Prepare release v3.5.2

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>

.github/workflows/build.yaml

@@ -51,7 +51,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/check_doc.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/codeql.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     - name: setup go
       uses: actions/setup-go@v5

.github/workflows/documentation.yml

@@ -1,6 +1,7 @@
 name: Build and Publish Documentation
 
 on:
+  workflow_dispatch: {}
   push:
     branches:
       - master
@@ -19,7 +20,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -39,9 +40,9 @@ jobs:
         run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}
 
       - name: Build documentation
-        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
-        env:
-          STRUCTOR_LATEST_TAG: ${{ vars.STRUCTOR_LATEST_TAG }}
+        run: |
+          STRUCTOR_LATEST_TAG=$(curl -s https://api.github.com/repos/traefik/traefik/releases/latest | jq -r '.tag_name')
+          $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
 
       - name: Apply seo
         run: $HOME/bin/seo -path=./site -product=traefik

.github/workflows/experimental.yaml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/release.yaml

@@ -30,7 +30,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -89,7 +89,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -126,13 +126,11 @@ jobs:
           tar cfz "dist/traefik-${VERSION}.src.tar.gz" \
             --exclude-vcs \
             --exclude .idea \
-            --exclude .travis \
-            --exclude .semaphoreci \
             --exclude .github \
             --exclude dist .
           
           chown -R "$(id -u)":"$(id -g)" dist/
-          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION}
+          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION} --latest=true
           
           ./script/deploy.sh
 

.github/workflows/template-webui.yaml

@@ -8,7 +8,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/test-conformance.yaml

@@ -30,11 +30,6 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
-      - name: Avoid generating webui
-        run: |
-          mkdir webui/static
-          touch webui/static/index.html
-
       - name: K8s Gateway API conformance test and report
         run: |
           make test-gateway-api-conformance

.github/workflows/test-integration.yaml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -30,11 +30,6 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
 
-      - name: Avoid generating webui
-        run: |
-          mkdir webui/static
-          touch webui/static/index.html
-
       - name: Build binary
         run: make binary-linux-amd64
 
@@ -64,7 +59,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -74,11 +69,6 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
 
-      - name: Avoid generating webui
-        run: |
-          mkdir webui/static
-          touch webui/static/index.html
-
       - name: Download traefik binary
         uses: actions/download-artifact@v4
         with:

.github/workflows/test-unit.yaml

@@ -20,7 +20,7 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -46,7 +46,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -56,11 +56,6 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
 
-      - name: Avoid generating webui
-        run: |
-          mkdir webui/static
-          touch webui/static/index.html
-
       - name: Tests
         run: |
           go test -v -parallel 8 ${{ matrix.package.group }}
@@ -70,7 +65,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/validate.yaml

@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -27,11 +27,6 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
 
-      - name: Avoid generating webui
-        run: |
-          mkdir webui/static
-          touch webui/static/index.html
-
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v7
         with:
@@ -42,7 +37,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -55,11 +50,6 @@ jobs:
       - name: Install misspell ${{ env.MISSPELL_VERSION }}
         run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/HEAD/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}
 
-      - name: Avoid generating webui
-        run: |
-          mkdir webui/static
-          touch webui/static/index.html
-
       - name: Validate
         run: make validate-files
 
@@ -68,7 +58,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.golangci.yml

@@ -308,8 +308,6 @@ linters:
         text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
       - path: (.+)\.go$
         text: 'SA1019: c.Providers.(ConsulCatalog|Consul|Nomad).Namespace is deprecated'
-      - path: (.+)\.go$
-        text: 'SA1019: dockertypes.ContainerNode is deprecated'
       - path: pkg/provider/kubernetes/crd/kubernetes.go
         text: "Function 'loadConfigurationFromCRD' has too many statements"
         linters:

.semaphore/semaphore.yml

@@ -1,13 +0,0 @@
-version: v1.0
-name: Traefik Release - deprecated
-agent:
-  machine:
-    type: f1-standard-2
-    os_image: ubuntu2204
-blocks:
-  - name: 'Do nothing'
-    task:
-      jobs:
-        - name: 'Do nothing'
-          commands:
-            - echo "Do nothing"

