Prepare release v3.6.7

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.
 
 Documentation:
 - for Traefik v2: use branch v2.11 (fixes only)
-- for Traefik v3: use branch v3.5
+- for Traefik v3: use branch v3.6
 
 Bug:
 - for Traefik v2: use branch v2.11 (security fixes only)
-- for Traefik v3: use branch v3.5
+- for Traefik v3: use branch v3.6
 
 Enhancements:
 - use branch master

.github/workflows/check_doc.yaml

@@ -0,0 +1,63 @@
+name: Check Documentation
+
+on:
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - '.github/workflows/check_doc.yaml'
+      - 'docs/**'
+
+jobs:
+
+  docs:
+    name: lint, build and verify
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Install markdownlint
+        run: |
+          npm install --global markdownlint@0.29.0 markdownlint-cli@0.35.0
+
+      - name: Lint
+        run: ./docs/scripts/lint.sh docs
+
+      - name: Setup python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+          cache-dependency-path: "./docs/requirements.txt"
+
+      - name: Build documentation
+        working-directory: ./docs
+        run: |
+          pip install -r requirements.txt
+          mkdocs build --strict
+
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+
+      - name: Install html-proofer
+        run: |
+          gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
+          gem install html-proofer --version 5.0.10 --no-document -- --use-system-libraries
+        env:
+          NOKOGIRI_USE_SYSTEM_LIBRARIES: "true"
+
+      # Comes from https://github.com/gjtorikian/html-proofer?tab=readme-ov-file#caching-with-continuous-integration
+      - name: Cache HTMLProofer
+        uses: actions/cache@v4
+        with:
+          path: tmp/.htmlproofer
+          key: ${{ runner.os }}-htmlproofer
+
+      - name: Verify
+        run: ./docs/scripts/verify.sh docs/site

.github/workflows/check_doc.yml

@@ -1,25 +0,0 @@
-name: Check Documentation
-
-on:
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-
-  docs:
-    name: Check, verify and build documentation
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-
-      - name: Check documentation
-        run: make docs-pull-images docs
-        env:
-          # These variables are not passed to workflows that are triggered by a pull request from a fork.
-          DOCS_VERIFY_SKIP: ${{ vars.DOCS_VERIFY_SKIP }}
-          DOCS_LINT_SKIP: ${{ vars.DOCS_LINT_SKIP }}

.github/workflows/release.yaml

@@ -10,7 +10,7 @@ env:
   CGO_ENABLED: 0
   VERSION: ${{ github.ref_name }}
   TRAEFIKER_EMAIL: "traefiker@traefik.io"
-  CODENAME: chabichou
+  CODENAME: ramequin
 
 jobs:
 
@@ -24,7 +24,7 @@ jobs:
 
     strategy:
       matrix:
-        os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin, windows-amd64, windows-arm64, windows-386, freebsd, openbsd ]
+        os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin-amd64, darwin-arm64, windows-amd64, windows-arm64, windows-386, freebsd-amd64, freebsd-386, openbsd-amd64, openbsd-386, openbsd-riscv64 ]
     needs:
       - build-webui
 
@@ -130,7 +130,7 @@ jobs:
             --exclude dist .
           
           chown -R "$(id -u)":"$(id -g)" dist/
-          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION} --latest=true
+          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION} --latest=false
           
           ./script/deploy.sh
 

.github/workflows/template-webui.yaml

@@ -1,6 +1,8 @@
 name: Build Web UI
 on:
   workflow_call: {}
+env:
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360  # 15 days
 jobs:
 
   build-webui:
@@ -22,6 +24,12 @@ jobs:
           cache: yarn
           cache-dependency-path: webui/yarn.lock
 
+      - name: Setup safe-chain
+        working-directory: ./webui
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
       - name: Build webui
         working-directory: ./webui
         run: |

.github/workflows/test-gateway-api-conformance.yaml

@@ -5,18 +5,19 @@ on:
     branches:
       - '*'
     paths:
-      - '.github/workflows/test-conformance.yaml'
+      - '.github/workflows/test-gateway-api-conformance.yaml'
       - 'pkg/provider/kubernetes/gateway/**'
-      - 'integration/fixtures/k8s-conformance/**'
-      - 'integration/k8s_conformance_test.go'
+      - 'integration/fixtures/gateway-api-conformance/**'
+      - 'integration/gateway_api_conformance_test.go'
+      - 'integration/integration_test.go'
 
 env:
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.24'
   CGO_ENABLED: 0
 
 jobs:
 
-  test-conformance:
+  test-gateway-api-conformance:
     runs-on: ubuntu-latest
 
     steps:
@@ -30,7 +31,11 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
-      - name: K8s Gateway API conformance test and report
+      - name: Avoid generating webui
+        run: |
+          touch webui/static/index.html
+
+      - name: Gateway API conformance test and report
         run: |
           make test-gateway-api-conformance
           git diff --exit-code

.github/workflows/test-integration.yaml

@@ -30,6 +30,10 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
 
+      - name: Avoid generating webui
+        run: |
+          touch webui/static/index.html
+
       - name: Build binary
         run: make binary-linux-amd64
 

.github/workflows/test-knative-conformance.yaml

@@ -0,0 +1,51 @@
+name: Test Knative conformance
+
+on:
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - '.github/workflows/test-knative-conformance.yaml'
+      - 'pkg/provider/kubernetes/knative/**'
+      - 'integration/fixtures/knative/**'
+      - 'integration/knative_conformance_test.go'
+      - 'integration/integration_test.go'
+
+env:
+  GO_VERSION: '1.24'
+  CGO_ENABLED: 0
+
+jobs:
+
+  test-knative-conformance:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Set up KO
+        uses: ko-build/setup-ko@v0.6
+        env:
+          KO_DOCKER_REPO: ko.local
+
+      - name: Upload Test Images
+        run: |
+          # Download the test image templates.
+          go mod vendor
+          ./integration/fixtures/knative/upload-test-images.sh
+
+      - name: Avoid generating webui
+        run: |
+          touch webui/static/index.html
+
+      - name: Knative conformance test
+        run: |
+          make test-knative-conformance

.github/workflows/test-unit.yaml

@@ -79,6 +79,11 @@ jobs:
           cache: 'yarn'
           cache-dependency-path: webui/yarn.lock
 
+      - name: Setup safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
       - name: UI unit tests
         working-directory: ./webui
         env:

.github/workflows/validate.yaml

@@ -8,7 +8,7 @@ on:
 env:
   GO_VERSION: '1.24'
   GOLANGCI_LINT_VERSION: v2.0.2
-  MISSPELL_VERSION: v0.6.0
+  MISSPELL_VERSION: v0.7.0
 
 jobs:
 

.gitignore

@@ -19,4 +19,4 @@ plugins-storage/
 plugins-local/
 traefik_changelog.md
 integration/tailscale.secret
-integration/conformance-reports/**/experimental-dev-default-report.yaml
+integration/gateway-api-conformance-reports/**/experimental-dev-default-report.yaml

.golangci.yml

@@ -318,6 +318,12 @@ linters:
           - recvcheck
       - path: pkg/proxy/httputil/bufferpool.go
         text: 'SA6002: argument should be pointer-like to avoid allocations'
+      - path: integration/integration_test.go
+        text: 'var (gatewayAPIConformanceRunTest|traefikVersion) is unused'
+      - path: pkg/server/router/router.go
+        text: 'appendAssign: append result not assigned to the same slice'
+        linters:
+          - gocritic
     paths:
       - pkg/provider/kubernetes/crd/generated/
 

.goreleaser.yml.tmpl

@@ -54,10 +54,12 @@ changelog:
 archives:
   - id: traefik
     name_template: '{{ .ProjectName }}_v{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
-    format: tar.gz
+    formats:
+      - tar.gz
     format_overrides:
       - goos: windows
-        format: zip
+        formats:
+          - zip
     files:
       - LICENSE.md
       - CHANGELOG.md

CHANGELOG.md

@@ -1,3 +1,219 @@
+## [v3.6.7](https://github.com/traefik/traefik/tree/v3.6.7) (2026-01-14)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.6...v3.6.7)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.31.0 ([#12529](https://github.com/traefik/traefik/pull/12529) by [ldez](https://github.com/ldez))
+- **[acme]** Add missing renew options ([#12467](https://github.com/traefik/traefik/pull/12467) by [ldez](https://github.com/ldez))
+- **[acme]** Replace hardcoded references to LetsEncrypt in log messages ([#12464](https://github.com/traefik/traefik/pull/12464) by [schildbach](https://github.com/schildbach))
+- **[k8s/ingress-nginx]** Fix use-regex nginx annotation ([#12531](https://github.com/traefik/traefik/pull/12531) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Prevent Ingress Nginx provider http router to attach to an entrypoint with TLS ([#12528](https://github.com/traefik/traefik/pull/12528) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** Fix panic for empty defaultBackend and defaultBackend without resources ([#12509](https://github.com/traefik/traefik/pull/12509) by [gndz07](https://github.com/gndz07))
+- **[k8s]** Fix condition used for serving and fenced endpoints ([#12521](https://github.com/traefik/traefik/pull/12521) by [LBF38](https://github.com/LBF38))
+- **[webui]** Validate X-Forwarded-Prefix value for dashboard redirect ([#12514](https://github.com/traefik/traefik/pull/12514) by [LBF38](https://github.com/LBF38))
+- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) by [LBF38](https://github.com/LBF38))
+- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) by [gndz07](https://github.com/gndz07))
+
+**Documentation:**
+- **[docker/swarm]** Update swarm.md traefik version ([#12508](https://github.com/traefik/traefik/pull/12508) by [DBouraoui](https://github.com/DBouraoui))
+- **[k8s/ingress-nginx]** Fix ingress-nginx annotations documentation ([#12510](https://github.com/traefik/traefik/pull/12510) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Fix Kubernetes reference yml file ([#12406](https://github.com/traefik/traefik/pull/12406) by [mmatur](https://github.com/mmatur))
+- Fix code copy button positioning ([#12520](https://github.com/traefik/traefik/pull/12520) by [AnuragEkkati](https://github.com/AnuragEkkati))
+- Fix typo in kubernetes.md ([#12515](https://github.com/traefik/traefik/pull/12515) by [EdwardSalkeld](https://github.com/EdwardSalkeld))
+- Bring back security section on API & Dashboard documentation page ([#12507](https://github.com/traefik/traefik/pull/12507) by [gndz07](https://github.com/gndz07))
+- Fix link description in Traefik Proxy documentation ([#12488](https://github.com/traefik/traefik/pull/12488) by [schaerfo](https://github.com/schaerfo))
+- Add product comparison matrix and features page ([#12037](https://github.com/traefik/traefik/pull/12037) by [sheddy-traefik](https://github.com/sheddy-traefik))
+
+**Misc:**
+- Merge branch v2.11 into v3.6 ([#12552](https://github.com/traefik/traefik/pull/12552) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.6 ([#12533](https://github.com/traefik/traefik/pull/12533) by [mmatur](https://github.com/mmatur))
+- Merge branch v2.11 into v3.6 ([#12497](https://github.com/traefik/traefik/pull/12497) by [mmatur](https://github.com/mmatur))
+
+## [v2.11.35](https://github.com/traefik/traefik/tree/v2.11.35) (2026-01-14)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.34...v2.11.35)
+
+**Bug fixes:**
+- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) by [LBF38](https://github.com/LBF38))
+- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) by [gndz07](https://github.com/gndz07))
+
+## [v3.6.6](https://github.com/traefik/traefik/tree/v3.6.6) (2025-12-29)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.5...v3.6.6)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.30.1 ([#12432](https://github.com/traefik/traefik/pull/12432) by [ldez](https://github.com/ldez))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.58.0 ([#12448](https://github.com/traefik/traefik/pull/12448) by [GreyXor](https://github.com/GreyXor))
+- **[redis]** Fix mutually exclusive verification for Redis ([#12442](https://github.com/traefik/traefik/pull/12442) by [juliens](https://github.com/juliens))
+- **[server]** Fix deny encoded characters ([#12454](https://github.com/traefik/traefik/pull/12454) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[k8s/ingress,k8s]** Fix Kubernetes Ingress provider documentation ([#12443](https://github.com/traefik/traefik/pull/12443) by [nmengin](https://github.com/nmengin))
+- **[k8s/ingress-nginx]** Add RBAC documentation for Ingress NGINX provider ([#12445](https://github.com/traefik/traefik/pull/12445) by [nmn3m](https://github.com/nmn3m))
+- **[k8s]** Improve the K8S multi-tenancy security note ([#12444](https://github.com/traefik/traefik/pull/12444) by [nmengin](https://github.com/nmengin))
+- Restore documentation on http.maxHeaderBytes ([#12440](https://github.com/traefik/traefik/pull/12440) by [mloiseleur](https://github.com/mloiseleur))
+- Fix Menu Item Naming ([#12431](https://github.com/traefik/traefik/pull/12431) by [sheddy-traefik](https://github.com/sheddy-traefik))
+
+**Misc:**
+- Merge branch v2.11 into v3.6 ([#12475](https://github.com/traefik/traefik/pull/12475) by [mmatur](https://github.com/mmatur))
+- Merge branch v2.11 into v3.6 ([#12438](https://github.com/traefik/traefik/pull/12438) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.11.34](https://github.com/traefik/traefik/tree/v2.11.34) (2025-12-23)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.33...v2.11.34)
+
+**Bug fixes:**
+- **[server]** Fix deny encoded characters ([#12457](https://github.com/traefik/traefik/pull/12457) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.33](https://github.com/traefik/traefik/tree/v2.11.33) (2025-12-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.32...v2.11.33)
+
+**Bug fixes:**
+- **[server]** Print access logs for rejected requests and warn about new behavior ([#12426](https://github.com/traefik/traefik/pull/12426) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- Clarify doc about encoded characters rejection ([#12391](https://github.com/traefik/traefik/pull/12391) by [rtribotte](https://github.com/rtribotte))
+- Fix encoded characters entryPoint option documentation ([#12384](https://github.com/traefik/traefik/pull/12384) by [rtribotte](https://github.com/rtribotte))
+- Fix encoded characters option documentation ([#12373](https://github.com/traefik/traefik/pull/12373) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.6.5](https://github.com/traefik/traefik/tree/v3.6.5) (2025-12-16)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.4...v3.6.5)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Fix NGINX sslredirect annotation support ([#12387](https://github.com/traefik/traefik/pull/12387) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Print access logs for rejected requests and warn about new behavior ([#12424](https://github.com/traefik/traefik/pull/12424) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[k8s/ingress-nginx]** Add auth-signin to unsupported nginx annotations list ([#12370](https://github.com/traefik/traefik/pull/12370) by [fibsifan](https://github.com/fibsifan))
+- Add a Breaking change note to the changelog ([#12398](https://github.com/traefik/traefik/pull/12398) by [nmengin](https://github.com/nmengin))
+- Fix encodedCharacters entryPoint option documentation ([#12385](https://github.com/traefik/traefik/pull/12385) by [rtribotte](https://github.com/rtribotte))
+
+## [v3.6.4](https://github.com/traefik/traefik/tree/v3.6.4) (2025-12-05)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.2...v3.6.4)
+
+**CVE's fixed:**
+- [CVE-2025-66490](https://nvd.nist.gov/vuln/detail/CVE-2025-66490) (Advisory [GHSA-gm3x-23wp-hc2c](https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c)): **Breaking Change** please read the [migration guide](https://doc.traefik.io/traefik/v3.6/migrate/v3/#v364).
+- [CVE-2025-66491](https://nvd.nist.gov/vuln/detail/CVE-2025-66491) (Advisory [GHSA-7vww-mvcr-x6vj](https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj))
+
+**Important:** Please read the [migration guide](https://doc.traefik.io/traefik/v3.6/migrate/v3/#v364).
+
+**Bug fixes:**
+- **[server]** Reject suspicious encoded characters ([#12360](https://github.com/traefik/traefik/pull/12360) by [rtribotte](https://github.com/rtribotte))
+- **[plugins]** Validate plugin module name ([#12291](https://github.com/traefik/traefik/pull/12291) by [kevinpollet](https://github.com/kevinpollet))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.1 ([#12319](https://github.com/traefik/traefik/pull/12319) by [GreyXor](https://github.com/GreyXor))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.0 ([#12308](https://github.com/traefik/traefik/pull/12308) by [GreyXor](https://github.com/GreyXor))
+- **[server]** Bump golang.org/x/crypto to v0.45.0 ([#12296](https://github.com/traefik/traefik/pull/12296) by [kevinpollet](https://github.com/kevinpollet))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.29.0 ([#12333](https://github.com/traefik/traefik/pull/12333) by [ldez](https://github.com/ldez))
+- **[k8s/ingress-nginx]** Fix SSL redirect to match NGINX behavior ([#12361](https://github.com/traefik/traefik/pull/12361) by [mmatur](https://github.com/mmatur))
+- **[k8s/ingress-nginx]** Fix the service name for ingress-nginx provider ([#12352](https://github.com/traefik/traefik/pull/12352) by [mmatur](https://github.com/mmatur))
+- **[k8s/ingress-nginx]** Fix nginx.ingress.kubernetes.io/proxy-ssl-verify annotation support ([#12351](https://github.com/traefik/traefik/pull/12351) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,authentication]** Change ForwardAuth error log level from DEBUG to ERROR ([#12324](https://github.com/traefik/traefik/pull/12324) by [murataslan1](https://github.com/murataslan1))
+
+**Documentation:**
+- **[api]** Fix typo in API dashboard configuration instructions ([#12335](https://github.com/traefik/traefik/pull/12335) by [NAICOLAS](https://github.com/NAICOLAS))
+- **[docker]** Add documentation for loadbalancer.server.url in Docker and Swarm providers ([#12289](https://github.com/traefik/traefik/pull/12289) by [webash](https://github.com/webash))
+- **[k8s/gatewayapi]** Fix links of Helm chart values reference to providers.kubernetesGateway.enabled ([#12315](https://github.com/traefik/traefik/pull/12315) by [shouhei](https://github.com/shouhei))
+- **[k8s/ingress-nginx]** Fix default value of ingress-nginx provider in documentation ([#12328](https://github.com/traefik/traefik/pull/12328) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s/ingress-nginx]** NGINX Ingress Controller to Traefik Migration Guide ([#12318](https://github.com/traefik/traefik/pull/12318) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[k8s/ingress-nginx]** Improve the configuration options display of the Kubernetes ingress-nginx provider ([#12297](https://github.com/traefik/traefik/pull/12297) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s/ingress-nginx]** Improve ingress-nginx provider documentation ([#12288](https://github.com/traefik/traefik/pull/12288) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[service]** Fix loadbalancer doc for highest random weight ([#12283](https://github.com/traefik/traefik/pull/12283) by [ozon2](https://github.com/ozon2))
+- Correctly Format the HTTP Service Documentation ([#12311](https://github.com/traefik/traefik/pull/12311) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Add documentation about checkNewVersion ([#12298](https://github.com/traefik/traefik/pull/12298) by [darkweaver87](https://github.com/darkweaver87))
+
+**Misc:**
+- Merge branch v2.11 into v3.6 ([#12364](https://github.com/traefik/traefik/pull/12364) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.11 into v3.6 ([#12341](https://github.com/traefik/traefik/pull/12341) by [mmatur](https://github.com/mmatur))
+- Merge branch v2.11 into v3.6 ([#12368](https://github.com/traefik/traefik/pull/12368) by [mmatur](https://github.com/mmatur))
+
+## [v3.6.3](https://github.com/traefik/traefik/tree/v3.6.3) (2025-12-04)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.2...v3.6.3)
+
+Release canceled.
+
+## [v2.11.32](https://github.com/traefik/traefik/tree/v2.11.32) (2025-12-04)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.31...v2.11.32)
+
+**Bug fixes:**
+- **[server]** Reject suspicious encoded characters ([#12360](https://github.com/traefik/traefik/pull/12360) by [rtribotte](https://github.com/rtribotte))
+- **[plugins]** Validate plugin module name ([#12291](https://github.com/traefik/traefik/pull/12291) by [kevinpollet](https://github.com/kevinpollet))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.1 ([#12319](https://github.com/traefik/traefik/pull/12319) by [GreyXor](https://github.com/GreyXor))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.0 ([#12308](https://github.com/traefik/traefik/pull/12308) by [GreyXor](https://github.com/GreyXor))
+- **[server]** Bump golang.org/x/crypto to v0.45.0 ([#12296](https://github.com/traefik/traefik/pull/12296) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- Update SECURITY.md to streamline information ([#12310](https://github.com/traefik/traefik/pull/12310) by [emilevauge](https://github.com/emilevauge))
+- Update SECURITY.md ([#12304](https://github.com/traefik/traefik/pull/12304) by [cwayne18](https://github.com/cwayne18))
+
+## [v3.6.2](https://github.com/traefik/traefik/tree/v3.6.2) (2025-11-18)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.1...v3.6.2)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Deprecate Kubernetes Ingress NGINX provider experimental flag ([#12286](https://github.com/traefik/traefik/pull/12286) by [rtribotte](https://github.com/rtribotte))
+
+## [v3.6.1](https://github.com/traefik/traefik/tree/v3.6.1) (2025-11-13)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.0...v3.6.1)
+
+**Bug fixes:**
+- **[docker]** Auto-negotiate Docker API Version ([#12256](https://github.com/traefik/traefik/pull/12256) by [felixbuenemann](https://github.com/felixbuenemann))
+- **[server]** Fix multi-layer routing with models ([#12258](https://github.com/traefik/traefik/pull/12258) by [juliens](https://github.com/juliens))
+- **[udp]** Revert "Avoid allocations in readLoop by using sync.Pool" ([#12267](https://github.com/traefik/traefik/pull/12267) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Fix blocked navigation on Safari ([#12231](https://github.com/traefik/traefik/pull/12231) by [gndz07](https://github.com/gndz07))
+- **[webui]** Restore remote Upgrade to Hub button web component ([#12219](https://github.com/traefik/traefik/pull/12219) by [gndz07](https://github.com/gndz07))
+
+**Documentation:**
+- **[k8s]** Fix Nginx provider documentation ([#12266](https://github.com/traefik/traefik/pull/12266) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Fix Gateway API version and the list of features supported ([#12254](https://github.com/traefik/traefik/pull/12254) by [nmengin](https://github.com/nmengin))
+
+## [v2.11.31](https://github.com/traefik/traefik/tree/v2.11.31) (2025-11-13)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.30...v2.11.31)
+
+**Bug fixes:**
+- **[docker,docker/swarm]** Auto-negotiate Docker API version ([#12262](https://github.com/traefik/traefik/pull/12262) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.6.0](https://github.com/traefik/traefik/tree/v3.6.0) (2025-11-07)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.0-rc1...v3.6.0)
+
+**Enhancements:**
+- **[acme]** Add new certificatesresolvers options ([#11977](https://github.com/traefik/traefik/pull/11977) by [ldez](https://github.com/ldez))
+- **[consul,consulcatalog,nomad]** Log provider namespace during startup ([#12002](https://github.com/traefik/traefik/pull/12002) by [shreealt](https://github.com/shreealt))
+- **[docker]** Allow discovering non-running Docker containers  ([#10645](https://github.com/traefik/traefik/pull/10645) by [acouvreur](https://github.com/acouvreur))
+- **[ecs]** AWS ECS IPv6 Support ([#12179](https://github.com/traefik/traefik/pull/12179) by [wizbit](https://github.com/wizbit))
+- **[file,k8s/crd,service]** Add least time load balancing strategy ([#12167](https://github.com/traefik/traefik/pull/12167) by [sdelicata](https://github.com/sdelicata))
+- **[healthcheck,tcp]** Add TCP Healthcheck ([#11238](https://github.com/traefik/traefik/pull/11238) by [ddtmachado](https://github.com/ddtmachado))
+- **[healthcheck]** Add passive health checks ([#11351](https://github.com/traefik/traefik/pull/11351) by [Nelwhix](https://github.com/Nelwhix))
+- **[k8s/crd]** Add highest random weight in Kubernetes CRD ([#12061](https://github.com/traefik/traefik/pull/12061) by [lbenguigui](https://github.com/lbenguigui))
+- **[k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.4.0 ([#12140](https://github.com/traefik/traefik/pull/12140) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/ingress]** Allow publishing services with type ExternalName ([#12065](https://github.com/traefik/traefik/pull/12065) by [james-callahan](https://github.com/james-callahan))
+- **[k8s]** Add Knative provider ([#11448](https://github.com/traefik/traefik/pull/11448) by [idurgakalyan](https://github.com/idurgakalyan))
+- **[middleware,authentication]** Add warning when maxBodySize is not set ([#12085](https://github.com/traefik/traefik/pull/12085) by [kianelbo](https://github.com/kianelbo))
+- **[middleware,server]** Multi-layer routing ([#12130](https://github.com/traefik/traefik/pull/12130) by [sdelicata](https://github.com/sdelicata))
+- **[plugins]** Support syscall ([#11939](https://github.com/traefik/traefik/pull/11939) by [david-garcia-garcia](https://github.com/david-garcia-garcia))
+- **[server]** Implement HTTP2 HPACK table size options ([#12050](https://github.com/traefik/traefik/pull/12050) by [GCHQDeveloper548](https://github.com/GCHQDeveloper548))
+- **[service,udp]** Avoid allocations in readLoop by using sync.Pool ([#12029](https://github.com/traefik/traefik/pull/12029) by [arturmelanchyk](https://github.com/arturmelanchyk))
+- **[service]** Add HighestRandomWeight load balancing algorithm ([#9946](https://github.com/traefik/traefik/pull/9946) by [mathieuHa](https://github.com/mathieuHa))
+- **[webui]** Add Traefik Hub demo in dashboard ([#12193](https://github.com/traefik/traefik/pull/12193) by [gndz07](https://github.com/gndz07))
+- **[webui]** Reduce vertical padding in dashboard table rows for more compact layout ([#12145](https://github.com/traefik/traefik/pull/12145) by [leccelecce](https://github.com/leccelecce))
+
+**Bug fixes:**
+- **[server]** Make the aggregator compute provider namespace for router's parentRefs ([#12235](https://github.com/traefik/traefik/pull/12235) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- Prepare release v3.6.0-rc1 ([#12211](https://github.com/traefik/traefik/pull/12211) by [kevinpollet](https://github.com/kevinpollet))
+- Fix broken link to migration guide on readme ([#12021](https://github.com/traefik/traefik/pull/12021) by [0slb](https://github.com/0slb))
+- Fix broken links in TCP Service and HTTP Router documentation ([#12215](https://github.com/traefik/traefik/pull/12215) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix typo in v3.6 migration guide ([#12212](https://github.com/traefik/traefik/pull/12212) by [jnoordsij](https://github.com/jnoordsij))
+
+**Misc:**
+- Merge branch v3.5 into master ([#12210](https://github.com/traefik/traefik/pull/12210) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#12191](https://github.com/traefik/traefik/pull/12191) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#12188](https://github.com/traefik/traefik/pull/12188) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#12160](https://github.com/traefik/traefik/pull/12160) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#12136](https://github.com/traefik/traefik/pull/12136) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.5 into master ([#12120](https://github.com/traefik/traefik/pull/12120) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#12095](https://github.com/traefik/traefik/pull/12095) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.5 into master ([#12051](https://github.com/traefik/traefik/pull/12051) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#11976](https://github.com/traefik/traefik/pull/11976) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.5 into master ([#11940](https://github.com/traefik/traefik/pull/11940) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.5 into master ([#11900](https://github.com/traefik/traefik/pull/11900) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.5 into v3.6 ([#12242](https://github.com/traefik/traefik/pull/12242) by [kevinpollet](https://github.com/kevinpollet))
+
 ## [v3.5.6](https://github.com/traefik/traefik/tree/v3.5.6) (2025-11-07)
 [All Commits](https://github.com/traefik/traefik/compare/v3.5.4...v3.5.6)
 
@@ -15,6 +231,46 @@
 
 Release canceled.
 
