies that require verification of the client certificate, the certificate authority for the certificates should be set in `clientAuth.caFiles`.
 
-In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) for more details.
+In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../routing/providers/kubernetes-crd.md#kind-tlsoption) for more details.
 
 The `clientAuth.clientAuthType` option governs the behaviour as follows:
 

docs/content/index.md

@@ -7,18 +7,15 @@ description: "Traefik Proxy, an open-source Edge Router, auto-discovers configur
 
 ![Architecture](assets/img/traefik-architecture.png)
 
-Traefik is an [open-source](https://github.com/traefik/traefik) *Application Proxy* that makes publishing your services a fun and easy experience. 
-It receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. 
+Traefik is an [open-source](https://github.com/traefik/traefik) Application Proxy and the core of the Traefik Hub Runtime Platform.
 
-What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
-The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. 
+If you start with Traefik for service discovery and routing, you can seamlessly add [API management](https://traefik.io/solutions/api-management/), [API gateway](https://traefik.io/solutions/api-gateway/), [AI gateway](https://traefik.io/solutions/ai-gateway/), and [API mocking](https://traefik.io/solutions/api-mocking/) capabilities as needed.
 
-Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, and [the list goes on](./reference/install-configuration/providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
- 
-With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
-With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.
+With 3.3 billion downloads and over 55k stars on GitHub, Traefik is used globally across hybrid cloud, multi-cloud, on prem, and bare metal environments running Kubernetes, Docker Swarm, AWS, [the list goes on](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/).
 
-And if your needs change, you can add API gateway and API management capabilities seamlessly to your existing Traefik deployments. It takes less than a minute, there’s no rip-and-replace, and all your configurations are preserved. See this in action in [our API gateway demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=docs).
+Here’s how it works—Traefik receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. It automatically discovers the right configuration for your services by inspecting your infrastructure to identify relevant information and which service serves which request.
+
+Because everything happens automatically, in real time (no restarts, no connection interruptions), you can focus on developing and deploying new features to your system, instead of configuring and maintaining its working state.
 
 !!! quote "From the Traefik Maintainer Team" 
     When developing Traefik, our main goal is to make it easy to use, and we're sure you'll enjoy it.
@@ -36,7 +33,7 @@ Traefik supports different needs depending on your background. We keep three use
 Traefik’s main concepts help you understand how requests flow to your services:
 
 - [Entrypoints](./reference/install-configuration/entrypoints.md) are the network entry points into Traefik. They define the port that will receive the packets and whether to listen for TCP or UDP.
-- [Routers](./reference/routing-configuration/http/router/rules-and-priority.md) are in charge of connecting incoming requests to the services that can handle them. In the process, routers may use pieces of [middleware](./reference/routing-configuration/http/middlewares/overview.md) to update the request or act before forwarding the request to the service.
+- [Routers](./reference/routing-configuration/http/routing/rules-and-priority.md) are in charge of connecting incoming requests to the services that can handle them. In the process, routers may use pieces of [middleware](./reference/routing-configuration/http/middlewares/overview.md) to update the request or act before forwarding the request to the service.
 - [Services](./reference/routing-configuration/http/load-balancing/service.md) are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
 - [Providers](./reference/install-configuration/providers/overview.md) are infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores. The idea is that Traefik queries the provider APIs in order to find relevant information about routing, and when Traefik detects a change, it dynamically updates the routes.
 
@@ -53,6 +50,6 @@ Use the sidebar to navigate to the section that is most appropriate for your nee
 
     Have a question? Join our [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the Traefik community.
 
-    Using Traefik OSS in Production? Consider our enterprise-grade [API Gateway](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc) or our [24/7/365 OSS Support](https://info.traefik.io/request-commercial-support?cta=doc).
+    Using Traefik OSS in production? Consider upgrading to our API gateway ([watch demo video](https://info.traefik.io/watch-traefik-api-gw-demo)) for better security, control, and 24/7 support.
 
-    Explore our API Gateway upgrade via [this short demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=doc).
+    Just need support? Explore our [24/7/365 support for Traefik OSS](https://info.traefik.io/request-commercial-support?cta=doc).

docs/content/middlewares/http/addprefix.md

@@ -8,8 +8,6 @@ description: "Learn how to implement the HTTP AddPrefix middleware in Traefik Pr
 Prefixing the Path
 {: .subtitle }
 
-![AddPrefix](../../assets/img/middleware/addprefix.png)
-
 The AddPrefix middleware updates the path of a request before forwarding it.
 
 ## Configuration Examples

docs/content/middlewares/http/basicauth.md

@@ -8,8 +8,6 @@ description: "The HTTP basic authentication (BasicAuth) middleware in Traefik Pr
 Adding Basic Authentication
 {: .subtitle }
 
-![BasicAuth](../../assets/img/middleware/basicauth.png)
-
 The BasicAuth middleware grants access to services to authorized users only.
 
 ## Configuration Examples

docs/content/middlewares/http/buffering.md

@@ -8,8 +8,6 @@ description: "The HTTP buffering middleware in Traefik Proxy limits the size of
 How to Read the Request before Forwarding It
 {: .subtitle }
 
-![Buffering](../../assets/img/middleware/buffering.png)
-
 The Buffering middleware limits the size of requests that can be forwarded to services.
 
 With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified size limit.

docs/content/middlewares/http/chain.md

@@ -8,8 +8,6 @@ description: "The HTTP chain middleware lets you define reusable combinations of
 When One Isn't Enough
 {: .subtitle }
 
-![Chain](../../assets/img/middleware/chain.png)
-
 The Chain middleware enables you to define reusable combinations of other pieces of middleware.
 It makes reusing the same groups easier.
 

docs/content/middlewares/http/circuitbreaker.md

@@ -8,8 +8,6 @@ description: "The HTTP circuit breaker in Traefik Proxy prevents stacking reques
 Don't Waste Time Calling Unhealthy Services
 {: .subtitle }
 
-![CircuitBreaker](../../assets/img/middleware/circuitbreaker.png)
-
 The circuit breaker protects your system from stacking requests to unhealthy services, resulting in cascading failures.
 
 When your system is healthy, the circuit is closed (normal operations).

docs/content/middlewares/http/compress.md

@@ -8,8 +8,6 @@ description: "Traefik Proxy's HTTP middleware lets you compress responses before
 Compress Allows Compressing Responses before Sending them to the Client
 {: .subtitle }
 
-![Compress](../../assets/img/middleware/compress.png)
-
 The Compress middleware supports Gzip, Brotli and Zstandard compression.
 The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.
 

docs/content/middlewares/http/digestauth.md

@@ -8,8 +8,6 @@ description: "Traefik Proxy's HTTP DigestAuth middleware restricts access to you
 Adding Digest Authentication
 {: .subtitle }
 
-![BasicAuth](../../assets/img/middleware/digestauth.png)
-
 The DigestAuth middleware grants access to services to authorized users only.
 
 ## Configuration Examples

docs/content/middlewares/http/errorpages.md

@@ -8,8 +8,6 @@ description: "In Traefik Proxy, the Errors middleware returns custom pages accor
 It Has Never Been Easier to Say That Something Went Wrong
 {: .subtitle }
 
-![Errors](../../assets/img/middleware/errorpages.png)
-
 The Errors middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
 
 !!! important

docs/content/middlewares/http/forwardauth.md

@@ -8,8 +8,6 @@ description: "In Traefik Proxy, the HTTP ForwardAuth middleware delegates authen
 Using an External Service to Forward Authentication
 {: .subtitle }
 
-![AuthForward](../../assets/img/middleware/authforward.png)
-
 The ForwardAuth middleware delegates authentication to an external service.
 If the service answers with a 2XX code, access is granted, and the original request is performed.
 Otherwise, the response from the authentication server is returned.
@@ -60,11 +58,11 @@ The following request properties are provided to the forward-auth target endpoin
 
 | Property          | Forward-Request Header |
 |-------------------|------------------------|
-| HTTP Method       | X-Forwarded-Method     |
-| Protocol          | X-Forwarded-Proto      |
-| Host              | X-Forwarded-Host       |
-| Request URI       | X-Forwarded-Uri        |
-| Source IP-Address | X-Forwarded-For        |
+| HTTP Method       | `X-Forwarded-Method`   |
+| Protocol          | `X-Forwarded-Proto`    |
+| Host              | `X-Forwarded-Host`     |
+| Request URI       | `X-Forwarded-Uri`      |
+| Source IP-Address | `X-Forwarded-For`      |
 
 ## Configuration Options
 

docs/content/middlewares/http/headers.md

@@ -8,8 +8,6 @@ description: "In Traefik Proxy, the HTTP headers middleware manages the headers
 Managing Request/Response headers
 {: .subtitle }
 
-![Headers](../../assets/img/middleware/headers.png)
-
 The Headers middleware manages the headers of requests and responses.
 
 A set of forwarded headers are automatically added by default. See the [FAQ](../../getting-started/faq.md#what-are-the-forwarded-headers-when-proxying-http-requests) for more information.

docs/content/middlewares/http/inflightreq.md

@@ -8,8 +8,6 @@ description: "Traefik Proxy's HTTP middleware lets you limit the number of simul
 Limiting the Number of Simultaneous In-Flight Requests
 {: .subtitle }
 
-![InFlightReq](../../assets/img/middleware/inflightreq.png)
-
 To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous in-flight requests can be limited.
 
 ## Configuration Examples
@@ -115,7 +113,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
 If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
 See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
 
-!!! example "Example of Depth & X-Forwarded-For"
+!!! example "Example of Depth & `X-Forwarded-For`"
 
     If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
 
@@ -169,7 +167,7 @@ http:
 
 !!! important "If `depth` is specified, `excludedIPs` is ignored."
 
-!!! example "Example of ExcludedIPs & X-Forwarded-For"
+!!! example "Example of ExcludedIPs & `X-Forwarded-For`"
 
     | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
     |-----------------------------------------|-----------------------|--------------|

docs/content/middlewares/http/ipallowlist.md

@@ -78,7 +78,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
 See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
 
-!!! example "Examples of Depth & X-Forwarded-For"
+!!! example "Examples of Depth & `X-Forwarded-For`"
 
     If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
 
@@ -144,7 +144,7 @@ http:
 
 !!! important "If `depth` is specified, `excludedIPs` is ignored."
 