CHANGELOG.md

@@ -1,3 +1,66 @@
+## [v3.5.2](https://github.com/traefik/traefik/tree/v3.5.2) (2025-09-09)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.1...v3.5.2)
+
+**Bug fixes:**
+- **[middleware,accesslogs]** Add GenericCLF log format for access logs ([#12033](https://github.com/traefik/traefik/pull/12033) by [sdelicata](https://github.com/sdelicata))
+- **[middleware]** Fix customerrors query url replacement ([#11876](https://github.com/traefik/traefik/pull/11876) by [DorianBlues](https://github.com/DorianBlues))
+- **[tls,service]** Send proxy protocol header before TLS handshake ([#11956](https://github.com/traefik/traefik/pull/11956) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Restore empty webui/static to use traefik as library ([#12025](https://github.com/traefik/traefik/pull/12025) by [youkoulayley](https://github.com/youkoulayley))
+
+**Documentation:**
+- **[accesslogs]** Fix path for access-logs header config ([#12030](https://github.com/traefik/traefik/pull/12030) by [cgatt](https://github.com/cgatt))
+- **[acme]** Fixes typo for OCSP in CLI example ([#12039](https://github.com/traefik/traefik/pull/12039) by [mloiseleur](https://github.com/mloiseleur))
+- **[docker/swarm]** Fixes typo for Swarm mode in CLI example ([#12038](https://github.com/traefik/traefik/pull/12038) by [BilalBudhani](https://github.com/BilalBudhani))
+- **[kv]** Fix broken links in KV store documentation ([#12040](https://github.com/traefik/traefik/pull/12040) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[middleware]** Add redis options to ratelimit middleware & Include distributed rate limit middleware ([#12041](https://github.com/traefik/traefik/pull/12041) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[server]** Fix link to HTTP3 section in documentation ([#12028](https://github.com/traefik/traefik/pull/12028) by [vincentbernat](https://github.com/vincentbernat))
+- Fix migration path in documentation ([#12032](https://github.com/traefik/traefik/pull/12032) by [nmengin](https://github.com/nmengin))
+
+## [v3.5.1](https://github.com/traefik/traefik/tree/v3.5.1) (2025-08-27)
+[All Commits](https://github.com/traefik/traefik/compare/v3.5.0...v3.5.1)
+
+**Bug fixes:**
+- **[accesslogs,otel]** Provide Log Body in OTEL access Log ([#11867](https://github.com/traefik/traefik/pull/11867) by [tomMoulard](https://github.com/tomMoulard))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.25.1 ([#11882](https://github.com/traefik/traefik/pull/11882) by [ldez](https://github.com/ldez))
+- **[k8s/gatewayapi]** Make app protocol case insensitive ([#11989](https://github.com/traefik/traefik/pull/11989) by [shreealt](https://github.com/shreealt))
+- **[otel]** Fix misspelling in docs ([#11952](https://github.com/traefik/traefik/pull/11952) by [mmanciop](https://github.com/mmanciop))
+- **[server]** Bump to github.com/pires/go-proxyproto v0.8.1 ([#11991](https://github.com/traefik/traefik/pull/11991) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Silent expected errors on receiving sigterm signal ([#11838](https://github.com/traefik/traefik/pull/11838) by [Kwuray](https://github.com/Kwuray))
+- **[tracing]** Fix capturedRequestHeaders and capturedResponseHeaders headers options not being canonicalized in tracing ([#12005](https://github.com/traefik/traefik/pull/12005) by [mcuelenaere](https://github.com/mcuelenaere))
+- **[tracing]** Follow OTel semantic conventions for root span naming ([#11673](https://github.com/traefik/traefik/pull/11673) by [Alex-Waring](https://github.com/Alex-Waring))
+- **[webui]** Update Traefik Proxy dashboard UI development deps ([#11958](https://github.com/traefik/traefik/pull/11958) by [mdeliatf](https://github.com/mdeliatf))
+- Refactor to use reflect.TypeFor ([#12010](https://github.com/traefik/traefik/pull/12010) by [cuiweixie](https://github.com/cuiweixie))
+
+**Documentation:**
+- **[docker]** Fix missing middleware application for whoami service in docker guide ([#12012](https://github.com/traefik/traefik/pull/12012) by [Copilot](https://github.com/apps/copilot-swe-agent))
+- **[k8s/gatewayapi]** Fix documentation to match new gateway-api selector syntax ([#12006](https://github.com/traefik/traefik/pull/12006) by [Firespray-31](https://github.com/Firespray-31))
+- **[middleware,hub]** Add Traefik Hub Middlewares To Reference Section ([#11937](https://github.com/traefik/traefik/pull/11937) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[plugins]** Add extend documentation ([#11904](https://github.com/traefik/traefik/pull/11904) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Update Broken Links in the Migration Docs ([#12016](https://github.com/traefik/traefik/pull/12016) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix Documentation menu ([#12013](https://github.com/traefik/traefik/pull/12013) by [nmengin](https://github.com/nmengin))
+- Fix invalid links in documentation ([#11995](https://github.com/traefik/traefik/pull/11995) by [mloiseleur](https://github.com/mloiseleur))
+- Fix typo in index ([#11994](https://github.com/traefik/traefik/pull/11994) by [ignyx](https://github.com/ignyx))
+- Restore missing migration section ([#11973](https://github.com/traefik/traefik/pull/11973) by [rtribotte](https://github.com/rtribotte))
+- Clean Documentation ([#11945](https://github.com/traefik/traefik/pull/11945) by [nmengin](https://github.com/nmengin))
+- Add back the link to Peka's page ([#11942](https://github.com/traefik/traefik/pull/11942) by [kevinpollet](https://github.com/kevinpollet))
+
+**Misc:**
+- Merge branch v2.11 into v3.5 ([#12019](https://github.com/traefik/traefik/pull/12019) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.5 ([#12017](https://github.com/traefik/traefik/pull/12017) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.5 ([#11966](https://github.com/traefik/traefik/pull/11966) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.4 into v3.5 ([#11953](https://github.com/traefik/traefik/pull/11953) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.11.29](https://github.com/traefik/traefik/tree/v2.11.29) (2025-08-26)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.28...v2.11.29)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.25.2 ([#11983](https://github.com/traefik/traefik/pull/11983) by [ldez](https://github.com/ldez))
+- **[docker]** Bump github.com/docker/docker to v28.3.3 ([#12007](https://github.com/traefik/traefik/pull/12007) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- Fix invalid links in documentation ([#11960](https://github.com/traefik/traefik/pull/11960) by [mloiseleur](https://github.com/mloiseleur))
+- Update releases docs for v3.5 ([#11949](https://github.com/traefik/traefik/pull/11949) by [jnoordsij](https://github.com/jnoordsij))
+
 ## [v3.5.0](https://github.com/traefik/traefik/tree/v3.5.0) (2025-07-23)
 [All Commits](https://github.com/traefik/traefik/compare/v3.5.0-rc1...v3.5.0)
 