+## [v3.6.0-rc1](https://github.com/traefik/traefik/tree/v3.6.0-rc1) (2025-10-28)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.0-rc1...v3.6.0-rc1)
+
+**Enhancements:**
+- **[acme]** Add new certificatesresolvers options ([#11977](https://github.com/traefik/traefik/pull/11977) by [ldez](https://github.com/ldez))
+- **[consul,consulcatalog,nomad]** Log provider namespace during startup ([#12002](https://github.com/traefik/traefik/pull/12002) by [shreealt](https://github.com/shreealt))
+- **[docker]** Allow discovering non-running Docker containers  ([#10645](https://github.com/traefik/traefik/pull/10645) by [acouvreur](https://github.com/acouvreur))
+- **[ecs]** AWS ECS IPv6 Support ([#12179](https://github.com/traefik/traefik/pull/12179) by [wizbit](https://github.com/wizbit))
+- **[file,k8s/crd,service]** Add least time load balancing strategy ([#12167](https://github.com/traefik/traefik/pull/12167) by [sdelicata](https://github.com/sdelicata))
+- **[healthcheck,tcp]** Add TCP Healthcheck ([#11238](https://github.com/traefik/traefik/pull/11238) by [ddtmachado](https://github.com/ddtmachado))
+- **[healthcheck]** Add passive health checks ([#11351](https://github.com/traefik/traefik/pull/11351) by [Nelwhix](https://github.com/Nelwhix))
+- **[k8s/crd]** Add highest random weight in Kubernetes CRD ([#12061](https://github.com/traefik/traefik/pull/12061) by [lbenguigui](https://github.com/lbenguigui))
+- **[k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.4.0 ([#12140](https://github.com/traefik/traefik/pull/12140) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/ingress]** Allow publishing services with type ExternalName ([#12065](https://github.com/traefik/traefik/pull/12065) by [james-callahan](https://github.com/james-callahan))
+- **[k8s]** Add Knative provider ([#11448](https://github.com/traefik/traefik/pull/11448) by [idurgakalyan](https://github.com/idurgakalyan))
+- **[middleware,authentication]** Add warning when maxBodySize is not set ([#12085](https://github.com/traefik/traefik/pull/12085) by [kianelbo](https://github.com/kianelbo))
+- **[middleware,server]** Multi-layer routing ([#12130](https://github.com/traefik/traefik/pull/12130) by [sdelicata](https://github.com/sdelicata))
+- **[plugins]** Support syscall ([#11939](https://github.com/traefik/traefik/pull/11939) by [david-garcia-garcia](https://github.com/david-garcia-garcia))
+- **[server]** Implement HTTP2 HPACK table size options ([#12050](https://github.com/traefik/traefik/pull/12050) by [GCHQDeveloper548](https://github.com/GCHQDeveloper548))
+- **[service,udp]** Avoid allocations in readLoop by using sync.Pool ([#12029](https://github.com/traefik/traefik/pull/12029) by [arturmelanchyk](https://github.com/arturmelanchyk))
+- **[service]** Add HighestRandomWeight load balancing algorithm ([#9946](https://github.com/traefik/traefik/pull/9946) by [mathieuHa](https://github.com/mathieuHa))
+- **[webui]** Add Traefik Hub demo in dashboard ([#12193](https://github.com/traefik/traefik/pull/12193) by [gndz07](https://github.com/gndz07))
+- **[webui]** Reduce vertical padding in dashboard table rows for more compact layout ([#12145](https://github.com/traefik/traefik/pull/12145) by [leccelecce](https://github.com/leccelecce))
+
+**Documentation:**
+- Fix broken link to migration guide on readme ([#12021](https://github.com/traefik/traefik/pull/12021) by [0slb](https://github.com/0slb))
+
+**Misc:**
+- Merge branch v3.5 into master ([#12210](https://github.com/traefik/traefik/pull/12210) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#12191](https://github.com/traefik/traefik/pull/12191) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#12188](https://github.com/traefik/traefik/pull/12188) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#12160](https://github.com/traefik/traefik/pull/12160) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#12136](https://github.com/traefik/traefik/pull/12136) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.5 into master ([#12120](https://github.com/traefik/traefik/pull/12120) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#12095](https://github.com/traefik/traefik/pull/12095) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.5 into master ([#12051](https://github.com/traefik/traefik/pull/12051) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v3.5 into master ([#11976](https://github.com/traefik/traefik/pull/11976) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.5 into master ([#11940](https://github.com/traefik/traefik/pull/11940) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.5 into master ([#11900](https://github.com/traefik/traefik/pull/11900) by [kevinpollet](https://github.com/kevinpollet))
+
 ## [v3.5.4](https://github.com/traefik/traefik/tree/v3.5.4) (2025-10-28)
 [All Commits](https://github.com/traefik/traefik/compare/v3.5.3...v3.5.4)
 

Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.2
-FROM alpine:3.22
+FROM alpine:3.23
 
 RUN apk add --no-cache --no-progress ca-certificates tzdata
 

Makefile

@@ -100,10 +100,15 @@ test-integration:
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -test.timeout=20m -failfast -v $(TESTFLAGS)
 
 .PHONY: test-gateway-api-conformance
-#? test-gateway-api-conformance: Run the conformance tests
+#? test-gateway-api-conformance: Run the Gateway API conformance tests
 test-gateway-api-conformance: build-image-dirty
-	# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.5" $(TESTFLAGS)
+	# In case of a new Minor/Major version, the traefikVersion needs to be updated.
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -tags gatewayAPIConformance -test.run GatewayAPIConformanceSuite -traefikVersion="v3.6" $(TESTFLAGS)
+
+.PHONY: test-knative-conformance
+#? test-knative-conformance: Run the Knative conformance tests
+test-knative-conformance: build-image-dirty
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration/integration_test.go ./integration/knative_conformance_test.go -v -tags knativeConformance -test.run KnativeConformanceSuite
 
 .PHONY: test-ui-unit
 #? test-ui-unit: Run the unit tests for the webui

README.md

@@ -34,7 +34,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo
 
 ---
 
-:warning: When migrating to a new major version of Traefik, please refer to the [migration guide](https://doc.traefik.io/traefik/migration/v2-to-v3/) to ensure a smooth transition and to be aware of any breaking changes.
+:warning: When migrating to a new major version of Traefik, please refer to the [migration guide](https://doc.traefik.io/traefik/migrate/v2-to-v3/) to ensure a smooth transition and to be aware of any breaking changes.
 
 
 ## Overview

SECURITY.md

@@ -1,10 +1,5 @@
 # Security Policy
 
-You can join our security mailing list to be aware of the latest announcements from our security team.
-You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
-
-Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
-
 ## Supported Versions
 
 - We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
@@ -17,10 +12,10 @@ We use [Semantic Versioning](https://semver.org/).
 
 | Version   | Supported          |
 |-----------|--------------------|
-| `2.2.x`   | :white_check_mark: |
-| `< 2.2.x` | :x:                |
-| `1.7.x`   | :white_check_mark: |
-| `< 1.7.x` | :x:                |
+| `3.6.x`   | :white_check_mark: |
+| `< 3.6.x` | :x:                |
+| `2.11.x`   | :white_check_mark: |
+| `< 2.11.x` | :x:                |
 
 ## Reporting a Vulnerability
 
@@ -28,3 +23,5 @@ We want to keep Traefik safe for everyone.
 If you've discovered a security vulnerability in Traefik,
 we appreciate your help in disclosing it to us in a responsible manner,
 by creating a [security advisory](https://github.com/traefik/traefik/security/advisories).
+
+Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).

cmd/traefik/traefik.go

@@ -97,6 +97,11 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		return fmt.Errorf("setting up logger: %w", err)
 	}
 
+	log.Warn().Msg("Traefik can reject some encoded characters in the request path." +
+		"When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986)," +
+		"it is recommended to set these options to `false` to avoid split-view situation." +
+		"Refer to the documentation for more details: https://doc.traefik.io/traefik/v3.6/migrate/v3/#encoded-characters-configuration-default-values")
+
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
 	staticConfiguration.SetEffectiveConfiguration()
@@ -114,9 +119,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		log.Debug().RawJSON("staticConfiguration", []byte(redactedStaticConfiguration)).Msg("Static configuration loaded [json]")
 	}
 
-	if staticConfiguration.Global.CheckNewVersion {
-		checkNewVersion()
-	}
+	checkNewVersion(staticConfiguration)
 
 	stats(staticConfiguration)
 
@@ -614,13 +617,28 @@ func setupTracing(ctx context.Context, conf *static.Tracing) (*tracing.Tracer, i
 	return tracer, closer
 }
 
-func checkNewVersion() {
-	ticker := time.Tick(24 * time.Hour)
-	safe.Go(func() {
-		for time.Sleep(10 * time.Minute); ; <-ticker {
-			version.CheckNewVersion()
-		}
-	})
+func checkNewVersion(staticConfiguration *static.Configuration) {
+	logger := log.With().Logger()
+
+	if staticConfiguration.Global.CheckNewVersion {
+		logger.Info().Msg(`Version check is enabled.`)
+		logger.Info().Msg(`Traefik checks for new releases to notify you if your version is out of date.`)
+		logger.Info().Msg(`It also collects usage data during this process.`)
+		logger.Info().Msg(`Check the documentation to get more info: https://doc.traefik.io/traefik/contributing/data-collection/`)
+
+		ticker := time.Tick(24 * time.Hour)
+		safe.Go(func() {
+			for time.Sleep(10 * time.Minute); ; <-ticker {
+				version.CheckNewVersion()
+			}
+		})
+	} else {
+		logger.Info().Msg(`
+Version check is disabled.
+You will not be notified if a new version is available.
+More details: https://doc.traefik.io/traefik/contributing/data-collection/
+`)
+	}
 }
 
 func stats(staticConfiguration *static.Configuration) {

docs/check.Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.22
+FROM alpine:3.23
 
 RUN apk --no-cache --no-progress add \
     build-base \
@@ -34,6 +34,7 @@ RUN apk --no-cache --no-progress add \
 
 COPY ./scripts/verify.sh /verify.sh
 COPY ./scripts/lint.sh /lint.sh
+COPY ./scripts/lint-yaml.sh /lint-yaml.sh
 
 WORKDIR /app
 VOLUME ["/tmp","/app"]

docs/content/assets/css/code-copy.css

@@ -0,0 +1,18 @@
+/* Fix positioning of the built-in clipboard button for code blocks.
+ * In this theme, the button can end up positioned relative to <body>,
+ * so anchor it to the code block container instead.
+ */
+
+.md-typeset pre.highlight {
+  position: relative;
+}
+
+.md-typeset pre.highlight > button.md-clipboard {
+  position: absolute;
+  top: .25rem;
+  right: .25rem;
+  z-index: 10;
+  opacity: 1;
+  visibility: visible;
+}
+

docs/content/assets/js/extra.js

@@ -1,4 +1,14 @@
 /* Highlight */
 (function(hljs) {
     hljs.initHighlightingOnLoad();
-})(hljs);
+})(hljs);
+
+/* Scarf Analytics - cookieless, anonymous company-level intelligence */
+(function() {
+    var img = document.createElement('img');
+    img.src = 'https://static.scarf.sh/a.png?x-pxid=1a49232a-b165-4015-8ed2-a1092f1f0d83';
+    img.referrerPolicy = 'no-referrer-when-downgrade';
+    img.loading = 'eager';
+    img.style.cssText = 'visibility:hidden;position:absolute;width:1px;height:1px;';
+    document.body.appendChild(img);
+})();

docs/content/contributing/data-collection.md

@@ -1,17 +1,72 @@
 ---
 title: "Traefik Data Collection Documentation"
-description: "To learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances. Read the technical documentation."
+description: "Learn what data Traefik shares, how it is used, and how you can control it. This documentation explains both version check and anonymous usage statistics data. Read the technical documentation."
 ---
 
 # Data Collection
 
-Understanding How Traefik is Being Used
+Understanding the data Traefik shares and how it is used
 {: .subtitle }
 
-## Configuration Example
+## Introduction
 
-Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.
-For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us, so we can benefit from your experience and use cases.
+Protecting user privacy is essential to Traefik Labs, and we design every data-sharing mechanism with transparency and minimalism in mind.
+This page describes the two types of data exchanged by Traefik and how to configure them.
+
+For more details on how your data is handled, please refer to our [Privacy and Cookie Policy](https://traefik.io/legal/privacy-and-cookie-policy).
+
+## Configuration Overview
+
+Traefik provides two independent mechanisms:
+
+- `checkNewVersion`, enabled by default. You may disable it at any time.
+- `sendAnonymousUsage`, which requires explicit opt‑in.
+
+Examples below show how to activate or deactivate both of them.
+
+```yaml tab="YAML"
+global:
+  checkNewVersion: true      # set to false to disable
+  sendAnonymousUsage: false  # set to true to enable
+```
+
+```toml tab="TOML"
+[global]
+  checkNewVersion = true      # set to false to disable
+  sendAnonymousUsage = false  # set to true to enable
+```
+
+```bash tab="CLI"
+--global.checkNewVersion=true      # set to false to disable
+--global.sendAnonymousUsage=false  # set to true to enable
+```
+
+A log message at startup clearly indicates whether each of those options are enabled or disabled.
+
+## Version Check (`checkNewVersion`) – Opt-out
+
+Traefik periodically contacts `update.traefik.io` to determine whether a newer version is available.
+When this request is made, Traefik shares the **running version** and the **public IP** of the instance.
+The IP is used to build global usage statistics and does not influence the version comparison.
+
+This mechanism helps you stay informed about updates and provides TraefikLabs with a broad view of which versions are deployed in the wild.
+
+The collected IP addresses are also used for marketing purposes, specifically to detect companies running Traefik and offer them adapted support contracts, enterprise features, and tailored services.
+
+If you want to explore the implementation, you can read the version check source code: [version.go](https://github.com/traefik/traefik/blob/master/pkg/version/version.go)
+
+## Anonymous Usage Data (`sendAnonymousUsage`) – Opt‑in
+
+Traefik can also collect anonymous usage statistics once per day, starting 10 minutes after it starts running.  
+These statistics include:
+
+- the Traefik version,
+- a hash of the configuration,
+- an anonymized version of the static configuration (all sensitive fields removed: tokens, passwords, URLs, IP addresses, domains, emails, etc.).
+
+This feature comes from this [public proposal](https://github.com/traefik/traefik/issues/2369).
+
+This information helps TraefikLabs understand how Traefik is used in general and prioritize features and provider support accordingly. Dynamic configuration (routers and services) is never collected.
 
 !!! example "Enabling Data Collection"
 
@@ -32,21 +87,6 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to
     --global.sendAnonymousUsage
     ```
 
-## Collected Data
-
-This feature comes from this [public proposal](https://github.com/traefik/traefik/issues/2369).
-
-In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
-Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
-
-### What's collected / when ?
-
-Once a day (the first call begins 10 minutes after the start of Traefik), we collect:
-
-- the Traefik version number
-- a hash of the configuration
-- an **anonymized version** of the static configuration (token, username, password, URL, IP, domain, email, etc., are removed).
-
 !!! info
 
     - We do not collect the dynamic configuration information (routers & services).
@@ -93,8 +133,9 @@ providers:
       insecureSkipVerify: true
 ```
 
-## The Code for Data Collection
+### The Code for Anonymous Usage Collection
 
-If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)
+If you want to explore the implementation, you can read the collector source code:
+[collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)
 
-By default, we anonymize all configuration fields, except fields tagged with `export=true`.
+Traefik anonymizes all configuration fields by default, except those explicitly marked with `export=true`.

docs/content/deprecation/releases.md

@@ -6,25 +6,14 @@ Below is a non-exhaustive list of versions and their maintenance status:
 
 | Version | Release Date | Active Support     | Security Support  |
 |---------|--------------|--------------------|-------------------|
-| 3.5     | Jul 23, 2025 | Yes                | Yes               |
+| 3.6     | Nov 07, 2025 | Yes                | Yes               |
+| 3.5     | Jul 23, 2025 | Ended Nov 07, 2025 | No                |
 | 3.4     | May 05, 2025 | Ended Jul 23, 2025 | No                |
 | 3.3     | Jan 06, 2025 | Ended May 05, 2025 | No                |
 | 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 | No                |
 | 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 | No                |
 | 3.0     | Apr 29, 2024 | Ended Jul 15, 2024 | No                |
 | 2.11    | Feb 12, 2024 | Ended Apr 29, 2025 | Ends Feb 01, 2026 |
-| 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 | No                |
-| 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 | No                |
-| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No                |
-| 2.7     | May 24, 2022 | Ended Jun 29, 2022 | No                |
-| 2.6     | Jan 24, 2022 | Ended May 24, 2022 | No                |
-| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 | No                |
-| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 | No                |
-| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 | No                |
-| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 | No                |
-| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 | No                |
-| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 | No                |
-| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 | No                |
 
 ??? example "Active Support / Security Support"
 

docs/content/features/index.md

@@ -0,0 +1,148 @@
+---
+title: "Traefik Product Features Comparison"
+description: "Compare features across Traefik Proxy, Traefik Hub API Gateway (including AI Gateway capabilities), and Traefik Hub API Management to choose the right solution for your needs."
+---
+
+# Traefik Product Features Comparison
+
+The Traefik ecosystem offers multiple products designed to meet different requirements, from basic reverse proxy functionality to comprehensive API management and AI gateway capabilities. This comparison matrix helps you understand the features available in each product and choose the right solution for your use case.
+
+## Product Overview
+
+- **Traefik Proxy** is the open-source application proxy that serves as the foundation for all Traefik products. It provides essential reverse proxy, load balancing, and service discovery capabilities.
+
+- **[Traefik Hub API Gateway](https://traefik.io/solutions/api-gateway/)** builds on Traefik Proxy with enterprise-grade security, distributed features, and advanced access control for cloud-native API gateway scenarios. It includes **AI Gateway capabilities** that transform any AI endpoint into a managed API.
+
+- **[Traefik Hub API Management](https://traefik.io/solutions/api-management/)** adds comprehensive API lifecycle management, developer portals, and organizational features for teams managing multiple APIs across environments.
+
+- **[Traefik AI Gateway](https://traefik.io/solutions/ai-gateway/)** transforms any AI endpoint into a managed API with unified access to multiple LLMs, centralized credential management, semantic caching, local inferencing, and comprehensive AI governance features.
+
+- **[Traefik MCP Gateway](https://traefik.io/solutions/mcp-gateway/)** provides secure, governed access to Model Context Protocol (MCP) servers for AI agents with task-based access control (TBAC), session-smart routing, and comprehensive audit capabilities for enterprise AI workflows.
+
+## Features Matrix
+
+| Feature | Traefik Proxy | Traefik Hub API Gateway | Traefik Hub API Management |
+|---------|---------------|------------------------|---------------------------|
+| **Core Networking** | | | | 
+| Services Auto-Discovery | ✓ | ✓ | ✓ |
+| Graceful Configuration Reload | ✓ | ✓ | ✓ |
+| Websockets, HTTP/2, HTTP/3, TCP, UDP, GRPC | ✓ | ✓ | ✓ |
+| Real-time Logs, Access Logs, Metrics & Distributed Tracing | ✓ | ✓ | ✓ |
+| Canary Deployments | ✓ | ✓ | ✓ |
+| Let's Encrypt | ✓ | ✓ | ✓ |
+| **Plugin Ecosystem** | | | |
+| [Plugin Support](https://plugins.traefik.io/plugins) ([Go](https://github.com/traefik/yaegi), [WASM](https://webassembly.org/)) | ✓ | ✓ | ✓ |
+| **Deployment & Operations** | | | |
+| Hybrid cloud, multi-cloud & on-prem compatible | ✓ | ✓ | ✓ |
+| Per-cluster dashboard | ✓ | ✓ | ✓ |
+| GitOps-native declarative configuration | ✓ | ✓ | ✓ |
+| **Authentication & Authorization** | | | |
+| JWT Authentication | ✗ | ✓ | ✓ |
+| OAuth 2.0 Token Introspection Authentication | ✗ | ✓ | ✓ |
+| OAuth 2.0 Client Credentials Authentication | ✗ | ✓ | ✓ |
+| OpenID Connect Authentication | ✗ | ✓ | ✓ |
+| Lightweight Directory Access Protocol (LDAP) | ✗ | ✓ | ✓ |
+| API Key Authentication | ✗ | ✓ | ✓ |
+| **Security & Policy** | | | |
+| Open Policy Agent | ✗ | ✓ | ✓ |
+| Native Coraza Web Application Firewall (WAF) | ✗ | ✓ | ✓ |
+| HashiCorp Vault Integration | ✗ | ✓ | ✓ |
+| **Distributed Features** | | | |
+| Distributed Let's Encrypt | ✗ | ✓ | ✓ |
+| Distributed Rate Limit | ✗ | ✓ | ✓ |
+| HTTP Caching | ✗ | ✓ | ✓ |
+| **Compliance** | | | |
+| FIPS 140-2 Compliance (Linux & Windows) | ✗ | ✓ | ✓ |
+| **AI Gateway Capabilities** | | | |
+| Unified Multi-LLM API Access | ✗ | ✓ | ✓ |
+| Centralized AI Credential Management | ✗ | ✓ | ✓ |
+| AI Provider Flexibility (OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, etc.) | ✗ | ✓ | ✓ |
+| Semantic Caching for AI Responses | ✗ | ✓ | ✓ |
+| Content Guard & PII Protection | ✗ | ✓ | ✓ |
+| AI-specific Observability & OpenTelemetry Integration | ✗ | ✓ | ✓ |
+| Support for Local/Self-hosted LLMs & Inference (Ollama, Mistral, etc.) | ✗ | ✓ | ✓ |
+| **MCP Gateway Capabilities** | | | |
+| Task-Based Access Control (TBAC) for AI Agents | ✗ | ✓ | ✓ |
+| MCP Servers Governance | ✗ | ✓ | ✓ |
+| Session-Smart Load Balancing for Agent Workflows | ✗ | ✓ | ✓ |
+| OAuth 2.1 / 2.0 Resource Server for MCP | ✗ | ✓ | ✓ |
+| Fine-grained Policy Enforcement for AI Tools | ✗ | ✓ | ✓ |
+| Audit-ready Observability for Agent Interactions | ✗ | ✓ | ✓ |
+| **API Management** | | | |
+| Flexible API grouping and versioning | ✗ | ✗ | ✓ |
+| API Developer Portal | ✗ | ✗ | ✓ |
+| OpenAPI Specifications Support | ✗ | ✗ | ✓ |
+| Multi-cluster dashboard | ✗ | ✗ | ✓ |
+| Built-in identity provider (or use your own) | ✗ | ✗ | ✓ |
+| Configuration linter & change impact analysis | ✗ | ✗ | ✓ |
+| Pre-built Grafana dashboards | ✗ | ✗ | ✓ |
+| Event correlation for quick incident mitigation | ✗ | ✗ | ✓ |
+| Traffic debugger  | ✗ | ✓ | ✓ |
+| **Support** | | | |
+| Built-In Commercial Support | Add-on | ✓ | ✓ |
+
+## Choosing the Right Product
+
+### Start with Traefik Proxy
+
+Traefik Proxy is the ideal starting point for organizations looking for a reliable, open-source application proxy with essential networking capabilities. Deploy it as your default ingress tier if you need:
+
+- Basic reverse proxy and load balancing
+- Service discovery for containerized applications
+- Simple TLS termination and Let's Encrypt integration
+- Cost-effective solution with community support (can upgrade to Traefik Hub for more features)
+
+### Upgrade to Traefik Hub API Gateway
+
+Traefik Hub API Gateway layers enterprise security, distributed coordination, and AI Gateway capabilities on top of Traefik Proxy. Upgrade to it when you need:
+
+- Enterprise security requirements (JWT, OIDC, LDAP)
+- Distributed deployments across multiple clusters
+- Advanced rate limiting and caching
+- WAF and policy enforcement
+- AI Gateway capabilities
+- Commercial support
+
+### Consider Traefik AI Gateway
+
+Traefik AI Gateway unifies hosted and self-hosted LLM access under centralized control and observability. Consider it if you have:
+
+- Multi-LLM applications requiring unified API access
+- Organizations using multiple AI providers (OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, etc.)
+- Local/self-hosted LLM deployments (Ollama, Mistral)
+- Centralized AI credential and security management
+- Cost optimization through semantic caching
+- PII protection and content filtering for AI interactions
+- Comprehensive AI observability and compliance requirements
+
+### Choose Traefik MCP Gateway
+
+Traefik MCP Gateway governs how AI agents interact with Model Context Protocol servers through task-aware policies and session-smart routing. Choose it if you need:
+
+- AI agent deployments requiring secure access to MCP servers
+- Task-based access control (TBAC) for AI workflows
+- Governance of Model Context Protocol interactions
+- Session-smart routing for long-running agent conversations
+- OAuth 2.1 / 2.0 compliant MCP server protection
+- Audit-ready observability for AI agent activities
+- Fine-grained policy enforcement for AI tools and resources
+
+### Choose Traefik Hub API Management
+
+Traefik Hub API Management extends the gateway foundation with API lifecycle tooling, developer experience features, and governance workflows. Choose it when you have:
+
+- Multiple APIs requiring centralized management
+- Developer teams needing self-service portals
+- Complex API versioning and lifecycle requirements
+- Multi-cluster environments requiring unified dashboards
+- Compliance and governance needs
+
+## Migration Path
+
+The Traefik ecosystem is designed for seamless upgrades. You can start with Traefik Proxy and add capabilities as your requirements grow:
+
+1. **Traefik Proxy** → **Hub API Gateway**: Add enterprise security, distributed features, and AI Gateway capabilities
+2. **Hub API Gateway** → **Hub API Management**: Add comprehensive API management and governance features
+3. **MCP Gateway**: Specialized solution for AI agent governance and Model Context Protocol management
+
+All products share the same core configuration concepts, making migration straightforward while preserving your existing configurations and operational knowledge.

docs/content/getting-started/concepts.md

@@ -57,4 +57,4 @@ You no longer need to create and synchronize configuration files cluttered with
     Traefik is able to use your cluster API to discover the services and read the attached information.
     In Traefik, these connectors are called [providers](../providers/overview.md "Link to overview about Traefik providers") because they *provide* the configuration to Traefik.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/getting-started/configuration-overview.md

@@ -77,7 +77,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:v3.5 --help
+# ex: docker run traefik:v3.6 --help
 ```
 
 Check the [CLI reference](../reference/install-configuration/configuration-options.md "Link to CLI reference overview") for an overview about all available arguments.
@@ -92,4 +92,4 @@ All the configuration options are documented in their related section.
 
 You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/getting-started/docker.md

@@ -36,7 +36,7 @@ This configuration:
 # docker-compose.yml
 services:
   traefik:
-    image: traefik:v3.5
+    image: traefik:v3.6
     command:
       - "--api.insecure=true"
       - "--providers.docker=true"
@@ -84,7 +84,7 @@ docker run -d \
   -p 8080:8080 \
   -v $PWD/traefik.yml:/etc/traefik/traefik.yml \
   -v /var/run/docker.sock:/var/run/docker.sock \
-  traefik:v3.5
+  traefik:v3.6
 ```
 
 ## Expose the Dashboard
@@ -159,4 +159,4 @@ That's it! You've successfully deployed Traefik and configured routing in Docker
 - [Enable Metrics](../reference/install-configuration/observability/metrics.md)
 - [Learn more about Docker provider](../reference/install-configuration/providers/docker.md)
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/getting-started/faq.md

@@ -252,4 +252,4 @@ In which case, you should make sure your infrastructure is properly set up for a
 LEGO_DISABLE_CNAME_SUPPORT=true
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/getting-started/install-traefik.md

@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:
 
 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
 
-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.5/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.5/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.6/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.6/traefik.sample.toml)
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.5
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.6
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.5`
+    ex: `traefik:v3.6`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
     * Any orchestrator using docker images can fetch the official Traefik docker image.
 
@@ -144,4 +144,4 @@ And run it:
 
 All the details are available in the [Contributing Guide](../contributing/building-testing.md)
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/getting-started/kubernetes.md

@@ -331,4 +331,4 @@ That's it! You've successfully deployed Traefik and configured routing in a Kube
 - [Learn more about Kubernetes CRD provider](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md)
 - [Learn more about Kubernetes Gateway API provider](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md)
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/https/acme.md

@@ -201,6 +201,36 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
     --certificatesresolvers.myresolver.acme.tlschallenge=true
     ```
 
+#### `Delay`
+
+_Optional, Default=0_
+
+The delay between the creation of the challenge and the validation.
+A value lower than or equal to zero means no delay.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      tlsChallenge:
+        # ...
+        delay: 12
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.tlsChallenge]
+    # ...
+    delay = 12
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.tlschallenge.delay=12
+```
+
 ### `httpChallenge`
 
 Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
@@ -252,6 +282,8 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
 
 #### `Delay`
 
+_Optional, Default=0_
+
 The delay between the creation of the challenge and the validation.
 A value lower than or equal to zero means no delay.
 
@@ -1004,6 +1036,39 @@ certificatesResolvers:
 # ...
 ```
 
+### `disableCommonName`
+
+_Optional, Default=false_
+
+Disable common name inside CSR and certificates.
+
+It's recommended to disable the common name and required to get a certificate for IP.
+
+- https://letsencrypt.org/docs/profiles/#certificate-common-name
+- https://community.letsencrypt.org/t/ip-san-error-csr-contains-ip-address-in-common-name/239012/7
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      disableCommonName: true
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  disableCommonName = true
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.disableCommonName=true
+# ...
+```
+
 ### `keyType`
 
 _Optional, Default="RSA4096"_
@@ -1146,4 +1211,4 @@ If Let's Encrypt is not reachable, the following certificates will apply:
 !!! important
     For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/https/overview.md

@@ -20,4 +20,4 @@ That is to say, how to obtain [TLS certificates](./tls.md#certificates-definitio
 either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
 And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/https/tls.md

@@ -587,4 +587,4 @@ spec:
   disableSessionTickets: true
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/index.md

@@ -11,6 +11,8 @@ Traefik is an [open-source](https://github.com/traefik/traefik) Application Prox
 
 If you start with Traefik for service discovery and routing, you can seamlessly add [API management](https://traefik.io/solutions/api-management/), [API gateway](https://traefik.io/solutions/api-gateway/), [AI gateway](https://traefik.io/solutions/ai-gateway/), and [API mocking](https://traefik.io/solutions/api-mocking/) capabilities as needed.
 
+For a detailed comparison of all Traefik products and their capabilities, see our [Product Features Comparison](./features/).
+
 With 3.3 billion downloads and over 55k stars on GitHub, Traefik is used globally across hybrid cloud, multi-cloud, on prem, and bare metal environments running Kubernetes, Docker Swarm, AWS, [the list goes on](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/).
 
 Here’s how it works—Traefik receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. It automatically discovers the right configuration for your services by inspecting your infrastructure to identify relevant information and which service serves which request.

docs/content/middlewares/http/basicauth.md

@@ -340,4 +340,4 @@ http:
     removeHeader = true
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/middlewares/http/forwardauth.md

@@ -785,4 +785,4 @@ http:
   preserveRequestMethod = true
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/middlewares/http/headers.md

@@ -422,4 +422,4 @@ Set `isDevelopment` to `true` when developing to mitigate the unwanted effects o
 Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
 If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/middlewares/http/overview.md

@@ -127,4 +127,4 @@ http:
 
 Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/middlewares/http/redirectregex.md

@@ -85,4 +85,4 @@ The `replacement` option defines how to modify the URL to have the new target UR
 
     Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/middlewares/http/stripprefix.md

@@ -146,4 +146,4 @@ http:
     forceSlash = false
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/middlewares/overview.md

@@ -112,4 +112,4 @@ A list of HTTP middlewares can be found [here](http/overview.md).
 