-!!! example "Example of ExcludedIPs & X-Forwarded-For"
+!!! example "Example of ExcludedIPs & `X-Forwarded-For`"
 
     | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
     |-----------------------------------------|-----------------------|--------------|
@@ -264,3 +264,45 @@ http:
     [http.middlewares.test-ipallowlist.ipallowlist.sourceCriterion.ipStrategy]
       ipv6Subnet = 64
 ```
+
+### `rejectStatusCode`
+
+The `rejectStatusCode` option sets HTTP status code for refused requests. If not set, the default is 403 (Forbidden).
+
+```yaml tab="Docker & Swarm"
+# Reject requests with a 404 rather than a 403
+labels:
+    - "traefik.http.middlewares.test-ipallowlist.ipallowlist.rejectstatuscode=404"
+```
+
+```yaml tab="Kubernetes"
+# Reject requests with a 404 rather than a 403
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ipallowlist
+spec:
+  ipAllowList:
+    rejectStatusCode: 404
+```
+
+```yaml tab="Consul Catalog"
+# Reject requests with a 404 rather than a 403
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.rejectstatuscode=404"
+```
+
+```yaml tab="File (YAML)"
+# Reject requests with a 404 rather than a 403
+http:
+  middlewares:
+    test-ipallowlist:
+      ipAllowList:
+        rejectStatusCode: 404
+```
+
+```toml tab="File (TOML)"
+# Reject requests with a 404 rather than a 403
+[http.middlewares]
+  [http.middlewares.test-ipallowlist.ipAllowList]
+    rejectStatusCode = 404
+```

docs/content/middlewares/http/ipwhitelist.md

@@ -8,8 +8,6 @@ description: "Learn how to use IPWhiteList in HTTP middleware for limiting clien
 Limiting Clients to Specific IPs
 {: .subtitle }
 
-![IPWhiteList](../../assets/img/middleware/ipwhitelist.png)
-
 IPWhiteList limits allowed requests based on the client IP.
 
 !!! warning
@@ -84,7 +82,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
 See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
 
-!!! example "Examples of Depth & X-Forwarded-For"
+!!! example "Examples of Depth & `X-Forwarded-For`"
 
     If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
 
@@ -150,7 +148,7 @@ http:
 
 !!! important "If `depth` is specified, `excludedIPs` is ignored."
 
-!!! example "Example of ExcludedIPs & X-Forwarded-For"
+!!! example "Example of ExcludedIPs & `X-Forwarded-For`"
 
     | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
     |-----------------------------------------|-----------------------|--------------|

docs/content/middlewares/http/overview.md

@@ -8,8 +8,6 @@ description: "Read the official Traefik Proxy documentation for an overview of t
 Controlling connections
 {: .subtitle }
 
-![Overview](../../assets/img/middleware/overview.png)
-
 ## Configuration Example
 
 ```yaml tab="Docker & Swarm"

docs/content/middlewares/http/ratelimit.md

@@ -225,7 +225,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
 If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
 See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
 
-!!! example "Example of Depth & X-Forwarded-For"
+!!! example "Example of Depth & `X-Forwarded-For`"
 
     If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
 
@@ -288,7 +288,7 @@ http:
 
     !!! example "Each IP as a distinct source"
 
-        | X-Forwarded-For                | excludedIPs           | clientIP     |
+        | `X-Forwarded-For`              | excludedIPs           | clientIP     |
         |--------------------------------|-----------------------|--------------|
         | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
         | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
@@ -298,7 +298,7 @@ http:
 
     !!! example "Group IPs together as same source"
 
-        |  X-Forwarded-For               |  excludedIPs | clientIP     |
+        | `X-Forwarded-For`              | excludedIPs  | clientIP     |
         |--------------------------------|--------------|--------------|
         | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
         | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
@@ -310,7 +310,7 @@ and the first IP that is _not_ in the pool (if any) is returned.
 
 !!! example "Matching for clientIP"
 
-    |  X-Forwarded-For               |  excludedIPs          | clientIP     |
+    | `X-Forwarded-For`              | excludedIPs           | clientIP     |
     |--------------------------------|-----------------------|--------------|
     | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"11.0.0.1"`          | `"13.0.0.1"` |
     | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |

docs/content/middlewares/http/redirectscheme.md

@@ -19,7 +19,7 @@ The RedirectScheme middleware redirects the request if the request scheme is dif
     When there is at least one other reverse-proxy between the client and Traefik, 
     the other reverse-proxy (i.e. the last hop) needs to be a [trusted](../../routing/entrypoints.md#forwarded-headers) one. 
     
-    Otherwise, Traefik would clean up the X-Forwarded headers coming from this last hop, 
+    Otherwise, Traefik would clean up the `X-Forwarded` headers coming from this last hop,
     and as the RedirectScheme middleware relies on them to determine the scheme used,
     it would not function as intended.
 

docs/content/middlewares/overview.md

@@ -8,8 +8,6 @@ description: "There are several available middleware in Traefik Proxy used to mo
 Tweaking the Request
 {: .subtitle }
 
-![Overview](../assets/img/middleware/overview.png)
-
 Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
 
 There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.

docs/content/middlewares/tcp/overview.md

@@ -8,8 +8,6 @@ description: "Read the official Traefik Proxy documentation for an overview of t
 Controlling connections
 {: .subtitle }
 