Makefile

@@ -35,12 +35,15 @@ build-webui-image:
 .PHONY: clean-webui
 #? clean-webui: Clean WebUI static generated assets
 clean-webui:
-	rm -rf webui/static
+	rm -r webui/static
+	mkdir -p webui/static
+	printf 'For more information see `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md
 
 webui/static/index.html:
 	$(MAKE) build-webui-image
 	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui yarn build:prod
 	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static
+	printf 'For more information see `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md
 
 .PHONY: generate-webui
 #? generate-webui: Generate WebUI
@@ -181,11 +184,6 @@ generate-crd:
 generate-genconf:
 	go run ./cmd/internal/gen/
 
-.PHONY: release-packages
-#? release-packages: Create packages for the release
-release-packages: generate-webui
-	$(CURDIR)/script/release-packages.sh
-
 .PHONY: fmt
 #? fmt: Format the Code
 fmt:

README.md

@@ -7,7 +7,6 @@
     </picture>
 </p>
 
-[![Build Status SemaphoreCI](https://traefik-oss.semaphoreci.com/badges/traefik/branches/master.svg?style=shields)](https://traefik-oss.semaphoreci.com/projects/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
@@ -152,7 +151,7 @@ We use [Semantic Versioning](https://semver.org/).
 
 ## Credits
 
-Kudos to Peka for his awesome work on the gopher's logo!.
+Kudos to [Peka](https://www.instagram.com/pierroks/) for his awesome work on the gopher's logo!.
 
 The gopher's logo of Traefik is licensed under the Creative Commons 3.0 Attributions license.
 

docs/content/assets/css/menu-icons.css

@@ -0,0 +1,58 @@
+/* Traefik Hub Menu icon base styles */
+.menu-icon {
+  height: 18px;
+  width: 18px;
+  vertical-align: middle;
+  margin-left: 6px;
+  transition: all 0.2s ease;
+  filter: drop-shadow(0 1px 1px rgba(0,0,0,0.1));
+  display: inline;
+  white-space: nowrap;
+}
+
+/* Ensure parent container keeps items inline */
+.nav-link-with-icon {
+  white-space: nowrap !important;
+  display: inline-flex !important;
+  align-items: center !important;
+}
+
+/* Hover effects */
+.menu-icon:hover {
+  transform: scale(1.05);
+  opacity: 0.8;
+}
+
+/* Tablet responsive */
+@media (max-width: 1024px) {
+  .menu-icon {
+    height: 14px;
+    width: 14px;
+    margin-left: 4px;
+  }
+}
+
+/* Mobile responsive */
+@media (max-width: 768px) {
+  .menu-icon {
+    height: 12px;
+    width: 12px;
+    margin-left: 3px;
+    vertical-align: middle;
+  }
+  
+  /* Keep mobile navigation items inline */
+  .nav-link-with-icon {
+    display: inline-flex !important;
+    align-items: center !important;
+    width: auto !important;
+  }
+}
+
+/* High DPI displays */
+@media (-webkit-min-device-pixel-ratio: 2), (min-resolution: 192dpi) {
+  .menu-icon {
+    image-rendering: -webkit-optimize-contrast;
+    image-rendering: crisp-edges;
+  }
+}

docs/content/deprecation/releases.md

@@ -6,7 +6,8 @@ Below is a non-exhaustive list of versions and their maintenance status:
 
 | Version | Release Date | Active Support     | Security Support  |
 |---------|--------------|--------------------|-------------------|
-| 3.4     | May 05, 2025 | Yes                | Yes               |
+| 3.5     | Jul 23, 2025 | Yes                | Yes               |
+| 3.4     | May 05, 2025 | Ended Jul 23, 2025 | No                |
 | 3.3     | Jan 06, 2025 | Ended May 05, 2025 | No                |
 | 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 | No                |
 | 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 | No                |
@@ -33,7 +34,7 @@ Below is a non-exhaustive list of versions and their maintenance status:
 
 This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.
 
-Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v2 to v3 migration guide](../migration/v2-to-v3.md).
+Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v2 to v3 migration guide](../migrate/v2-to-v3.md).
 
 !!! important "All target dates for end of support or feature removal announcements may be subject to change."
 

docs/content/expose/docker.md

@@ -258,6 +258,9 @@ labels:
   
   # IP Allowlist Middleware
   - "traefik.http.middlewares.ip-allowlist.ipallowlist.sourceRange=127.0.0.1/32,192.168.0.0/16,10.0.0.0/8"
+  
+  # Apply middlewares to whoami router
+  - "traefik.http.routers.whoami.middlewares=secure-headers,ip-allowlist"
 ```
 
 Add the same middleware to your whoami-api service:

docs/content/expose/kubernetes.md

@@ -325,11 +325,13 @@ kubectl create secret tls whoami-tls --cert=tls.crt --key=tls.key
         web:
           port: 80
           protocol: HTTP
-          namespacePolicy: All
+          namespacePolicy:
+            from: All
         websecure:
           port: 443
           protocol: HTTPS
-          namespacePolicy: All
+          namespacePolicy:
+            from: All
           mode: Terminate
           certificateRefs:
             - kind: Secret

docs/content/extend/extend-traefik.md

@@ -0,0 +1,56 @@
+---
+title: Extend Traefik
+description: Extend Traefik with custom plugins using Yaegi and WebAssembly.
+---
+
+# Extend Traefik
+
+Plugins are a powerful feature for extending Traefik with custom features and behaviors. The [Plugin Catalog](https://plugins.traefik.io/) is a software-as-a-service (SaaS) platform that provides an exhaustive list of the existing plugins.
+
+??? note "Plugin Catalog Access"
+    You can reach the [Plugin Catalog](https://plugins.traefik.io/) from the Traefik Dashboard using the `Plugins` menu entry.
+
+## Add a new plugin to a Traefik instance
+
+To add a new plugin to a Traefik instance, you must change that instance's install (static) configuration. Each plugin's **Install** section provides an install (static) configuration example. Many plugins have their own section in the Traefik routing (dynamic) configuration.
+
+!!! danger "Experimental Features"
+    Plugins can change the behavior of Traefik in unforeseen ways. Exercise caution when adding new plugins to production Traefik instances.
+
+To learn more about how to add a new plugin to a Traefik instance, please refer to the [developer documentation](https://plugins.traefik.io/install).
+
+## Plugin Systems
+
+Traefik supports two different plugin systems, each designed for different use cases and developer preferences.
+
+### Yaegi Plugin System
+
+Traefik [Yaegi](https://github.com/traefik/yaegi) plugins are developed using the Go language. It is essentially a Go package. Unlike pre-compiled plugins, Yaegi plugins are executed on the fly by Yaegi, a Go interpreter embedded in Traefik.
+
+This approach eliminates the need for compilation and a complex toolchain, making plugin development as straightforward as creating web browser extensions. Yaegi plugins support both middleware and provider functionality.
+
+#### Key characteristics
+
+- Written in Go language
+- No compilation required
+- Executed by embedded interpreter
+- Supports full Go feature set
+- Hot-reloadable during development
+
+### WebAssembly (WASM) Plugin System
+
+Traefik WASM plugins can be developed using any language that compiles to WebAssembly (WASM). This method is based on [http-wasm](https://http-wasm.io/).
+
+WASM plugins compile to portable binary modules that execute with near-native performance while maintaining security isolation.
+
+#### Key characteristics
+
+- Multi-language support (Go, Rust, C++, etc.)
+- Compiled to WebAssembly binary
+- Near-native performance
+- Strong security isolation
+- Currently supports middleware only
+
+## Build Your Own Plugins
+
+Traefik users can create their own plugins and share them with the community using the [Plugin Catalog](https://plugins.traefik.io/). To learn more about Traefik plugin creation, please refer to the [developer documentation](https://plugins.traefik.io/create).

docs/content/getting-started/configuration-overview.md

@@ -12,10 +12,10 @@ How the Magic Happens
 
 Configuration in Traefik can refer to two different things:
 
-- The fully dynamic routing configuration (referred to as the _dynamic configuration_)
-- The startup configuration (referred to as the _static configuration_)
+- The fully dynamic routing configuration (referred to as the _routing configuration_, formerly known as the _dynamic configuration_)
+- The startup configuration (referred to as the _install configuration_, formerly known as the _static configuration_)
 
-Elements in the _static configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).
+Elements in the install configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).
 
 The _dynamic configuration_ contains everything that defines how the requests are handled by your system.
 This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.
@@ -32,9 +32,9 @@ Since this configuration is specific to your infrastructure choices, we invite y
 
 !!! info ""
 
-    In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
+    In the [Quick Start example](../getting-started/quick-start.md), the routing configuration comes from docker in the form of labels attached to your containers.
 
-!!! info "HTTPS Certificates also belong to the dynamic configuration."
+!!! info "HTTPS Certificates also belong to the routing configuration."
 
     You can add / update / remove them without restarting your Traefik instance.
 
@@ -82,11 +82,11 @@ docker run traefik[:version] --help
 # ex: docker run traefik:v3.5 --help
 ```
 
-Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.
+Check the [CLI reference](../reference/install-configuration/configuration-options.md "Link to CLI reference overview") for an overview about all available arguments.
 