 A list of TCP middlewares can be found [here](tcp/overview.md).
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/migrate/nginx-to-traefik.md

@@ -0,0 +1,678 @@
+---
+title: "Migrate from Ingress NGINX Controller to Traefik"
+description: "Step-by-step guide to migrate from Kubernetes Ingress NGINX Controller to Traefik with zero downtime and annotation compatibility."
+---
+
+# Migrate from Ingress NGINX Controller to Traefik
+
+How to migrate from Ingress NGINX Controller to Traefik with zero downtime.
+{: .subtitle }
+
+---
+
+!!! danger "Ingress NGINX Controller Retirement"
+
+    The Kubernetes Ingress NGINX Controller project has announced its retirement in **March 2026**. After this date:
+
+    - No new releases or updates
+    - No security patches
+    - No bug fixes
+
+    For more information, see the [official Kubernetes blog announcement](https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement).
+
+## What You Will Achieve
+
+By completing this migration, your existing Ingress resources will work with Traefik without any modifications. The Traefik Kubernetes Ingress NGINX Provider automatically translates NGINX annotations into Traefik configuration:
+
+```yaml tab="Your Existing Ingress (No Changes Needed)"
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: myapp
+  annotations:
+    # These NGINX annotations are automatically translated by Traefik
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-origin: "https://example.com"
+    nginx.ingress.kubernetes.io/affinity: "cookie"
+    nginx.ingress.kubernetes.io/session-cookie-name: "route"
+spec:
+  ingressClassName: nginx  # ← Traefik will watch this class
+  rules:
+    - host: myapp.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: whoami
+                port:
+                  number: 80
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: whoami
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+        - name: whoami
+          image: traefik/whoami
+          ports:
+            - containerPort: 80
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+spec:
+  selector:
+    app: whoami
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+```
+
+For a complete list of supported annotations and behavioral differences, see the [Ingress NGINX Routing Configuration](../reference/routing-configuration/kubernetes/ingress-nginx.md) documentation.
+
+!!! info "Traefik Version Requirement"
+
+    The Kubernetes Ingress NGINX provider requires **Traefik v3.6.2 or later**.
+
+---
+
+## Prerequisites
+
+Before starting the migration, ensure you have:
+
+- **Existing Ingress NGINX Controller** running in your Kubernetes cluster
+- **Kubernetes cluster access** with `kubectl` configured 
+- **Cluster support for running multiple LoadBalancer services** on ports 80/443 simultaneously
+- **Helm**
+- **Cluster admin permissions** to create RBAC resources
+- **Backup of critical configurations** (Ingress resources, ConfigMaps, Secrets)
+
+!!! tip "Backup Recommendations"
+
+    ```bash
+    # Export all Ingress resources
+    kubectl get ingress --all-namespaces -o yaml > ingress-backup.yaml
+
+    # Export NGINX ConfigMaps
+    kubectl get configmap --all-namespaces -l app.kubernetes.io/name=ingress-nginx -o yaml > nginx-configmaps.yaml
+    ```
+
+---
+
+## Migration Strategy Overview
+
+This migration achieves **zero downtime** by running Traefik alongside NGINX. Both controllers serve the same Ingress resources simultaneously, allowing you to progressively shift traffic before removing NGINX.
+
+```text
+Current:     DNS → LoadBalancer → NGINX → Your Services
+
+Migration:   DNS → LoadBalancer → NGINX  → Your Services
+                 → LoadBalancer → Traefik → Your Services
+
+Final:       DNS → LoadBalancer → Traefik → Your Services
+```
+
+**Migration Flow:**
+
+1. Install Traefik alongside NGINX (both serving traffic in parallel)
+2. Add Traefik LoadBalancer to DNS (if you choose DNS option; cf. step 3)
+3. Progressively shift traffic from NGINX to Traefik
+4. Remove NGINX from DNS, preserve the IngressClass, and uninstall
+
+---
+
+## Step 1: Install Traefik Alongside NGINX
+
+??? info "Install Ingress NGINX Controller"
+
+    If you have not installed Ingress NGINX Controller yet, you can set up a fresh Ingress NGINX Controller installation following the instructions below:
+
+    ### Install Ingress NGINX Controller
+
+    ```bash
+    helm upgrade --install ingress-nginx ingress-nginx \
+      --repo https://kubernetes.github.io/ingress-nginx \
+      --namespace ingress-nginx --create-namespace
+    ```
+Install Traefik with the Kubernetes Ingress NGINX provider enabled. Both controllers will serve the same Ingress resources simultaneously.
+
+### Add Traefik Helm Repository
+
+```bash
+helm repo add traefik https://traefik.github.io/charts
+helm repo update
+```
+
+### Install Traefik
+
+```bash
+helm upgrade --install traefik traefik/traefik \
+  --namespace traefik --create-namespace \
+  --set providers.kubernetesIngressNginx.enabled=true
+```
+
+Or using a [values file](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/VALUES.md) for more configuration:
+
+```yaml tab="traefik-values.yaml"
+...
+providers:
+  kubernetesIngressNginx:
+    enabled: true
+ ...
+```
+
+```bash
+helm upgrade --install traefik traefik/traefik \
+  --namespace traefik --create-namespace \
+  --values traefik-values.yaml
+```
+
+### Verify Both Controllers Are Running
+
+```bash
+# Check NGINX pods
+kubectl get pods -n ingress-nginx
+
+# Check Traefik pods
+kubectl get pods -n traefik
+
+# Check both services have LoadBalancer IPs
+kubectl get svc -n ingress-nginx ingress-nginx-controller
+kubectl get svc -n traefik traefik
+```
+
+At this point, both NGINX and Traefik are running and can serve the same Ingress resources. Traffic is still flowing only through NGINX since DNS points to the NGINX LoadBalancer.
+
+---
+
+## Step 2: Verify Traefik Is Handling Traffic
+
+Before adding Traefik to DNS, verify it correctly serves your Ingress resources.
+
+### Test via Traefik's LoadBalancer IP
+
+Get Traefik's LoadBalancer IP and use `--resolve` to test without changing DNS:
+
+```bash
+# Get LoadBalancer IPs
+NGINX_IP=$(kubectl get svc -n ingress-nginx ingress-nginx-controller -o go-template='{{ $ing := index .status.loadBalancer.ingress 0 }}{{ if $ing.ip }}{{ $ing.ip }}{{ else }}{{ $ing.hostname }}{{ end }}')
+TRAEFIK_IP=$(kubectl get svc -n traefik traefik -o go-template='{{ $ing := index .status.loadBalancer.ingress 0 }}{{ if $ing.ip }}{{ $ing.ip }}{{ else }}{{ $ing.hostname }}{{ end }}')
+echo -e "Nginx IP: $NGINX_IP\nTraefik IP: $TRAEFIK_IP"
+
+# Test HTTP for both
+FQDN=myapp.example.com
+# Observe HTTPS redirections:
+curl --connect-to "${FQDN}:80:${NGINX_IP}:80" "http://${FQDN}" -D -
+curl --connect-to "${FQDN}:80:${TRAEFIK_IP}:80" "http://${FQDN}" -D - # note X-Forwarded-Server which should be traefik
+
+# Test HTTPS
+curl --connect-to "${FQDN}:443:${NGINX_IP}:443" "https://${FQDN}"
+curl --connect-to "${FQDN}:443:${TRAEFIK_IP}:443" "https://${FQDN}"
+```
+
+!!! warning "TLS Certificates During Migration"
+
+    Both NGINX and Traefik must serve valid TLS certificates for HTTPS tests to succeed. Since Traefik is not publicly exposed during this verification phase, **Let's Encrypt HTTP challenge will not work**.
+
+    Your options for TLS certificates during migration:
+
+    - **Existing certificates via `tls.secretName`** - If you use cert-manager or another external tool, your existing TLS secrets referenced in `spec.tls` will work with both controllers
+    - **Let's Encrypt DNS challenge** - Configure Traefik's [ACME DNS challenge](../reference/install-configuration/tls/certificate-resolvers/acme.md#dnschallenge) to obtain certificates without public exposure
+
+    Avoid using `curl -k` (skip certificate verification) as this masks TLS configuration issues that could cause problems after migration.
+
+### Verify Ingress Discovery
+
+Check Traefik logs to confirm it discovered your Ingress resources:
+
+```bash
+kubectl logs -n traefik deployment/traefik | grep -i "ingress"
+```
+
+---
+
+## Step 3: Shift Traffic to Traefik
+
+With both controllers running and verified, progressively shift traffic from NGINX to Traefik.
+
+### Option A: DNS-Based Migration
+
+Add the Traefik LoadBalancer IP to your DNS records alongside NGINX. This allows both controllers to receive traffic.
+
+**Get LoadBalancer addresses:**
+
+```bash
+# NGINX LoadBalancer
+echo $(kubectl get svc -n ingress-nginx ingress-nginx-controller -o go-template='{{ $ing := index .status.loadBalancer.ingress 0 }}{{ if $ing.ip }}{{ $ing.ip }}{{ else }}{{ $ing.hostname }}{{ end }}')
+
+# Traefik LoadBalancer
+echo $(kubectl get svc -n traefik traefik -o go-template='{{ $ing := index .status.loadBalancer.ingress 0 }}{{ if $ing.ip }}{{ $ing.ip }}{{ else }}{{ $ing.hostname }}{{ end }}')
+```
+
+**Progressive DNS migration:**
+
+1. **Add Traefik to DNS** - Add the Traefik LoadBalancer IP to your DNS records (both IPs now receive traffic via round-robin)
+2. **Monitor** - Observe traffic patterns on both controllers
+3. **Remove NGINX from DNS** - Once confident, remove the NGINX LoadBalancer IP from DNS
+4. **Wait for DNS propagation** - Allow time for DNS caches to expire
+5. **Uninstall NGINX** - Proceed to [Step 4](#step-4-uninstall-ingress-nginx-controller)
+
+!!! warning "DNS TTL May Not Be Respected"
+
+    Some ISPs ignore DNS TTL values to reduce traffic costs, caching records longer than specified. After removing NGINX from DNS, keep NGINX running for at least 24-48 hours before uninstalling to avoid dropping traffic from users whose ISPs have stale DNS caches.
+
+??? info "ExternalDNS Users"
+
+    If you use [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) to automatically manage DNS records based on Ingress status, both NGINX and Traefik will compete to update the Ingress status with their LoadBalancer IPs when `publishService` is enabled. Traefik typically wins because it updates faster, which can cause unexpected traffic shifts.
+
+    **Recommended approach for ExternalDNS:**
+
+    1. **[Install Traefik](#step-1-install-traefik-alongside-nginx) with `publishService` disabled**:
+
+        ```yaml
+        # traefik-values.yaml
+        providers:
+          kubernetesIngressNginx:
+            enabled: true
+            publishService:
+              enabled: false  # Disable to prevent status updates
+        ```
+
+    2. **Test Traefik** using [port-forward](#step-2-verify-traefik-is-handling-traffic) or a separate test hostname
+
+    3. **Switch DNS via NGINX** - Configure NGINX to publish Traefik's service address:
+
+        ```yaml
+        # nginx-values.yaml
+        controller:
+          publishService:
+            pathOverride: "traefik/traefik"  # Points to Traefik's service
+        ```
+
+        This makes NGINX update the Ingress status with Traefik's LoadBalancer IP, causing ExternalDNS to point traffic to Traefik.
+
+    4. **Verify traffic flows through Traefik** - At this point, you can still rollback by removing the `pathOverride`
+
+    5. **[Enable `publishService` on Traefik](#step-1-install-traefik-alongside-nginx)** and [uninstall NGINX](#step-5-uninstall-nginx-ingress-controller)
+
+### Option B: External Load Balancer with Weighted Traffic
+
+For more control over traffic distribution, use an external load balancer (like Traefik, Cloudflare, AWS ALB, or a dedicated load balancer) in front of both Kubernetes LoadBalancers.
+
+!!! note "Infrastructure Prerequisite"
+
+    This option assumes you already have an external load balancer in your infrastructure, or are willing to set one up **before** starting the migration. Adding an external load balancer is a significant infrastructure change that should be planned and tested separately from the ingress controller migration.
+
+**Setup:**
+
+1. Create an external load balancer pointing to the NGINX Kubernetes LoadBalancer
+2. Update DNS to point to the external load balancer
+3. Add the Traefik Kubernetes LoadBalancer to the external load balancer with a low weight (e.g., 10%)
+4. Gradually increase Traefik's weight while decreasing NGINX's weight
+5. Once NGINX receives no traffic, uninstall it
+
+**Example weight progression:**
+
+| Phase | NGINX Weight | Traefik Weight | Duration |
+|-------|-------------|----------------|----------|
+| Initial | 100% | 0% | - |
+| Start | 90% | 10% | 1 hour |
+| Increase | 50% | 50% | 2 hour |
+| Near-complete | 10% | 90% | 4 hour |
+| Final | 0% | 100% | - |
+
+!!! tip "External Load Balancer Options"
+
+    - **Cloudflare Load Balancing** - Traffic steering with health checks
+    - **AWS Global Accelerator** - Weighted routing across endpoints
+    - **Google Cloud Load Balancing** - Traffic splitting
+    - **Traefik / HAProxy / NGINX (external)** - Self-hosted option with weighted backends
+    - ...
+
+### LoadBalancer IP Retention
+
+If you want Traefik to eventually use the same LoadBalancer IP as NGINX (to simplify DNS management), you can transfer the IP after the migration. Since Traefik is already running with its own LoadBalancer, this can be done with zero downtime.
+
+**Zero-downtime IP transfer process:**
+
+1. Traefik is already running with its own LoadBalancer IP (from Step 1)
+2. Add Traefik's LoadBalancer IP to DNS (traffic now goes to both NGINX and Traefik)
+3. Remove NGINX's IP from DNS and wait for propagation
+4. Delete NGINX's LoadBalancer service to release the IP
+5. Upgrade Traefik to claim the released IP
+6. (Optional) Remove Traefik's old IP from DNS once the new IP is active
+
+This way, traffic is always flowing to Traefik during the IP transfer.
+
+**Get your current NGINX LoadBalancer IP:**
+
+```bash
+kubectl get svc -n ingress-nginx ingress-nginx-controller -o go-template='{{ $ing := index .status.loadBalancer.ingress 0 }}{{ if $ing.ip }}{{ $ing.ip }}{{ else }}{{ $ing.hostname }}{{ end }}'
+```
+
+??? note "AWS (Network Load Balancer with Elastic IPs)"
+
+    AWS does not support static IPs for Classic Load Balancers. Use Network Load Balancers (NLB) with Elastic IPs instead. This requires the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/) to be installed in your cluster.
+
+    **Pre-allocate Elastic IPs (one per availability zone):**
+
+    ```bash
+    aws ec2 allocate-address --domain vpc --region <your-region>
+    # Note the AllocationId (eipalloc-xxx) for each EIP
+    ```
+
+    **Update `traefik-values.yaml`:**
+
+    ```yaml
+    service:
+      type: LoadBalancer
+      loadBalancerClass: service.k8s.aws/nlb  # Requires AWS Load Balancer Controller
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-type: "external"
+        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+        service.beta.kubernetes.io/aws-load-balancer-eip-allocations: "eipalloc-xxx,eipalloc-yyy"
+    ```
+
+    For more details, see the [AWS Load Balancer Controller annotations documentation](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/).
+
+??? note "Azure"
+
+    Azure supports static public IPs for Load Balancers.
+
+    **Identify existing public IP:**
+
+    ```bash
+    az network public-ip list --resource-group <your-resource-group> \
+      --query "[?ipAddress=='<your-ip>'].name" -o tsv
+    ```
+
+    **Update `traefik-values.yaml`:**
+
+    ```yaml
+    service:
+      type: LoadBalancer
+      annotations:
+        # Only needed if the public IP is in a different resource group than the AKS cluster
+        service.beta.kubernetes.io/azure-load-balancer-resource-group: "<public-ip-resource-group>"
+      spec:
+        loadBalancerIP: "<your-existing-ip>"
+    ```
+
+    For more details, see the [Azure AKS static IP documentation](https://learn.microsoft.com/en-us/azure/aks/static-ip).
+
+??? note "GCP"
+
+    GCP supports static IPs through reserved regional IP addresses.
+
+    **Reserve or identify existing IP:**
+
+    ```bash
+    # List existing static IPs
+    gcloud compute addresses list
+
+    # Or reserve a new regional static IP (must be in the same region as your GKE cluster)
+    gcloud compute addresses create traefik-ip --region <your-cluster-region>
+    ```
+
+    **Update `traefik-values.yaml`:**
+
+    ```yaml
+    service:
+      type: LoadBalancer
+      spec:
+        loadBalancerIP: "<your-static-ip>"
+    ```
+
+    For more details, see the [GKE LoadBalancer Service parameters documentation](https://cloud.google.com/kubernetes-engine/docs/concepts/service-load-balancer-parameters).
+
+??? note "Other Cloud Providers"
+
+    - **DigitalOcean:** Supports `loadBalancerIP` with floating IPs
+    - **Linode:** Supports `loadBalancerIP` specification
+    - **Bare Metal (MetalLB):** Use IP address pools
+
+**Transfer the IP:**
+
+Once DNS is pointing to Traefik and your values are configured with the target IP:
+
+```bash
+# Ensure Traefik is already receiving traffic via its current LoadBalancer
+kubectl get svc -n traefik traefik
+
+# Delete NGINX LoadBalancer service to release the IP
+kubectl delete svc -n ingress-nginx ingress-nginx-controller
+
+# Upgrade Traefik to claim the released IP
+helm upgrade traefik traefik/traefik \
+  --namespace traefik \
+  --values traefik-values.yaml
+
+# Verify Traefik now has the old NGINX IP
+kubectl get svc -n traefik traefik
+```
+
+!!! tip "Zero Downtime During Helm Upgrade"
+
+    The Helm upgrade only restarts the Traefik pod, not the LoadBalancer service. Traefik uses a `RollingUpdate` deployment strategy by default, so the new pod starts before the old one terminates. For additional safety, configure high availability:
+
+    ```yaml
+    # In traefik-values.yaml
+    deployment:
+      replicas: 2
+
+    # Spread pods across nodes to survive node failures
+    affinity:
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                app.kubernetes.io/name: traefik
+                app.kubernetes.io/instance: traefik
+            topologyKey: kubernetes.io/hostname
+
+    # Ensure at least one pod is always available during disruptions
+    podDisruptionBudget:
+      enabled: true
+      minAvailable: 1
+    ```
+
+    With multiple replicas spread across nodes and a PodDisruptionBudget, at least one pod is always running during upgrades and node maintenance.
+
+---
+
+## Step 4: Uninstall Ingress NGINX Controller
+
+Once NGINX is no longer receiving traffic, remove it from your cluster. Before uninstalling, you must ensure the `nginx` IngressClass is preserved. Traefik needs it to continue discovering your Ingresses.
+
+### Preserve the IngressClass
+
+??? note "If NGINX Was Installed via Helm"
+
+    Add the `helm.sh/resource-policy: keep` annotation to tell Helm to preserve the IngressClass:
+
+    ```bash
+    # Add the required annotation
+    helm upgrade ingress-nginx ingress-nginx \
+      --repo https://kubernetes.github.io/ingress-nginx \
+      --namespace ingress-nginx \
+      --reuse-values \
+      --set-json 'controller.ingressClassResource.annotations={"helm.sh/resource-policy": "keep"}'
+    # Check that the annotation is really here
+    kubectl describe ingressclass nginx
+    ```
+
+    The `--reuse-values` flag is critical - it preserves all your existing NGINX configuration. Without it, Helm would reset everything to defaults, potentially breaking your setup.
+
+    !!! info "kubectl annotate/patch/edit does not work"
+
+        Adding the annotation via `kubectl annotate`, `kubectl patch`, or `kubectl edit` will not preserve the IngressClass. Helm stores its release state internally and checks annotations from its internal manifest, not the live cluster state. Only `helm upgrade` updates Helm's internal state.
+
+??? note "If NGINX Was Installed via GitOps (ArgoCD, Flux)"
+
+    Ensure the `nginx` IngressClass is defined as a standalone resource in your Git repository, separate from the NGINX Helm release:
+
+    ```yaml
+    # ingressclass.yaml
+    apiVersion: networking.k8s.io/v1
+    kind: IngressClass
+    metadata:
+      name: nginx
+    spec:
+      controller: k8s.io/ingress-nginx
+    ```
+
+??? note "If NGINX Was Installed Manually"
+
+    Create the IngressClass as a standalone resource:
+
+    ```bash
+    kubectl apply -f - <<EOF
+    apiVersion: networking.k8s.io/v1
+    kind: IngressClass
+    metadata:
+      name: nginx
+    spec:
+      controller: k8s.io/ingress-nginx
+    EOF
+    ```
+
+### Delete NGINX Admission Webhook
+
+You should delete the admission webhook to avoid issues with Ingress modifications after NGINX is removed:
+
+```bash
+kubectl delete validatingwebhookconfiguration ingress-nginx-admission
+kubectl delete mutatingwebhookconfiguration ingress-nginx-admission --ignore-not-found
+```
+
+### Uninstall NGINX
+
+```bash
+helm uninstall ingress-nginx -n ingress-nginx
+```
+
+If you added the `helm.sh/resource-policy: keep` annotation, you should see:
+
+```text
+These resources were kept due to the resource policy:
+[IngressClass] nginx
+
+release "ingress-nginx" uninstalled
+```
+
+### Verify IngressClass Exists
+
+```bash
+kubectl get ingressclass nginx
+```
+
+In case, the ingressClass is somehow deleted, you can recreate it using the commands in [Preserve the IngressClass](#preserve-the-ingressclass).
+
+### Clean Up NGINX Namespace
+
+```bash
+kubectl delete namespace ingress-nginx
+```
+
+!!! success "Migration Complete"
+
+    Congratulations! You have successfully migrated from Ingress NGINX Controller to Traefik with zero downtime. Your existing Ingresses with `ingressClassName: nginx` continue to work, now served by Traefik.
+
+---
+
+## Troubleshooting
+
+There is a dashboard available in Traefik that can help to understand what's going on.
+Refer to the [dedicated documentation](../reference/install-configuration/api-dashboard.md#configuration-example) to enable it.
+
+??? note "Ingresses Not Discovered by Traefik"
+
+    ```bash
+    # Verify IngressClass exists
+    kubectl get ingressclass nginx
+
+    # Check Traefik provider configuration
+    kubectl logs -n traefik deployment/traefik | grep -i "nginx\|ingress"
+
+    # Verify Ingress has correct ingressClassName
+    kubectl get ingress <name> -o yaml | grep ingressClassName
+    ```
+
+??? note "Annotation Not Working as Expected"
+
+    Some NGINX annotations have behavioral differences in Traefik. Check the [limitations documentation](../reference/routing-configuration/kubernetes/ingress-nginx.md#limitations) for details.
+
+??? note "TLS Certificates Not Working"
+
+    Existing TLS configurations continue to work with Traefik:
+
+    - Keep `spec.tls` entries exactly as-is; Traefik terminates TLS using the referenced secrets
+    - TLS secrets must stay in the same namespace as the Ingress
+    - NGINX `ssl-redirect` / `force-ssl-redirect` annotations are honored
+
+    ```bash
+        # Verify TLS secret exists in the same namespace as Ingress
+    kubectl get secrets -n <namespace>
+
+        # Check secret format
+    kubectl get secret <tls-secret-name> -n <namespace> -o yaml
+    ```
+
+??? note "LoadBalancer IP Not Assigned"
+
+    ```bash
+      # Check service status
+      kubectl describe svc -n traefik traefik
+
+      # Check for events
+      kubectl get events -n traefik --sort-by='.lastTimestamp'
+    ```
+
+---
+
+## Next Steps
+
+**Learn More About Traefik:**
+
+- [Kubernetes Ingress NGINX Install Configuration](../reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md) - Detailed provider configuration
+- [Kubernetes Ingress NGINX Routing Configuration](../reference/routing-configuration/kubernetes/ingress-nginx.md) - Routing rules and annotation support
+- [HTTP Middlewares](../reference/routing-configuration/http/middlewares/overview.md) - Extend functionality beyond NGINX annotations
+- [TLS Configuration](../reference/routing-configuration/http/tls/overview.md) - Advanced TLS and certificate management
+
+**Enhance Your Setup:**
+
+- Enable [metrics](../reference/install-configuration/observability/metrics.md) and [tracing](../reference/install-configuration/observability/tracing.md)
+- Configure [access logs](../reference/install-configuration/observability/logs-and-accesslogs.md) for observability
+- Explore [Traefik Middlewares](../reference/routing-configuration/http/middlewares/overview.md) for advanced traffic management
+- Migrate from Nginx-based config to Traefik [IngressRoute](../reference/routing-configuration/kubernetes/crd/http/ingressroute.md) or [Kubernetes Gateway API](../reference/routing-configuration/kubernetes/gateway-api.md)
+- Consider [Traefik Hub](https://traefik.io/traefik-hub/) for enterprise features like AI & API Gateway, API Management, and advanced security
+
+---
+
+## Feedback and Support
+
+If you encounter issues during migration or have suggestions for improving this guide:
+
+- **Report Issues:** [GitHub Issues](https://github.com/traefik/traefik/issues)
+- **Community Support:** [Traefik Community Forum](https://community.traefik.io/)
+- **Enterprise Support:** [Traefik Labs Commercial Support](https://traefik.io/pricing/)
+
+We welcome contributions to improve this migration guide. See our [contribution guidelines](../contributing/submitting-pull-requests.md) to get started.

docs/content/migrate/v2-to-v3.md

@@ -158,4 +158,4 @@ core:
 - ✅ All applications functioning correctly
 - ✅ Performance metrics stable
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/migrate/v3.md

@@ -496,3 +496,110 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/con
 
 Starting with `v3.5.4`, and when using OpenTelemetry, the `traefik_tls_certs_not_after_milliseconds` metric is renamed to `traefik_tls_certs_not_after_seconds`.
 This change aligns the metric name with its real unit precision, which is in seconds. 
+
+## v3.6.0
+
+### Kubernetes Gateway API Provider
+
+Starting with `v3.6.0`, the Kubernetes Gateway API provider only supports version [v1.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.4.0) of the specification,
+which requires the Gateway API CRDs to be updated.
+
+**Apply Updated CRDs:**
+
+```shell
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
+```
+
+For the experimental channel:
+
+```shell
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml
+```
+
+### Kubernetes CRD Provider
+
+To use the new `leasttime` load-balancer algorithm with the Kubernetes CRD provider, you need to update your CRDs.
+
+**Apply Updated CRDs:**
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+## v3.6.2
+
+### Ingress NGINX Provider
+
+The KubernetesIngressNGINX Provider is no longer experimental in v3.6.2 and can be enabled without the `experimental.kubernetesIngressNGINX` option.
+
+**Deprecated Configuration:**
+
+??? example "Experimental kubernetesIngressNGINX option (deprecated)"
+
+    ```yaml tab="File (YAML)"
+    experimental:
+      kubernetesIngressNGINX: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [experimental]
+        kubernetesIngressNGINX=true
+    ```
+
+    ```bash tab="CLI"
+    --experimental.kubernetesIngressNGINX=true
+    ```
+
+**Migration Steps:**
+
+1. Remove the `kubernetesIngressNGINX` option from the experimental section
+2. Configure the provider using the [kubernetesIngressNGINX Provider documentation](../reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md)
+
+## v3.6.4
+
+### Encoded Characters in Request Path
+
+Starting with `v3.6.4`, for security reasons, Traefik now rejects requests with a path containing a specific set of encoded characters by default.
+
+When such a request is received, Traefik responds with a `400 Bad Request` status code.
+
+Here is the list of the encoded characters that are rejected by default, along with the corresponding configuration option to allow them:
+
+| Encoded Character | Character               | Config option to allow the encoded character                                         |
+|-------------------|-------------------------|--------------------------------------------------------------------------------------|
+| `%2f` or `%2F`    | `/` (slash)             | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSlash`          |
+| `%5c` or `%5C`    | `\` (backslash)         | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedBackSlash`     |
+| `%00`             | `NULL` (null character) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedNullCharacter` |
+| `%3b` or `%3B`    | `;` (semicolon)         | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSemicolon`     |
+| `%25`             | `%` (percent)           | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedPercent`       |
+| `%3f` or `%3F`    | `?` (question mark)     | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedQuestionMark`  |
+| `%23`             | `#` (hash)              | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedHash`          |
+
+Please check out the entrypoint [encodedCharacters option](../reference/install-configuration/entrypoints.md#opt-http-encodedCharacters) documentation for more details.
+
+## v3.6.7
+
+### Encoded Characters Configuration Default Values
+
+Since `v3.6.7`, the options for encoded characters now have a `true` default value.
+This means that Traefik will not reject requests with a path containing a specific set of encoded characters by default.
+It is now up to the users to configure the security hardening of encoded characters.
+
+Here is the list of the encoded characters that can be configured to `false` to disallow them:
+
+| Encoded Character | Character               | Config options                                                                       | Default value |
+|-------------------|-------------------------|--------------------------------------------------------------------------------------|---------------|
+| `%2f` or `%2F`    | `/` (slash)             | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSlash`          | `true`        |
+| `%5c` or `%5C`    | `\` (backslash)         | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedBackSlash`     | `true`        |
+| `%00`             | `NULL` (null character) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedNullCharacter` | `true`        |
+| `%3b` or `%3B`    | `;` (semicolon)         | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSemicolon`     | `true`        |
+| `%25`             | `%` (percent)           | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedPercent`       | `true`        |
+| `%3f` or `%3F`    | `?` (question mark)     | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedQuestionMark`  | `true`        |
+| `%23`             | `#` (hash)              | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedHash`          | `true`        |
+
+Note: This check is not done against query parameters,
+but only against the request path as defined
+in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
+
+Please check out the entrypoint [encodedCharacters option](../routing/entrypoints.md#encoded-characters) documentation
+for more details.