-![Overview](../../assets/img/middleware/overview.png)
-
 ## Configuration Example
 
 ```yaml tab="Docker & Swarm"

docs/content/migrate/v1-to-v2.md

@@ -0,0 +1,24 @@
+---
+title: "Traefik V2 Migration Documentation"
+description: "Migrate from Traefik Proxy v1 to v2 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
+---
+
+# Migration Guide: From v1 to v2
+
+How to Migrate from Traefik v1 to Traefik v2.
+{: .subtitle }
+
+The version 2 of Traefik introduced a number of breaking changes,
+which require one to update their configuration when they migrate from v1 to v2.
+
+For more information about the changes in Traefik v2, please refer to the [v2 documentation](https://doc.traefik.io/traefik/v2.11/migration/v1-to-v2/).
+
+!!! info "Migration Helper"
+
+    We created a tool to help during the migration: [traefik-migration-tool](https://github.com/traefik/traefik-migration-tool)
+
+    This tool allows to:
+
+    - convert `Ingress` to Traefik `IngressRoute` resources.
+    - convert `acme.json` file from v1 to v2 format.
+    - migrate the static configuration contained in the file `traefik.toml` to a Traefik v2 file.

docs/content/migrate/v2-to-v3-details.md

@@ -5,7 +5,7 @@ description: "Configuration changes and their details to successfully migrate fr
 
 # Configuration Details for Migrating from Traefik v2 to v3
 
-## Static Configuration Changes
+## Install Configuration Changes
 
 ### SwarmMode
 
@@ -135,7 +135,7 @@ It is now unsupported and would prevent Traefik to start.
 ##### Remediation
 
 The `http3` option should be removed from the static configuration experimental section.
-To configure `http3`, please checkout the [entrypoint configuration documentation](../routing/entrypoints.md#http3_1).
+To configure `http3`, please checkout the [entrypoint configuration documentation](../reference/install-configuration/entrypoints.md#http3).
 
 ### Consul provider
 
@@ -619,7 +619,7 @@ Please take a look at the observability documentation for more information:
 In v3, the `ServiceURL` field is not an object anymore but a string representation.
 An update may be required if you index access logs.
 
-## Dynamic Configuration Changes
+## Routing Configuration Changes
 
 ### Router Rule Matchers
 
@@ -730,7 +730,7 @@ In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing
 
 ### TCP LoadBalancer `terminationDelay` option
 
-The TCP LoadBalancer `terminationDelay` option has been removed.
+The TCP LoadBalancer `terminationDelay` option has been deprecated.
 This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)
 
 ### Kubernetes CRDs API Group `traefik.containo.us`

docs/content/migrate/v2-to-v3.md

@@ -0,0 +1,161 @@
+---
+title: "Traefik V3 Migration Documentation"
+description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
+---
+
+# Migration Guide: From v2 to v3
+
+How to Migrate from Traefik v2 to Traefik v3.
+{: .subtitle }
+
+!!! success "Streamlined Migration Process"
+    Traefik v3 introduces minimal breaking changes and maintains backward compatibility with v2 syntax in dynamic configuration, offering a gradual migration path.
+
+With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#install-configuration-changes "Link to install configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.
+
+## Migration Overview
+
+The migration process consists of three progressive steps designed to minimize risk and ensure a smooth transition:
+
+!!! abstract "Migration Steps"
+    **Step 1:** [Prepare configurations and test v3](#step-1-prepare-configurations-and-test-v3)  
+    **Step 2:** [Migrate production instances to Traefik v3](#step-2-migrate-production-instances-to-traefik-v3)  
+    **Step 3:** [Progressively migrate dynamic configuration](#step-3-progressively-migrate-dynamic-configuration)
+
+---
+
+## Step 1: Prepare Configurations and Test v3
+
+!!! info "Preparation Phase"
+    This step focuses on updating static configurations and enabling backward compatibility for a safe testing environment.
+
+### Configuration Updates
+
+**Review and Update Static Configuration**
+
+Check the changes in [static configurations](./v2-to-v3-details.md#install-configuration-changes "Link to install configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3. Modify your configurations accordingly.
+
+**Enable v2 Compatibility Mode**
+
+Add the following configuration to maintain v2 syntax compatibility:
+
+```yaml
+# static configuration
+core:
+  defaultRuleSyntax: v2
+```
+
+!!! note "Backward Compatibility"
+    This snippet in the static configuration makes the [v2 format](../migrate/v2-to-v3-details.md#configure-the-default-syntax-in-static-configuration "Link to configure default syntax in static config") the default rule matchers syntax.
+
+### Testing Phase
+
+**Start Your Test Environment**
+
+1. Start Traefik v3 with the updated configuration
+2. Monitor the startup logs for any errors
+3. Test routing to your applications
+
+**Validation Checklist**
+
+- ✅ Traefik starts without error logs
+- ✅ All routes are functioning correctly  
+- ✅ Applications are accessible through Traefik
+
+!!! success "Ready for Next Step"
+    If you don't get any error logs while testing, you are good to go! Otherwise, follow the remaining migration options highlighted in the logs.
+
+Once your Traefik test instances are starting and routing to your applications, proceed to the next step.
+
+---
+
+## Step 2: Migrate Production Instances to Traefik v3
+
+!!! warning "Production Migration"
+    This is the critical step where you migrate your production environment. Proper monitoring and rollback preparation are essential.
+
+### Migration Strategy
+
+**Progressive Deployment**
+
+We strongly advise you to follow a progressive migration strategy ([Kubernetes rolling update mechanism](https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-intro/ "Link to the Kubernetes rolling update documentation"), for example) to migrate your production instances to v3.
+
+**Required Preparations**
+
+!!! danger "Critical Requirements"
+    - ✅ **Real-time monitoring solution** for ingress traffic ([monitoring guide](https://traefik.io/blog/capture-traefik-metrics-for-apps-on-kubernetes-with-prometheus/ "Link to the blog on capturing Traefik metrics with Prometheus"))
+    - ✅ **Rollback plan** ready for immediate execution
+    - ✅ **Team availability** during migration window
+
+### Migration Execution
+
+**During Migration:**
+
+1. **Monitor continuously:** Watch ingress traffic for any errors or anomalies
+2. **Be prepared to rollback:** Have your rollback procedure ready to execute immediately
+3. **Use debug logs:** Leverage debug and access logs to understand any issues that arise
+
+**Validation Steps:**
+
+- Monitor response times and error rates
+- Verify all critical application paths are working
+- Check that SSL/TLS termination is functioning correctly
+- Validate middleware behavior
+
+!!! success "Migration Complete"
+    Once every Traefik instance is updated, you will be on Traefik v3!
+
+---
+
+## Step 3: Progressively Migrate Dynamic Configuration
+
+!!! info "Optional Immediate Step"
+    This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes"). Enable Traefik logs to get some help if any deprecated option is in use.
+
+### Migration Process
+
+**Review Dynamic Configuration Changes**
+
+Check the changes in [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes") to understand what updates are needed.
+
+**Progressive Router Migration**
+
+1. **Select a router** to migrate first (start with non-critical services)
+2. **[Switch to v3 syntax](./v2-to-v3-details.md#configure-the-syntax-per-router "Link to configuring the syntax per router")** for that specific router
+3. **Test thoroughly** to ensure ingress traffic is not impacted
+4. **Deploy and validate** the updated resource
+5. **Remove the old v2 resource** once validation is complete
+6. **Repeat** for each remaining router
+
+### Migration Best Practices
+
+!!! tip "Migration Strategy"
+    - Start with development or staging environments
+    - Migrate one service at a time
+    - Test each migration thoroughly before proceeding
+    - Keep detailed logs of what was changed
+
+### Final Configuration Cleanup
+
+Once all Ingress resources are migrated to v3 syntax, remove the compatibility configuration:
+
+```yaml
+# Remove this from static configuration
+core:
+  defaultRuleSyntax: v2  # ← Delete this entire section
+```
+
+!!! success "🎉 Migration Complete!"
+    You are now fully migrated to Traefik v3 and can take advantage of all the new features and improvements!
+
+### Post-Migration Verification
+
+**Final Checklist:**
+
+- ✅ All routers use v3 syntax
+- ✅ v2 compatibility mode disabled
+- ✅ No deprecated warnings in logs
+- ✅ All applications functioning correctly
+- ✅ Performance metrics stable
+
+{!traefik-for-business-applications.md!}

docs/content/migrate/v2.md

@@ -0,0 +1,11 @@
+---
+title: "Traefik V2 Migration Documentation"
+description: "Learn the steps needed to migrate to new Traefik Proxy v2 versions, i.e. v2.0 to v2.1 or v2.1 to v2.2. Read the technical documentation."
+---
+
+# Migration: Steps needed between the v2 versions
+
+The multiple minor versions of Traefik v2 introduced a number of changes,
+which may require one to update their configuration when they migrate.
+
+For more information about the changes between Traefik v2 minor versions, please refer to the [v2 documentation](https://doc.traefik.io/traefik/v2.11/migration/v2/).

docs/content/migrate/v3.md

@@ -0,0 +1,498 @@
+---
+title: "Traefik Migration Documentation"
+description: "Learn the steps needed to migrate to new Traefik Proxy v3 versions. Read the technical documentation."
+---
+
+# Migration: Steps needed between the versions
+
+This guide provides detailed migration steps for upgrading between different Traefik v3 versions. Each section covers breaking changes, deprecations, and configuration updates required for a smooth transition.
+
+---
+
+## v3.0 to v3.1
+
+### Kubernetes Provider RBACs
+
+Starting with v3.1, Traefik's Kubernetes Providers use the [EndpointSlices API](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) (requires Kubernetes >=v1.21) for service endpoint discovery. This change also introduces NodePort load-balancing capabilities.
+
+The following RBAC updates are required for all Kubernetes providers:
+
+- Remove endpoints permissions and add endpointslices:
+
+```yaml
+# Remove this section from your RBAC
+# - apiGroups: [""]
+#   resources: ["endpoints"]
+#   verbs: ["get", "list", "watch"]
+
+# Add this section instead
+- apiGroups:
+    - discovery.k8s.io
+  resources:
+    - endpointslices
+  verbs:
+    - list
+    - watch
+```
+
+- Add nodes permissions for NodePort support:
+
+```yaml
+- apiGroups:
+    - ""
+  resources:
+    - nodes
+  verbs:
+    - get
+    - list
+    - watch
+```
+
+!!! note "Affected Providers"
+    These changes apply to:
+    
+    - [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example) provider
+    - [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac) provider  
+    - [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider
+
+#### Gateway API: KubernetesGateway Provider
+
+The KubernetesGateway Provider is no longer experimental in v3.1 and can be enabled without the `experimental.kubernetesgateway` option.
+
+**Deprecated Configuration:**
+
+??? example "Experimental kubernetesgateway option (deprecated)"
+
+    ```yaml tab="File (YAML)"
+    experimental:
+      kubernetesgateway: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [experimental]
+        kubernetesgateway=true
+    ```
+
+    ```bash tab="CLI"
+    --experimental.kubernetesgateway=true
+    ```
+
+**Migration Steps:**
+
+1. Remove the `kubernetesgateway` option from the experimental section
+2. Configure the provider using the [KubernetesGateway Provider documentation](../providers/kubernetes-gateway.md)
+
+---
+
+## v3.1.0 to v3.1.1
+
+### IngressClass Lookup
+
+The `disableIngressClassLookup` option has been deprecated and will be removed in the next major version.
+
+**Migration Required:**
+
+- **Old:** `disableIngressClassLookup`
+- **New:** `disableClusterScopeResources`
+
+The new option provides broader control over cluster scope resources discovery, including both IngressClass and Nodes resources.
+
+---
+
+## v3.1 to v3.2
+
+### Kubernetes CRD Provider
+
+New optional fields have been added to several CRDs. These updates are backward compatible and only add new functionality.