 ### Environment Variables
 
-All available environment variables can be found in the [static configuration environment overview](../reference/static-configuration/env.md).
+All available environment variables can be found in the [static configuration environment overview](../reference/install-configuration/configuration-options.md).
 
 ## Available Configuration Options
 

docs/content/getting-started/kubernetes.md

@@ -79,7 +79,10 @@ providers:
   kubernetesGateway:
     enabled: true
 gateway:
-  namespacePolicy: All
+  listeners:
+    web:
+      namespacePolicy:
+        from: All
 ```
 
 !!! info
@@ -106,7 +109,7 @@ helm install traefik traefik/traefik --wait \
   --set ingressRoute.dashboard.matchRule='Host(`dashboard.localhost`)' \
   --set ingressRoute.dashboard.entryPoints={web} \
   --set providers.kubernetesGateway.enabled=true \
-  --set gateway.namespacePolicy=All
+  --set gateway.listeners.web.namespacePolicy.from=All
 ```
 
 !!! info

docs/content/https/acme.md

@@ -352,13 +352,14 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
 | [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
 | [Axelname](https://axelname.ru)                                        | `axelname`         | `AXELNAME_NICKNAME`, `AXELNAME_TOKEN`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/axelname)         |
-| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [Azion](https://www.azion.com/en/products/edge-dns/)                   | `azion`            | `AZION_PERSONAL_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/azion)            |
+| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | DEPRECATED use `azuredns` instead.                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
 | [AzureDNS](https://azure.microsoft.com/services/dns/)                  | `azuredns`         | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns)         |
 | [Baidu Cloud](https://cloud.baidu.com)                                 | `baiducloud`       | `BAIDUCLOUD_ACCESS_KEY_ID`, `BAIDUCLOUD_SECRET_ACCESS_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/baiducloud)       |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)             | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
 | [Blue Cat](https://www.bluecatnetworks.com/)                           | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
 | [BookMyName](https://www.bookmyname.com)                               | `bookmyname`       | `BOOKMYNAME_USERNAME`, `BOOKMYNAME_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/bookmyname)       |
-| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
+| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
 | [Bunny](https://bunny.net)                                             | `bunny`            | `BUNNY_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/bunny)            |
 | [Checkdomain](https://www.checkdomain.de/)                             | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
 | [Civo](https://www.civo.com/)                                          | `civo`             | `CIVO_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
@@ -366,7 +367,8 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [CloudDNS](https://vshosting.eu/)                                      | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
 | [Cloudflare](https://www.cloudflare.com)                               | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
 | [ClouDNS](https://www.cloudns.net/)                                    | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
-| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [ConoHa v3](https://www.conoha.jp/)                                    | `conohav3`         | `CONOHAV3_TENANT_ID`, `CONOHAV3_API_USER_ID`, `CONOHAV3_API_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conohav3)         |
 | [ConoHa](https://www.conoha.jp)                                        | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
 | [Constellix](https://constellix.com)                                   | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
 | [Core-Networks](https://www.core-networks.de)                          | `corenetworks`     | `CORENETWORKS_LOGIN`, `CORENETWORKS_PASSWORD`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/corenetworks)     |
@@ -378,12 +380,13 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [DNS Made Easy](https://dnsmadeeasy.com)                               | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
 | [dnsHome.de](https://www.dnshome.de)                                   | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
 | [DNSimple](https://dnsimple.com)                                       | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
-| [DNSPod](https://www.dnspod.com/)                                      | `dnspod`           | `DNSPOD_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
+| [DNSPod](https://www.dnspod.com/) (DEPRECATED)                         | `dnspod`           | DEPRECATED  use `tencentcloud` instead.                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
 | [Domain Offensive (do.de)](https://www.do.de/)                         | `dode`             | `DODE_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
 | [Domeneshop](https://domene.shop)                                      | `domeneshop`       | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)       |
 | [DreamHost](https://www.dreamhost.com/)                                | `dreamhost`        | `DREAMHOST_API_KEY`                                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)        |
 | [Duck DNS](https://www.duckdns.org/)                                   | `duckdns`          | `DUCKDNS_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)          |
 | [Dyn](https://dyn.com)                                                 | `dyn`              | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)              |
+| [DynDnsFree.de](https://www.dyndnsfree.de)                             | `dyndnsfree`       | `DYNDNSFREE_USERNAME`, `DYNDNSFREE_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dyndnsfree)       |
 | [Dynu](https://www.dynu.com)                                           | `dynu`             | `DYNU_API_KEY`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)             |
 | [EasyDNS](https://easydns.com/)                                        | `easydns`          | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)          |
 | [EdgeDNS](https://www.akamai.com/)                                     | `edgedns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
@@ -399,7 +402,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Glesys](https://glesys.com/)                                          | `glesys`           | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)           |
 | [GoDaddy](https://www.godaddy.com)                                     | `godaddy`          | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)          |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)                 | `gcloud`           | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)           |
-| [Google Domains](https://domains.google)                               | `googledomains`    | `GOOGLE_DOMAINS_ACCESS_TOKEN`                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
+| [Google Domains](https://domains.google) (DEPRECATED)                  | `googledomains`    | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
 | [Hetzner](https://hetzner.com)                                         | `hetzner`          | `HETZNER_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
 | [hosting.de](https://www.hosting.de)                                   | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
 | [Hosttech](https://www.hosttech.eu)                                    | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
@@ -460,6 +463,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [RFC2136](https://tools.ietf.org/html/rfc2136)                         | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
 | [RimuHosting](https://rimuhosting.com)                                 | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
 | [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
+| [RU Center](https://nic.ru/)                                           | `nicru`            | `NICRU_USER`, `NICRU_PASSWORD`, `NICRU_SERVICE_ID`, `NICRU_SECRET`, `NICRU_SERVICE_NAME`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/nicru)            |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
 | [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCW_API_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
 | [Selectel v2](https://selectel.ru/en/)                                 | `selectelv2`       | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2)       |
@@ -494,6 +498,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Yandex Cloud](https://cloud.yandex.com/en/)                           | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
 | [Yandex](https://yandex.com)                                           | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
 | [Zone.ee](https://www.zone.ee)                                         | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
+| [ZoneEdit](https://www.zoneedit.com)                                   | `zoneedit`         | `ZONEEDIT_USER`, `ZONEEDIT_AUTH_TOKEN`                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/zoneedit)         |
 | [Zonomi](https://zonomi.com)                                           | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
 | External Program                                                       | `exec`             | `EXEC_PATH`                                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/exec)             |
 | HTTP request                                                           | `httpreq`          | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)          |