docs/content/observability/access-logs.md

@@ -306,7 +306,7 @@ Example utilizing Docker Compose:
 ```yaml
 services:
   traefik:
-    image: traefik:v3.5
+    image: traefik:v3.6
     environment:
       - TZ=US/Alaska
     command:
@@ -780,4 +780,4 @@ accesslog:
 --accesslog.otlp.grpc.tls.insecureSkipVerify=true
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/observability/logs.md

@@ -644,4 +644,4 @@ log:
 --log.otlp.grpc.tls.insecureSkipVerify=true
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/observe/overview.md

@@ -77,4 +77,4 @@ additionalArguments:
 !!! note
     A router with its own observability configuration will override the global default.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/operations/api.md

@@ -176,4 +176,4 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.             |
 | `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.               |
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/operations/dashboard.md

@@ -168,4 +168,4 @@ api:
 --api.dashboard=false
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/plugins/index.md

@@ -31,4 +31,4 @@ The experience of implementing a Traefik plugin is comparable to writing a web b
 
 To learn more about Traefik plugin creation, please refer to the [developer documentation](https://plugins.traefik.io/create).
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/providers/docker.md

@@ -163,7 +163,7 @@ See the [Docker API Access](#docker-api-access) section for more information.
     ```yaml
     services:
       traefik:
-         image: traefik:v3.5 # The official v3 Traefik docker image
+         image: traefik:v3.6 # The official v3 Traefik docker image
          ports:
            - "80:80"
          volumes:
@@ -702,4 +702,4 @@ providers:
 --providers.docker.allowEmptyServices=true
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/providers/file.md

@@ -292,4 +292,4 @@ To illustrate, it is possible to easily define multiple routers, services, and T
     {{ end }}
     ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/providers/kubernetes-crd.md

@@ -16,7 +16,7 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
 
 ## Requirements
 
-{!kubernetes-requirements.md!}
+{% include-markdown "includes/kubernetes-requirements.md" %}
 
 !!! tip "All Steps for a Successful Deployment"
 
@@ -31,10 +31,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
 
     ```bash
     # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
     
     # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
     ```
 
 ## Resource Configuration
@@ -365,4 +365,4 @@ providers:
 
 For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/providers/kubernetes-gateway.md

@@ -8,33 +8,33 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specification from the Kubernetes Special Interest Groups (SIGs).
 
-This provider supports Standard version [v1.3.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.3.0) of the Gateway API specification. 
+This provider supports Standard version [v1.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.4.0) of the Gateway API specification. 
 
 It fully supports all HTTP core and some extended features, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
 
-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.3.0/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.4.0/traefik-traefik).
 
 ## Requirements
 
-{!kubernetes-requirements.md!}
+{% include-markdown "includes/kubernetes-requirements.md" %}
 
 !!! info "Helm Chart"
 
     When using the Traefik [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you.
-    The only remaining task is to enable the `kubernetesGateway` in the chart [values](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L130).
+    The only remaining task is to enable the `kubernetesGateway` in the chart [values](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L323).
 
 1. Install/update the Kubernetes Gateway API CRDs.
 
     ```bash
     # Install Gateway API CRDs from the Standard channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
     ```
 
 2. Install the additional Traefik RBAC required for Gateway API.
 
     ```bash
     # Install Traefik RBACs.
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
     ```
 
 3. Deploy Traefik and enable the `kubernetesGateway` provider in the static configuration as detailed below:
@@ -275,7 +275,7 @@ providers:
 
     ```bash
     # Install Gateway API CRDs from the Experimental channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml
     ```
 
 ### `labelselector`
@@ -357,4 +357,4 @@ providers:
 --providers.kubernetesgateway.throttleDuration=10s
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/providers/kubernetes-ingress.md

@@ -13,7 +13,7 @@ it manages access to cluster services by supporting the [Ingress](https://kubern
 
 ## Requirements
 
-{!kubernetes-requirements.md!}
+{% include-markdown "includes/kubernetes-requirements.md" %}
 
 ## Routing Configuration
 
@@ -555,6 +555,6 @@ providers:
 ### Further
 
 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.5/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.6/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/providers/overview.md

@@ -227,4 +227,4 @@ List of providers that support constraints:
 - [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
 - [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/providers/swarm.md

@@ -769,4 +769,4 @@ providers:
 --providers.swarm.allowEmptyServices=true
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -199,37 +199,39 @@
 - "traefik.http.routers.router1.tls.domains[1].main=foobar"
 - "traefik.http.routers.router1.tls.domains[1].sans=foobar, foobar"
 - "traefik.http.routers.router1.tls.options=foobar"
-- "traefik.http.services.service02.loadbalancer.healthcheck.followredirects=true"
-- "traefik.http.services.service02.loadbalancer.healthcheck.headers.name0=foobar"
-- "traefik.http.services.service02.loadbalancer.healthcheck.headers.name1=foobar"
-- "traefik.http.services.service02.loadbalancer.healthcheck.hostname=foobar"
-- "traefik.http.services.service02.loadbalancer.healthcheck.interval=42s"
-- "traefik.http.services.service02.loadbalancer.healthcheck.method=foobar"
-- "traefik.http.services.service02.loadbalancer.healthcheck.mode=foobar"
-- "traefik.http.services.service02.loadbalancer.healthcheck.path=foobar"
-- "traefik.http.services.service02.loadbalancer.healthcheck.port=42"
-- "traefik.http.services.service02.loadbalancer.healthcheck.scheme=foobar"
-- "traefik.http.services.service02.loadbalancer.healthcheck.status=42"
-- "traefik.http.services.service02.loadbalancer.healthcheck.timeout=42s"
-- "traefik.http.services.service02.loadbalancer.healthcheck.unhealthyinterval=42s"
-- "traefik.http.services.service02.loadbalancer.passhostheader=true"
-- "traefik.http.services.service02.loadbalancer.responseforwarding.flushinterval=42s"
-- "traefik.http.services.service02.loadbalancer.serverstransport=foobar"
-- "traefik.http.services.service02.loadbalancer.sticky=true"
-- "traefik.http.services.service02.loadbalancer.sticky.cookie=true"
-- "traefik.http.services.service02.loadbalancer.sticky.cookie.domain=foobar"
-- "traefik.http.services.service02.loadbalancer.sticky.cookie.httponly=true"
-- "traefik.http.services.service02.loadbalancer.sticky.cookie.maxage=42"
-- "traefik.http.services.service02.loadbalancer.sticky.cookie.name=foobar"
-- "traefik.http.services.service02.loadbalancer.sticky.cookie.path=foobar"
-- "traefik.http.services.service02.loadbalancer.sticky.cookie.samesite=foobar"
-- "traefik.http.services.service02.loadbalancer.sticky.cookie.secure=true"
-- "traefik.http.services.service02.loadbalancer.strategy=foobar"
-- "traefik.http.services.service02.loadbalancer.server.port=foobar"
-- "traefik.http.services.service02.loadbalancer.server.preservepath=true"
-- "traefik.http.services.service02.loadbalancer.server.scheme=foobar"
-- "traefik.http.services.service02.loadbalancer.server.url=foobar"
-- "traefik.http.services.service02.loadbalancer.server.weight=42"
+- "traefik.http.services.service03.loadbalancer.healthcheck.followredirects=true"
+- "traefik.http.services.service03.loadbalancer.healthcheck.headers.name0=foobar"
+- "traefik.http.services.service03.loadbalancer.healthcheck.headers.name1=foobar"
+- "traefik.http.services.service03.loadbalancer.healthcheck.hostname=foobar"
+- "traefik.http.services.service03.loadbalancer.healthcheck.interval=42s"
+- "traefik.http.services.service03.loadbalancer.healthcheck.method=foobar"
+- "traefik.http.services.service03.loadbalancer.healthcheck.mode=foobar"
+- "traefik.http.services.service03.loadbalancer.healthcheck.path=foobar"
+- "traefik.http.services.service03.loadbalancer.healthcheck.port=42"
+- "traefik.http.services.service03.loadbalancer.healthcheck.scheme=foobar"
+- "traefik.http.services.service03.loadbalancer.healthcheck.status=42"
+- "traefik.http.services.service03.loadbalancer.healthcheck.timeout=42s"
+- "traefik.http.services.service03.loadbalancer.healthcheck.unhealthyinterval=42s"
+- "traefik.http.services.service03.loadbalancer.passhostheader=true"
+- "traefik.http.services.service03.loadbalancer.passivehealthcheck.failurewindow=42s"
+- "traefik.http.services.service03.loadbalancer.passivehealthcheck.maxfailedattempts=42"
+- "traefik.http.services.service03.loadbalancer.responseforwarding.flushinterval=42s"
+- "traefik.http.services.service03.loadbalancer.serverstransport=foobar"
+- "traefik.http.services.service03.loadbalancer.sticky=true"
+- "traefik.http.services.service03.loadbalancer.sticky.cookie=true"
+- "traefik.http.services.service03.loadbalancer.sticky.cookie.domain=foobar"
+- "traefik.http.services.service03.loadbalancer.sticky.cookie.httponly=true"
+- "traefik.http.services.service03.loadbalancer.sticky.cookie.maxage=42"
+- "traefik.http.services.service03.loadbalancer.sticky.cookie.name=foobar"
+- "traefik.http.services.service03.loadbalancer.sticky.cookie.path=foobar"
+- "traefik.http.services.service03.loadbalancer.sticky.cookie.samesite=foobar"
+- "traefik.http.services.service03.loadbalancer.sticky.cookie.secure=true"
+- "traefik.http.services.service03.loadbalancer.strategy=foobar"
+- "traefik.http.services.service03.loadbalancer.server.port=foobar"
+- "traefik.http.services.service03.loadbalancer.server.preservepath=true"
+- "traefik.http.services.service03.loadbalancer.server.scheme=foobar"
+- "traefik.http.services.service03.loadbalancer.server.url=foobar"
+- "traefik.http.services.service03.loadbalancer.server.weight=42"
 - "traefik.tcp.middlewares.tcpmiddleware01.ipallowlist.sourcerange=foobar, foobar"
 - "traefik.tcp.middlewares.tcpmiddleware02.ipwhitelist.sourcerange=foobar, foobar"
 - "traefik.tcp.middlewares.tcpmiddleware03.inflightconn.amount=42"

docs/content/reference/dynamic-configuration/file.toml

@@ -55,12 +55,23 @@
         fallback = "foobar"
         [http.services.Service01.failover.healthCheck]
     [http.services.Service02]
-      [http.services.Service02.loadBalancer]
+      [http.services.Service02.highestRandomWeight]
+
+        [[http.services.Service02.highestRandomWeight.services]]
+          name = "foobar"
+          weight = 42
+
+        [[http.services.Service02.highestRandomWeight.services]]
+          name = "foobar"
+          weight = 42
+        [http.services.Service02.highestRandomWeight.healthCheck]
+    [http.services.Service03]
+      [http.services.Service03.loadBalancer]
         strategy = "foobar"
         passHostHeader = true
         serversTransport = "foobar"
-        [http.services.Service02.loadBalancer.sticky]
-          [http.services.Service02.loadBalancer.sticky.cookie]
+        [http.services.Service03.loadBalancer.sticky]
+          [http.services.Service03.loadBalancer.sticky.cookie]
             name = "foobar"
             secure = true
             httpOnly = true
@@ -69,16 +80,16 @@
             path = "foobar"
             domain = "foobar"
 
-        [[http.services.Service02.loadBalancer.servers]]
+        [[http.services.Service03.loadBalancer.servers]]
           url = "foobar"
           weight = 42
           preservePath = true
 
-        [[http.services.Service02.loadBalancer.servers]]
+        [[http.services.Service03.loadBalancer.servers]]
           url = "foobar"
           weight = 42
           preservePath = true
-        [http.services.Service02.loadBalancer.healthCheck]
+        [http.services.Service03.loadBalancer.healthCheck]
           scheme = "foobar"
           mode = "foobar"
           path = "foobar"
@@ -90,37 +101,40 @@
           timeout = "42s"
           hostname = "foobar"
           followRedirects = true
-          [http.services.Service02.loadBalancer.healthCheck.headers]
+          [http.services.Service03.loadBalancer.healthCheck.headers]
             name0 = "foobar"
             name1 = "foobar"
-        [http.services.Service02.loadBalancer.responseForwarding]
+        [http.services.Service03.loadBalancer.passiveHealthCheck]
+          failureWindow = "42s"
+          maxFailedAttempts = 42
+        [http.services.Service03.loadBalancer.responseForwarding]
           flushInterval = "42s"
-    [http.services.Service03]
-      [http.services.Service03.mirroring]
+    [http.services.Service04]
+      [http.services.Service04.mirroring]
         service = "foobar"
         mirrorBody = true
         maxBodySize = 42
 
-        [[http.services.Service03.mirroring.mirrors]]
+        [[http.services.Service04.mirroring.mirrors]]
           name = "foobar"
           percent = 42
 
-        [[http.services.Service03.mirroring.mirrors]]
+        [[http.services.Service04.mirroring.mirrors]]
           name = "foobar"
           percent = 42
-        [http.services.Service03.mirroring.healthCheck]
-    [http.services.Service04]
-      [http.services.Service04.weighted]
+        [http.services.Service04.mirroring.healthCheck]
+    [http.services.Service05]
+      [http.services.Service05.weighted]
 
-        [[http.services.Service04.weighted.services]]
+        [[http.services.Service05.weighted.services]]
           name = "foobar"
           weight = 42
 
-        [[http.services.Service04.weighted.services]]
+        [[http.services.Service05.weighted.services]]
           name = "foobar"
           weight = 42
-        [http.services.Service04.weighted.sticky]
-          [http.services.Service04.weighted.sticky.cookie]
+        [http.services.Service05.weighted.sticky]
+          [http.services.Service05.weighted.sticky.cookie]
             name = "foobar"
             secure = true
             httpOnly = true
@@ -128,7 +142,7 @@
             maxAge = 42
             path = "foobar"
             domain = "foobar"
-        [http.services.Service04.weighted.healthCheck]
+        [http.services.Service05.weighted.healthCheck]
   [http.middlewares]
     [http.middlewares.Middleware01]
       [http.middlewares.Middleware01.addPrefix]

docs/content/reference/dynamic-configuration/file.yaml

@@ -65,6 +65,14 @@ http:
         fallback: foobar
         healthCheck: {}
     Service02:
+      highestRandomWeight:
+        services:
+          - name: foobar
+            weight: 42
+          - name: foobar
+            weight: 42
+        healthCheck: {}
+    Service03:
       loadBalancer:
         sticky:
           cookie:
@@ -98,11 +106,14 @@ http:
           headers:
             name0: foobar
             name1: foobar
+        passiveHealthCheck:
+          failureWindow: 42s
+          maxFailedAttempts: 42
         passHostHeader: true
         responseForwarding:
           flushInterval: 42s
         serversTransport: foobar
-    Service03:
+    Service04:
       mirroring:
         service: foobar
         mirrorBody: true
@@ -113,7 +124,7 @@ http:
           - name: foobar
             percent: 42
         healthCheck: {}
-    Service04:
+    Service05:
       weighted:
         services:
           - name: foobar

docs/content/reference/dynamic-configuration/kubernetes-crd.md

@@ -26,4 +26,4 @@ Dynamic configuration with Kubernetes Custom Resource
 --8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml

@@ -1,4 +1,3 @@
----
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
 metadata:

docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml

@@ -1,4 +1,3 @@
----
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
 metadata:

docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -25,7 +24,7 @@ spec:
       serviceAccountName: traefik-controller
       containers:
         - name: traefik
-          image: traefik:v3.5
+          image: traefik:v3.6
           args:
             - --entryPoints.web.address=:80
             - --entryPoints.websecure.address=:443

docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml

@@ -0,0 +1,65 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: traefik-ingress-nginx-controller
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - secrets
+    verbs:
+      - list
+      - watch
+  # When using the watchNamespaceSelector option,
+  # Traefik requires permissions to list and watch namespaces.
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - list
+      - watch
+  # The pods right is needed to inject k8s.pod.uid and k8s.pod.name OTel attributes.
+  # When OTel tracing/logs/metrics are not enabled, this rule is not needed.
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - ingressclasses
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: traefik-ingress-nginx-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-nginx-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik-ingress-nginx-controller
+    namespace: default

docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml

@@ -0,0 +1,49 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: knative-networking-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.internal.knative.dev
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.internal.knative.dev
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: gateway-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: knative-networking-role
+subjects:
+  - kind: ServiceAccount
+    name: traefik-controller
+    namespace: default

docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml

@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:

docs/content/reference/dynamic-configuration/kv-ref.md

@@ -274,56 +274,63 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-traefikhttpservicesService01failoverfallback" href="#opt-traefikhttpservicesService01failoverfallback" title="#opt-traefikhttpservicesService01failoverfallback">`traefik/http/services/Service01/failover/fallback`</a> | `foobar` |
 | <a id="opt-traefikhttpservicesService01failoverhealthCheck" href="#opt-traefikhttpservicesService01failoverhealthCheck" title="#opt-traefikhttpservicesService01failoverhealthCheck">`traefik/http/services/Service01/failover/healthCheck`</a> | `` |
 | <a id="opt-traefikhttpservicesService01failoverservice" href="#opt-traefikhttpservicesService01failoverservice" title="#opt-traefikhttpservicesService01failoverservice">`traefik/http/services/Service01/failover/service`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckfollowRedirects" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckfollowRedirects" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckfollowRedirects">`traefik/http/services/Service02/loadBalancer/healthCheck/followRedirects`</a> | `true` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckheadersname0" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckheadersname0" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckheadersname0">`traefik/http/services/Service02/loadBalancer/healthCheck/headers/name0`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckheadersname1" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckheadersname1" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckheadersname1">`traefik/http/services/Service02/loadBalancer/healthCheck/headers/name1`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckhostname" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckhostname" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckhostname">`traefik/http/services/Service02/loadBalancer/healthCheck/hostname`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckinterval" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckinterval" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckinterval">`traefik/http/services/Service02/loadBalancer/healthCheck/interval`</a> | `42s` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckmethod" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckmethod" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckmethod">`traefik/http/services/Service02/loadBalancer/healthCheck/method`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckmode" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckmode" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckmode">`traefik/http/services/Service02/loadBalancer/healthCheck/mode`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckpath" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckpath" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckpath">`traefik/http/services/Service02/loadBalancer/healthCheck/path`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckport" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckport" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckport">`traefik/http/services/Service02/loadBalancer/healthCheck/port`</a> | `42` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckscheme" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckscheme" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckscheme">`traefik/http/services/Service02/loadBalancer/healthCheck/scheme`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckstatus" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckstatus" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckstatus">`traefik/http/services/Service02/loadBalancer/healthCheck/status`</a> | `42` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthChecktimeout" href="#opt-traefikhttpservicesService02loadBalancerhealthChecktimeout" title="#opt-traefikhttpservicesService02loadBalancerhealthChecktimeout">`traefik/http/services/Service02/loadBalancer/healthCheck/timeout`</a> | `42s` |
-| <a id="opt-traefikhttpservicesService02loadBalancerhealthCheckunhealthyInterval" href="#opt-traefikhttpservicesService02loadBalancerhealthCheckunhealthyInterval" title="#opt-traefikhttpservicesService02loadBalancerhealthCheckunhealthyInterval">`traefik/http/services/Service02/loadBalancer/healthCheck/unhealthyInterval`</a> | `42s` |
-| <a id="opt-traefikhttpservicesService02loadBalancerpassHostHeader" href="#opt-traefikhttpservicesService02loadBalancerpassHostHeader" title="#opt-traefikhttpservicesService02loadBalancerpassHostHeader">`traefik/http/services/Service02/loadBalancer/passHostHeader`</a> | `true` |
-| <a id="opt-traefikhttpservicesService02loadBalancerresponseForwardingflushInterval" href="#opt-traefikhttpservicesService02loadBalancerresponseForwardingflushInterval" title="#opt-traefikhttpservicesService02loadBalancerresponseForwardingflushInterval">`traefik/http/services/Service02/loadBalancer/responseForwarding/flushInterval`</a> | `42s` |
-| <a id="opt-traefikhttpservicesService02loadBalancerservers0preservePath" href="#opt-traefikhttpservicesService02loadBalancerservers0preservePath" title="#opt-traefikhttpservicesService02loadBalancerservers0preservePath">`traefik/http/services/Service02/loadBalancer/servers/0/preservePath`</a> | `true` |
-| <a id="opt-traefikhttpservicesService02loadBalancerservers0url" href="#opt-traefikhttpservicesService02loadBalancerservers0url" title="#opt-traefikhttpservicesService02loadBalancerservers0url">`traefik/http/services/Service02/loadBalancer/servers/0/url`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerservers0weight" href="#opt-traefikhttpservicesService02loadBalancerservers0weight" title="#opt-traefikhttpservicesService02loadBalancerservers0weight">`traefik/http/services/Service02/loadBalancer/servers/0/weight`</a> | `42` |
-| <a id="opt-traefikhttpservicesService02loadBalancerservers1preservePath" href="#opt-traefikhttpservicesService02loadBalancerservers1preservePath" title="#opt-traefikhttpservicesService02loadBalancerservers1preservePath">`traefik/http/services/Service02/loadBalancer/servers/1/preservePath`</a> | `true` |
-| <a id="opt-traefikhttpservicesService02loadBalancerservers1url" href="#opt-traefikhttpservicesService02loadBalancerservers1url" title="#opt-traefikhttpservicesService02loadBalancerservers1url">`traefik/http/services/Service02/loadBalancer/servers/1/url`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerservers1weight" href="#opt-traefikhttpservicesService02loadBalancerservers1weight" title="#opt-traefikhttpservicesService02loadBalancerservers1weight">`traefik/http/services/Service02/loadBalancer/servers/1/weight`</a> | `42` |
-| <a id="opt-traefikhttpservicesService02loadBalancerserversTransport" href="#opt-traefikhttpservicesService02loadBalancerserversTransport" title="#opt-traefikhttpservicesService02loadBalancerserversTransport">`traefik/http/services/Service02/loadBalancer/serversTransport`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerstickycookiedomain" href="#opt-traefikhttpservicesService02loadBalancerstickycookiedomain" title="#opt-traefikhttpservicesService02loadBalancerstickycookiedomain">`traefik/http/services/Service02/loadBalancer/sticky/cookie/domain`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerstickycookiehttpOnly" href="#opt-traefikhttpservicesService02loadBalancerstickycookiehttpOnly" title="#opt-traefikhttpservicesService02loadBalancerstickycookiehttpOnly">`traefik/http/services/Service02/loadBalancer/sticky/cookie/httpOnly`</a> | `true` |
-| <a id="opt-traefikhttpservicesService02loadBalancerstickycookiemaxAge" href="#opt-traefikhttpservicesService02loadBalancerstickycookiemaxAge" title="#opt-traefikhttpservicesService02loadBalancerstickycookiemaxAge">`traefik/http/services/Service02/loadBalancer/sticky/cookie/maxAge`</a> | `42` |
-| <a id="opt-traefikhttpservicesService02loadBalancerstickycookiename" href="#opt-traefikhttpservicesService02loadBalancerstickycookiename" title="#opt-traefikhttpservicesService02loadBalancerstickycookiename">`traefik/http/services/Service02/loadBalancer/sticky/cookie/name`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerstickycookiepath" href="#opt-traefikhttpservicesService02loadBalancerstickycookiepath" title="#opt-traefikhttpservicesService02loadBalancerstickycookiepath">`traefik/http/services/Service02/loadBalancer/sticky/cookie/path`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerstickycookiesameSite" href="#opt-traefikhttpservicesService02loadBalancerstickycookiesameSite" title="#opt-traefikhttpservicesService02loadBalancerstickycookiesameSite">`traefik/http/services/Service02/loadBalancer/sticky/cookie/sameSite`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService02loadBalancerstickycookiesecure" href="#opt-traefikhttpservicesService02loadBalancerstickycookiesecure" title="#opt-traefikhttpservicesService02loadBalancerstickycookiesecure">`traefik/http/services/Service02/loadBalancer/sticky/cookie/secure`</a> | `true` |
-| <a id="opt-traefikhttpservicesService02loadBalancerstrategy" href="#opt-traefikhttpservicesService02loadBalancerstrategy" title="#opt-traefikhttpservicesService02loadBalancerstrategy">`traefik/http/services/Service02/loadBalancer/strategy`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService03mirroringhealthCheck" href="#opt-traefikhttpservicesService03mirroringhealthCheck" title="#opt-traefikhttpservicesService03mirroringhealthCheck">`traefik/http/services/Service03/mirroring/healthCheck`</a> | `` |
-| <a id="opt-traefikhttpservicesService03mirroringmaxBodySize" href="#opt-traefikhttpservicesService03mirroringmaxBodySize" title="#opt-traefikhttpservicesService03mirroringmaxBodySize">`traefik/http/services/Service03/mirroring/maxBodySize`</a> | `42` |
-| <a id="opt-traefikhttpservicesService03mirroringmirrorBody" href="#opt-traefikhttpservicesService03mirroringmirrorBody" title="#opt-traefikhttpservicesService03mirroringmirrorBody">`traefik/http/services/Service03/mirroring/mirrorBody`</a> | `true` |
-| <a id="opt-traefikhttpservicesService03mirroringmirrors0name" href="#opt-traefikhttpservicesService03mirroringmirrors0name" title="#opt-traefikhttpservicesService03mirroringmirrors0name">`traefik/http/services/Service03/mirroring/mirrors/0/name`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService03mirroringmirrors0percent" href="#opt-traefikhttpservicesService03mirroringmirrors0percent" title="#opt-traefikhttpservicesService03mirroringmirrors0percent">`traefik/http/services/Service03/mirroring/mirrors/0/percent`</a> | `42` |
-| <a id="opt-traefikhttpservicesService03mirroringmirrors1name" href="#opt-traefikhttpservicesService03mirroringmirrors1name" title="#opt-traefikhttpservicesService03mirroringmirrors1name">`traefik/http/services/Service03/mirroring/mirrors/1/name`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService03mirroringmirrors1percent" href="#opt-traefikhttpservicesService03mirroringmirrors1percent" title="#opt-traefikhttpservicesService03mirroringmirrors1percent">`traefik/http/services/Service03/mirroring/mirrors/1/percent`</a> | `42` |
-| <a id="opt-traefikhttpservicesService03mirroringservice" href="#opt-traefikhttpservicesService03mirroringservice" title="#opt-traefikhttpservicesService03mirroringservice">`traefik/http/services/Service03/mirroring/service`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService04weightedhealthCheck" href="#opt-traefikhttpservicesService04weightedhealthCheck" title="#opt-traefikhttpservicesService04weightedhealthCheck">`traefik/http/services/Service04/weighted/healthCheck`</a> | `` |
-| <a id="opt-traefikhttpservicesService04weightedservices0name" href="#opt-traefikhttpservicesService04weightedservices0name" title="#opt-traefikhttpservicesService04weightedservices0name">`traefik/http/services/Service04/weighted/services/0/name`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService04weightedservices0weight" href="#opt-traefikhttpservicesService04weightedservices0weight" title="#opt-traefikhttpservicesService04weightedservices0weight">`traefik/http/services/Service04/weighted/services/0/weight`</a> | `42` |
-| <a id="opt-traefikhttpservicesService04weightedservices1name" href="#opt-traefikhttpservicesService04weightedservices1name" title="#opt-traefikhttpservicesService04weightedservices1name">`traefik/http/services/Service04/weighted/services/1/name`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService04weightedservices1weight" href="#opt-traefikhttpservicesService04weightedservices1weight" title="#opt-traefikhttpservicesService04weightedservices1weight">`traefik/http/services/Service04/weighted/services/1/weight`</a> | `42` |
-| <a id="opt-traefikhttpservicesService04weightedstickycookiedomain" href="#opt-traefikhttpservicesService04weightedstickycookiedomain" title="#opt-traefikhttpservicesService04weightedstickycookiedomain">`traefik/http/services/Service04/weighted/sticky/cookie/domain`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService04weightedstickycookiehttpOnly" href="#opt-traefikhttpservicesService04weightedstickycookiehttpOnly" title="#opt-traefikhttpservicesService04weightedstickycookiehttpOnly">`traefik/http/services/Service04/weighted/sticky/cookie/httpOnly`</a> | `true` |
-| <a id="opt-traefikhttpservicesService04weightedstickycookiemaxAge" href="#opt-traefikhttpservicesService04weightedstickycookiemaxAge" title="#opt-traefikhttpservicesService04weightedstickycookiemaxAge">`traefik/http/services/Service04/weighted/sticky/cookie/maxAge`</a> | `42` |
-| <a id="opt-traefikhttpservicesService04weightedstickycookiename" href="#opt-traefikhttpservicesService04weightedstickycookiename" title="#opt-traefikhttpservicesService04weightedstickycookiename">`traefik/http/services/Service04/weighted/sticky/cookie/name`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService04weightedstickycookiepath" href="#opt-traefikhttpservicesService04weightedstickycookiepath" title="#opt-traefikhttpservicesService04weightedstickycookiepath">`traefik/http/services/Service04/weighted/sticky/cookie/path`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService04weightedstickycookiesameSite" href="#opt-traefikhttpservicesService04weightedstickycookiesameSite" title="#opt-traefikhttpservicesService04weightedstickycookiesameSite">`traefik/http/services/Service04/weighted/sticky/cookie/sameSite`</a> | `foobar` |
-| <a id="opt-traefikhttpservicesService04weightedstickycookiesecure" href="#opt-traefikhttpservicesService04weightedstickycookiesecure" title="#opt-traefikhttpservicesService04weightedstickycookiesecure">`traefik/http/services/Service04/weighted/sticky/cookie/secure`</a> | `true` |
+| <a id="opt-traefikhttpservicesService02highestRandomWeighthealthCheck" href="#opt-traefikhttpservicesService02highestRandomWeighthealthCheck" title="#opt-traefikhttpservicesService02highestRandomWeighthealthCheck">`traefik/http/services/Service02/highestRandomWeight/healthCheck`</a> | `` |
+| <a id="opt-traefikhttpservicesService02highestRandomWeightservices0name" href="#opt-traefikhttpservicesService02highestRandomWeightservices0name" title="#opt-traefikhttpservicesService02highestRandomWeightservices0name">`traefik/http/services/Service02/highestRandomWeight/services/0/name`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService02highestRandomWeightservices0weight" href="#opt-traefikhttpservicesService02highestRandomWeightservices0weight" title="#opt-traefikhttpservicesService02highestRandomWeightservices0weight">`traefik/http/services/Service02/highestRandomWeight/services/0/weight`</a> | `42` |
+| <a id="opt-traefikhttpservicesService02highestRandomWeightservices1name" href="#opt-traefikhttpservicesService02highestRandomWeightservices1name" title="#opt-traefikhttpservicesService02highestRandomWeightservices1name">`traefik/http/services/Service02/highestRandomWeight/services/1/name`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService02highestRandomWeightservices1weight" href="#opt-traefikhttpservicesService02highestRandomWeightservices1weight" title="#opt-traefikhttpservicesService02highestRandomWeightservices1weight">`traefik/http/services/Service02/highestRandomWeight/services/1/weight`</a> | `42` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckfollowRedirects" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckfollowRedirects" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckfollowRedirects">`traefik/http/services/Service03/loadBalancer/healthCheck/followRedirects`</a> | `true` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckheadersname0" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckheadersname0" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckheadersname0">`traefik/http/services/Service03/loadBalancer/healthCheck/headers/name0`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckheadersname1" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckheadersname1" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckheadersname1">`traefik/http/services/Service03/loadBalancer/healthCheck/headers/name1`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckhostname" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckhostname" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckhostname">`traefik/http/services/Service03/loadBalancer/healthCheck/hostname`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckinterval" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckinterval" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckinterval">`traefik/http/services/Service03/loadBalancer/healthCheck/interval`</a> | `42s` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckmethod" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckmethod" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckmethod">`traefik/http/services/Service03/loadBalancer/healthCheck/method`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckmode" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckmode" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckmode">`traefik/http/services/Service03/loadBalancer/healthCheck/mode`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckpath" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckpath" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckpath">`traefik/http/services/Service03/loadBalancer/healthCheck/path`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckport" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckport" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckport">`traefik/http/services/Service03/loadBalancer/healthCheck/port`</a> | `42` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckscheme" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckscheme" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckscheme">`traefik/http/services/Service03/loadBalancer/healthCheck/scheme`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckstatus" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckstatus" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckstatus">`traefik/http/services/Service03/loadBalancer/healthCheck/status`</a> | `42` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthChecktimeout" href="#opt-traefikhttpservicesService03loadBalancerhealthChecktimeout" title="#opt-traefikhttpservicesService03loadBalancerhealthChecktimeout">`traefik/http/services/Service03/loadBalancer/healthCheck/timeout`</a> | `42s` |
+| <a id="opt-traefikhttpservicesService03loadBalancerhealthCheckunhealthyInterval" href="#opt-traefikhttpservicesService03loadBalancerhealthCheckunhealthyInterval" title="#opt-traefikhttpservicesService03loadBalancerhealthCheckunhealthyInterval">`traefik/http/services/Service03/loadBalancer/healthCheck/unhealthyInterval`</a> | `42s` |
+| <a id="opt-traefikhttpservicesService03loadBalancerpassHostHeader" href="#opt-traefikhttpservicesService03loadBalancerpassHostHeader" title="#opt-traefikhttpservicesService03loadBalancerpassHostHeader">`traefik/http/services/Service03/loadBalancer/passHostHeader`</a> | `true` |
+| <a id="opt-traefikhttpservicesService03loadBalancerpassiveHealthCheckfailureWindow" href="#opt-traefikhttpservicesService03loadBalancerpassiveHealthCheckfailureWindow" title="#opt-traefikhttpservicesService03loadBalancerpassiveHealthCheckfailureWindow">`traefik/http/services/Service03/loadBalancer/passiveHealthCheck/failureWindow`</a> | `42s` |
+| <a id="opt-traefikhttpservicesService03loadBalancerpassiveHealthCheckmaxFailedAttempts" href="#opt-traefikhttpservicesService03loadBalancerpassiveHealthCheckmaxFailedAttempts" title="#opt-traefikhttpservicesService03loadBalancerpassiveHealthCheckmaxFailedAttempts">`traefik/http/services/Service03/loadBalancer/passiveHealthCheck/maxFailedAttempts`</a> | `42` |
+| <a id="opt-traefikhttpservicesService03loadBalancerresponseForwardingflushInterval" href="#opt-traefikhttpservicesService03loadBalancerresponseForwardingflushInterval" title="#opt-traefikhttpservicesService03loadBalancerresponseForwardingflushInterval">`traefik/http/services/Service03/loadBalancer/responseForwarding/flushInterval`</a> | `42s` |
+| <a id="opt-traefikhttpservicesService03loadBalancerservers0preservePath" href="#opt-traefikhttpservicesService03loadBalancerservers0preservePath" title="#opt-traefikhttpservicesService03loadBalancerservers0preservePath">`traefik/http/services/Service03/loadBalancer/servers/0/preservePath`</a> | `true` |
+| <a id="opt-traefikhttpservicesService03loadBalancerservers0url" href="#opt-traefikhttpservicesService03loadBalancerservers0url" title="#opt-traefikhttpservicesService03loadBalancerservers0url">`traefik/http/services/Service03/loadBalancer/servers/0/url`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerservers0weight" href="#opt-traefikhttpservicesService03loadBalancerservers0weight" title="#opt-traefikhttpservicesService03loadBalancerservers0weight">`traefik/http/services/Service03/loadBalancer/servers/0/weight`</a> | `42` |
+| <a id="opt-traefikhttpservicesService03loadBalancerservers1preservePath" href="#opt-traefikhttpservicesService03loadBalancerservers1preservePath" title="#opt-traefikhttpservicesService03loadBalancerservers1preservePath">`traefik/http/services/Service03/loadBalancer/servers/1/preservePath`</a> | `true` |
+| <a id="opt-traefikhttpservicesService03loadBalancerservers1url" href="#opt-traefikhttpservicesService03loadBalancerservers1url" title="#opt-traefikhttpservicesService03loadBalancerservers1url">`traefik/http/services/Service03/loadBalancer/servers/1/url`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerservers1weight" href="#opt-traefikhttpservicesService03loadBalancerservers1weight" title="#opt-traefikhttpservicesService03loadBalancerservers1weight">`traefik/http/services/Service03/loadBalancer/servers/1/weight`</a> | `42` |
+| <a id="opt-traefikhttpservicesService03loadBalancerserversTransport" href="#opt-traefikhttpservicesService03loadBalancerserversTransport" title="#opt-traefikhttpservicesService03loadBalancerserversTransport">`traefik/http/services/Service03/loadBalancer/serversTransport`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerstickycookiedomain" href="#opt-traefikhttpservicesService03loadBalancerstickycookiedomain" title="#opt-traefikhttpservicesService03loadBalancerstickycookiedomain">`traefik/http/services/Service03/loadBalancer/sticky/cookie/domain`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerstickycookiehttpOnly" href="#opt-traefikhttpservicesService03loadBalancerstickycookiehttpOnly" title="#opt-traefikhttpservicesService03loadBalancerstickycookiehttpOnly">`traefik/http/services/Service03/loadBalancer/sticky/cookie/httpOnly`</a> | `true` |
+| <a id="opt-traefikhttpservicesService03loadBalancerstickycookiemaxAge" href="#opt-traefikhttpservicesService03loadBalancerstickycookiemaxAge" title="#opt-traefikhttpservicesService03loadBalancerstickycookiemaxAge">`traefik/http/services/Service03/loadBalancer/sticky/cookie/maxAge`</a> | `42` |
+| <a id="opt-traefikhttpservicesService03loadBalancerstickycookiename" href="#opt-traefikhttpservicesService03loadBalancerstickycookiename" title="#opt-traefikhttpservicesService03loadBalancerstickycookiename">`traefik/http/services/Service03/loadBalancer/sticky/cookie/name`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerstickycookiepath" href="#opt-traefikhttpservicesService03loadBalancerstickycookiepath" title="#opt-traefikhttpservicesService03loadBalancerstickycookiepath">`traefik/http/services/Service03/loadBalancer/sticky/cookie/path`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerstickycookiesameSite" href="#opt-traefikhttpservicesService03loadBalancerstickycookiesameSite" title="#opt-traefikhttpservicesService03loadBalancerstickycookiesameSite">`traefik/http/services/Service03/loadBalancer/sticky/cookie/sameSite`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService03loadBalancerstickycookiesecure" href="#opt-traefikhttpservicesService03loadBalancerstickycookiesecure" title="#opt-traefikhttpservicesService03loadBalancerstickycookiesecure">`traefik/http/services/Service03/loadBalancer/sticky/cookie/secure`</a> | `true` |
+| <a id="opt-traefikhttpservicesService03loadBalancerstrategy" href="#opt-traefikhttpservicesService03loadBalancerstrategy" title="#opt-traefikhttpservicesService03loadBalancerstrategy">`traefik/http/services/Service03/loadBalancer/strategy`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService04mirroringhealthCheck" href="#opt-traefikhttpservicesService04mirroringhealthCheck" title="#opt-traefikhttpservicesService04mirroringhealthCheck">`traefik/http/services/Service04/mirroring/healthCheck`</a> | `` |
+| <a id="opt-traefikhttpservicesService04mirroringmaxBodySize" href="#opt-traefikhttpservicesService04mirroringmaxBodySize" title="#opt-traefikhttpservicesService04mirroringmaxBodySize">`traefik/http/services/Service04/mirroring/maxBodySize`</a> | `42` |
+| <a id="opt-traefikhttpservicesService04mirroringmirrorBody" href="#opt-traefikhttpservicesService04mirroringmirrorBody" title="#opt-traefikhttpservicesService04mirroringmirrorBody">`traefik/http/services/Service04/mirroring/mirrorBody`</a> | `true` |
+| <a id="opt-traefikhttpservicesService04mirroringmirrors0name" href="#opt-traefikhttpservicesService04mirroringmirrors0name" title="#opt-traefikhttpservicesService04mirroringmirrors0name">`traefik/http/services/Service04/mirroring/mirrors/0/name`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService04mirroringmirrors0percent" href="#opt-traefikhttpservicesService04mirroringmirrors0percent" title="#opt-traefikhttpservicesService04mirroringmirrors0percent">`traefik/http/services/Service04/mirroring/mirrors/0/percent`</a> | `42` |
+| <a id="opt-traefikhttpservicesService04mirroringmirrors1name" href="#opt-traefikhttpservicesService04mirroringmirrors1name" title="#opt-traefikhttpservicesService04mirroringmirrors1name">`traefik/http/services/Service04/mirroring/mirrors/1/name`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService04mirroringmirrors1percent" href="#opt-traefikhttpservicesService04mirroringmirrors1percent" title="#opt-traefikhttpservicesService04mirroringmirrors1percent">`traefik/http/services/Service04/mirroring/mirrors/1/percent`</a> | `42` |
+| <a id="opt-traefikhttpservicesService04mirroringservice" href="#opt-traefikhttpservicesService04mirroringservice" title="#opt-traefikhttpservicesService04mirroringservice">`traefik/http/services/Service04/mirroring/service`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService05weightedhealthCheck" href="#opt-traefikhttpservicesService05weightedhealthCheck" title="#opt-traefikhttpservicesService05weightedhealthCheck">`traefik/http/services/Service05/weighted/healthCheck`</a> | `` |
+| <a id="opt-traefikhttpservicesService05weightedservices0name" href="#opt-traefikhttpservicesService05weightedservices0name" title="#opt-traefikhttpservicesService05weightedservices0name">`traefik/http/services/Service05/weighted/services/0/name`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService05weightedservices0weight" href="#opt-traefikhttpservicesService05weightedservices0weight" title="#opt-traefikhttpservicesService05weightedservices0weight">`traefik/http/services/Service05/weighted/services/0/weight`</a> | `42` |
+| <a id="opt-traefikhttpservicesService05weightedservices1name" href="#opt-traefikhttpservicesService05weightedservices1name" title="#opt-traefikhttpservicesService05weightedservices1name">`traefik/http/services/Service05/weighted/services/1/name`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService05weightedservices1weight" href="#opt-traefikhttpservicesService05weightedservices1weight" title="#opt-traefikhttpservicesService05weightedservices1weight">`traefik/http/services/Service05/weighted/services/1/weight`</a> | `42` |
+| <a id="opt-traefikhttpservicesService05weightedstickycookiedomain" href="#opt-traefikhttpservicesService05weightedstickycookiedomain" title="#opt-traefikhttpservicesService05weightedstickycookiedomain">`traefik/http/services/Service05/weighted/sticky/cookie/domain`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService05weightedstickycookiehttpOnly" href="#opt-traefikhttpservicesService05weightedstickycookiehttpOnly" title="#opt-traefikhttpservicesService05weightedstickycookiehttpOnly">`traefik/http/services/Service05/weighted/sticky/cookie/httpOnly`</a> | `true` |
+| <a id="opt-traefikhttpservicesService05weightedstickycookiemaxAge" href="#opt-traefikhttpservicesService05weightedstickycookiemaxAge" title="#opt-traefikhttpservicesService05weightedstickycookiemaxAge">`traefik/http/services/Service05/weighted/sticky/cookie/maxAge`</a> | `42` |
+| <a id="opt-traefikhttpservicesService05weightedstickycookiename" href="#opt-traefikhttpservicesService05weightedstickycookiename" title="#opt-traefikhttpservicesService05weightedstickycookiename">`traefik/http/services/Service05/weighted/sticky/cookie/name`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService05weightedstickycookiepath" href="#opt-traefikhttpservicesService05weightedstickycookiepath" title="#opt-traefikhttpservicesService05weightedstickycookiepath">`traefik/http/services/Service05/weighted/sticky/cookie/path`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService05weightedstickycookiesameSite" href="#opt-traefikhttpservicesService05weightedstickycookiesameSite" title="#opt-traefikhttpservicesService05weightedstickycookiesameSite">`traefik/http/services/Service05/weighted/sticky/cookie/sameSite`</a> | `foobar` |
+| <a id="opt-traefikhttpservicesService05weightedstickycookiesecure" href="#opt-traefikhttpservicesService05weightedstickycookiesecure" title="#opt-traefikhttpservicesService05weightedstickycookiesecure">`traefik/http/services/Service05/weighted/sticky/cookie/secure`</a> | `true` |
 | <a id="opt-traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange0" href="#opt-traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange0" title="#opt-traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange0">`traefik/tcp/middlewares/TCPMiddleware01/ipAllowList/sourceRange/0`</a> | `foobar` |
 | <a id="opt-traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange1" href="#opt-traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange1" title="#opt-traefiktcpmiddlewaresTCPMiddleware01ipAllowListsourceRange1">`traefik/tcp/middlewares/TCPMiddleware01/ipAllowList/sourceRange/1`</a> | `foobar` |
 | <a id="opt-traefiktcpmiddlewaresTCPMiddleware02ipWhiteListsourceRange0" href="#opt-traefiktcpmiddlewaresTCPMiddleware02ipWhiteListsourceRange0" title="#opt-traefiktcpmiddlewaresTCPMiddleware02ipWhiteListsourceRange0">`traefik/tcp/middlewares/TCPMiddleware02/ipWhiteList/sourceRange/0`</a> | `foobar` |
@@ -365,7 +372,6 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-traefiktcproutersTCPRouter1tlspassthrough" href="#opt-traefiktcproutersTCPRouter1tlspassthrough" title="#opt-traefiktcproutersTCPRouter1tlspassthrough">`traefik/tcp/routers/TCPRouter1/tls/passthrough`</a> | `true` |
 | <a id="opt-traefiktcpserversTransportsTCPServersTransport0dialKeepAlive" href="#opt-traefiktcpserversTransportsTCPServersTransport0dialKeepAlive" title="#opt-traefiktcpserversTransportsTCPServersTransport0dialKeepAlive">`traefik/tcp/serversTransports/TCPServersTransport0/dialKeepAlive`</a> | `42s` |
 | <a id="opt-traefiktcpserversTransportsTCPServersTransport0dialTimeout" href="#opt-traefiktcpserversTransportsTCPServersTransport0dialTimeout" title="#opt-traefiktcpserversTransportsTCPServersTransport0dialTimeout">`traefik/tcp/serversTransports/TCPServersTransport0/dialTimeout`</a> | `42s` |
-| <a id="opt-traefiktcpserversTransportsTCPServersTransport0proxyProtocolversion" href="#opt-traefiktcpserversTransportsTCPServersTransport0proxyProtocolversion" title="#opt-traefiktcpserversTransportsTCPServersTransport0proxyProtocolversion">`traefik/tcp/serversTransports/TCPServersTransport0/proxyProtocol/version`</a> | `42` |
 | <a id="opt-traefiktcpserversTransportsTCPServersTransport0terminationDelay" href="#opt-traefiktcpserversTransportsTCPServersTransport0terminationDelay" title="#opt-traefiktcpserversTransportsTCPServersTransport0terminationDelay">`traefik/tcp/serversTransports/TCPServersTransport0/terminationDelay`</a> | `42s` |
 | <a id="opt-traefiktcpserversTransportsTCPServersTransport0tlscertificates0certFile" href="#opt-traefiktcpserversTransportsTCPServersTransport0tlscertificates0certFile" title="#opt-traefiktcpserversTransportsTCPServersTransport0tlscertificates0certFile">`traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/certFile`</a> | `foobar` |