+
+**Apply the latest CRDs:**
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+**Updated Resources:**
+
+- [TraefikService](../routing/services/index.md#mirroring-service) ([PR #11032](https://github.com/traefik/traefik/pull/11032))
+- [RateLimit](../middlewares/http/ratelimit.md) & [InFlightReq](../middlewares/http/inflightreq.md) middlewares ([PR #9747](https://github.com/traefik/traefik/pull/9747))
+- [Compress](../middlewares/http/compress.md) middleware ([PR #10943](https://github.com/traefik/traefik/pull/10943))
+
+### Kubernetes Gateway Provider Standard Channel
+
+Starting with v3.2, the Kubernetes Gateway Provider now supports [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/) resources.
+
+Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
+the `grcroutes` and `grpcroutes/status` rights have to be added.
+
+**Required RBAC Updates:**
+
+```yaml
+...
+- apiGroups:
+    - gateway.networking.k8s.io
+  resources:
+    - grpcroutes
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - gateway.networking.k8s.io
+  resources:
+    - grpcroutes/status
+  verbs:
+    - update
+...
+```
+
+### Kubernetes Gateway Provider Experimental Channel
+
+Due to breaking changes in Kubernetes Gateway [v1.2.0-rc1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0-rc1), Traefik v3.3 only supports Kubernetes Gateway v1.2.x when experimental features are enabled.
+
+**New Feature: BackendTLSPolicy Support**
+
+The provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/) resources.
+
+Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
+the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added.
+
+**Required RBAC Updates:**
+
+```yaml
+  ...
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - backendtlspolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - backendtlspolicies/status
+    verbs:
+      - update
+  ...
+```
+
+---
+
+## v3.2.1
+
+### `X-Forwarded-Prefix` Header Changes
+
+In v3.2.1, the `X-Forwarded-Prefix` header is now handled like other `X-Forwarded-*` headers - Traefik removes it when sent from untrusted sources.
+
+This change improves security by preventing header spoofing from untrusted clients. Refer to the [Forwarded headers documentation](../routing/entrypoints.md#forwarded-headers) for configuration details.
+
+---
+
+## v3.2.2
+
+### Swarm Provider Label Updates
+
+In v3.2.2, Swarm-specific labels have been deprecated and will be removed in a future version.
+
+**Migration Required:**
+
+| Deprecated Label | New Label |
+|------------------|-----------|
+| `traefik.docker.network` | `traefik.swarm.network` |
+| `traefik.docker.lbswarm` | `traefik.swarm.lbswarm` |
+
+---
+
+## v3.2 to v3.3
+
+### ACME DNS Certificate Resolver
+
+In v3.3, DNS challenge configuration options have been reorganized for better clarity.
+
+**Migration Required:**
+
+| Deprecated Option | New Option |
+|-------------------|------------|
+| `acme.dnsChallenge.delaybeforecheck` | `acme.dnsChallenge.propagation.delayBeforeChecks` |
+| `acme.dnsChallenge.disablepropagationcheck` | `acme.dnsChallenge.propagation.disableChecks` |
+
+### Tracing Global Attributes
+
+In v3.3, the tracing configuration has been clarified to better reflect its purpose.
+
+**Migration Required:**
+
+- **Old:** `tracing.globalAttributes`
+- **New:** `tracing.resourceAttributes`
+
+The old option name was misleading as it specifically adds resource attributes for the collector, not global span attributes.
+
+---
+
+## v3.3.4
+
+### OpenTelemetry Request Duration Metric
+
+In v3.3.4, the OpenTelemetry Request Duration metric unit has been standardized to match other providers and naming conventions.
+
+**Change Details:**
+
+- **Metric:** `traefik_(entrypoint|router|service)_request_duration_seconds`
+- **Old Unit:** Milliseconds  
+- **New Unit:** Seconds
+
+This change ensures consistency across all metrics providers and follows standard naming conventions.
+
+---
+
+## v3.3.5
+
+### Compress Middleware Default Encodings
+
+In v3.3.5, the default compression algorithms have been reordered to favor gzip compression.
+
+**New Default:** `gzip, br, zstd`
+
+This change affects requests that either:
+
+- Don't specify preferred algorithms in the `Accept-Encoding` header
+- Have no order preference in their `Accept-Encoding` header
+
+The reordering helps ensure better compatibility with older clients that may not support newer compression algorithms.
+
+---
+
+## v3.3.6
+
+### Request Path Sanitization
+
+Starting with v3.3.6, incoming request paths are now automatically cleaned before processing for security and consistency.
+
+**What's Changed:**
+
+The following path segments are now interpreted and collapsed:
+
+- `/../` (parent directory references)
+- `/./` (current directory references)  
+- Duplicate slash segments (`//`)
+
+**Disabling Sanitization:**
+
+```yaml
+# EntryPoint HTTP configuration
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      sanitizePath: false  # Not recommended
+```
+
+!!! danger "Security Warning"
+    Setting `sanitizePath: false` is not safe. This option should only be used with legacy clients that don't properly URL-encode data. Always ensure requests are properly URL-encoded instead of disabling this security feature.
+
+**Example Risk:**
+Base64 data containing "/" characters can lead to unsafe routing when path sanitization is disabled and the data isn't URL-encoded.
+
+---
+
+## v3.3 to v3.4
+
+### Kubernetes CRD Provider
+
+#### Load-Balancing Strategy Updates
+
+Starting with v3.4, HTTP service definitions now support additional load-balancing strategies for better traffic distribution.
+
+**Apply Updated CRDs:**
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+**New Strategy Values:**
+
+- `wrr` (Weighted Round Robin)
+- `p2c` (Power of Two Choices)
+
+!!! warning "Deprecation"
+    The `RoundRobin` strategy is deprecated but still supported (equivalent to `wrr`). It will be removed in the next major release.
+
+Refer to the [HTTP Services Load Balancing documentation](../routing/services/index.md#load-balancing-strategy) for detailed information.
+
+#### ServersTransport CA Certificate Configuration
+
+A new `rootCAs` option has been added to the `ServersTransport` and `ServersTransportTCP` CRDs. It supports both ConfigMaps and Secrets for CA certificates and replaces the `rootCAsSecrets` option.
+
+**Apply Updates:**
+
+```shell
+# Update CRDs
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+
+# Update RBACs
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+```
+
+**New Configuration Format:**
+
+```yaml
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: foo
+  namespace: bar
+spec:
+  rootCAs:
+    - configMap: ca-config-map
+    - secret: ca-secret
+      
+---      
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransportTCP
+metadata:
+  name: foo
+  namespace: bar
+spec:
+  rootCAs:
+    - configMap: ca-config-map
+    - secret: ca-secret
+```
+
+!!! warning "Deprecation"
+    The `rootCAsSecrets` option (Secrets only) is still supported but deprecated. It will be removed in the next major release.
+
+### Rule Syntax Configuration
+
+In v3.4, rule syntax configuration options will be removed in the next major version.
+
+**Deprecated Options:**
+
+- `core.defaultRuleSyntax` (static configuration)
+- `ruleSyntax` (router option)
+
+These options were transitional helpers for migrating from v2 to v3 syntax. Please ensure all router rules use v3 syntax before the next major release.
+
+---
+
+## v3.4.1
+
+### Request Path Normalization
+
+Starting with v3.4.1, request paths are now normalized according to RFC 3986 standards for better consistency and security.
+
+**Normalization Process:**
+
+1. **Unreserved Character Decoding:** Characters like `%2E` (.) are decoded to their literal form
+2. **Case Normalization:** Percent-encoded characters are uppercased (`%2e` becomes `%2E`)
+
+This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2) and [case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1) standards.
+
+**Processing Order:**
+
+1. Path normalization (cannot be disabled)
+2. Path sanitization (if enabled)
+
+### Reserved Character Handling in Routing
+
+Starting with v3.4.1, reserved characters (per [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2)) remain encoded during router rule matching to prevent routing ambiguity.
+
+**Why This Matters:**
+Reserved characters change the meaning of request paths when decoded. Keeping them encoded during routing prevents security vulnerabilities and ensures predictable routing behavior.
+
+### Request Path Matching Examples
+
+The following table illustrates how path matching behavior has changed:
+
+| Request Path      | Router Rule                  | Traefik v3.4.0 | Traefik v3.4.1 | Explanation                                           |
+|-------------------|------------------------------|----------------|----------------|-------------------------------------------------------|
+| `/foo%2Fbar`      | ```PathPrefix(`/foo/bar`)``` | Match          | No match       | `%2F` (/) stays encoded, preventing false matches     |
+| `/foo/../bar`     | ```PathPrefix(`/foo`)```     | No match       | No match       | Path traversal is sanitized away                      |
+| `/foo/../bar`     | ```PathPrefix(`/bar`)```     | Match          | Match          | Resolves to `/bar` after sanitization                 |
+| `/foo/%2E%2E/bar` | ```PathPrefix(`/foo`)```     | Match          | No match       | Encoded dots normalized then sanitized                |
+| `/foo/%2E%2E/bar` | ```PathPrefix(`/bar`)```     | No match       | Match          | Resolves to `/bar` after normalization + sanitization |
+
+## v3.4.5
+
+### MultiPath TCP
+
+Since `v3.4.5`, the MultiPath TCP support introduced with `v3.4.2` has been removed.
+It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message:
+
+- `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported`
+
+However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).
+
+## v3.5.0
+
+### Observability
+
+#### TraceVerbosity on Routers and Entrypoints
+
+Starting with `v3.5.0`, a new `traceVerbosity` option is available for both entrypoints and routers.
+This option allows you to control the level of detail for tracing spans.
+Routers can override the value inherited from their entrypoint.
+
+**Impact:**
+
+- If you rely on tracing, review your configuration to explicitly set the desired verbosity level.
+- Existing configurations will default to `minimal` unless overridden, which will result in fewer spans being generated than before.
+
+Possible values are:
+
+- `minimal`: produces a single server span and one client span for each request processed by a router.
+- `detailed`: enables the creation of additional spans for each middleware executed for each request processed by a router.
+
+See the updated documentation for [entrypoints](../reference/install-configuration/entrypoints.md) and [dynamic routers](../reference/routing-configuration/http/routing/observability.md#traceverbosity).
+
+#### K8s Resource Attributes
+
+Since `v3.5.0`, the semconv attributes `k8s.pod.name` and `k8s.pod.uid` are injected automatically in OTel resource attributes when OTel tracing/logs/metrics are enabled.
+
+For that purpose, the following right has to be added to the Traefik Kubernetes RBACs:
+
+```yaml
+  ...
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  ...
+```
+
+---
+
+## v3.5.2
+
+### Deprecation of ProxyProtocol option
+
+Starting with `v3.5.2`, the `proxyProtocol` option for TCP LoadBalancer is deprecated.
+This option can now be configured at the `TCPServersTransport` level, please check out the [documentation](../reference/routing-configuration/tcp/serverstransport.md) for more details.
+
+#### Kubernetes CRD Provider
+
+To use the new `proxyprotocol` option in the Kubernetes CRD provider, you need to update your CRDs.
+
+**Apply Updated CRDs:**
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+## v3.5.4
+
+### Certificate Metric Renamed with OpenTelemetry 
+
+Starting with `v3.5.4`, and when using OpenTelemetry, the `traefik_tls_certs_not_after_milliseconds` metric is renamed to `traefik_tls_certs_not_after_seconds`.
+This change aligns the metric name with its real unit precision, which is in seconds. 

docs/content/migration/v2-to-v3.md

@@ -1,77 +0,0 @@
----
-title: "Traefik V3 Migration Documentation"
-description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
----
-