docs/content/https/tls.md

@@ -234,7 +234,7 @@ The TLS options allow one to configure some parameters of the TLS connection.
 
 !!! important "TLSOption in Kubernetes"
 
-    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../../routing/providers/kubernetes-crd/#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
     if not explicitly overwritten, should apply to all ingresses.  
     To achieve that, you'll have to create a TLSOption resource with the name `default`.
     There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
@@ -503,7 +503,7 @@ Traefik supports mutual authentication, through the `clientAuth` section.
 
 For authentication policies that require verification of the client certificate, the certificate authority for the certificates should be set in `clientAuth.caFiles`.
 
-In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) for more details.
+In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../../routing/providers/kubernetes-crd/#kind-tlsoption) for more details.
 
 The `clientAuth.clientAuthType` option governs the behaviour as follows:
 

docs/content/index.md

@@ -11,7 +11,7 @@ Traefik is an [open-source](https://github.com/traefik/traefik) Application Prox
 
 If you start with Traefik for service discovery and routing, you can seamlessly add [API management](https://traefik.io/solutions/api-management/), [API gateway](https://traefik.io/solutions/api-gateway/), [AI gateway](https://traefik.io/solutions/ai-gateway/), and [API mocking](https://traefik.io/solutions/api-mocking/) capabilities as needed.
 
-With 3.3 billion downloads and over 55k stars on GitHub, Traefik is used globally across hybrid cloud, multi-cloud, on prem, and bare metal environments running Kuberentes, Docker Swarm, AWS, [the list goes on](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/).
+With 3.3 billion downloads and over 55k stars on GitHub, Traefik is used globally across hybrid cloud, multi-cloud, on prem, and bare metal environments running Kubernetes, Docker Swarm, AWS, [the list goes on](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/).
 
 Here’s how it works—Traefik receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. It automatically discovers the right configuration for your services by inspecting your infrastructure to identify relevant information and which service serves which request.
 

docs/content/middlewares/http/addprefix.md

@@ -8,8 +8,6 @@ description: "Learn how to implement the HTTP AddPrefix middleware in Traefik Pr
 Prefixing the Path
 {: .subtitle }
 
-![AddPrefix](../../assets/img/middleware/addprefix.png)
-
 The AddPrefix middleware updates the path of a request before forwarding it.
 
 ## Configuration Examples

docs/content/middlewares/http/basicauth.md

@@ -8,8 +8,6 @@ description: "The HTTP basic authentication (BasicAuth) middleware in Traefik Pr
 Adding Basic Authentication
 {: .subtitle }
 
-![BasicAuth](../../assets/img/middleware/basicauth.png)
-
 The BasicAuth middleware grants access to services to authorized users only.
 