 | <a id="opt-traefiktcpserversTransportsTCPServersTransport0tlscertificates0keyFile" href="#opt-traefiktcpserversTransportsTCPServersTransport0tlscertificates0keyFile" title="#opt-traefiktcpserversTransportsTCPServersTransport0tlscertificates0keyFile">`traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/keyFile`</a> | `foobar` |
@@ -381,7 +387,6 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-traefiktcpserversTransportsTCPServersTransport0tlsspiffetrustDomain" href="#opt-traefiktcpserversTransportsTCPServersTransport0tlsspiffetrustDomain" title="#opt-traefiktcpserversTransportsTCPServersTransport0tlsspiffetrustDomain">`traefik/tcp/serversTransports/TCPServersTransport0/tls/spiffe/trustDomain`</a> | `foobar` |
 | <a id="opt-traefiktcpserversTransportsTCPServersTransport1dialKeepAlive" href="#opt-traefiktcpserversTransportsTCPServersTransport1dialKeepAlive" title="#opt-traefiktcpserversTransportsTCPServersTransport1dialKeepAlive">`traefik/tcp/serversTransports/TCPServersTransport1/dialKeepAlive`</a> | `42s` |
 | <a id="opt-traefiktcpserversTransportsTCPServersTransport1dialTimeout" href="#opt-traefiktcpserversTransportsTCPServersTransport1dialTimeout" title="#opt-traefiktcpserversTransportsTCPServersTransport1dialTimeout">`traefik/tcp/serversTransports/TCPServersTransport1/dialTimeout`</a> | `42s` |
-| <a id="opt-traefiktcpserversTransportsTCPServersTransport1proxyProtocolversion" href="#opt-traefiktcpserversTransportsTCPServersTransport1proxyProtocolversion" title="#opt-traefiktcpserversTransportsTCPServersTransport1proxyProtocolversion">`traefik/tcp/serversTransports/TCPServersTransport1/proxyProtocol/version`</a> | `42` |
 | <a id="opt-traefiktcpserversTransportsTCPServersTransport1terminationDelay" href="#opt-traefiktcpserversTransportsTCPServersTransport1terminationDelay" title="#opt-traefiktcpserversTransportsTCPServersTransport1terminationDelay">`traefik/tcp/serversTransports/TCPServersTransport1/terminationDelay`</a> | `42s` |
 | <a id="opt-traefiktcpserversTransportsTCPServersTransport1tlscertificates0certFile" href="#opt-traefiktcpserversTransportsTCPServersTransport1tlscertificates0certFile" title="#opt-traefiktcpserversTransportsTCPServersTransport1tlscertificates0certFile">`traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/certFile`</a> | `foobar` |
 | <a id="opt-traefiktcpserversTransportsTCPServersTransport1tlscertificates0keyFile" href="#opt-traefiktcpserversTransportsTCPServersTransport1tlscertificates0keyFile" title="#opt-traefiktcpserversTransportsTCPServersTransport1tlscertificates0keyFile">`traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/keyFile`</a> | `foobar` |

docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: ingressroutes.traefik.io
 spec:
   group: traefik.io
@@ -43,11 +43,31 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/install-configuration/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
                   Default: all.
                 items:
                   type: string
                 type: array
+              parentRefs:
+                description: |-
+                  ParentRefs defines references to parent IngressRoute resources for multi-layer routing.
+                  When set, this IngressRoute's routers will be children of the referenced parent IngressRoute's routers.
+                  More info: https://doc.traefik.io/traefik/v3.6/routing/routers/#parentrefs
+                items:
+                  description: IngressRouteRef is a reference to an IngressRoute resource.
+                  properties:
+                    name:
+                      description: Name defines the name of the referenced IngressRoute
+                        resource.
+                      type: string
+                    namespace:
+                      description: Namespace defines the namespace of the referenced
+                        IngressRoute resource.
+                      type: string
+                  required:
+                  - name
+                  type: object
+                type: array
               routes:
                 description: Routes defines the list of routes.
                 items:
@@ -64,12 +84,12 @@ spec:
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/routing/rules-and-priority/
+                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/
                       type: string
                     middlewares:
                       description: |-
                         Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/kubernetes/crd/http/middleware/
+                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/middleware/
                       items:
                         description: MiddlewareRef is a reference to a Middleware
                           resource.
@@ -89,7 +109,7 @@ spec:
                     observability:
                       description: |-
                         Observability defines the observability configuration for a router.
-                        More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/routing/observability/
+                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/observability/
                       properties:
                         accessLogs:
                           description: AccessLogs enables access logs for this router.
@@ -112,7 +132,7 @@ spec:
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/routing/rules-and-priority/#priority
+                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#priority
                       maximum: 9223372036854775000
                       type: integer
                     services:
@@ -227,6 +247,25 @@ spec:
                               PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
                               By default, passHostHeader is true.
                             type: boolean
+                          passiveHealthCheck:
+                            description: PassiveHealthCheck defines passive health
+                              checks for ExternalName services.
+                            properties:
+                              failureWindow:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: FailureWindow defines the time window
+                                  during which the failed attempts must occur for
+                                  the server to be marked as unhealthy. It also defines
+                                  for how long the server will be considered unhealthy.
+                                x-kubernetes-int-or-string: true
+                              maxFailedAttempts:
+                                description: MaxFailedAttempts is the number of consecutive
+                                  failed attempts allowed within the failure window
+                                  before marking the server as unhealthy.
+                                type: integer
+                            type: object
                           port:
                             anyOf:
                             - type: integer
@@ -263,7 +302,7 @@ spec:
                           sticky:
                             description: |-
                               Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                             properties:
                               cookie:
                                 description: Cookie defines the sticky cookie configuration.
@@ -312,11 +351,13 @@ spec:
                           strategy:
                             description: |-
                               Strategy defines the load balancing strategy between the servers.
-                              Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
+                              Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
                               RoundRobin value is deprecated and supported for backward compatibility.
                             enum:
                             - wrr
                             - p2c
+                            - hrw
+                            - leasttime
                             - RoundRobin
                             type: string
                           weight:
@@ -332,7 +373,7 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax
                         Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                       type: string
                   required:
@@ -342,18 +383,18 @@ spec:
               tls:
                 description: |-
                   TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/routing/router/#tls
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/router/#tls
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/install-configuration/tls/certificate-resolvers/acme/
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/tls/certificate-resolvers/acme/
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/tls/tls-certificates/#domains
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -372,17 +413,17 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/tls/tls-options/
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-options/
                     properties:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/kubernetes/crd/http/tlsoption/
+                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsoption/
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/kubernetes/crd/http/tlsoption/
+                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsoption/
                         type: string
                     required:
                     - name
@@ -399,12 +440,12 @@ spec:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/kubernetes/crd/http/tlsstore/
+                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsstore/
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/kubernetes/crd/http/tlsstore/
+                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsstore/
                         type: string
                     required:
                     - name

docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: ingressroutetcps.traefik.io
 spec:
   group: traefik.io
@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/install-configuration/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -56,7 +56,7 @@ spec:
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/tcp/routing/rules-and-priority/
+                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/
                       type: string
                     middlewares:
                       description: Middlewares defines the list of references to MiddlewareTCP
@@ -80,7 +80,7 @@ spec:
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/tcp/routing/rules-and-priority/#priority
+                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#priority
                       maximum: 9223372036854775000
                       type: integer
                     services:
@@ -122,7 +122,7 @@ spec:
                           proxyProtocol:
                             description: |-
                               ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/tcp/service/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/service/#proxy-protocol
                               Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
                             properties:
                               version:
@@ -164,7 +164,7 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax
                         Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                       enum:
                       - v3
@@ -177,18 +177,18 @@ spec:
               tls:
                 description: |-
                   TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/tcp/routing/router/#tls
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/router/#tls
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/install-configuration/tls/certificate-resolvers/acme/
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/tls/certificate-resolvers/acme/
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/tcp/tls/#domains
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/tls/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -207,7 +207,7 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/tcp/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/tls/#tls-options
                     properties:
                       name:
                         description: Name defines the name of the referenced Traefik

docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: ingressrouteudps.traefik.io
 spec:
   group: traefik.io
@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/install-configuration/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
                   Default: all.
                 items:
                   type: string

docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: middlewares.traefik.io
 spec:
   group: traefik.io
@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/overview/
         properties:
           apiVersion:
             description: |-
@@ -45,7 +45,7 @@ spec:
                 description: |-
                   AddPrefix holds the add prefix middleware configuration.
                   This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/addprefix/
                 properties:
                   prefix:
                     description: |-
@@ -60,12 +60,12 @@ spec:
                 description: |-
                   BasicAuth holds the basic auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/basicauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -86,7 +86,7 @@ spec:
                 description: |-
                   Buffering holds the buffering middleware configuration.
                   This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/buffering/#maxrequestbodybytes
                 properties:
                   maxRequestBodyBytes:
                     description: |-
@@ -118,14 +118,14 @@ spec:
                     description: |-
                       RetryExpression defines the retry conditions.
                       It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/buffering/#retryexpression
                     type: string
                 type: object
               chain:
                 description: |-
                   Chain holds the configuration of the chain middleware.
                   This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/chain/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/chain/
                 properties:
                   middlewares:
                     description: Middlewares is the list of MiddlewareRef which composes
@@ -188,7 +188,7 @@ spec:
                 description: |-
                   Compress holds the compress middleware configuration.
                   This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/compress/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/compress/
                 properties:
                   defaultEncoding:
                     description: DefaultEncoding specifies the default encoding if
@@ -238,12 +238,12 @@ spec:
                 description: |-
                   DigestAuth holds the digest auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/digestauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/digestauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/digestauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -263,7 +263,7 @@ spec:
                 description: |-
                   ErrorPage holds the custom error middleware configuration.
                   This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/errorpages/
                 properties:
                   query:
                     description: |-
@@ -275,7 +275,7 @@ spec:
                   service:
                     description: |-
                       Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/errorpages/#service
                     properties:
                       healthCheck:
                         description: Healthcheck defines health checks for ExternalName
@@ -381,6 +381,25 @@ spec:
                           PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
                           By default, passHostHeader is true.
                         type: boolean
+                      passiveHealthCheck:
+                        description: PassiveHealthCheck defines passive health checks
+                          for ExternalName services.
+                        properties:
+                          failureWindow:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: FailureWindow defines the time window during
+                              which the failed attempts must occur for the server
+                              to be marked as unhealthy. It also defines for how long
+                              the server will be considered unhealthy.
+                            x-kubernetes-int-or-string: true
+                          maxFailedAttempts:
+                            description: MaxFailedAttempts is the number of consecutive
+                              failed attempts allowed within the failure window before
+                              marking the server as unhealthy.
+                            type: integer
+                        type: object
                       port:
                         anyOf:
                         - type: integer
@@ -417,7 +436,7 @@ spec:
                       sticky:
                         description: |-
                           Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                         properties:
                           cookie:
                             description: Cookie defines the sticky cookie configuration.
@@ -465,11 +484,13 @@ spec:
                       strategy:
                         description: |-
                           Strategy defines the load balancing strategy between the servers.
-                          Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
+                          Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
                           RoundRobin value is deprecated and supported for backward compatibility.
                         enum:
                         - wrr
                         - p2c
+                        - hrw
+                        - leasttime
                         - RoundRobin
                         type: string
                       weight:
@@ -504,7 +525,7 @@ spec:
                 description: |-
                   ForwardAuth holds the forward auth middleware configuration.
                   This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/
                 properties:
                   addAuthCookiesToResponse:
                     description: AddAuthCookiesToResponse defines the list of cookies
@@ -532,7 +553,7 @@ spec:
                   authResponseHeadersRegex:
                     description: |-
                       AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/#authresponseheadersregex
                     type: string
                   forwardBody:
                     description: ForwardBody defines whether to send the request body
@@ -541,7 +562,7 @@ spec:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/forwardauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/#headerfield
                     type: string
                   maxBodySize:
                     description: MaxBodySize defines the maximum body size in bytes
@@ -603,7 +624,7 @@ spec:
                 description: |-
                   Headers holds the headers middleware configuration.
                   This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/headers/#customrequestheaders
                 properties:
                   accessControlAllowCredentials:
                     description: AccessControlAllowCredentials defines whether the
@@ -775,7 +796,7 @@ spec:
                 description: |-
                   InFlightReq holds the in-flight request middleware configuration.
                   This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/inflightreq/
                 properties:
                   amount:
                     description: |-
@@ -789,12 +810,12 @@ spec:
                       SourceCriterion defines what criterion is used to group requests as originating from a common source.
                       If several strategies are defined at the same time, an error will be raised.
                       If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/inflightreq/#sourcecriterion
                     properties:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -830,12 +851,12 @@ spec:
                 description: |-
                   IPAllowList holds the IP allowlist middleware configuration.
                   This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/
                 properties:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -873,7 +894,7 @@ spec:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
@@ -904,7 +925,7 @@ spec:
                 description: |-
                   PassTLSClientCert holds the pass TLS client cert middleware configuration.
                   This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/passtlsclientcert/
                 properties:
                   info:
                     description: Info selects the specific client certificate details
@@ -1007,13 +1028,13 @@ spec:
                   x-kubernetes-preserve-unknown-fields: true
                 description: |-
                   Plugin defines the middleware plugin configuration.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/overview/#community-middlewares
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/overview/#community-middlewares
                 type: object
               rateLimit:
                 description: |-
                   RateLimit holds the rate limit configuration.
                   This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/ratelimit/
                 properties:
                   average:
                     description: |-
@@ -1132,7 +1153,7 @@ spec:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
@@ -1168,7 +1189,7 @@ spec:
                 description: |-
                   RedirectRegex holds the redirect regex middleware configuration.
                   This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/redirectregex/#regex
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
@@ -1187,11 +1208,12 @@ spec:
                 description: |-
                   RedirectScheme holds the redirect scheme middleware configuration.
                   This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/redirectscheme/
                 properties:
                   permanent:
-                    description: Permanent defines whether the redirection is permanent
-                      (308).
+                    description: |-
+                      Permanent defines whether the redirection is permanent.
+                      For HTTP GET requests a 301 is returned, otherwise a 308 is returned.
                     type: boolean
                   port:
                     description: Port defines the port of the new URL.
@@ -1204,7 +1226,7 @@ spec:
                 description: |-
                   ReplacePath holds the replace path middleware configuration.
                   This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/replacepath/
                 properties:
                   path:
                     description: Path defines the path to use as replacement in the
@@ -1215,7 +1237,7 @@ spec:
                 description: |-
                   ReplacePathRegex holds the replace path regex middleware configuration.
                   This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/replacepathregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression used to match
@@ -1231,7 +1253,7 @@ spec:
                   Retry holds the retry middleware configuration.
                   This middleware reissues requests a given number of times to a backend server if that server does not reply.
                   As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/middlewares/retry/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/retry/
                 properties:
                   attempts:
                     description: Attempts defines how many times the request should
@@ -1255,7 +1277,7 @@ spec:
                 description: |-
                   StripPrefix holds the strip prefix middleware configuration.
                   This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/stripprefix/
                 properties:
                   forceSlash:
                     description: |-
@@ -1274,7 +1296,7 @@ spec:
                 description: |-
                   StripPrefixRegex holds the strip prefix regex middleware configuration.
                   This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.5/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/stripprefixregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression to match the

docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: middlewaretcps.traefik.io
 spec:
   group: traefik.io
@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/tcp/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/overview/
         properties:
           apiVersion:
             description: |-
@@ -56,7 +56,7 @@ spec:
                 description: |-
                   IPAllowList defines the IPAllowList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/tcp/middlewares/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipallowlist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of
@@ -70,7 +70,7 @@ spec:
                   IPWhiteList defines the IPWhiteList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
                   Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/tcp/middlewares/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipwhitelist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of

docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: serverstransports.traefik.io
 spec:
   group: traefik.io
@@ -21,7 +21,7 @@ spec:
           ServersTransport is the CRD implementation of a ServersTransport.
           If no serversTransport is specified, the default@internal will be used.
           The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/load-balancing/serverstransport/
+          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/serverstransport/
         properties:
           apiVersion:
             description: |-

docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: serverstransporttcps.traefik.io
 spec:
   group: traefik.io
@@ -21,7 +21,7 @@ spec:
           ServersTransportTCP is the CRD implementation of a TCPServersTransport.
           If no tcpServersTransport is specified, a default one named default@internal will be used.
           The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/tcp/serverstransport/
+          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/serverstransport/
         properties:
           apiVersion:
             description: |-

docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: tlsoptions.traefik.io
 spec:
   group: traefik.io
@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#tls-options
+          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#tls-options
         properties:
           apiVersion:
             description: |-
@@ -44,14 +44,14 @@ spec:
               alpnProtocols:
                 description: |-
                   ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#alpn-protocols
                 items:
                   type: string
                 type: array
               cipherSuites:
                 description: |-
                   CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#cipher-suites
                 items:
                   type: string
                 type: array
@@ -79,7 +79,7 @@ spec:
               curvePreferences:
                 description: |-
                   CurvePreferences defines the preferred elliptic curves.
-                  More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#curve-preferences
                 items:
                   type: string
                 type: array

docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: tlsstores.traefik.io
 spec:
   group: traefik.io
@@ -21,7 +21,7 @@ spec:
           TLSStore is the CRD implementation of a Traefik TLS Store.
           For the time being, only the TLSStore named default is supported.
           This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#certificates-stores
         properties:
           apiVersion:
             description: |-

docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: traefikservices.traefik.io
 spec:
   group: traefik.io
@@ -22,7 +22,7 @@ spec:
           TraefikService object allows to:
           - Apply weight to Services on load-balancing
           - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/kubernetes/crd/http/traefikservice/
+          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/traefikservice/
         properties:
           apiVersion:
             description: |-
@@ -44,6 +44,244 @@ spec:
           spec:
             description: TraefikServiceSpec defines the desired state of a TraefikService.
             properties:
+              highestRandomWeight:
+                description: HighestRandomWeight defines the highest random weight
+                  service configuration.
+                properties:
+                  services:
+                    description: Services defines the list of Kubernetes Service and/or
+                      TraefikService to load-balance, with weight.
+                    items:
+                      description: Service defines an upstream HTTP service to proxy
+                        traffic to.
+                      properties:
+                        healthCheck:
+                          description: Healthcheck defines health checks for ExternalName
+                            services.
+                          properties:
+                            followRedirects:
+                              description: |-
+                                FollowRedirects defines whether redirects should be followed during the health check calls.
+                                Default: true
+                              type: boolean
+                            headers:
+                              additionalProperties:
+                                type: string
+                              description: Headers defines custom headers to be sent
+                                to the health check endpoint.
+                              type: object
+                            hostname:
+                              description: Hostname defines the value of hostname
+                                in the Host header of the health check request.
+                              type: string
+                            interval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Interval defines the frequency of the health check calls for healthy targets.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
+                            method:
+                              description: Method defines the healthcheck method.
+                              type: string
+                            mode:
+                              description: |-
+                                Mode defines the health check mode.
+                                If defined to grpc, will use the gRPC health check protocol to probe the server.
+                                Default: http
+                              type: string
+                            path:
+                              description: Path defines the server URL path for the
+                                health check endpoint.
+                              type: string
+                            port:
+                              description: Port defines the server URL port for the
+                                health check endpoint.
+                              type: integer
+                            scheme:
+                              description: Scheme replaces the server URL scheme for
+                                the health check endpoint.
+                              type: string
+                            status:
+                              description: Status defines the expected HTTP status
+                                code of the response to the health check request.
+                              type: integer
+                            timeout:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                                Default: 5s
+                              x-kubernetes-int-or-string: true
+                            unhealthyInterval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                                When UnhealthyInterval is not defined, it defaults to the Interval value.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
+                          type: object
+                        kind:
+                          description: Kind defines the kind of the Service.
+                          enum:
+                          - Service
+                          - TraefikService
+                          type: string
+                        name:
+                          description: |-
+                            Name defines the name of the referenced Kubernetes Service or TraefikService.
+                            The differentiation between the two is specified in the Kind field.
+                          type: string
+                        namespace:
+                          description: Namespace defines the namespace of the referenced
+                            Kubernetes Service or TraefikService.
+                          type: string
+                        nativeLB:
+                          description: |-
+                            NativeLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+                            The Kubernetes Service itself does load-balance to the pods.
+                            By default, NativeLB is false.
+                          type: boolean
+                        nodePortLB:
+                          description: |-
+                            NodePortLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                            It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                            By default, NodePortLB is false.
+                          type: boolean
+                        passHostHeader:
+                          description: |-
+                            PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+                            By default, passHostHeader is true.
+                          type: boolean
+                        passiveHealthCheck:
+                          description: PassiveHealthCheck defines passive health checks
+                            for ExternalName services.
+                          properties:
+                            failureWindow:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: FailureWindow defines the time window during
+                                which the failed attempts must occur for the server
+                                to be marked as unhealthy. It also defines for how
+                                long the server will be considered unhealthy.
+                              x-kubernetes-int-or-string: true
+                            maxFailedAttempts:
+                              description: MaxFailedAttempts is the number of consecutive
+                                failed attempts allowed within the failure window
+                                before marking the server as unhealthy.
+                              type: integer
+                          type: object
+                        port:
+                          anyOf:
+                          - type: integer
+                          - type: string
+                          description: |-
+                            Port defines the port of a Kubernetes Service.
+                            This can be a reference to a named port.
+                          x-kubernetes-int-or-string: true
+                        responseForwarding:
+                          description: ResponseForwarding defines how Traefik forwards
+                            the response from the upstream Kubernetes Service to the
+                            client.
+                          properties:
+                            flushInterval:
+                              description: |-
+                                FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+                                A negative value means to flush immediately after each write to the client.
+                                This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+                                for such responses, writes are flushed to the client immediately.
+                                Default: 100ms
+                              type: string
+                          type: object
+                        scheme:
+                          description: |-
+                            Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+                            It defaults to https when Kubernetes Service port is 443, http otherwise.
+                          type: string
+                        serversTransport:
+                          description: |-
+                            ServersTransport defines the name of ServersTransport resource to use.
+                            It allows to configure the transport between Traefik and your servers.
+                            Can only be used on a Kubernetes Service.
+                          type: string
+                        sticky:
+                          description: |-
+                            Sticky defines the sticky sessions configuration.
+                            More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                          properties:
+                            cookie:
+                              description: Cookie defines the sticky cookie configuration.
+                              properties:
+                                domain:
+                                  description: |-
+                                    Domain defines the host to which the cookie will be sent.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+                                  type: string
+                                httpOnly:
+                                  description: HTTPOnly defines whether the cookie
+                                    can be accessed by client-side APIs, such as JavaScript.
+                                  type: boolean
+                                maxAge:
+                                  description: |-
+                                    MaxAge defines the number of seconds until the cookie expires.
+                                    When set to a negative number, the cookie expires immediately.
+                                    When set to zero, the cookie never expires.
+                                  type: integer
+                                name:
+                                  description: Name defines the Cookie name.
+                                  type: string
+                                path:
+                                  description: |-
+                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                    When not provided the cookie will be sent on every request to the domain.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                  type: string
+                                sameSite:
+                                  description: |-
+                                    SameSite defines the same site policy.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                  enum:
+                                  - none
+                                  - lax
+                                  - strict
+                                  type: string
+                                secure:
+                                  description: Secure defines whether the cookie can
+                                    only be transmitted over an encrypted connection
+                                    (i.e. HTTPS).
+                                  type: boolean
+                              type: object
+                          type: object
+                        strategy:
+                          description: |-
+                            Strategy defines the load balancing strategy between the servers.
+                            Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
+                            RoundRobin value is deprecated and supported for backward compatibility.
+                          enum:
+                          - wrr
+                          - p2c
+                          - hrw
+                          - leasttime
+                          - RoundRobin
+                          type: string
+                        weight:
+                          description: |-
+                            Weight defines the weight and should only be specified when Name references a TraefikService object
+                            (and to be precise, one that embeds a Weighted Round Robin).
+                          minimum: 0
+                          type: integer
+                      required:
+                      - name
+                      type: object
+                    type: array
+                type: object
               mirroring:
                 description: Mirroring defines the Mirroring service configuration.
                 properties:
@@ -245,6 +483,25 @@ spec:
                             PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
                             By default, passHostHeader is true.
                           type: boolean
+                        passiveHealthCheck:
+                          description: PassiveHealthCheck defines passive health checks
+                            for ExternalName services.
+                          properties:
+                            failureWindow:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: FailureWindow defines the time window during
+                                which the failed attempts must occur for the server
+                                to be marked as unhealthy. It also defines for how
+                                long the server will be considered unhealthy.
+                              x-kubernetes-int-or-string: true
+                            maxFailedAttempts:
+                              description: MaxFailedAttempts is the number of consecutive
+                                failed attempts allowed within the failure window
+                                before marking the server as unhealthy.
+                              type: integer
+                          type: object
                         percent:
                           description: |-
                             Percent defines the part of the traffic to mirror.
@@ -286,7 +543,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -334,11 +591,13 @@ spec:
                         strategy:
                           description: |-
                             Strategy defines the load balancing strategy between the servers.
-                            Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
+                            Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
                             RoundRobin value is deprecated and supported for backward compatibility.
                           enum:
                           - wrr
                           - p2c
+                          - hrw
+                          - leasttime
                           - RoundRobin
                           type: string
                         weight:
@@ -379,6 +638,25 @@ spec:
                       PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
                       By default, passHostHeader is true.
                     type: boolean
+                  passiveHealthCheck:
+                    description: PassiveHealthCheck defines passive health checks
+                      for ExternalName services.
+                    properties:
+                      failureWindow:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: FailureWindow defines the time window during
+                          which the failed attempts must occur for the server to be
+                          marked as unhealthy. It also defines for how long the server
+                          will be considered unhealthy.
+                        x-kubernetes-int-or-string: true
+                      maxFailedAttempts:
+                        description: MaxFailedAttempts is the number of consecutive
+                          failed attempts allowed within the failure window before
+                          marking the server as unhealthy.
+                        type: integer
+                    type: object
                   port:
                     anyOf:
                     - type: integer
@@ -414,7 +692,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
@@ -461,11 +739,13 @@ spec:
                   strategy:
                     description: |-
                       Strategy defines the load balancing strategy between the servers.
-                      Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
+                      Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
                       RoundRobin value is deprecated and supported for backward compatibility.
                     enum:
                     - wrr
                     - p2c
+                    - hrw
+                    - leasttime
                     - RoundRobin
                     type: string
                   weight:
@@ -591,6 +871,25 @@ spec:
                             PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
                             By default, passHostHeader is true.
                           type: boolean
+                        passiveHealthCheck:
+                          description: PassiveHealthCheck defines passive health checks
+                            for ExternalName services.
+                          properties:
+                            failureWindow:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: FailureWindow defines the time window during
+                                which the failed attempts must occur for the server
+                                to be marked as unhealthy. It also defines for how
+                                long the server will be considered unhealthy.
+                              x-kubernetes-int-or-string: true
+                            maxFailedAttempts:
+                              description: MaxFailedAttempts is the number of consecutive
+                                failed attempts allowed within the failure window
+                                before marking the server as unhealthy.
+                              type: integer
+                          type: object
                         port:
                           anyOf:
                           - type: integer
@@ -627,7 +926,7 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
@@ -675,11 +974,13 @@ spec:
                         strategy:
                           description: |-
                             Strategy defines the load balancing strategy between the servers.
-                            Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
+                            Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
                             RoundRobin value is deprecated and supported for backward compatibility.
                           enum:
                           - wrr
                           - p2c
+                          - hrw
+                          - leasttime
                           - RoundRobin
                           type: string
                         weight:
@@ -695,7 +996,7 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.5/reference/routing-configuration/kubernetes/crd/http/traefikservice/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/traefikservice/#stickiness-and-load-balancing
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.

docs/content/reference/install-configuration/api-dashboard.md

@@ -3,13 +3,27 @@ title: "Traefik API & Dashboard Documentation"
 description: "Traefik Proxy exposes information through API handlers and showcase them on the Dashboard. Learn about the security, configuration, and endpoints of the APIs and Dashboard. Read the technical documentation."
 ---
 
-The dashboard is the central place that shows you the current active routes handled by Traefik.
+Traefik exposes a number of information through API endpoints, such as the configuration of your routers, services, middlewares, etc.
+
+The dashboard, which is the central place that displays the current active routes handled by Traefik, fetches the data from this API.
 
 <figure>
     <img src="../../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
     <figcaption>The dashboard in action</figcaption>
 </figure>
 
+## Security
+
+Enabling the API and the dashboard in production is not recommended, because it will expose all configuration elements,
+including sensitive data, for which access should be reserved to administrators.
+
+In production, it should be at least secured by authentication and authorizations.
+
+!!! info
+
+    It's recommended to NOT publicly exposing the API's port, keeping it restricted to internal networks
+    (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
+
 ## Configuration Example
 
 Enable the dashboard:
@@ -150,7 +164,7 @@ http:
 The API and the dashboard can be configured:
 
 - In the Helm Chart: You can find the options to customize the Traefik installation
-enabing the dashboard [here](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L155).
+enabling the dashboard [here](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L155).
 - In the Traefik Static Configuration as described below.
 
 | Field      | Description  | Default | Required |
@@ -187,6 +201,7 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | <a id="opt-apientrypoints" href="#opt-apientrypoints" title="#opt-apientrypoints">`/api/entrypoints`</a> | Lists all the entry points information.                                                     |
 | <a id="opt-apientrypointsname" href="#opt-apientrypointsname" title="#opt-apientrypointsname">`/api/entrypoints/{name}`</a> | Returns the information of the entry point specified by `name`.                             |