-# Migration Guide: From v2 to v3
-
-How to Migrate from Traefik v2 to Traefik v3.
-{: .subtitle }
-
-With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.
-
-Here are the steps to progressively migrate from Traefik v2 to v3:
-
-1. [Prepare configurations and test v3](#step-1-prepare-configurations-and-test-v3)
-1. [Migrate production instances to Traefik v3](#step-2-migrate-production-instances-to-traefik-v3)
-1. [Progressively migrate dynamic configuration](#step-3-progressively-migrate-dynamic-configuration)
-
-## Step 1: Prepare Configurations and Test v3
-
-Check the changes in [static configurations](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3.
-Modify your configurations accordingly.
-
-Then, add the following snippet to the static configuration:
-
-```yaml
-# static configuration
-core:
-  defaultRuleSyntax: v2
-```
-
-This snippet in the static configuration makes the [v2 format](../migration/v2-to-v3-details.md#configure-the-default-syntax-in-static-configuration "Link to configure default syntax in static config") the default rule matchers syntax.
-
-Start Traefik v3 with this new configuration to test it.
-
-If you don’t get any error logs while testing, you are good to go!
-Otherwise, follow the remaining migration options highlighted in the logs.
-
-Once your Traefik test instances are starting and routing to your applications, proceed to the next step.
-
-## Step 2: Migrate Production Instances to Traefik v3
-
-We strongly advise you to follow a progressive migration strategy ([Kubernetes rolling update mechanism](https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-intro/ "Link to the Kubernetes rolling update documentation"), for example) to migrate your production instances to v3.
-
-!!! Warning
-    Ensure you have a [real-time monitoring solution](https://traefik.io/blog/capture-traefik-metrics-for-apps-on-kubernetes-with-prometheus/ "Link to the blog on capturing Traefik metrics with Prometheus") for your ingress traffic to detect issues instantly.
-
-During the progressive migration, monitor your ingress traffic for any errors. Be prepared to rollback to a working state in case of any issues.
-
-If you encounter any issues, leverage debug and access logs provided by Traefik to understand what went wrong and how to fix it.
-
-Once every Traefik instance is updated, you will be on Traefik v3!
-
-## Step 3: Progressively Migrate Dynamic Configuration
-
-!!! info
-    This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes").
-    Enable Traefik logs to get some help if any deprecated option is in use.
-
-Check the changes in [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes").
-
-Then, progressively [switch each router to the v3 syntax](./v2-to-v3-details.md#configure-the-syntax-per-router "Link to configuring the syntax per router").
-
-Test and update each Ingress resource and ensure that ingress traffic is not impacted.
-
-Once a v3 Ingress resource migration is validated, deploy the resource and delete the v2 Ingress resource.
-Repeat it until all Ingress resources are migrated.
-
-Now, remove the following snippet added to the static configuration in Step 1:
-
-```yaml
-# static configuration
-core:
-  defaultRuleSyntax: v2
-```
-
-You are now fully migrated to Traefik v3 🎉

docs/content/migration/v2.md

@@ -1,708 +0,0 @@
----
-title: "Traefik Migration Documentation"
-description: "Learn the steps needed to migrate to new Traefik Proxy v2 versions, i.e. v2.0 to v2.1 or v2.1 to v2.2. Read the technical documentation."
----
-
-# Migration: Steps needed between the versions
-
-## v2.0 to v2.1
-
-### Kubernetes CRD
-
-In v2.1, a new Kubernetes CRD called `TraefikService` was added.
-While updating an installation to v2.1,
-one should apply that CRD, and update the existing `ClusterRole` definition to allow Traefik to use that CRD.
-
-To add that CRD and enhance the permissions, the following definitions need to be applied to the cluster.
-
-```yaml tab="TraefikService"
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: traefikservices.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: TraefikService
-    plural: traefikservices
-    singular: traefikservice
-  scope: Namespaced
-```
-
-```yaml tab="ClusterRole"
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: traefik-ingress-controller
-
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - services
-      - endpoints
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - traefik.io
-      - traefik.containo.us
-    resources:
-      - middlewares
-      - middlewaretcps
-      - ingressroutes
-      - traefikservices
-      - ingressroutetcps
-      - ingressrouteudps
-      - tlsoptions
-      - tlsstores
-      - serverstransports
-      - serverstransporttcps
-    verbs:
-      - get
-      - list
-      - watch
-```
-
-After having both resources applied, Traefik will work properly.
-
-## v2.1 to v2.2
-
-### Headers middleware: accessControlAllowOrigin
-
-`accessControlAllowOrigin` is deprecated.
-This field will be removed in future 2.x releases.
-Please configure your allowed origins in `accessControlAllowOriginList` instead.
-
-### Kubernetes CRD
-
-In v2.2, new Kubernetes CRDs called `TLSStore` and `IngressRouteUDP` were added.
-While updating an installation to v2.2,
-one should apply that CRDs, and update the existing `ClusterRole` definition to allow Traefik to use that CRDs.
-
-To add that CRDs and enhance the permissions, the following definitions need to be applied to the cluster.
-
-```yaml tab="TLSStore"
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: tlsstores.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: TLSStore
-    plural: tlsstores
-    singular: tlsstore
-  scope: Namespaced
-
-```
-
-```yaml tab="IngressRouteUDP"
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: ingressrouteudps.traefik.containo.us
-
-spec:
-  group: traefik.containo.us
-  version: v1alpha1
-  names:
-    kind: IngressRouteUDP
-    plural: ingressrouteudps
-    singular: ingressrouteudp
-  scope: Namespaced
-
-```
-
-```yaml tab="ClusterRole"
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: traefik-ingress-controller
-
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - services
-      - endpoints
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - traefik.io
-      - traefik.containo.us
-    resources:
-      - middlewares
-      - middlewaretcps
-      - ingressroutes
-      - traefikservices
-      - ingressroutetcps
-      - ingressrouteudps
-      - tlsoptions
-      - tlsstores
-      - serverstransports
-      - serverstransporttcps
-    verbs:
-      - get
-      - list
-      - watch
-```
-
-After having both resources applied, Traefik will work properly.
-
-### Kubernetes Ingress
-
-To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in the Ingress.
-
-#### Expose an Ingress on 80 and 443
-
-Define the default TLS configuration on the HTTPS entry point.
-
-```yaml tab="Ingress"
-kind: Ingress
-apiVersion: networking.k8s.io/v1beta1
-metadata:
-  name: example
-
-spec:
-  tls:
-  - secretName: my-tls-secret
-
-  rules:
-  - host: example.com
-    http:
-      paths:
-      - path: "/foo"
-        backend:
-          serviceName: example-com
-          servicePort: 80
-```
-
-Entry points definition and enable Ingress provider:
-
-```yaml tab="File (YAML)"
-# Static configuration
-
-entryPoints:
-  web:
-    address: :80
-  websecure:
-    address: :443
-    http:
-      tls: {}
-
-providers:
-  kubernetesIngress: {}
-```
-
-```toml tab="File (TOML)"
-# Static configuration
-
-[entryPoints.web]
-  address = ":80"
-
-[entryPoints.websecure]
-  address = ":443"
-  [entryPoints.websecure.http]
-    [entryPoints.websecure.http.tls]
-
-[providers.kubernetesIngress]
-```
-
-```bash tab="CLI"
-# Static configuration
-
---entryPoints.web.address=:80
---entryPoints.websecure.address=:443
---entryPoints.websecure.http.tls=true
---providers.kubernetesIngress=true
-```
-
-#### Use TLS only on one Ingress
-
-Define the TLS restriction with annotations.
-
-```yaml tab="Ingress"
-kind: Ingress
-apiVersion: networking.k8s.io/v1beta1
-metadata:
-  name: example-tls
-  annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-
-spec:
-  tls:
-  - secretName: my-tls-secret
-
-  rules:
-  - host: example.com
-    http:
-      paths:
-      - path: ""
-        backend:
-          serviceName: example-com
-          servicePort: 80
-```
-
-Entry points definition and enable Ingress provider:
-
-```yaml tab="File (YAML)"
-# Static configuration
-
-entryPoints:
-  web:
-    address: :80
-  websecure:
-    address: :443
-
-providers:
-  kubernetesIngress: {}
-```
-
-```toml tab="File (TOML)"
-# Static configuration
-
-[entryPoints.web]
-  address = ":80"
-
-[entryPoints.websecure]
-  address = ":443"
-
-[providers.kubernetesIngress]
-```
-
-```bash tab="CLI"
-# Static configuration
-
---entryPoints.web.address=:80
---entryPoints.websecure.address=:443
---providers.kubernetesIngress=true
-```
-
-## v2.2.2 to v2.2.5
-
-### InsecureSNI removal
-
-In `v2.2.2` we introduced a new flag (`insecureSNI`) which was available as a global option to disable domain fronting.
-Since `v2.2.5` this global option has been removed, and you should not use it anymore.
-
-### HostSNI rule matcher removal
-
-In `v2.2.2` we introduced a new rule matcher (`HostSNI`) for HTTP routers which was allowing to match the Server Name Indication at the router level.
-Since `v2.2.5` this rule has been removed for HTTP routers, and you should not use it anymore.
-
-## v2.2 to v2.3
-
-### X.509 CommonName Deprecation
-
-The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present, is now disabled by default.
-
-It means that if one is using https with your backend servers, and a certificate with only a CommonName,
-Traefik will not try to match the server name indication with the CommonName anymore.
-
-It can be temporarily re-enabled by adding the value `x509ignoreCN=0` to the `GODEBUG` environment variable.
-
-More information: https://golang.org/doc/go1.15#commonname
-
-### File Provider
-
-The file parser has been changed, since v2.3 the unknown options/fields in a dynamic configuration file are treated as errors.
-
-### IngressClass
-
-In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced.
-In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated.
-
-## v2.3 to v2.4
-
-### ServersTransport
-
-In `v2.4.0`, the support of `ServersTransport` has been introduced.
-It is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) definitions.
-
-## v2.4.7 to v2.4.8
-
-### Non-ASCII Domain Names
-
-In `v2.4.8`, we introduced a new check on domain names used in HTTP router rule `Host` and `HostRegexp` expressions,
-and in TCP router rule `HostSNI` expression.
-This check ensures that provided domain names don't contain non-ASCII characters.
-If not, an error is raised, and the associated router will be shown as invalid in the dashboard.
-
-This new behavior is intended to show what was failing silently previously and to help troubleshooting configuration issues.
-It doesn't change the support for non-ASCII domain names in routers rules, which is not part of the Traefik feature set so far.
-
-In order to use non-ASCII domain names in a router's rule, one should use the Punycode form of the domain name.
-For more information, please read the [HTTP routers rule](../routing/routers/index.md#rule) part or [TCP router rules](../routing/routers/index.md#rule_1) part of the documentation.
-
-## v2.4.8 to v2.4.9
-
-### Tracing Span
-
-In `v2.4.9`, we changed span error to log only server errors (>= 500).
-
-## v2.4.9 to v2.4.10
-
-### K8S CrossNamespace
-
-In `v2.4.10`, the default value for `allowCrossNamespace` has been changed to `false`.
-
-### K8S ExternalName Service
-
-In `v2.4.10`, by default, it is no longer authorized to reference Kubernetes ExternalName services.
-To allow it, the `allowExternalNameServices` option should be set to `true`.
-
-## v2.4 to v2.5
-
-### Kubernetes CRD
-
-In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`.
-As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema.
-
-After deploying the new [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions), the resources will be validated only on creation or update.
-
-Please note that the unknown fields will not be pruned when migrating from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1` CRDs.
-For more details check out the official [documentation](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema).
-