 ## Configuration Examples

docs/content/middlewares/http/buffering.md

@@ -8,8 +8,6 @@ description: "The HTTP buffering middleware in Traefik Proxy limits the size of
 How to Read the Request before Forwarding It
 {: .subtitle }
 
-![Buffering](../../assets/img/middleware/buffering.png)
-
 The Buffering middleware limits the size of requests that can be forwarded to services.
 
 With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified size limit.

docs/content/middlewares/http/chain.md

@@ -8,8 +8,6 @@ description: "The HTTP chain middleware lets you define reusable combinations of
 When One Isn't Enough
 {: .subtitle }
 
-![Chain](../../assets/img/middleware/chain.png)
-
 The Chain middleware enables you to define reusable combinations of other pieces of middleware.
 It makes reusing the same groups easier.
 

docs/content/middlewares/http/circuitbreaker.md

@@ -8,8 +8,6 @@ description: "The HTTP circuit breaker in Traefik Proxy prevents stacking reques
 Don't Waste Time Calling Unhealthy Services
 {: .subtitle }
 
-![CircuitBreaker](../../assets/img/middleware/circuitbreaker.png)
-
 The circuit breaker protects your system from stacking requests to unhealthy services, resulting in cascading failures.
 
 When your system is healthy, the circuit is closed (normal operations).

docs/content/middlewares/http/compress.md

@@ -8,8 +8,6 @@ description: "Traefik Proxy's HTTP middleware lets you compress responses before
 Compress Allows Compressing Responses before Sending them to the Client
 {: .subtitle }
 
-![Compress](../../assets/img/middleware/compress.png)
-
 The Compress middleware supports Gzip, Brotli and Zstandard compression.
 The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.
 

docs/content/middlewares/http/digestauth.md

@@ -8,8 +8,6 @@ description: "Traefik Proxy's HTTP DigestAuth middleware restricts access to you
 Adding Digest Authentication
 {: .subtitle }
 
-![BasicAuth](../../assets/img/middleware/digestauth.png)
-
 The DigestAuth middleware grants access to services to authorized users only.
 
 ## Configuration Examples

docs/content/middlewares/http/errorpages.md

@@ -8,8 +8,6 @@ description: "In Traefik Proxy, the Errors middleware returns custom pages accor
 It Has Never Been Easier to Say That Something Went Wrong
 {: .subtitle }
 
-![Errors](../../assets/img/middleware/errorpages.png)
-
 The Errors middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
 
 !!! important

docs/content/middlewares/http/forwardauth.md

@@ -8,8 +8,6 @@ description: "In Traefik Proxy, the HTTP ForwardAuth middleware delegates authen
 Using an External Service to Forward Authentication
 {: .subtitle }
 
-![AuthForward](../../assets/img/middleware/authforward.png)
-
 The ForwardAuth middleware delegates authentication to an external service.
 If the service answers with a 2XX code, access is granted, and the original request is performed.
 Otherwise, the response from the authentication server is returned.

docs/content/middlewares/http/headers.md

@@ -8,8 +8,6 @@ description: "In Traefik Proxy, the HTTP headers middleware manages the headers
 Managing Request/Response headers
 {: .subtitle }
 
-![Headers](../../assets/img/middleware/headers.png)
-
 The Headers middleware manages the headers of requests and responses.
 
 A set of forwarded headers are automatically added by default. See the [FAQ](../../getting-started/faq.md#what-are-the-forwarded-headers-when-proxying-http-requests) for more information.

docs/content/middlewares/http/inflightreq.md

@@ -8,8 +8,6 @@ description: "Traefik Proxy's HTTP middleware lets you limit the number of simul
 Limiting the Number of Simultaneous In-Flight Requests
 {: .subtitle }
 
-![InFlightReq](../../assets/img/middleware/inflightreq.png)
-
 To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous in-flight requests can be limited.
 
 ## Configuration Examples

docs/content/middlewares/http/ipwhitelist.md

@@ -8,8 +8,6 @@ description: "Learn how to use IPWhiteList in HTTP middleware for limiting clien
 Limiting Clients to Specific IPs
 {: .subtitle }
 
-![IPWhiteList](../../assets/img/middleware/ipwhitelist.png)
-
 IPWhiteList limits allowed requests based on the client IP.
 
 !!! warning

docs/content/middlewares/http/overview.md

@@ -8,8 +8,6 @@ description: "Read the official Traefik Proxy documentation for an overview of t
 Controlling connections
 {: .subtitle }
 
-![Overview](../../assets/img/middleware/overview.png)
-
 ## Configuration Example
 
 ```yaml tab="Docker & Swarm"

docs/content/middlewares/overview.md

@@ -8,8 +8,6 @@ description: "There are several available middleware in Traefik Proxy used to mo
 Tweaking the Request
 {: .subtitle }
 
-![Overview](../assets/img/middleware/overview.png)
-
 Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
 
 There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.

docs/content/middlewares/tcp/overview.md

@@ -8,8 +8,6 @@ description: "Read the official Traefik Proxy documentation for an overview of t
 Controlling connections
 {: .subtitle }
 
-![Overview](../../assets/img/middleware/overview.png)
-
 ## Configuration Example
 
 ```yaml tab="Docker & Swarm"

docs/content/migrate/v2-to-v3-details.md

@@ -5,7 +5,7 @@ description: "Configuration changes and their details to successfully migrate fr
 
 # Configuration Details for Migrating from Traefik v2 to v3
 
-## Static Configuration Changes
+## Install Configuration Changes
 
 ### SwarmMode
 
@@ -619,7 +619,7 @@ Please take a look at the observability documentation for more information:
 In v3, the `ServiceURL` field is not an object anymore but a string representation.
 An update may be required if you index access logs.
 