 | <a id="opt-apioverview" href="#opt-apioverview" title="#opt-apioverview">`/api/overview`</a> | Returns statistic information about HTTP, TCP and about enabled features and providers. |
+| <a id="opt-apisupport-dump" href="#opt-apisupport-dump" title="#opt-apisupport-dump">`/api/support-dump`</a> | Returns an archive that contains the anonymized static configuration and the runtime configuration. |
 | <a id="opt-apirawdata" href="#opt-apirawdata" title="#opt-apirawdata">`/api/rawdata`</a> | Returns information about dynamic configurations, errors, status and dependency relations.  |
 | <a id="opt-apiversion" href="#opt-apiversion" title="#opt-apiversion">`/api/version`</a> | Returns information about Traefik version.                                                  |
 | <a id="opt-debugvars" href="#opt-debugvars" title="#opt-debugvars">`/debug/vars`</a> | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                          |
@@ -203,14 +218,16 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 
 ## Dashboard
 
-The dashboard is available at the same location as the API, but by default on the path  `/dashboard/`.
+The dashboard is available by default on the path  `/dashboard/`.
 
 !!! note
 
     - The trailing slash `/` in `/dashboard/` is mandatory. This limitation can be mitigated using the the [RedirectRegex Middleware](../../middlewares/http/redirectregex.md).
-	  - There is also a redirect from the path `/` to `/dashboard/`, but you should not rely on this behavior, as it is subject to change and may complicate routing rules.
+    - There is also a redirect from the path `/` to `/dashboard/`.
 
-To securely access the dashboard, you need to define a routing configuration within Traefik. This involves setting up a router attached to the service `api@internal`, which allows you to:
+As mentioned above in the [Security](#security) section, it is important to secure access to both the dashboard and the API.
+You need to define a routing configuration within Traefik.
+This involves setting up a router attached to the service `api@internal`, which allows you to:
 
 - Implement security features using [middlewares](../../middlewares/overview.md), such as authentication ([basicAuth](../../middlewares/http/basicauth.md), [digestAuth](../../middlewares/http/digestauth.md),
   [forwardAuth](../../middlewares/http/forwardauth.md)) or [allowlisting](../../middlewares/http/ipallowlist.md).
@@ -238,4 +255,4 @@ rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
 rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/configuration-options.md

@@ -51,6 +51,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-certificatesresolvers-name-acme-certificatesduration" href="#opt-certificatesresolvers-name-acme-certificatesduration" title="#opt-certificatesresolvers-name-acme-certificatesduration">certificatesresolvers._name_.acme.certificatesduration</a> | Certificates' duration in hours. | 2160 |
 | <a id="opt-certificatesresolvers-name-acme-clientresponseheadertimeout" href="#opt-certificatesresolvers-name-acme-clientresponseheadertimeout" title="#opt-certificatesresolvers-name-acme-clientresponseheadertimeout">certificatesresolvers._name_.acme.clientresponseheadertimeout</a> | Timeout for receiving the response headers when communicating with the ACME server. | 30 |
 | <a id="opt-certificatesresolvers-name-acme-clienttimeout" href="#opt-certificatesresolvers-name-acme-clienttimeout" title="#opt-certificatesresolvers-name-acme-clienttimeout">certificatesresolvers._name_.acme.clienttimeout</a> | Timeout for a complete HTTP transaction with the ACME server. | 120 |
+| <a id="opt-certificatesresolvers-name-acme-disablecommonname" href="#opt-certificatesresolvers-name-acme-disablecommonname" title="#opt-certificatesresolvers-name-acme-disablecommonname">certificatesresolvers._name_.acme.disablecommonname</a> | Disable the common name in the CSR. | false |
 | <a id="opt-certificatesresolvers-name-acme-dnschallenge" href="#opt-certificatesresolvers-name-acme-dnschallenge" title="#opt-certificatesresolvers-name-acme-dnschallenge">certificatesresolvers._name_.acme.dnschallenge</a> | Activate DNS-01 Challenge. | false |
 | <a id="opt-certificatesresolvers-name-acme-dnschallenge-delaybeforecheck" href="#opt-certificatesresolvers-name-acme-dnschallenge-delaybeforecheck" title="#opt-certificatesresolvers-name-acme-dnschallenge-delaybeforecheck">certificatesresolvers._name_.acme.dnschallenge.delaybeforecheck</a> | (Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. | 0 |
 | <a id="opt-certificatesresolvers-name-acme-dnschallenge-disablepropagationcheck" href="#opt-certificatesresolvers-name-acme-dnschallenge-disablepropagationcheck" title="#opt-certificatesresolvers-name-acme-dnschallenge-disablepropagationcheck">certificatesresolvers._name_.acme.dnschallenge.disablepropagationcheck</a> | (Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] | false |
@@ -72,7 +73,8 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-certificatesresolvers-name-acme-preferredchain" href="#opt-certificatesresolvers-name-acme-preferredchain" title="#opt-certificatesresolvers-name-acme-preferredchain">certificatesresolvers._name_.acme.preferredchain</a> | Preferred chain to use. | |
 | <a id="opt-certificatesresolvers-name-acme-profile" href="#opt-certificatesresolvers-name-acme-profile" title="#opt-certificatesresolvers-name-acme-profile">certificatesresolvers._name_.acme.profile</a> | Certificate profile to use. | |
 | <a id="opt-certificatesresolvers-name-acme-storage" href="#opt-certificatesresolvers-name-acme-storage" title="#opt-certificatesresolvers-name-acme-storage">certificatesresolvers._name_.acme.storage</a> | Storage to use. | acme.json |
-| <a id="opt-certificatesresolvers-name-acme-tlschallenge" href="#opt-certificatesresolvers-name-acme-tlschallenge" title="#opt-certificatesresolvers-name-acme-tlschallenge">certificatesresolvers._name_.acme.tlschallenge</a> | Activate TLS-ALPN-01 Challenge. | true |
+| <a id="opt-certificatesresolvers-name-acme-tlschallenge" href="#opt-certificatesresolvers-name-acme-tlschallenge" title="#opt-certificatesresolvers-name-acme-tlschallenge">certificatesresolvers._name_.acme.tlschallenge</a> | Activate TLS-ALPN-01 Challenge. | false |
+| <a id="opt-certificatesresolvers-name-acme-tlschallenge-delay" href="#opt-certificatesresolvers-name-acme-tlschallenge-delay" title="#opt-certificatesresolvers-name-acme-tlschallenge-delay">certificatesresolvers._name_.acme.tlschallenge.delay</a> | Delay between the creation of the challenge and the validation. | 0 |
 | <a id="opt-certificatesresolvers-name-tailscale" href="#opt-certificatesresolvers-name-tailscale" title="#opt-certificatesresolvers-name-tailscale">certificatesresolvers._name_.tailscale</a> | Enables Tailscale certificate resolution. | true |
 | <a id="opt-core-defaultrulesyntax" href="#opt-core-defaultrulesyntax" title="#opt-core-defaultrulesyntax">core.defaultrulesyntax</a> | Defines the rule parser default syntax (v2 or v3) | v3 |
 | <a id="opt-entrypoints-name" href="#opt-entrypoints-name" title="#opt-entrypoints-name">entrypoints._name_</a> | Entry points definition. | false |
@@ -83,6 +85,13 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-entrypoints-name-forwardedheaders-insecure" href="#opt-entrypoints-name-forwardedheaders-insecure" title="#opt-entrypoints-name-forwardedheaders-insecure">entrypoints._name_.forwardedheaders.insecure</a> | Trust all forwarded headers. | false |
 | <a id="opt-entrypoints-name-forwardedheaders-trustedips" href="#opt-entrypoints-name-forwardedheaders-trustedips" title="#opt-entrypoints-name-forwardedheaders-trustedips">entrypoints._name_.forwardedheaders.trustedips</a> | Trust only forwarded headers from selected IPs. | |
 | <a id="opt-entrypoints-name-http" href="#opt-entrypoints-name-http" title="#opt-entrypoints-name-http">entrypoints._name_.http</a> | HTTP configuration. | |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash">entrypoints._name_.http.encodedcharacters.allowencodedbackslash</a> | Defines whether requests with encoded back slash characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedhash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash">entrypoints._name_.http.encodedcharacters.allowencodedhash</a> | Defines whether requests with encoded hash characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" href="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" title="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter">entrypoints._name_.http.encodedcharacters.allowencodednullcharacter</a> | Defines whether requests with encoded null characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent">entrypoints._name_.http.encodedcharacters.allowencodedpercent</a> | Defines whether requests with encoded percent characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark">entrypoints._name_.http.encodedcharacters.allowencodedquestionmark</a> | Defines whether requests with encoded question mark characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon">entrypoints._name_.http.encodedcharacters.allowencodedsemicolon</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash">entrypoints._name_.http.encodedcharacters.allowencodedslash</a> | Defines whether requests with encoded slash characters in the path are allowed. | true |
 | <a id="opt-entrypoints-name-http-encodequerysemicolons" href="#opt-entrypoints-name-http-encodequerysemicolons" title="#opt-entrypoints-name-http-encodequerysemicolons">entrypoints._name_.http.encodequerysemicolons</a> | Defines whether request query semicolons should be URLEncoded. | false |
 | <a id="opt-entrypoints-name-http-maxheaderbytes" href="#opt-entrypoints-name-http-maxheaderbytes" title="#opt-entrypoints-name-http-maxheaderbytes">entrypoints._name_.http.maxheaderbytes</a> | Maximum size of request headers in bytes. | 1048576 |
 | <a id="opt-entrypoints-name-http-middlewares" href="#opt-entrypoints-name-http-middlewares" title="#opt-entrypoints-name-http-middlewares">entrypoints._name_.http.middlewares</a> | Default middlewares for the routers linked to the entry point. | |
@@ -98,6 +107,8 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-entrypoints-name-http-tls-domains0-sans" href="#opt-entrypoints-name-http-tls-domains0-sans" title="#opt-entrypoints-name-http-tls-domains0-sans">entrypoints._name_.http.tls.domains[0].sans</a> | Subject alternative names. | |
 | <a id="opt-entrypoints-name-http-tls-options" href="#opt-entrypoints-name-http-tls-options" title="#opt-entrypoints-name-http-tls-options">entrypoints._name_.http.tls.options</a> | Default TLS options for the routers linked to the entry point. | |
 | <a id="opt-entrypoints-name-http2-maxconcurrentstreams" href="#opt-entrypoints-name-http2-maxconcurrentstreams" title="#opt-entrypoints-name-http2-maxconcurrentstreams">entrypoints._name_.http2.maxconcurrentstreams</a> | Specifies the number of concurrent streams per connection that each client is allowed to initiate. | 250 |
+| <a id="opt-entrypoints-name-http2-maxdecoderheadertablesize" href="#opt-entrypoints-name-http2-maxdecoderheadertablesize" title="#opt-entrypoints-name-http2-maxdecoderheadertablesize">entrypoints._name_.http2.maxdecoderheadertablesize</a> | Specifies the maximum size of the HTTP2 HPACK header table on the decoding (receiving from client) side. | 4096 |
+| <a id="opt-entrypoints-name-http2-maxencoderheadertablesize" href="#opt-entrypoints-name-http2-maxencoderheadertablesize" title="#opt-entrypoints-name-http2-maxencoderheadertablesize">entrypoints._name_.http2.maxencoderheadertablesize</a> | Specifies the maximum size of the HTTP2 HPACK header table on the encoding (sending to client) side. | 4096 |
 | <a id="opt-entrypoints-name-http3" href="#opt-entrypoints-name-http3" title="#opt-entrypoints-name-http3">entrypoints._name_.http3</a> | HTTP/3 configuration. | false |
 | <a id="opt-entrypoints-name-http3-advertisedport" href="#opt-entrypoints-name-http3-advertisedport" title="#opt-entrypoints-name-http3-advertisedport">entrypoints._name_.http3.advertisedport</a> | UDP port to advertise, on which HTTP/3 is available. | 0 |
 | <a id="opt-entrypoints-name-observability-accesslogs" href="#opt-entrypoints-name-observability-accesslogs" title="#opt-entrypoints-name-observability-accesslogs">entrypoints._name_.observability.accesslogs</a> | Enables access-logs for this entryPoint. | true |
@@ -119,6 +130,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-experimental-abortonpluginfailure" href="#opt-experimental-abortonpluginfailure" title="#opt-experimental-abortonpluginfailure">experimental.abortonpluginfailure</a> | Defines whether all plugins must be loaded successfully for Traefik to start. | false |
 | <a id="opt-experimental-fastproxy" href="#opt-experimental-fastproxy" title="#opt-experimental-fastproxy">experimental.fastproxy</a> | Enables the FastProxy implementation. | false |
 | <a id="opt-experimental-fastproxy-debug" href="#opt-experimental-fastproxy-debug" title="#opt-experimental-fastproxy-debug">experimental.fastproxy.debug</a> | Enable debug mode for the FastProxy implementation. | false |
+| <a id="opt-experimental-knative" href="#opt-experimental-knative" title="#opt-experimental-knative">experimental.knative</a> | Allow the Knative provider usage. | false |
 | <a id="opt-experimental-kubernetesgateway" href="#opt-experimental-kubernetesgateway" title="#opt-experimental-kubernetesgateway">experimental.kubernetesgateway</a> | (Deprecated) Allow the Kubernetes gateway api provider usage. | false |
 | <a id="opt-experimental-kubernetesingressnginx" href="#opt-experimental-kubernetesingressnginx" title="#opt-experimental-kubernetesingressnginx">experimental.kubernetesingressnginx</a> | Allow the Kubernetes Ingress NGINX provider usage. | false |
 | <a id="opt-experimental-localplugins-name" href="#opt-experimental-localplugins-name" title="#opt-experimental-localplugins-name">experimental.localplugins._name_</a> | Local plugins configuration. | false |
@@ -126,14 +138,14 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-experimental-localplugins-name-settings" href="#opt-experimental-localplugins-name-settings" title="#opt-experimental-localplugins-name-settings">experimental.localplugins._name_.settings</a> | Plugin's settings (works only for wasm plugins). | |
 | <a id="opt-experimental-localplugins-name-settings-envs" href="#opt-experimental-localplugins-name-settings-envs" title="#opt-experimental-localplugins-name-settings-envs">experimental.localplugins._name_.settings.envs</a> | Environment variables to forward to the wasm guest. | |
 | <a id="opt-experimental-localplugins-name-settings-mounts" href="#opt-experimental-localplugins-name-settings-mounts" title="#opt-experimental-localplugins-name-settings-mounts">experimental.localplugins._name_.settings.mounts</a> | Directory to mount to the wasm guest. | |
-| <a id="opt-experimental-localplugins-name-settings-useunsafe" href="#opt-experimental-localplugins-name-settings-useunsafe" title="#opt-experimental-localplugins-name-settings-useunsafe">experimental.localplugins._name_.settings.useunsafe</a> | Allow the plugin to use unsafe package. | false |
+| <a id="opt-experimental-localplugins-name-settings-useunsafe" href="#opt-experimental-localplugins-name-settings-useunsafe" title="#opt-experimental-localplugins-name-settings-useunsafe">experimental.localplugins._name_.settings.useunsafe</a> | Allow the plugin to use unsafe and syscall packages. | false |
 | <a id="opt-experimental-otlplogs" href="#opt-experimental-otlplogs" title="#opt-experimental-otlplogs">experimental.otlplogs</a> | Enables the OpenTelemetry logs integration. | false |
 | <a id="opt-experimental-plugins-name-hash" href="#opt-experimental-plugins-name-hash" title="#opt-experimental-plugins-name-hash">experimental.plugins._name_.hash</a> | plugin's hash to validate' | |
 | <a id="opt-experimental-plugins-name-modulename" href="#opt-experimental-plugins-name-modulename" title="#opt-experimental-plugins-name-modulename">experimental.plugins._name_.modulename</a> | plugin's module name. | |
 | <a id="opt-experimental-plugins-name-settings" href="#opt-experimental-plugins-name-settings" title="#opt-experimental-plugins-name-settings">experimental.plugins._name_.settings</a> | Plugin's settings (works only for wasm plugins). | |
 | <a id="opt-experimental-plugins-name-settings-envs" href="#opt-experimental-plugins-name-settings-envs" title="#opt-experimental-plugins-name-settings-envs">experimental.plugins._name_.settings.envs</a> | Environment variables to forward to the wasm guest. | |
 | <a id="opt-experimental-plugins-name-settings-mounts" href="#opt-experimental-plugins-name-settings-mounts" title="#opt-experimental-plugins-name-settings-mounts">experimental.plugins._name_.settings.mounts</a> | Directory to mount to the wasm guest. | |
-| <a id="opt-experimental-plugins-name-settings-useunsafe" href="#opt-experimental-plugins-name-settings-useunsafe" title="#opt-experimental-plugins-name-settings-useunsafe">experimental.plugins._name_.settings.useunsafe</a> | Allow the plugin to use unsafe package. | false |
+| <a id="opt-experimental-plugins-name-settings-useunsafe" href="#opt-experimental-plugins-name-settings-useunsafe" title="#opt-experimental-plugins-name-settings-useunsafe">experimental.plugins._name_.settings.useunsafe</a> | Allow the plugin to use unsafe and syscall packages. | false |
 | <a id="opt-experimental-plugins-name-version" href="#opt-experimental-plugins-name-version" title="#opt-experimental-plugins-name-version">experimental.plugins._name_.version</a> | plugin's version. | |
 | <a id="opt-global-checknewversion" href="#opt-global-checknewversion" title="#opt-global-checknewversion">global.checknewversion</a> | Periodically check if a new version has been released. | true |
 | <a id="opt-global-sendanonymoususage" href="#opt-global-sendanonymoususage" title="#opt-global-sendanonymoususage">global.sendanonymoususage</a> | Periodically send anonymous usage statistics. If the option is not specified, it will be disabled by default. | false |
@@ -315,6 +327,21 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-providers-http-tls-cert" href="#opt-providers-http-tls-cert" title="#opt-providers-http-tls-cert">providers.http.tls.cert</a> | TLS cert | |
 | <a id="opt-providers-http-tls-insecureskipverify" href="#opt-providers-http-tls-insecureskipverify" title="#opt-providers-http-tls-insecureskipverify">providers.http.tls.insecureskipverify</a> | TLS insecure skip verify | false |
 | <a id="opt-providers-http-tls-key" href="#opt-providers-http-tls-key" title="#opt-providers-http-tls-key">providers.http.tls.key</a> | TLS key | |
+| <a id="opt-providers-knative" href="#opt-providers-knative" title="#opt-providers-knative">providers.knative</a> | Enables Knative provider. | false |
+| <a id="opt-providers-knative-certauthfilepath" href="#opt-providers-knative-certauthfilepath" title="#opt-providers-knative-certauthfilepath">providers.knative.certauthfilepath</a> | Kubernetes certificate authority file path (not needed for in-cluster client). | |
+| <a id="opt-providers-knative-endpoint" href="#opt-providers-knative-endpoint" title="#opt-providers-knative-endpoint">providers.knative.endpoint</a> | Kubernetes server endpoint (required for external cluster client). | |
+| <a id="opt-providers-knative-labelselector" href="#opt-providers-knative-labelselector" title="#opt-providers-knative-labelselector">providers.knative.labelselector</a> | Kubernetes label selector to use. | |
+| <a id="opt-providers-knative-namespaces" href="#opt-providers-knative-namespaces" title="#opt-providers-knative-namespaces">providers.knative.namespaces</a> | Kubernetes namespaces. | |
+| <a id="opt-providers-knative-privateentrypoints" href="#opt-providers-knative-privateentrypoints" title="#opt-providers-knative-privateentrypoints">providers.knative.privateentrypoints</a> | Entrypoint names used to expose the Ingress privately. If empty local Ingresses are skipped. | |
+| <a id="opt-providers-knative-privateservice" href="#opt-providers-knative-privateservice" title="#opt-providers-knative-privateservice">providers.knative.privateservice</a> | Kubernetes service used to expose the networking controller privately. | |
+| <a id="opt-providers-knative-privateservice-name" href="#opt-providers-knative-privateservice-name" title="#opt-providers-knative-privateservice-name">providers.knative.privateservice.name</a> | Name of the Kubernetes service. | |
+| <a id="opt-providers-knative-privateservice-namespace" href="#opt-providers-knative-privateservice-namespace" title="#opt-providers-knative-privateservice-namespace">providers.knative.privateservice.namespace</a> | Namespace of the Kubernetes service. | |
+| <a id="opt-providers-knative-publicentrypoints" href="#opt-providers-knative-publicentrypoints" title="#opt-providers-knative-publicentrypoints">providers.knative.publicentrypoints</a> | Entrypoint names used to expose the Ingress publicly. If empty an Ingress is exposed on all entrypoints. | |
+| <a id="opt-providers-knative-publicservice" href="#opt-providers-knative-publicservice" title="#opt-providers-knative-publicservice">providers.knative.publicservice</a> | Kubernetes service used to expose the networking controller publicly. | |
+| <a id="opt-providers-knative-publicservice-name" href="#opt-providers-knative-publicservice-name" title="#opt-providers-knative-publicservice-name">providers.knative.publicservice.name</a> | Name of the Kubernetes service. | |
+| <a id="opt-providers-knative-publicservice-namespace" href="#opt-providers-knative-publicservice-namespace" title="#opt-providers-knative-publicservice-namespace">providers.knative.publicservice.namespace</a> | Namespace of the Kubernetes service. | |
+| <a id="opt-providers-knative-throttleduration" href="#opt-providers-knative-throttleduration" title="#opt-providers-knative-throttleduration">providers.knative.throttleduration</a> | Ingress refresh throttle duration | 0 |
+| <a id="opt-providers-knative-token" href="#opt-providers-knative-token" title="#opt-providers-knative-token">providers.knative.token</a> | Kubernetes bearer token (not needed for in-cluster client). | |
 | <a id="opt-providers-kubernetescrd" href="#opt-providers-kubernetescrd" title="#opt-providers-kubernetescrd">providers.kubernetescrd</a> | Enables Kubernetes CRD provider. | false |
 | <a id="opt-providers-kubernetescrd-allowcrossnamespace" href="#opt-providers-kubernetescrd-allowcrossnamespace" title="#opt-providers-kubernetescrd-allowcrossnamespace">providers.kubernetescrd.allowcrossnamespace</a> | Allow cross namespace resource reference. | false |
 | <a id="opt-providers-kubernetescrd-allowemptyservices" href="#opt-providers-kubernetescrd-allowemptyservices" title="#opt-providers-kubernetescrd-allowemptyservices">providers.kubernetescrd.allowemptyservices</a> | Allow the creation of services without endpoints. | false |

docs/content/reference/install-configuration/entrypoints.md

@@ -84,8 +84,8 @@ additionalArguments:
 
 ## Configuration Options
 
-| Field                                                           | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Default                 | Required |
-|:----------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------|:---------|
+| Field                                                                                                                                                                                                                                                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Default                 | Required |
+|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------|:---------|
 | <a id="opt-address" href="#opt-address" title="#opt-address">`address`</a> | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp]                                                                                                                                                                                                                                                                                                                                                                                                                        | -                       | Yes      |
 | <a id="opt-asDefault" href="#opt-asDefault" title="#opt-asDefault">`asDefault`</a> | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault).                                                                                                                                                                                                                                                                                                                                                                                                                                       | false                   | No       |
 | <a id="opt-forwardedHeaders-trustedIPs" href="#opt-forwardedHeaders-trustedIPs" title="#opt-forwardedHeaders-trustedIPs">`forwardedHeaders.trustedIPs`</a> | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | -                       | No       |
@@ -94,14 +94,25 @@ additionalArguments:
 | <a id="opt-http-redirections-entryPoint-scheme" href="#opt-http-redirections-entryPoint-scheme" title="#opt-http-redirections-entryPoint-scheme">`http.redirections.`<br />`entryPoint.scheme`</a> | The target scheme to use for (permanent) redirection of all incoming requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | https                   | No       |
 | <a id="opt-http-redirections-entryPoint-permanent" href="#opt-http-redirections-entryPoint-permanent" title="#opt-http-redirections-entryPoint-permanent">`http.redirections.`<br />`entryPoint.permanent`</a> | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false                   | No       |
 | <a id="opt-http-redirections-entryPoint-priority" href="#opt-http-redirections-entryPoint-priority" title="#opt-http-redirections-entryPoint-priority">`http.redirections.`<br />`entryPoint.priority`</a> | Default priority applied to the routers attached to the `entryPoint`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | MaxInt32-1 (2147483646) | No       |
+| <a id="opt-http-encodedCharacters" href="#opt-http-encodedCharacters" title="#opt-http-encodedCharacters">`http.encodedCharacters`</a> | Defines which encoded characters are allowed in the request path. More information [here](#encoded-characters).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | false                   | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedSlash" href="#opt-http-encodedCharacters-allowEncodedSlash" title="#opt-http-encodedCharacters-allowEncodedSlash">`http.encodedCharacters.`<br />`allowEncodedSlash`</a> | Defines whether requests with encoded slash characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedBackSlash" href="#opt-http-encodedCharacters-allowEncodedBackSlash" title="#opt-http-encodedCharacters-allowEncodedBackSlash">`http.encodedCharacters.`<br />`allowEncodedBackSlash`</a> | Defines whether requests with encoded back slash characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedNullCharacter" href="#opt-http-encodedCharacters-allowEncodedNullCharacter" title="#opt-http-encodedCharacters-allowEncodedNullCharacter">`http.encodedCharacters.`<br />`allowEncodedNullCharacter`</a> | Defines whether requests with encoded null characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedSemicolon" href="#opt-http-encodedCharacters-allowEncodedSemicolon" title="#opt-http-encodedCharacters-allowEncodedSemicolon">`http.encodedCharacters.`<br />`allowEncodedSemicolon`</a> | Defines whether requests with encoded semicolon characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedPercent" href="#opt-http-encodedCharacters-allowEncodedPercent" title="#opt-http-encodedCharacters-allowEncodedPercent">`http.encodedCharacters.`<br />`allowEncodedPercent`</a> | Defines whether requests with encoded percent characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedQuestionMark" href="#opt-http-encodedCharacters-allowEncodedQuestionMark" title="#opt-http-encodedCharacters-allowEncodedQuestionMark">`http.encodedCharacters.`<br />`allowEncodedQuestionMark`</a> | Defines whether requests with encoded question mark characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedHash" href="#opt-http-encodedCharacters-allowEncodedHash" title="#opt-http-encodedCharacters-allowEncodedHash">`http.encodedCharacters.`<br />`allowEncodedHash`</a> | Defines whether requests with encoded hash characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | true                    | No       |
 | <a id="opt-http-encodeQuerySemicolons" href="#opt-http-encodeQuerySemicolons" title="#opt-http-encodeQuerySemicolons">`http.encodeQuerySemicolons`</a> | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons).                                                                                                                                                                                                                                                                                                                                               | false                   | No       |
 | <a id="opt-http-sanitizePath" href="#opt-http-sanitizePath" title="#opt-http-sanitizePath">`http.sanitizePath`</a> | Defines whether to enable the request path sanitization.<br /> More information [here](#sanitizepath).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | false                   | No       |
+| <a id="opt-http-maxHeaderBytes" href="#opt-http-maxHeaderBytes" title="#opt-http-maxHeaderBytes">`http.maxHeaderBytes`</a> | Set the maximum size of request headers in bytes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 1048576                 | No       |
 | <a id="opt-http-middlewares" href="#opt-http-middlewares" title="#opt-http-middlewares">`http.middlewares`</a> | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | -                       | No       |
 | <a id="opt-http-tls" href="#opt-http-tls" title="#opt-http-tls">`http.tls`</a> | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generated by Traefik. <br /> We recommend to not use self signed certificates in production.                                                                                                                                                                                                                                                                                                                                                                                                                                                        | -                       | No       |
 | <a id="opt-http-tls-options" href="#opt-http-tls-options" title="#opt-http-tls-options">`http.tls.options`</a> | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption).                                                                                                                                                                                                                                                                                                                                                                                                                                                   | -                       | No       |
 | <a id="opt-http-tls-certResolver" href="#opt-http-tls-certResolver" title="#opt-http-tls-certResolver">`http.tls.certResolver`</a> | Apply a certificate resolver on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../install-configuration/tls/certificate-resolvers/overview.md).                                                                                                                                                                                                                                                                                                                                                                                                                                  | -                       | No       |
 | <a id="opt-http2-maxConcurrentStreams" href="#opt-http2-maxConcurrentStreams" title="#opt-http2-maxConcurrentStreams">`http2.maxConcurrentStreams`</a> | Set the number of concurrent streams per connection that each client is allowed to initiate. <br /> The value must be greater than zero.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 250                     | No       |
-| <a id="opt-http3" href="#opt-http3" title="#opt-http3">`http3`</a> | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3).                                                                                                                                                                                                                                                                                                                                                                                          | -                       | No       |
+| <a id="opt-http2-maxDecoderHeaderTableSize" href="#opt-http2-maxDecoderHeaderTableSize" title="#opt-http2-maxDecoderHeaderTableSize">`http2.maxDecoderHeaderTableSize`</a> | Set the maximum size of the decoder header compression table. This controls the maximum size of the header cache that the server is willing to maintain so the client does not need to repeatedly send the same header across requests in the same http2 connection. <br /> This value is only a maximum, the other end of the connection can use a lower size.                                                                                                                                                                                                                                                                                                                     | 4096                    | No       |
+| <a id="opt-http2-maxEncoderHeaderTableSize" href="#opt-http2-maxEncoderHeaderTableSize" title="#opt-http2-maxEncoderHeaderTableSize">`http2.maxEncoderHeaderTableSize`</a> | Set the maximum size of the encoder header compression table. This controls the maximum size of the header cache that the server is willing to maintain when sending headers to the client, allowing the server to reduce the amount of duplicate headers it is sending in responses. <br /> This value is only a maximum, the other end of the connection can use a lower size.                                                                                                                                                                                                                                                                                                    | 4096                    | No       |
+| <a id="opt-http3" href="#opt-http3" title="#opt-http3">`http3`</a> | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3).                                                                                                                                                                                                                                                                                                                                                                                         | -                       | No       |
 | <a id="opt-http3-advertisedPort" href="#opt-http3-advertisedPort" title="#opt-http3-advertisedPort">`http3.advertisedPort`</a> | Set the UDP port to advertise as the HTTP/3 authority. <br /> It defaults to the entryPoint's address port. <br /> It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening.                                                                                                                                                                                                                                                                                                                                                                                                            | -                       | No       |
 | <a id="opt-observability-accessLogs" href="#opt-observability-accessLogs" title="#opt-observability-accessLogs">`observability.accessLogs`</a> | Defines whether a router attached to this EntryPoint produces access-logs by default. Nonetheless, a router defining its own observability configuration will opt-out from this default.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | true                    | No       |
 | <a id="opt-observability-metrics" href="#opt-observability-metrics" title="#opt-observability-metrics">`observability.metrics`</a> | Defines whether a router attached to this EntryPoint produces metrics by default. Nonetheless, a router defining its own observability configuration will opt-out from this default.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | true                    | No       |
@@ -206,6 +217,33 @@ it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
 | <a id="opt-false-6" href="#opt-false-6" title="#opt-false-6">false</a> | /./foo/../bar// | /./foo/../bar//        |
 | <a id="opt-true-6" href="#opt-true-6" title="#opt-true-6">true</a> | /./foo/../bar// | /bar/                  |
 
+### Encoded Characters
+
+You can configure Traefik to control the handling of encoded characters in request paths for security purposes.
+By default, Traefik do not reject requests with path containing certain encoded characters that could be used in path traversal or other security attacks.
+
+!!! info 
+    
+    This check is not done against the request query parameters,
+    but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
+
+!!! info "Security Considerations"
+
+    When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986) and notably decode encoded reserved characters in the requets path,
+    it is recommended to set these options to `false` to avoid split-view situation and helps prevent path traversal attacks or other malicious attempts to bypass security controls.
+
+Here is the list of the encoded characters that are rejected by default:
+
+| Encoded Character                                                                  | Character               |
+|------------------------------------------------------------------------------------|-------------------------|
+| <a id="opt-2f-or-2F" href="#opt-2f-or-2F" title="#opt-2f-or-2F">`%2f` or `%2F`</a> | `/` (slash)             |
+| <a id="opt-5c-or-5C" href="#opt-5c-or-5C" title="#opt-5c-or-5C">`%5c` or `%5C`</a> | `\` (backslash)         |
+| <a id="opt-00" href="#opt-00" title="#opt-00">`%00`</a> | `NULL` (null character) |
+| <a id="opt-3b-or-3B" href="#opt-3b-or-3B" title="#opt-3b-or-3B">`%3b` or `%3B`</a> | `;` (semicolon)         |
+| <a id="opt-25" href="#opt-25" title="#opt-25">`%25`</a> | `%` (percent)           |
+| <a id="opt-3f-or-3F" href="#opt-3f-or-3F" title="#opt-3f-or-3F">`%3f` or `%3F`</a> | `?` (question mark)     |
+| <a id="opt-23" href="#opt-23" title="#opt-23">`%23`</a> | `#` (hash)              |
+
 ### HTTP3
 
 As HTTP/3 actually uses UDP, when Traefik is configured with a TCP `entryPoint`

docs/content/reference/install-configuration/observability/logs-and-accesslogs.md

@@ -397,7 +397,7 @@ Example utilizing Docker Compose:
 ```yaml
 services:
   traefik:
-    image: traefik:v3.5
+    image: traefik:v3.6
     environment:
       - TZ=US/Alaska
     command:
@@ -409,4 +409,4 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
 ```
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/providers/docker.md

@@ -420,11 +420,11 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
         - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
         - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
         - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
-        - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
+        - [A thread on Hacker News about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
         - [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
         - [Traefik issue GH-4174 about security with Docker socket](https://github.com/traefik/traefik/issues/4174)
         - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
         - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
         - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/providers/kubernetes/knative.md

@@ -0,0 +1,142 @@
+---
+title: "Traefik Knative Documentation"
+description: "Learn how to use the Knative as a provider for configuration discovery in Traefik Proxy. Read the technical documentation."
+---
+
+# Traefik & Knative
+
+The Traefik Knative provider integrates with Knative Serving to provide advanced traffic management and routing capabilities for serverless applications.
+
+[Knative](https://knative.dev) is a Kubernetes-based platform that enables serverless workloads with features like scale-to-zero, 
+automatic scaling, and revision management.
+
+The provider watches Knative `Ingress` resources and automatically configures Traefik routing rules,
+enabling seamless integration between Traefik's networking capabilities and Knative's serverless platform.
+
+## Requirements
+
+{% include-markdown "includes/kubernetes-requirements.md" %}
+
+1. Install/update the Knative CRDs.
+
+    ```bash
+    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-crds.yaml
+    ```
+
+2. Install the Knative Serving core components.
+
+    ```bash
+    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-core.yaml
+    ```
+
+3. Update the config-network configuration to use the Traefik ingress class.
+
+    ```bash
+       kubectl patch configmap/config-network \
+       -n knative-serving \
+       --type merge \
+       -p '{"data":{"ingress.class":"traefik.ingress.networking.knative.dev"}}'
+    ```
+
+4. Add a custom domain to your Knative configuration (Optional).
+
+    ```bash
+    kubectl patch configmap config-domain \
+      -n knative-serving \
+      --type='merge' \
+      -p='{"data":{"example.com":""}}'
+    ```
+
+5. Install/update the Traefik [RBAC](../../../dynamic-configuration/kubernetes-knative-rbac.yml).
+
+    ```bash
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml
+    ```
+
+## Configuration Example
+
+As this provider is an experimental feature, it needs to be enabled in the experimental and in the provider sections of the configuration.
+You can enable the Knative provider as detailed below:
+
+```yaml tab="File (YAML)"
+experimental:
+  knative: true
+
+providers:
+  knative: {}
+```
+
+```toml tab="File (TOML)"
+[experimental.knative]
+
+[providers.knative]
+```
+
+```bash tab="CLI"
+--experimental.knative=true
+--providers.knative=true
+```
+
+The Knative provider uses the Knative API to retrieve its routing configuration.
+The provider then watches for incoming Knative events and derives the corresponding dynamic configuration from it.
+
+## Configuration Options
+
+<!-- markdownlint-disable MD013 -->
+
+| Field                                                                                                                                                                                                    | Description                                                                                                                                                                                                                                                                                                                                                                          | Default | Required |
+|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No       |
+| <a id="opt-providers-knative-endpoint" href="#opt-providers-knative-endpoint" title="#opt-providers-knative-endpoint">providers.knative.endpoint</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                        |         |
+| <a id="opt-providers-knative-token" href="#opt-providers-knative-token" title="#opt-providers-knative-token">providers.knative.token</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                           |         |
+| <a id="opt-providers-knative-certauthfilepath" href="#opt-providers-knative-certauthfilepath" title="#opt-providers-knative-certauthfilepath">providers.knative.certauthfilepath</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                           |         |
+| <a id="opt-providers-knative-namespaces" href="#opt-providers-knative-namespaces" title="#opt-providers-knative-namespaces">providers.knative.namespaces</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces.                                                                                                                                                                                                                                                                                                              |         |
+| <a id="opt-providers-knative-labelselector" href="#opt-providers-knative-labelselector" title="#opt-providers-knative-labelselector">providers.knative.labelselector</a> | Allow filtering Knative Ingress objects using label selectors.                                                                                                                                                                                                                                                                                                                       |         |
+| <a id="opt-providers-knative-throttleduration" href="#opt-providers-knative-throttleduration" title="#opt-providers-knative-throttleduration">providers.knative.throttleduration</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                           | 0       |
+| <a id="opt-providers-knative-privateentrypoints" href="#opt-providers-knative-privateentrypoints" title="#opt-providers-knative-privateentrypoints">providers.knative.privateentrypoints</a> | Entrypoint names used to expose the Ingress privately. If empty local Ingresses are skipped.                                                                                                                                                                                                                                                                                         |         |
+| <a id="opt-providers-knative-privateservice" href="#opt-providers-knative-privateservice" title="#opt-providers-knative-privateservice">providers.knative.privateservice</a> | Kubernetes service used to expose the networking controller privately.                                                                                                                                                                                                                                                                                                               |         |
+| <a id="opt-providers-knative-privateservice-name" href="#opt-providers-knative-privateservice-name" title="#opt-providers-knative-privateservice-name">providers.knative.privateservice.name</a> | Name of the private Kubernetes service.                                                                                                                                                                                                                                                                                                                                              |         |
+| <a id="opt-providers-knative-privateservice-namespace" href="#opt-providers-knative-privateservice-namespace" title="#opt-providers-knative-privateservice-namespace">providers.knative.privateservice.namespace</a> | Namespace of the private Kubernetes service.                                                                                                                                                                                                                                                                                                                                         |         |
+| <a id="opt-providers-knative-publicentrypoints" href="#opt-providers-knative-publicentrypoints" title="#opt-providers-knative-publicentrypoints">providers.knative.publicentrypoints</a> | Entrypoint names used to expose the Ingress publicly. If empty an Ingress is exposed on all entrypoints.                                                                                                                                                                                                                                                                             |         |
+| <a id="opt-providers-knative-publicservice" href="#opt-providers-knative-publicservice" title="#opt-providers-knative-publicservice">providers.knative.publicservice</a> | Kubernetes service used to expose the networking controller publicly.                                                                                                                                                                                                                                                                                                                |         |
+| <a id="opt-providers-knative-publicservice-name" href="#opt-providers-knative-publicservice-name" title="#opt-providers-knative-publicservice-name">providers.knative.publicservice.name</a> | Name of the public Kubernetes service.                                                                                                                                                                                                                                                                                                                                               |         |
+| <a id="opt-providers-knative-publicservice-namespace" href="#opt-providers-knative-publicservice-namespace" title="#opt-providers-knative-publicservice-namespace">providers.knative.publicservice.namespace</a> | Namespace of the public Kubernetes service.                                                                                                                                                                                                                                                                                                                                          |         |
+
+<!-- markdownlint-enable MD013 -->
+
+### `endpoint`
+
+The Kubernetes server endpoint URL.
+
+When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
+
+The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+Both are mounted automatically when deployed inside Kubernetes.
+
+The endpoint may be specified to override the environment variable values inside a cluster.
+
+When the environment variables are not found, Traefik tries to connect to the Knative API server with an external-cluster client.
+In this case, the endpoint is required.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Knative cluster using the granted authentication and authorization of the associated kubeconfig.
+
+```yaml tab="File (YAML)"
+providers:
+  knative:
+    endpoint: "http://localhost:8080"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.knative]
+  endpoint = "http://localhost:8080"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.knative.endpoint=http://localhost:8080
+```
+## Routing Configuration
+
+See the dedicated section in [routing](../../../routing-configuration/kubernetes/knative.md).
+
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md

@@ -20,10 +20,10 @@ When you install Traefik without using the Helm Chart, or when you are upgrading
 