-### Kubernetes Ingress
-
-Traefik v2.5 moves forward for the Ingress provider to support Kubernetes v1.22.
-
-Traefik now supports only v1.14+ Kubernetes clusters, which means the support of `extensions/v1beta1` API Version ingresses has been dropped.
-
-The `extensions/v1beta1` API Version should now be replaced either by `networking.k8s.io/v1beta1` or by `networking.k8s.io/v1` (as of Kubernetes v1.19+).
-
-The support of the `networking.k8s.io/v1beta1` API Version will stop in Kubernetes v1.22.
-
-### Headers middleware: ssl redirect options
-
-`sslRedirect`, `sslTemporaryRedirect`, `sslHost` and `sslForceHost` are deprecated in Traefik v2.5.
-
-For simple HTTP to HTTPS redirection, you may use [EntryPoints redirections](../routing/entrypoints.md#redirection).
-
-For more advanced use cases, you can use either the [RedirectScheme middleware](../middlewares/http/redirectscheme.md) or the [RedirectRegex middleware](../middlewares/http/redirectregex.md).
-
-### Headers middleware: accessControlAllowOrigin
-
-`accessControlAllowOrigin` is no longer supported in Traefik v2.5.
-
-### X.509 CommonName Deprecation Bis
-
-Following up on the deprecation started [previously](#x509-commonname-deprecation),
-as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
-the legacy behavior related to the CommonName field cannot be enabled at all anymore.
-
-## v2.5.3 to v2.5.4
-
-### Errors middleware
-
-In `v2.5.4`, when the errors service is configured with the [`PassHostHeader`](../routing/services/index.md#pass-host-header) option to `true` (default),
-the forwarded Host header value is now set to the client request Host value and not `0.0.0.0`.
-Check out the [Errors middleware](../middlewares/http/errorpages.md#service) documentation for more details.
-
-## v2.5 to v2.6
-
-### HTTP/3
-
-Traefik v2.6 introduces the `AdvertisedPort` option,
-which allows advertising, in the `Alt-Svc` header, a UDP port different from the one on which Traefik is actually listening (the EntryPoint's port).
-By doing so, it introduces a new configuration structure `http3`, which replaces the `enableHTTP3` option (which therefore doesn't exist anymore).
-To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](../routing/entrypoints.md#http3) documentation.
-
-### Kubernetes Gateway API Provider
-
-In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/) of the specification and 
-[route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
-Therefore, the RBAC and CRD definitions must be updated.
-
-## v2.6.0 to v2.6.1
-
-### Metrics
-
-In `v2.6.1`, the metrics system does not support any more custom HTTP method verbs to prevent potential metrics cardinality overhead.
-In consequence, for metrics having the method label,
-if the HTTP method verb of a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
-or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
-the value for the method label becomes `EXTENSION_METHOD`, instead of the request's one.
-
-### Tracing
-
-In `v2.6.1`, the Datadog tags added to a span changed from `service.name` to `traefik.service.name` and from `router.name` to `traefik.router.name`.
-
-## v2.8
-
-### TLS client authentication
-
-In `v2.8`, the `caOptional` option is deprecated as TLS client authentication is a server side option.
-This option available in the ForwardAuth middleware, as well as in the HTTP, Consul, Etcd, Redis, ZooKeeper, Marathon, Consul Catalog, and Docker providers has no effect and must not be used anymore.
-
-### Consul Enterprise Namespaces
-
-In `v2.8`, the `namespace` option of Consul and Consul Catalog providers is deprecated, please use the `namespaces` options instead.
-
-### Traefik Pilot
-
-In `v2.8`, the `pilot.token` and `pilot.dashboard` options are deprecated.
-Please check our Blog for migration instructions later this year.
-
-## v2.8.2
-
-Since `v2.5.0`, the `PreferServerCipherSuites` is [deprecated and ignored](https://tip.golang.org/doc/go1.17#crypto/tls) by Go,
-in `v2.8.2` the `preferServerCipherSuites` option is also deprecated and ignored in Traefik.
-
-In `v2.8.2`, Traefik now reject certificates signed with the SHA-1 hash function. ([details](https://tip.golang.org/doc/go1.18#sha1))
-
-## v2.9
-
-### Traefik Pilot
-
-In `v2.9`, Traefik Pilot support has been removed.
-
-## v2.10
-
-### Nomad Namespace
-
-In `v2.10`, the `namespace` option of the Nomad provider is deprecated, please use the `namespaces` options instead.
-
-### Kubernetes CRDs
-
-In `v2.10`, the Kubernetes CRDs API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
-
-As the Kubernetes CRD provider still works with both API Versions (`traefik.io/v1alpha1` and `traefik.containo.us/v1alpha1`),
-it means that for the same kind, namespace and name, the provider will only keep the `traefik.io/v1alpha1` resource.
-
-In addition, the Kubernetes CRDs API Version `traefik.containo.us/v1alpha1` will not be supported in Traefik v3 itself.
-
-Please note that it is a requirement to update the CRDs and the RBAC in the cluster before upgrading Traefik.
-To do so, please apply the required [CRDs](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml) and [RBAC](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml) manifests for v2.10:
-
-```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-### Traefik Hub
-
-In `v2.10`, Traefik Hub configuration has been removed because Traefik Hub v2 doesn't require this configuration.
-
-## v2.11
-
-### IPWhiteList (HTTP)
-
-In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowList](../middlewares/http/ipallowlist.md) middleware instead.
-
-### IPWhiteList (TCP)
-
-In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowList](../middlewares/tcp/ipallowlist.md) middleware instead.
-
-### TLS CipherSuites
-
-> By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes.
-> This change can be reverted with the `tlsrsakex=1 GODEBUG` setting.
-> (https://go.dev/doc/go1.22#crypto/tls)
-
-The _RSA key exchange_ cipher suites are way less secure than the modern ECDHE cipher suites and exposes to potential vulnerabilities like [the Marvin Attack](https://people.redhat.com/~hkario/marvin).
-Decision has been made to support ECDHE cipher suites only by default.
-
-The following ciphers have been removed from the default list:
-
-- `TLS_RSA_WITH_AES_128_CBC_SHA`
-- `TLS_RSA_WITH_AES_256_CBC_SHA`
-- `TLS_RSA_WITH_AES_128_GCM_SHA256`
-- `TLS_RSA_WITH_AES_256_GCM_SHA384`
-
-To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.
-
-### Minimum TLS Version
-
-> By default, the minimum version offered by `crypto/tls` servers is now TLS 1.2 if not specified with config.MinimumVersion,
-> matching the behavior of crypto/tls clients.
-> This change can be reverted with the `tls10server=1 GODEBUG` setting.
-> (https://go.dev/doc/go1.22#crypto/tls)
-
-To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.
-
-## v2.11.1
-
-### Maximum Router Priority Value
-
-Before v2.11.1, the maximum user-defined router priority value is:
-
-- `MaxInt32` for 32-bit platforms,
-- `MaxInt64` for 64-bit platforms.
-
-Please check out the [go documentation](https://pkg.go.dev/math#pkg-constants) for more information.
-
-In v2.11.1, Traefik reserves a range of priorities for its internal routers and now, 
-the maximum user-defined router priority value is:
-
-- `(MaxInt32 - 1000)` for 32-bit platforms,
-- `(MaxInt64 - 1000)` for 64-bit platforms.
-
-### EntryPoint.Transport.RespondingTimeouts.<Timeout>
-
-Starting with `v2.11.1` the following timeout options are deprecated:
-
-- `<entryPoint>.transport.respondingTimeouts.readTimeout`
-- `<entryPoint>.transport.respondingTimeouts.writeTimeout`
-- `<entryPoint>.transport.respondingTimeouts.idleTimeout`
-
-They have been replaced by:
-
-- `<entryPoint>.transport.respondingTimeouts.http.readTimeout`
-- `<entryPoint>.transport.respondingTimeouts.http.writeTimeout`
-- `<entryPoint>.transport.respondingTimeouts.http.idleTimeout`
-
-### EntryPoint.Transport.RespondingTimeouts.TCP.LingeringTimeout
-
-Starting with `v2.11.1` a new `lingeringTimeout` entryPoints option has been introduced, with a default value of 2s.
-
-The lingering timeout defines the maximum duration between each TCP read operation on the connection.
-As a layer 4 timeout, it applies during HTTP handling but respects the configured HTTP server `readTimeout`.
-
-This change avoids Traefik instances with the default configuration hanging while waiting for bytes to be read on the connection.
-
-We suggest to adapt this value accordingly to your situation.
-The new default value is purposely narrowed and can close the connection too early.
-
-Increasing the `lingeringTimeout` value could be the solution notably if you are dealing with the following errors:
-
-- TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
-- HTTP: `'499 Client Closed Request' caused by: context canceled`
-- HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
-
-## v2.11.2
-
-### LingeringTimeout
-
-Starting with `v2.11.2` the `<entrypoint>.transport.respondingTimeouts.tcp.lingeringTimeout` introduced in `v2.11.1` has been removed.
-
-### RespondingTimeouts.TCP and RespondingTimeouts.HTTP
-
-Starting with `v2.11.2` the `respondingTimeouts.tcp` and `respondingTimeouts.http` sections introduced in `v2.11.1` have been removed.
-To configure the responding timeouts, please use the [`respondingTimeouts`](../routing/entrypoints.md#respondingtimeouts) section.  
-
-### EntryPoint.Transport.RespondingTimeouts.ReadTimeout
-
-Starting with `v2.11.2` the entryPoints [`readTimeout`](../routing/entrypoints.md#respondingtimeouts) option default value changed to 60 seconds.
-
-For HTTP, this option defines the maximum duration for reading the entire request, including the body.
-For TCP, this option defines the maximum duration for the first bytes to be read on the connection.
-
-The default value was previously set to zero, which means no timeout.
-
-This change has been done to avoid Traefik instances with the default configuration to be hanging forever while waiting for bytes to be read on the connection.
-
-Increasing the `readTimeout` value could be the solution notably if you are dealing with the following errors:
-
-- TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
-- HTTP: `'499 Client Closed Request' caused by: context canceled`
-- HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
-
-## v2.11.3
-
-### Connection headers
-
-In `v2.11.3`, the handling of the request Connection headers directives has changed to prevent any abuse.
-Before, Traefik removed any header listed in the Connection header just before forwarding the request to the backends.
-Now, Traefik removes the headers listed in the Connection header as soon as the request is handled.
-As a consequence, middlewares do not have access to those Connection headers,
-and a new option has been introduced to specify which ones could go through the middleware chain before being removed: `<entrypoint>.forwardedHeaders.connection`.
-
-Please check out the [entrypoint forwarded headers connection option configuration](../routing/entrypoints.md#forwarded-headers) documentation.
-
-## v2.11.14
-
-### X-Forwarded-Prefix
-
-In `v2.11.14`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
-Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
-
-## v2.11.24
-
-### Request Path Sanitization
-
-Since `v2.11.24`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
-Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
-
-If you want to disable this behavior, you can set the [`sanitizePath` option](../routing/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
-This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
-For example, as base64 uses the “/” character internally,
-if it's not url encoded,
-it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
-
-!!! warning "Security"
-
-    Setting the `sanitizePath` option to `false` is not safe.
-    Ensure every request is properly url encoded instead.
-
-## v2.11.25
-
-### Request Path Normalization
-
-Since `v2.11.25`, the request path is now normalized by decoding unreserved characters in the request path,
-and also uppercasing the percent-encoded characters.
-This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2),
-and [RFC 3986 case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1).
-
-The normalization happens before the request path is sanitized,
-and cannot be disabled.
-This notably helps with encoded dots characters (which are unreserved characters) to be sanitized properly.