 ```bash
 # Install Traefik Resource Definitions:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
 
 # Install RBAC for Traefik:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 ```
 
 ## Configuration Example
@@ -130,4 +130,4 @@ See the dedicated section in [routing](../../../../routing/providers/kubernetes-
 
 For additional information, refer to the [full example](../../../../user-guides/crd-acme/index.md) with Let's Encrypt.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md

@@ -8,33 +8,33 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specification from the Kubernetes Special Interest Groups (SIGs).
 
-This provider supports Standard version [v1.3.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.3.0) of the Gateway API specification.
+This provider supports Standard version [v1.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.4.0) of the Gateway API specification.
 
-It fully supports all HTTP core and some extended features, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).
+It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, and `GRPCRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute`, and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels). 
 
-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.3.0/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.4.0/traefik-traefik).
 
 !!! info "Using The Helm Chart"
 
     When using the Traefik [Helm Chart](../../../../getting-started/install-traefik.md#use-the-helm-chart), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you.
-    The only remaining task is to enable the `kubernetesGateway` in the chart [values](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L130).
+    The only remaining task is to enable the `kubernetesGateway` in the chart [values](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L323).
 
 ## Requirements
 
-{!kubernetes-requirements.md!}
+{% include-markdown "includes/kubernetes-requirements.md" %}
 
 1. Install/update the Kubernetes Gateway API CRDs.
 
     ```bash
     # Install Gateway API CRDs from the Standard channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
     ```
 
 2. Install/update the Traefik [RBAC](../../../dynamic-configuration/kubernetes-gateway-rbac.yml).
 
     ```bash
     # Install Traefik RBACs.
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
     ```
 
 ## Configuration Example
@@ -137,4 +137,4 @@ See the dedicated section in [routing](../../../../routing/providers/kubernetes-
     and the dedicated [routing section](../../../../routing/providers/kubernetes-gateway.md)
     in the Traefik documentation.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md

@@ -3,67 +3,134 @@ title: "Traefik Kubernetes Ingress NGINX Documentation"
 description: "Understand the requirements, routing configuration, and how to set up the Kubernetes Ingress NGINX provider. Read the technical documentation."
 ---
 
-# Traefik & Ingresses with NGINX Annotations 
+# Traefik & Ingresses with NGINX Annotations
 
-The experimental Traefik Kubernetes Ingress NGINX provider is a Kubernetes Ingress controller; i.e,
-it manages access to cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
-It also supports some of the [ingress-nginx](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) annotations on ingresses to customize their behavior.
+This provider is a Kubernetes Ingress controller that manages access to cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
+It also supports many of the [ingress-nginx](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) annotations on Ingresses, enabling teams to migrate from NGINX Ingress Controller to Traefik with minimal configuration changes.
 
-!!! warning "Ingress Discovery"
+!!! warning "NGINX Ingress Controller Retirement"
 
-    The Kubernetes Ingress NGINX provider is discovering by default all Ingresses in the cluster,
-    which may lead to duplicated routers if you are also using the Kubernetes Ingress provider.
-    We recommend to use IngressClass for the Ingresses you want to be handled by this provider,
-    or to use the `watchNamespace` or `watchNamespaceSelector` options to limit the discovery of Ingresses to a specific namespace or set of namespaces.
+    The Kubernetes NGINX Ingress Controller project has announced its retirement in **March 2026** and will no longer receive updates or security patches.
+    Traefik provides a migration path by supporting NGINX annotations, allowing you to transition your workloads without rewriting all your Ingress configurations.
+
+    **→ See the [NGINX to Traefik Migration Guide](../../../../migrate/nginx-to-traefik.md) for step-by-step instructions.**
+
+    For more information about the NGINX Ingress Controller retirement, see the [official Kubernetes blog announcement](https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement).
+
+## Requirements
+
+When you install Traefik without using the Helm Chart, 
+ensure that you add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik Kubernetes Ingress NGINX provider. 
+
+!!! note "Additional RBAC for Namespace Selector"
+
+    When using the `watchNamespaceSelector` option, Traefik requires permissions to list and watch namespaces.
+    These permissions are included in the RBAC configuration below.
+
+```bash
+# Install RBAC for Traefik Ingress NGINX provider:
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
+```
+
+## Ingress Discovery
+
+This provider discovers all Ingresses in the cluster by default, which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider.
+
+**Best Practices:**
+
+- Use IngressClass to specify which Ingresses should be handled by this provider
+- Configure `watchNamespace` to limit discovery to specific namespaces
+- Use `watchNamespaceSelector` to target Ingresses based on namespace labels
 
 ## Configuration Example
 
-As this provider is an experimental feature, it needs to be enabled in the experimental and in the provider sections of the configuration.
 You can enable the Kubernetes Ingress NGINX provider as detailed below:
 
 ```yaml tab="File (YAML)"
-experimental:
-  kubernetesIngressNGINX: true
-
 providers:
-  kubernetesIngressNGINX: {}
+  kubernetesIngressNGINX:
+    # Namespace discovery
+    watchNamespace: "default"
+    # OR use namespace selector (mutually exclusive with watchNamespace)
+    # watchNamespaceSelector: "environment=production"
+
+    # IngressClass configuration
+    ingressClass: "nginx"
+    controllerClass: "k8s.io/ingress-nginx"
+    watchIngressWithoutClass: false
+    ingressClassByName: false
 ```
 
 ```toml tab="File (TOML)"
-[experimental.kubernetesIngressNGINX]
-
 [providers.kubernetesIngressNGINX]
+  # Namespace discovery
+  watchNamespace = "default"
+  # OR use namespace selector (mutually exclusive with watchNamespace)
+  # watchNamespaceSelector = "environment=production"
+
+  # IngressClass configuration
+  ingressClass = "nginx"
+  controllerClass = "k8s.io/ingress-nginx"
+  watchIngressWithoutClass = false
+  ingressClassByName = false
 ```
 
 ```bash tab="CLI"
---experimental.kubernetesingressnginx=true
 --providers.kubernetesingressnginx=true
+--providers.kubernetesingressnginx.watchnamespace=default
+--providers.kubernetesingressnginx.ingressclass=nginx
+--providers.kubernetesingressnginx.controllerclass=k8s.io/ingress-nginx
+--providers.kubernetesingressnginx.watchingresswithoutclass=false
+--providers.kubernetesingressnginx.ingressclassbyname=false
 ```
 
-The provider then watches for incoming ingresses events, such as the example below,
-and derives the corresponding dynamic configuration from it,
-which in turn creates the resulting routers, services, handlers, etc.
+```yaml tab="Helm Chart Values"
+providers:
+  kubernetesIngressNginx:
+    # -- Enable Kubernetes Ingress NGINX provider
+    enabled: true
+
+    # Namespace discovery
+    # -- Namespace the controller watches for updates to Kubernetes objects
+    # When using rbac.namespaced, it will watch helm release namespace and namespaces listed in this array
+    namespaces:
+      - default
+    # OR use namespace selector (mutually exclusive with namespaces)
+    # namespaceSelector: "environment=production"
+
+    # IngressClass configuration
+    # -- Name of the ingress class this controller satisfies
+    ingressClass: "nginx"
+    # -- Ingress Class Controller value this controller satisfies
+    controllerClass: "k8s.io/ingress-nginx"
+    # -- Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified
+    watchIngressWithoutClass: false
+    # -- Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class
+    ingressClassByName: false
+```
+
+This provider watches for incoming Ingress events and automatically translates NGINX annotations into Traefik's dynamic configuration, creating the corresponding routers, services, middlewares, and other components needed to route traffic to your cluster services.
 