-
-### Routing Path
-
-Since `v2.11.25`, the reserved characters [(as per RFC 3986)](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) are kept encoded in the request path when matching the router rules.
-Those characters, when decoded, change the meaning of the request path for routing purposes,
-and Traefik now keeps them encoded to avoid any ambiguity.
-
-### Request Path Matching Examples
-
-| Request Path      | Router Rule            | Traefik v2.11.24 | Traefik v2.11.25 |
-|-------------------|------------------------|------------------|------------------|
-| `/foo%2Fbar`      | PathPrefix(`/foo/bar`) | Match            | No match         |
-| `/foo/../bar`     | PathPrefix(`/foo`)     | No match         | No match         |
-| `/foo/../bar`     | PathPrefix(`/bar`)     | Match            | Match            |
-| `/foo/%2E%2E/bar` | PathPrefix(`/foo`)     | Match            | No match         |
-| `/foo/%2E%2E/bar` | PathPrefix(`/bar`)     | No match         | Match            |

docs/content/migration/v3.md

@@ -1,321 +0,0 @@
----
-title: "Traefik Migration Documentation"
-description: "Learn the steps needed to migrate to new Traefik Proxy v3 versions. Read the technical documentation."
----
-
-# Migration: Steps needed between the versions
-
-## v3.0 to v3.1
-
-### Kubernetes Provider RBACs
-
-Starting with v3.1, the Kubernetes Providers now use the [EndpointSlices API](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) (Kubernetes >=v1.21) to discover service endpoint addresses.
-It also brings NodePort load-balancing which requires Nodes resources lookup.
-
-Therefore, in the corresponding RBACs (see [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example), [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac), and [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs):
-
-- the `endpoints` right has to be removed and the following `endpointslices` right has to be added:
-
-```yaml
-  ... 
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - list
-      - watch
-  ...
-```
-
-- the `nodes` right has to be added:
-
-```yaml
-  ...
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-      - list
-      - watch
-  ...
-```
-
-#### Gateway API: KubernetesGateway Provider
-
-In v3.1, the KubernetesGateway Provider is no longer an experimental feature.
-It can be enabled without the associated `experimental.kubernetesgateway` option, which is now deprecated.
-
-??? example "An example of the experimental `kubernetesgateway` option"
-
-    ```yaml tab="File (YAML)"
-    experimental:
-      kubernetesgateway: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [experimental]
-        kubernetesgateway=true
-    ```
-
-    ```bash tab="CLI"
-    --experimental.kubernetesgateway=true
-    ```
-
-##### Remediation
-
-The `kubernetesgateway` option should be removed from the experimental section of the static configuration.
-To configure `kubernetesgateway`, please check out the [KubernetesGateway Provider documentation](../providers/kubernetes-gateway.md).
-
-## v3.1.0 to v3.1.1
-
-### IngressClass Lookup
-
-The Kubernetes Ingress provider option `disableIngressClassLookup` has been deprecated in v3.1.1, and will be removed in the next major version.
-Please use the `disableClusterScopeResources` option instead to avoid cluster scope resources discovery (IngressClass, Nodes).
-
-## v3.1 to v3.2
-
-### Kubernetes CRD Provider
-
-Starting with v3.2, the CRDs has been updated on [TraefikService](../../routing/services#mirroring-service) (PR [#11032](https://github.com/traefik/traefik/pull/11032)), on [RateLimit](../../middlewares/http/ratelimit) & [InFlightReq](../../middlewares/http/inflightreq) middlewares (PR [#9747](https://github.com/traefik/traefik/pull/9747)) and on [Compress](../../middlewares/http/compress) middleware (PR [#10943](https://github.com/traefik/traefik/pull/10943)).
-
-This update adds only new optional fields.
-CRDs can be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-### Kubernetes Gateway Provider Standard Channel
-
-Starting with v3.2, the Kubernetes Gateway Provider now supports [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/).
-
-Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
-the `grcroutes` and `grpcroutes/status` rights have to be added.
-
-```yaml
-  ...
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - grpcroutes
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - grpcroutes/status
-    verbs:
-      - update
-  ...
-```
-
-### Kubernetes Gateway Provider Experimental Channel
-
-!!! warning "Breaking changes"
-
-    Because of a breaking change introduced in Kubernetes Gateway [v1.2.0-rc1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0-rc1),
-    Traefik v3.3 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
-
-Starting with v3.2, the Kubernetes Gateway Provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/).
-
-Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
-the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added.
-
-```yaml
-  ...
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - backendtlspolicies
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - backendtlspolicies/status
-    verbs:
-      - update
-  ...
-```
-
-## v3.2.1
-
-### X-Forwarded-Prefix
-
-In `v3.2.1`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
-Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
-
-## v3.2.2
-
-### Swarm Provider
-
-In `v3.2.2`, the `traefik.docker.network` and `traefik.docker.lbswarm` labels have been deprecated,
-please use the `traefik.swarm.network` and `traefik.swarm.lbswarm` labels instead.
-
-## v3.2 to v3.3
-
-### ACME DNS Certificate Resolver
-
-In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated, 
-please use respectively `acme.dnsChallenge.propagation.delayBeforeChecks` and `acme.dnsChallenge.propagation.disableChecks` options instead.
-
-### Tracing Global Attributes
-
-In `v3.3`, the `tracing.globalAttributes` option has been deprecated, please use the `tracing.resourceAttributes` option instead.
-The `tracing.globalAttributes` option is misleading as its name does not reflect the operation of adding resource attributes to be sent to the collector,
-and will be removed in the next major version.
-
-## v3.3.4
-
-### OpenTelemetry Request Duration metric
-
-In `v3.3.4`, the OpenTelemetry Request Duration metric (named `traefik_(entrypoint|router|service)_request_duration_seconds`) unit has been changed from milliseconds to seconds.
-To be consistent with the naming and other metrics providers, the metric now reports the duration in seconds.
-
-## v3.3.5
-
-### Compress Middleware
-
-In `v3.3.5`, the compress middleware `encodings` option default value is now `gzip, br, zstd`. 
-This change helps the algorithm selection to favor the `gzip` algorithm over the other algorithms.
-
-It impacts requests that do not specify their preferred algorithm,
-or has no order preference, in the `Accept-Encoding` header.
-
-## v3.3.6
-
-### Request Path Sanitization
-
-Since `v3.3.6`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
-Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
-
-If you want to disable this behavior, you can set the [`sanitizePath` option](../reference/install-configuration/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
-This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
-For example, as base64 uses the “/” character internally,
-if it's not url encoded,
-it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
-
-!!! warning "Security"
-
-    Setting the `sanitizePath` option to `false` is not safe.
-    Ensure every request is properly url encoded instead.
-
-## v3.3 to v3.4
-
-### Kubernetes CRD Provider
-
-#### Load-Balancing
-
-In `v3.4`, the HTTP service definition has been updated.
-The strategy field now supports two new values: `wrr` and `p2c` (please refer to the [HTTP Services Load Balancing documentation](../../routing/services/#load-balancing-strategy) for more details).
-
-CRDs can be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-Please note that the `RoundRobin` strategy value is now deprecated, but still supported and equivalent to `wrr`, and will be removed in the next major release.
-
-#### ServersTransport CA Certificate
-
-In `v3.4`, a new `rootCAs` option has been added to the `ServersTransport` and `ServersTransportTCP` CRDs.
-It allows the configuration of CA certificates from both `ConfigMaps` and `Secrets`,
-and replaces the `rootCAsSecrets` option, as shown below:
-
-CRDs can be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-RBACs need to be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
-```
-
-```yaml
----
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: foo
-  namespace: bar
-spec:
-  rootCAs:
-    - configMap: ca-config-map
-    - secret: ca-secret
-      
----      
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransportTCP
-metadata:
-  name: foo
-  namespace: bar
-spec:
-  rootCAs:
-    - configMap: ca-config-map
-    - secret: ca-secret
-```
-
-The `rootCAsSecrets` option, which allows only `Secrets` references,
-is still supported, but is now deprecated,
-and will be removed in the next major release.
-
-### Rule Syntax
-
-In `v3.4.0`, the `core.defaultRuleSyntax` static configuration option and the `ruleSyntax` router option have been deprecated,
-and will be removed in the next major version.
-
-This `core.defaultRuleSyntax` option was used to switch between the v2 and v3 syntax for the router's rules,
-and to help with the migration from v2 to v3.
-
-The `ruleSyntax` router's option was used to override the default rule syntax for a specific router.
-
-In preparation for the next major release, please remove any use of these two options and use the v3 syntax for writing the router's rules.
-
-## v3.4.1
-
-### Request Path Normalization
-
-Since `v3.4.1`, the request path is now normalized by decoding unreserved characters in the request path,
-and also uppercasing the percent-encoded characters.
-This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2),
-and [RFC 3986 case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1).
-
-The normalization happens before the request path is sanitized,
-and cannot be disabled.
-This notably helps with encoded dots characters (which are unreserved characters) to be sanitized properly.
-
-### Routing Path
-
-Since `v3.4.1`, the reserved characters [(as per RFC 3986)](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) are kept encoded in the request path when matching the router rules.
-Those characters, when decoded, change the meaning of the request path for routing purposes,
-and Traefik now keeps them encoded to avoid any ambiguity.
-
-### Request Path Matching Examples
-
-| Request Path      | Router Rule            | Traefik v3.4.0 | Traefik v3.4.1 |
-|-------------------|------------------------|----------------|----------------|
-| `/foo%2Fbar`      | PathPrefix(`/foo/bar`) | Match          | No match       |
-| `/foo/../bar`     | PathPrefix(`/foo`)     | No match       | No match       |
-| `/foo/../bar`     | PathPrefix(`/bar`)     | Match          | Match          |
-| `/foo/%2E%2E/bar` | PathPrefix(`/foo`)     | Match          | No match       |
-| `/foo/%2E%2E/bar` | PathPrefix(`/bar`)     | No match       | Match          |

docs/content/observability/access-logs.md

@@ -69,27 +69,43 @@ accessLog:
 
 _Optional, Default="common"_
 
-By default, logs are written using the Common Log Format (CLF).
-To write logs in JSON, use `json` in the `format` option.
-If the given format is unsupported, the default (CLF) is used instead.
+By default, logs are written using the Traefik Common Log Format (CLF).
+The available log formats are:
 
-!!! info "Common Log Format"
+- `common` - Traefik's extended CLF format (default)
+- `genericCLF` - Generic CLF format compatible with standard log analyzers
+- `json` - JSON format for structured logging
 
+If the given format is unsupported, the default (`common`) is used instead.
+
+!!! info "Traefik Common Log Format vs Generic CLF"
+
+    **Traefik Common Log Format (`common`):**
     ```html
     <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
     ```
+    
+    **Generic CLF Format (`genericCLF`):**
+    ```html
+    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>"
+    ```
+    
+    The `genericCLF` format omits Traefik-specific fields (request count, router name, service URL, and duration) for better compatibility with standard CLF parsers.
 