 ## Configuration Options
 <!-- markdownlint-disable MD013 -->
 
-| Field                                                       | Description                                                                                                                                                                                                                                                                                                                                                                          | Default | Required |
-|:------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
-| <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-endpoint" href="#opt-providers-kubernetesIngressNGINX-endpoint" title="#opt-providers-kubernetesIngressNGINX-endpoint">`providers.kubernetesIngressNGINX.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                        | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-token" href="#opt-providers-kubernetesIngressNGINX-token" title="#opt-providers-kubernetesIngressNGINX-token">`providers.kubernetesIngressNGINX.token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                           | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-certAuthFilePath" href="#opt-providers-kubernetesIngressNGINX-certAuthFilePath" title="#opt-providers-kubernetesIngressNGINX-certAuthFilePath">`providers.kubernetesIngressNGINX.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                           | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-throttleDuration" href="#opt-providers-kubernetesIngressNGINX-throttleDuration" title="#opt-providers-kubernetesIngressNGINX-throttleDuration">`providers.kubernetesIngressNGINX.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                           | 0s      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-watchNamespace" href="#opt-providers-kubernetesIngressNGINX-watchNamespace" title="#opt-providers-kubernetesIngressNGINX-watchNamespace">`providers.kubernetesIngressNGINX.watchNamespace`</a> | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.                                                                                                                                                                                                                                                      | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" href="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" title="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector">`providers.kubernetesIngressNGINX.watchNamespaceSelector`</a> | Selector selects namespaces the controller watches for updates to Kubernetes objects.                                                                                                                                                                                                                                                                                                | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-ingressClass" href="#opt-providers-kubernetesIngressNGINX-ingressClass" title="#opt-providers-kubernetesIngressNGINX-ingressClass">`providers.kubernetesIngressNGINX.ingressClass`</a> | Name of the ingress class this controller satisfies.                                                                                                                                                                                                                                                                                                                                 | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-controllerClass" href="#opt-providers-kubernetesIngressNGINX-controllerClass" title="#opt-providers-kubernetesIngressNGINX-controllerClass">`providers.kubernetesIngressNGINX.controllerClass`</a> | Ingress Class Controller value this controller satisfies.                                                                                                                                                                                                                                                                                                                            | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" href="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" title="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass">`providers.kubernetesIngressNGINX.watchIngressWithoutClass`</a> | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified.                                                                                                                                                                                                                                                                    | false   | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-ingressClassByName" href="#opt-providers-kubernetesIngressNGINX-ingressClassByName" title="#opt-providers-kubernetesIngressNGINX-ingressClassByName">`providers.kubernetesIngressNGINX.ingressClassByName`</a> | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class.                                                                                                                                                                                                                                                                                  | false   | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-publishService" href="#opt-providers-kubernetesIngressNGINX-publishService" title="#opt-providers-kubernetesIngressNGINX-publishService">`providers.kubernetesIngressNGINX.publishService`</a> | Service fronting the Ingress controller. Takes the form namespace/name.                                                                                                                                                                                                                                                                                                              | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-publishStatusAddress" href="#opt-providers-kubernetesIngressNGINX-publishStatusAddress" title="#opt-providers-kubernetesIngressNGINX-publishStatusAddress">`providers.kubernetesIngressNGINX.publishStatusAddress`</a> | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.                                                                                                                                                                                                                                               | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-defaultBackendService" href="#opt-providers-kubernetesIngressNGINX-defaultBackendService" title="#opt-providers-kubernetesIngressNGINX-defaultBackendService">`providers.kubernetesIngressNGINX.defaultBackendService`</a> | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'.                                                                                                                                                                                                                                                                 | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-disableSvcExternalName" href="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName" title="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName">`providers.kubernetesIngressNGINX.disableSvcExternalName`</a> | Disable support for Services of type ExternalName.                                                                                                                                                                                                                                                                                                                                   | false   | No       |
+| Field                                                                                                                                                                                                                                                                                            | Description | Default | Required |
+|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------|:--------|:---------|
+| <a id="opt-providers-providers-ThrottleDuration" href="#opt-providers-providers-ThrottleDuration" title="#opt-providers-providers-ThrottleDuration">`providers.providers`<br/>`ThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-endpoint" href="#opt-providers-kubernetesIngressNGINX-endpoint" title="#opt-providers-kubernetesIngressNGINX-endpoint">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                        | ""      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-token" href="#opt-providers-kubernetesIngressNGINX-token" title="#opt-providers-kubernetesIngressNGINX-token">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                           | ""      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-certAuthFilePath" href="#opt-providers-kubernetesIngressNGINX-certAuthFilePath" title="#opt-providers-kubernetesIngressNGINX-certAuthFilePath">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                           | ""      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-throttleDuration" href="#opt-providers-kubernetesIngressNGINX-throttleDuration" title="#opt-providers-kubernetesIngressNGINX-throttleDuration">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                           | 0s      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-watchNamespace" href="#opt-providers-kubernetesIngressNGINX-watchNamespace" title="#opt-providers-kubernetesIngressNGINX-watchNamespace">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespace`</a> | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.                                                                                                                                                                                                                                                      | ""      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" href="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" title="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespaceSelector`</a> | Selector selects namespaces the controller watches for updates to Kubernetes objects.                                                                                                                                                                                                                                                                                                | ""      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-ingressClass" href="#opt-providers-kubernetesIngressNGINX-ingressClass" title="#opt-providers-kubernetesIngressNGINX-ingressClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ingressClass`</a> | Name of the ingress class this controller satisfies.                                                                                                                                                                                                                                                                                                                                 | "nginx"      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-controllerClass" href="#opt-providers-kubernetesIngressNGINX-controllerClass" title="#opt-providers-kubernetesIngressNGINX-controllerClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`controllerClass`</a> | Ingress Class Controller value this controller satisfies.                                                                                                                                                                                                                                                                                                                            | ""      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" href="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" title="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchIngressWithoutClass`</a> | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified.                                                                                                                                                                                                                                                                    | false   | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-ingressClassByName" href="#opt-providers-kubernetesIngressNGINX-ingressClassByName" title="#opt-providers-kubernetesIngressNGINX-ingressClassByName">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ingressClassByName`</a> | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class.                                                                                                                                                                                                                                                                                  | false   | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-publishService" href="#opt-providers-kubernetesIngressNGINX-publishService" title="#opt-providers-kubernetesIngressNGINX-publishService">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`publishService`</a> | Service fronting the Ingress controller. Takes the form `namespace/name`.                                                                                                                                                                                                                                                                                                              | ""      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-publishStatusAddress" href="#opt-providers-kubernetesIngressNGINX-publishStatusAddress" title="#opt-providers-kubernetesIngressNGINX-publishStatusAddress">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`publishStatusAddress`</a> | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.                                                                                                                                                                                                                                               | ""      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-defaultBackendService" href="#opt-providers-kubernetesIngressNGINX-defaultBackendService" title="#opt-providers-kubernetesIngressNGINX-defaultBackendService">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`defaultBackendService`</a> | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'.                                                                                                                                                                                                                                                                 | ""      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-disableSvcExternalName" href="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName" title="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`disableSvcExternalName`</a> | Disable support for Services of type ExternalName.                                                                                                                                                                                                                                                                                                                                   | false   | No       |
 
 <!-- markdownlint-enable MD013 -->
 
@@ -109,4 +176,4 @@ providers:
 
 See the dedicated section in [routing](../../../routing-configuration/kubernetes/ingress-nginx.md).
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md

@@ -60,7 +60,6 @@ which in turn creates the resulting routers, services, handlers, etc.
 | <a id="opt-providers-kubernetesIngress-ingressEndpoint-publishedService" href="#opt-providers-kubernetesIngress-ingressEndpoint-publishedService" title="#opt-providers-kubernetesIngress-ingressEndpoint-publishedService">`providers.kubernetesIngress.`<br />`ingressEndpoint.publishedService`</a> | The Kubernetes service to copy status from.<br />More information [here](#ingressendpointpublishedservice). | ""      | No       |
 | <a id="opt-providers-kubernetesIngress-throttleDuration" href="#opt-providers-kubernetesIngress-throttleDuration" title="#opt-providers-kubernetesIngress-throttleDuration">`providers.kubernetesIngress.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.  | 0s      | No       |
 | <a id="opt-providers-kubernetesIngress-allowEmptyServices" href="#opt-providers-kubernetesIngress-allowEmptyServices" title="#opt-providers-kubernetesIngress-allowEmptyServices">`providers.kubernetesIngress.allowEmptyServices`</a> | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status.  | false   | No       |
-| <a id="opt-providers-kubernetesIngress-allowCrossNamespace" href="#opt-providers-kubernetesIngress-allowCrossNamespace" title="#opt-providers-kubernetesIngress-allowCrossNamespace">`providers.kubernetesIngress.allowCrossNamespace`</a> | Allows the `Ingress` to reference resources in namespaces other than theirs. | false   | No       |
 | <a id="opt-providers-kubernetesIngress-allowExternalNameServices" href="#opt-providers-kubernetesIngress-allowExternalNameServices" title="#opt-providers-kubernetesIngress-allowExternalNameServices">`providers.kubernetesIngress.allowExternalNameServices`</a> | Allows the `Ingress` to reference ExternalName services.   | false   | No       |
 | <a id="opt-providers-kubernetesIngress-nativeLBByDefault" href="#opt-providers-kubernetesIngress-nativeLBByDefault" title="#opt-providers-kubernetesIngress-nativeLBByDefault">`providers.kubernetesIngress.nativeLBByDefault`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `Ingress` by default.<br />It can br overridden in the [`ServerTransport`](../../../../routing/services/index.md#serverstransport).         | false   | No       |
 | <a id="opt-providers-kubernetesIngress-disableClusterScopeResources" href="#opt-providers-kubernetesIngress-disableClusterScopeResources" title="#opt-providers-kubernetesIngress-disableClusterScopeResources">`providers.kubernetesIngress.disableClusterScopeResources`</a> | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services. | false   | No       |
@@ -116,6 +115,7 @@ depending on the service type:
 - **ClusterIP:** The ExternalIPs of the service will be propagated to the ingress status.
 - **NodePort:** The ExternalIP addresses of the nodes in the cluster will be propagated to the ingress status.
 - **LoadBalancer:** The IPs from the service's `loadBalancer.status` field (which contains the endpoints provided by the load balancer) will be propagated to the ingress status.
+- **ExternalName:** The hostname from the service's `spec.externalName` field will be propagated to the ingress status.
 
 When using third-party tools such as External-DNS, this option enables the copying of external service IPs to the ingress resources.
 
@@ -149,4 +149,4 @@ many examples of Ingresses definitions are located in the test
 [examples](https://github.com/traefik/traefik/tree/v3.1/pkg/provider/kubernetes/ingress/fixtures)
 of the Traefik repository.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/providers/others/file.md

@@ -121,4 +121,4 @@ http:
     As it is very difficult to listen to all file system notifications, Traefik uses [fsnotify](https://github.com/fsnotify/fsnotify).
     If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/providers/overview.md

@@ -160,4 +160,4 @@ List of providers that support constraints:
 - [Consul Catalog](./hashicorp/consul-catalog.md#constraints)
 - [Nomad](./hashicorp/nomad.md#constraints)
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/providers/swarm.md

@@ -464,4 +464,4 @@ It allows different implementation levels of the [AAA (Authentication, Authoriza
 - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
 - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md

@@ -79,6 +79,7 @@ ACME certificate resolvers have the following configuration options:
 | <a id="opt-acme-caServer" href="#opt-acme-caServer" title="#opt-acme-caServer">`acme.caServer`</a> | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No |
 | <a id="opt-acme-preferredChain" href="#opt-acme-preferredChain" title="#opt-acme-preferredChain">`acme.preferredChain`</a> | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No |
 | <a id="opt-acme-keyType" href="#opt-acme-keyType" title="#opt-acme-keyType">`acme.keyType`</a> | KeyType to use. | "RSA4096" | No |
+| <a id="opt-acme-disableCommonName" href="#opt-acme-disableCommonName" title="#opt-acme-disableCommonName">`acme.disableCommonName`</a> | Disable common name inside CSR and certificates.                                                                                                                                                                                                                        | false                                          | No       |
 | <a id="opt-acme-profile" href="#opt-acme-profile" title="#opt-acme-profile">`acme.profile`</a> | Certificate profile to use. | "" | No |
 | <a id="opt-acme-caCertificates" href="#opt-acme-caCertificates" title="#opt-acme-caCertificates">`acme.caCertificates`</a> | Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | [] | No |
 | <a id="opt-acme-caSystemCertPool" href="#opt-acme-caSystemCertPool" title="#opt-acme-caSystemCertPool">`acme.caSystemCertPool`</a> | Defines if the certificates pool must use a copy of the system cert pool. | false | No |
@@ -101,6 +102,7 @@ ACME certificate resolvers have the following configuration options:
 | <a id="opt-acme-httpChallenge-entryPoint" href="#opt-acme-httpChallenge-entryPoint" title="#opt-acme-httpChallenge-entryPoint">`acme.httpChallenge.entryPoint`</a> | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80 | "" | Yes |
 | <a id="opt-acme-httpChallenge-delay" href="#opt-acme-httpChallenge-delay" title="#opt-acme-httpChallenge-delay">`acme.httpChallenge.delay`</a> | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay. | 0 | No |
 | <a id="opt-acme-tlsChallenge" href="#opt-acme-tlsChallenge" title="#opt-acme-tlsChallenge">`acme.tlsChallenge`</a> | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge). | - | No |
+| <a id="opt-acme-tlschallenge-delay" href="#opt-acme-tlschallenge-delay" title="#opt-acme-tlschallenge-delay">`acme.tlschallenge.delay`</a> | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay.                                                                                                                                                 | 0                                              | No       |
 | <a id="opt-acme-storage" href="#opt-acme-storage" title="#opt-acme-storage">`acme.storage`</a> | File path used for certificates storage. | "acme.json" | Yes |
 
 ## Automatic Certificate Renewal
@@ -328,4 +330,4 @@ If Let's Encrypt is not reachable, the following certificates will apply:
 !!! important
     For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/install-configuration/tls/certificate-resolvers/overview.md

@@ -17,4 +17,4 @@ The Certificates resolvers are defined in the static configuration.
     Defining a certificate resolver does not imply that routers are going to use it automatically.
     Each router or entrypoint that is meant to use the resolver must explicitly reference it.
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/routing-configuration/http/load-balancing/service.md

@@ -30,6 +30,9 @@ http:
           path: "/health"
           interval: "10s"
           timeout: "3s"
+        passiveHealthcheck:
+          failureWindow: "3s"
+          maxFailedAttempts: "3"
         passHostHeader: true
         serversTransport: "customTransport@file"
         responseForwarding:
@@ -49,6 +52,10 @@ http:
       path = "/health"
       interval = "10s"
       timeout = "3s"
+
+    [http.services.my-service.loadBalancer.passiveHealthcheck]
+      failureWindow = "3s"
+      maxFailedAttempts = "3"
     
     passHostHeader = true
     serversTransport = "customTransport@file"
@@ -66,6 +73,8 @@ labels:
   - "traefik.http.services.my-service.loadBalancer.healthcheck.path=/health"
   - "traefik.http.services.my-service.loadBalancer.healthcheck.interval=10s"
   - "traefik.http.services.my-service.loadBalancer.healthcheck.timeout=3s"
+  - "traefik.http.services.my-service.loadBalancer.passiveHealthcheck.failureWindow=3s"
+  - "traefik.http.services.my-service.loadBalancer.passiveHealthcheck.maxFailedAttempts=3"
   - "traefik.http.services.my-service.loadBalancer.passHostHeader=true"
   - "traefik.http.services.my-service.loadBalancer.serversTransport=customTransport@file"
   - "traefik.http.services.my-service.loadBalancer.responseForwarding.flushInterval=150ms"
@@ -81,6 +90,8 @@ labels:
     "traefik.http.services.my-service.loadBalancer.healthcheck.path=/health",
     "traefik.http.services.my-service.loadBalancer.healthcheck.interval=10s",
     "traefik.http.services.my-service.loadBalancer.healthcheck.timeout=3s",
+    "traefik.http.services.my-service.loadBalancer.passiveHealthcheck.failureWindow=3s",
+    "traefik.http.services.my-service.loadBalancer.passiveHealthcheck.maxFailedAttempts=3",
     "traefik.http.services.my-service.loadBalancer.passHostHeader=true",
     "traefik.http.services.my-service.loadBalancer.serversTransport=customTransport@file",
     "traefik.http.services.my-service.loadBalancer.responseForwarding.flushInterval=150ms"
@@ -95,6 +106,7 @@ labels:
 | <a id="opt-servers" href="#opt-servers" title="#opt-servers">`servers`</a> | Represents individual backend instances for your service                                                                                                                                                                                                                                                                                                                                      | Yes      |
 | <a id="opt-sticky" href="#opt-sticky" title="#opt-sticky">`sticky`</a> | Defines a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.                                                                                                                                                                                                                                                                  | No       |
 | <a id="opt-healthcheck" href="#opt-healthcheck" title="#opt-healthcheck">`healthcheck`</a> | Configures health check to remove unhealthy servers from the load balancing rotation.                                                                                                                                                                                                                                                                                                         | No       |
+| <a id="opt-passiveHealthcheck" href="#opt-passiveHealthcheck" title="#opt-passiveHealthcheck">`passiveHealthcheck`</a> | Configures the passive health check to remove unhealthy servers from the load balancing rotation.                                                                                                                                                                                                                                                                                             | No       |
 | <a id="opt-passHostHeader" href="#opt-passHostHeader" title="#opt-passHostHeader">`passHostHeader`</a> | Allows forwarding of the client Host header to server. By default, `passHostHeader` is true.                                                                                                                                                                                                                                                                                                  | No       |
 | <a id="opt-serversTransport" href="#opt-serversTransport" title="#opt-serversTransport">`serversTransport`</a> | Allows to reference an [HTTP ServersTransport](./serverstransport.md) configuration for the communication between Traefik and your servers. If no `serversTransport` is specified, the `default@internal` will be used.                                                                                                                                                                       | No       |
 | <a id="opt-responseForwarding" href="#opt-responseForwarding" title="#opt-responseForwarding">`responseForwarding`</a> | Configures how Traefik forwards the response from the backend server to the client.                                                                                                                                                                                                                                                                                                           | No       |
@@ -114,7 +126,9 @@ Servers represent individual backend instances for your service. The [service lo
 
 #### Health Check
 
-The `healthcheck` option configures health check to remove unhealthy servers from the load balancing rotation. Traefik will consider HTTP(s) servers healthy as long as they return a status code to the health check request (carried out every interval) between `2XX` and `3XX`, or matching the configured status. For gRPC servers, Traefik will consider them healthy as long as they return SERVING to [gRPC health check v1 requests](https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
+The `healthcheck` option configures health check to remove unhealthy servers from the load balancing rotation.
+Traefik will consider HTTP(s) servers healthy as long as they return a status code to the health check request (carried out every interval) between `2XX` and `3XX`, or matching the configured status.
+For gRPC servers, Traefik will consider them healthy as long as they return SERVING to [gRPC health check v1 requests](https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
 
 To propagate status changes (e.g. all servers of this service are down) upwards, HealthCheck must also be enabled on the parent(s) of this service.
 
@@ -143,39 +157,39 @@ On subsequent requests, to keep the session alive with the same server, the clie
 
 ##### Stickiness on multiple levels
 
-    When chaining or mixing load-balancers (e.g. a load-balancer of servers is one of the "children" of a load-balancer of services), for stickiness to work all the way, the option needs to be specified at all required levels. Which means the client needs to send a cookie with as many key/value pairs as there are sticky levels.
+When chaining or mixing load-balancers (e.g. a load-balancer of servers is one of the "children" of a load-balancer of services), for stickiness to work all the way, the option needs to be specified at all required levels. Which means the client needs to send a cookie with as many key/value pairs as there are sticky levels.
 
 ##### Stickiness & Unhealthy Servers
 
-    If the server specified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).
+If the server specified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).
 
 ##### Cookie Name
 
-    The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
+The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
 
 ##### MaxAge
 
-    By default, the affinity cookie will never expire as the `MaxAge` option is set to zero.
+By default, the affinity cookie will never expire as the `MaxAge` option is set to zero.
+
+This option indicates the number of seconds until the cookie expires.  
+When set to a negative number, the cookie expires immediately.
 
-    This option indicates the number of seconds until the cookie expires.  
-    When set to a negative number, the cookie expires immediately.
-    
 ##### Secure & HTTPOnly & SameSite flags
 
-    By default, the affinity cookie is created without those flags.
-    One however can change that through configuration.
+By default, the affinity cookie is created without those flags.
+One however can change that through configuration.
 
-    `SameSite` can be `none`, `lax`, `strict` or empty.
+`SameSite` can be `none`, `lax`, `strict` or empty.
 
 ##### Domain
 
-    The Domain attribute of a cookie specifies the domain for which the cookie is valid. 
-    
-    By setting the Domain attribute, the cookie can be shared across subdomains (for example, a cookie set for example.com would be accessible to www.example.com, api.example.com, etc.). This is particularly useful in cases where sticky sessions span multiple subdomains, ensuring that the session is maintained even when the client interacts with different parts of the infrastructure.
+The Domain attribute of a cookie specifies the domain for which the cookie is valid. 
+
+By setting the Domain attribute, the cookie can be shared across subdomains (for example, a cookie set for example.com would be accessible to www.example.com, api.example.com, etc.). This is particularly useful in cases where sticky sessions span multiple subdomains, ensuring that the session is maintained even when the client interacts with different parts of the infrastructure.
 
 ??? example "Adding Stickiness -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
 
-    ```yaml tab="YAML"
+    ```yaml tab="Structured (YAML)"
     ## Dynamic configuration
     http:
       services:
@@ -185,7 +199,7 @@ On subsequent requests, to keep the session alive with the same server, the clie
              cookie: {}
     ```
 
-    ```toml tab="TOML"
+    ```toml tab="Structured (TOML)"
     ## Dynamic configuration
     [http.services]
       [http.services.my-service]
@@ -194,7 +208,7 @@ On subsequent requests, to keep the session alive with the same server, the clie
 
 ??? example "Adding Stickiness with custom Options -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
 
-    ```yaml tab="YAML"
+    ```yaml tab="Structured (YAML)"
     ## Dynamic configuration
     http:
       services:
@@ -208,7 +222,7 @@ On subsequent requests, to keep the session alive with the same server, the clie
                 httpOnly: true
     ```
 
-    ```toml tab="TOML"
+    ```toml tab="Structured (TOML)"
     ## Dynamic configuration
     [http.services]
       [http.services.my-service]
@@ -222,7 +236,7 @@ On subsequent requests, to keep the session alive with the same server, the clie
 
 ??? example "Setting Stickiness on all the required levels -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
 
-    ```yaml tab="YAML"
+    ```yaml tab="Structured (YAML)"
     ## Dynamic configuration
     http:
       services:
@@ -256,7 +270,7 @@ On subsequent requests, to keep the session alive with the same server, the clie
               - url: http://127.0.0.1:8084
     ```
 
-    ```toml tab="TOML"
+    ```toml tab="Structured (TOML)"
     ## Dynamic configuration
     [http.services]
       [http.services.wrr1]
@@ -288,11 +302,29 @@ On subsequent requests, to keep the session alive with the same server, the clie
             url = "http://127.0.0.1:8084"
     ```
 
-    To keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:
+To keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:
 
-    ```
-    curl -b "lvl1=whoami1; lvl2=http://127.0.0.1:8081" http://localhost:8000
-    ```
+```bash
+curl -b "lvl1=whoami1; lvl2=http://127.0.0.1:8081" http://localhost:8000
+```
+
+#### Passive Health Check
+
+The `passiveHealthcheck` option configures passive health check to remove unhealthy servers from the load balancing rotation.
+
+Passive health checks rely on real traffic to assess server health.
+Traefik forwards requests as usual and evaluates each response or timeout,
+incrementing a failure counter whenever a request fails.
+If the number of successive failures within a specified time window exceeds the configured threshold,
+Traefik will automatically stop routing traffic to that server until it recovers.
+A server will be considered healthy again after the configured failure window has passed.
+
+Below are the available options for the passive health check mechanism:
+
+| Field               | Description                                                                                                                                                                         | Default | Required |
+|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
+| <a id="opt-failureWindow" href="#opt-failureWindow" title="#opt-failureWindow">`failureWindow`</a> | Defines the time window during which the failed attempts must occur for the server to be marked as unhealthy. It also defines for how long the server will be considered unhealthy. | 10s     | No       |
+| <a id="opt-maxFailedAttempts" href="#opt-maxFailedAttempts" title="#opt-maxFailedAttempts">`maxFailedAttempts`</a> | Defines the number of consecutive failed attempts allowed within the failure window before marking the server as unhealthy.                                                         | 1       | No       |
 
 ## Weighted Round Robin (WRR)
 
@@ -421,13 +453,14 @@ http:
       [[http.services.appv2.loadBalancer.servers]]
         url = "http://private-ip-server-2/"
 ```
+
 ## P2C
 
 Power of two choices algorithm is a load balancing strategy that selects two servers at random and chooses the one with the least number of active requests.
 
 ??? example "P2C Load Balancing -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
 
-    ```yaml tab="YAML"
+    ```yaml tab="Structured (YAML)"
     ## Dynamic configuration
     http:
       services:
@@ -440,7 +473,7 @@ Power of two choices algorithm is a load balancing strategy that selects two ser
             - url: "http://private-ip-server-3/"
     ```
 
-    ```toml tab="TOML"
+    ```toml tab="Structured (TOML) "
     ## Dynamic configuration
     [http.services]
       [http.services.my-service.loadBalancer]
@@ -453,6 +486,48 @@ Power of two choices algorithm is a load balancing strategy that selects two ser
           url = "http://private-ip-server-3/"
     ```
 
+## Least-Time
+
+The Least-Time load balancing algorithm selects the server with the lowest average response time (Time To First Byte - TTFB),
+combined with the fewest active connections, weighted by server capacity.
+This strategy is ideal for heterogeneous backend environments where servers have varying performance characteristics,
+different hardware capabilities, or varying network latency.
+
+The algorithm continuously measures each backend's response time and tracks active connection counts.
+When routing a request,
+it calculates a score for each healthy server using the formula: `(avg_response_time × (1 + active_connections)) / weight`.
+The server with the lowest score receives the request.
+When multiple servers have identical scores,
+Weighted Round Robin (WRR) with Earliest Deadline First (EDF) scheduling is used as a tie-breaker to ensure fair distribution.
+
+??? example "Basic Least-Time Load Balancing -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+
+    ```yaml tab="Structured (YAML)"
+    ## Dynamic configuration
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            strategy: "leasttime"
+            servers:
+            - url: "http://private-ip-server-1/"
+            - url: "http://private-ip-server-2/"
+            - url: "http://private-ip-server-3/"
+    ```
+
+    ```toml tab="Structured (TOML)"
+    ## Dynamic configuration
+    [http.services]
+      [http.services.my-service.loadBalancer]
+        strategy = "leasttime"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-1/"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-2/"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-3/"
+    ```
+
 ## Mirroring
 
 The mirroring is able to mirror requests sent to a service to other services. Please note that by default the whole request is buffered in memory while it is being mirrored. See the `maxBodySize` option in the example below for how to modify this behaviour. You can also omit the request body by setting the `mirrorBody` option to false.

docs/content/reference/routing-configuration/http/middlewares/apikey.md

@@ -53,4 +53,4 @@ stringData:
 | <a id="opt-secretNonBase64Encoded" href="#opt-secretNonBase64Encoded" title="#opt-secretNonBase64Encoded">`secretNonBase64Encoded`</a> | Defines whether the secret sent by the client is base64 encoded. | false   | No       |
 | <a id="opt-secretValues" href="#opt-secretValues" title="#opt-secretValues">`secretValues`</a> | Contain the hash of the API keys. <br /> Supported hashing algorithms are Bcrypt, SHA1 and MD5. <br /> The hash should be generated using `htpasswd`.<br />Can reference a Kubernetes Secret using the URN format: `urn:k8s:secret:[name]:[valueKey]` | []      | Yes      |
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}

docs/content/reference/routing-configuration/http/middlewares/basicauth.md

@@ -92,4 +92,4 @@ The option `users` supports Kubernetes secrets.
     Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
     You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
 
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}