 ```yaml tab="File (YAML)"
+# JSON format
 accessLog:
   format: "json"
 ```
 
 ```toml tab="File (TOML)"
+# JSON format
 [accessLog]
   format = "json"
 ```
 
 ```bash tab="CLI"
+# JSON format
 --accesslog.format=json
 ```
 
@@ -290,7 +306,7 @@ Example utilizing Docker Compose:
 ```yaml
 services:
   traefik:
-    image: traefik:v3.4
+    image: traefik:v3.5
     environment:
       - TZ=US/Alaska
     command:
@@ -340,6 +356,54 @@ accesslog:
 
     The OpenTelemetry Logger exporter will export access logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
 
+### `serviceName`
+
+_Optional, Default="traefik"_
+
+Defines the service name resource attribute.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    serviceName: name
+```
+
+```toml tab="File (TOML)"
+[accesslog]
+  [accesslog.otlp]
+    serviceName = "name"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.serviceName=name
+```
+
+### `resourceAttributes`
+
+_Optional, Default=empty_
+
+Defines additional resource attributes to be sent to the collector.
+
+```yaml tab="File (YAML)"
+accesslog:
+  otlp:
+    resourceAttributes:
+      attr1: foo
+      attr2: bar
+```
+
+```toml tab="File (TOML)"
+[accesslog]
+  [accesslog.otlp.resourceAttributes]
+    attr1 = "foo"
+    attr2 = "bar"
+```
+
+```bash tab="CLI"
+--accesslog.otlp.resourceAttributes.attr1=foo
+--accesslog.otlp.resourceAttributes.attr2=bar
+```
+
 ### HTTP configuration
 
 _Optional_

docs/content/observability/logs.md

@@ -20,6 +20,7 @@ Traefik logs concern everything that happens to Traefik itself (startup, configu
 
 By default, the logs are written to the standard output.
 You can configure a file path instead using the `filePath` option.
+When `filePath` is specified, Traefik will write logs only to that file (not to standard output).
 
 ```yaml tab="File (YAML)"
 # Writing Logs to a File
@@ -219,6 +220,54 @@ log:
 
     The OpenTelemetry Logger exporter will export logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
 
+### `serviceName`
+
+_Optional, Default="traefik"_
+
+Defines the service name resource attribute.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    serviceName: name
+```
+
+```toml tab="File (TOML)"
+[log]
+  [log.otlp]
+    serviceName = "name"
+```
+
+```bash tab="CLI"
+--log.otlp.serviceName=name
+```
+
+### `resourceAttributes`
+
+_Optional, Default=empty_
+
+Defines additional resource attributes to be sent to the collector.
+
+```yaml tab="File (YAML)"
+log:
+  otlp:
+    resourceAttributes:
+      attr1: foo
+      attr2: bar
+```
+
+```toml tab="File (TOML)"
+[log]
+  [log.otlp.resourceAttributes]
+    attr1 = "foo"
+    attr2 = "bar"
+```
+
+```bash tab="CLI"
+--log.otlp.resourceAttributes.attr1=foo
+--log.otlp.resourceAttributes.attr2=bar
+```
+
 ### HTTP configuration
 
 _Optional_

docs/content/observability/metrics/opentelemetry.md

@@ -143,7 +143,7 @@ metrics:
 
 _Optional, Default="traefik"_
 
-OTEL service name to use.
+Defines the service name resource attribute.
 
 ```yaml tab="File (YAML)"
 metrics:
@@ -160,6 +160,31 @@ metrics:
 ```bash tab="CLI"
 --metrics.otlp.serviceName=name
 ```
+#### `resourceAttributes`
+
+_Optional, Default=empty_
+
+Defines additional resource attributes to be sent to the collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  otlp:
+    resourceAttributes:
+      attr1: foo
+      attr2: bar
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.otlp.resourceAttributes]
+    attr1 = "foo"
+    attr2 = "bar"
+```
+
+```bash tab="CLI"
+--metrics.otlp.resourceAttributes.attr1=foo
+--metrics.otlp.resourceAttributes.attr2=bar
+```
 
 ### HTTP configuration
 

docs/content/observability/tracing/opentelemetry.md

@@ -5,7 +5,7 @@ description: "Traefik supports several tracing backends, including OpenTelemetry
 
 # OpenTelemetry
 
-Traefik Proxy follows [official OpenTelemetry semantic conventions v1.26.0](https://github.com/open-telemetry/semantic-conventions/blob/v1.26.0/docs/http/http-spans.md).
+Traefik Proxy follows [official OpenTelemetry semantic conventions v1.37.0](https://github.com/open-telemetry/semantic-conventions/blob/v1.37.0/docs/http/http-spans.md).
 
 To enable the OpenTelemetry tracer:
 

docs/content/observe/logs-and-access-logs.md

@@ -155,8 +155,9 @@ When the `observability` options are not defined on a router, it inherits the be
 
 Traefik Proxy supports the following log formats:
 
-- Common Log Format (CLF)
-- JSON
+- `common` - Traefik's extended CLF format (default)
+- `genericCLF` - Generic CLF format compatible with standard log analyzers
+- `json` - JSON format for structured logging
 
 ## Access Log Filters
 
@@ -172,7 +173,7 @@ The available filters are:
 
 When using the `json` format, you can customize which fields are included in your access logs.
 
-- **Request Fields:** You can choose to `keep`, `drop`, or `redact` any of the standard request fields. A complete list of available fields like `ClientHost`, `RequestMethod`, and `Duration` can be found in the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md#available-fields).
+- **Request Fields:** You can choose to `keep`, `drop`, or `redact` any of the standard request fields. A complete list of available fields like `ClientHost`, `RequestMethod`, and `Duration` can be found in the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md#json-format-fields).
 - **Request Headers:** You can also specify which request headers should be included in the logs, and whether their values should be `kept`, `dropped`, or `redacted`.
 
 !!! info

docs/content/operations/api.md

@@ -46,7 +46,7 @@ And then define a routing configuration on Traefik itself with the
 
 --8<-- "content/operations/include-api-examples.md"
 
-??? warning "The router's [rule](../../routing/routers#rule) must catch requests for the URI path `/api`"
+??? warning "The router's [rule](../routing/routers/index.md#rule) must catch requests for the URI path `/api`"
     Using an "Host" rule is recommended, by catching all the incoming traffic on this host domain to the API.
     However, you can also use "path prefix" rule or any combination or rules.
 
@@ -109,7 +109,7 @@ api:
 --api.dashboard=true
 ```
 
-!!! warning "With Dashboard enabled, the router [rule](../../routing/routers#rule) must catch requests for both `/api` and `/dashboard`"
+!!! warning "With Dashboard enabled, the router [rule](../routing/routers/index.md#rule) must catch requests for both `/api` and `/dashboard`"
     Please check the [Dashboard documentation](./dashboard.md#dashboard-router-rule) to learn more about this and to get examples.
 
 ### `debug`

docs/content/operations/cli.md

@@ -31,7 +31,7 @@ traefik [--flag=flag_argument] [-f [flag_argument]]
 traefik [--flag[=true|false| ]] [-f [true|false| ]]
 ```
 
-All flags are documented in the [(static configuration) CLI reference](../reference/static-configuration/cli.md).
+All flags are documented in the [(static configuration) CLI reference](../reference/install-configuration/configuration-options.md).
 
 !!! info "Flags are case-insensitive."
 

docs/content/operations/dashboard.md

@@ -11,7 +11,7 @@ See What's Going On
 The dashboard is the central place that shows you the current active routes handled by Traefik.
 
 <figure>
-    <img src="../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
+    <img src="../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
     <figcaption>The dashboard in action</figcaption>
 </figure>
 

docs/content/providers/consul-catalog.md

@@ -477,7 +477,7 @@ _Optional, Default=true_
 Expose Consul Catalog services by default in Traefik.
 If set to `false`, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
 
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -672,7 +672,7 @@ providers:
 # ...
 ```
 
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 
 ### `namespaces`
 

docs/content/providers/docker.md

@@ -163,7 +163,7 @@ See the [Docker API Access](#docker-api-access) section for more information.
     ```yaml
     services:
       traefik:
-         image: traefik:v3.4 # The official v3 Traefik docker image
+         image: traefik:v3.5 # The official v3 Traefik docker image
          ports:
            - "80:80"
          volumes:
@@ -380,7 +380,7 @@ _Optional, Default=true_
 Expose containers by default through Traefik.
 If set to `false`, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
 
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 
 ```yaml tab="File (YAML)"
 providers:
@@ -554,7 +554,7 @@ as well as the usual boolean logic, as shown in examples below.
     constraints = "LabelRegex(`a.label.name`, `a.+`)"
     ```
 
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/ecs.md

@@ -214,7 +214,7 @@ as well as the usual boolean logic, as shown in examples below.
     constraints = "LabelRegex(`a.label.name`, `a.+`)"
     ```
 
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/file.md

@@ -103,7 +103,7 @@ It supports providing configuration through a [single configuration file](#filen
 
 ## Provider Configuration
 
-For an overview of all the options that can be set with the file provider, see the [dynamic configuration](../reference/dynamic-configuration/file.md) and [static configuration](../reference/static-configuration/overview.md) references.
+For an overview of all the options that can be set with the file provider, see the [routing configuration](../reference/routing-configuration/other-providers/file.md) and [install configuration](../reference/install-configuration/configuration-options.md) references.
 
 !!! warning "Limitations"