-## Dynamic Configuration Changes
+## Routing Configuration Changes
 
 ### Router Rule Matchers
 
@@ -730,7 +730,7 @@ In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing
 
 ### TCP LoadBalancer `terminationDelay` option
 
-The TCP LoadBalancer `terminationDelay` option has been removed.
+The TCP LoadBalancer `terminationDelay` option has been deprecated.
 This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)
 
 ### Kubernetes CRDs API Group `traefik.containo.us`

docs/content/migrate/v2-to-v3.md

@@ -0,0 +1,161 @@
+---
+title: "Traefik V3 Migration Documentation"
+description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
+---
+
+# Migration Guide: From v2 to v3
+
+How to Migrate from Traefik v2 to Traefik v3.
+{: .subtitle }
+
+!!! success "Streamlined Migration Process"
+    Traefik v3 introduces minimal breaking changes and maintains backward compatibility with v2 syntax in dynamic configuration, offering a gradual migration path.
+
+With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.
+
+## Migration Overview
+
+The migration process consists of three progressive steps designed to minimize risk and ensure a smooth transition:
+
+!!! abstract "Migration Steps"
+    **Step 1:** [Prepare configurations and test v3](#step-1-prepare-configurations-and-test-v3)  
+    **Step 2:** [Migrate production instances to Traefik v3](#step-2-migrate-production-instances-to-traefik-v3)  
+    **Step 3:** [Progressively migrate dynamic configuration](#step-3-progressively-migrate-dynamic-configuration)
+
+---
+
+## Step 1: Prepare Configurations and Test v3
+
+!!! info "Preparation Phase"
+    This step focuses on updating static configurations and enabling backward compatibility for a safe testing environment.
+
+### Configuration Updates
+
+**Review and Update Static Configuration**
+
+Check the changes in [static configurations](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3. Modify your configurations accordingly.
+
+**Enable v2 Compatibility Mode**
+
+Add the following configuration to maintain v2 syntax compatibility:
+
+```yaml
+# static configuration
+core:
+  defaultRuleSyntax: v2
+```
+
+!!! note "Backward Compatibility"
+    This snippet in the static configuration makes the [v2 format](../migrate/v2-to-v3-details.md#configure-the-default-syntax-in-static-configuration "Link to configure default syntax in static config") the default rule matchers syntax.
+
+### Testing Phase
+
+**Start Your Test Environment**
+
+1. Start Traefik v3 with the updated configuration
+2. Monitor the startup logs for any errors
+3. Test routing to your applications
+
+**Validation Checklist**
+
+- ✅ Traefik starts without error logs
+- ✅ All routes are functioning correctly  
+- ✅ Applications are accessible through Traefik
+
+!!! success "Ready for Next Step"
+    If you don't get any error logs while testing, you are good to go! Otherwise, follow the remaining migration options highlighted in the logs.
+
+Once your Traefik test instances are starting and routing to your applications, proceed to the next step.
+
+---
+
+## Step 2: Migrate Production Instances to Traefik v3
+
+!!! warning "Production Migration"
+    This is the critical step where you migrate your production environment. Proper monitoring and rollback preparation are essential.
+
+### Migration Strategy
+
+**Progressive Deployment**
+
+We strongly advise you to follow a progressive migration strategy ([Kubernetes rolling update mechanism](https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-intro/ "Link to the Kubernetes rolling update documentation"), for example) to migrate your production instances to v3.
+
+**Required Preparations**
+
+!!! danger "Critical Requirements"
+    - ✅ **Real-time monitoring solution** for ingress traffic ([monitoring guide](https://traefik.io/blog/capture-traefik-metrics-for-apps-on-kubernetes-with-prometheus/ "Link to the blog on capturing Traefik metrics with Prometheus"))
+    - ✅ **Rollback plan** ready for immediate execution
+    - ✅ **Team availability** during migration window
+
+### Migration Execution
+
+**During Migration:**
+
+1. **Monitor continuously:** Watch ingress traffic for any errors or anomalies
+2. **Be prepared to rollback:** Have your rollback procedure ready to execute immediately
+3. **Use debug logs:** Leverage debug and access logs to understand any issues that arise
+
+**Validation Steps:**
+
+- Monitor response times and error rates
+- Verify all critical application paths are working
+- Check that SSL/TLS termination is functioning correctly
+- Validate middleware behavior
+
+!!! success "Migration Complete"
+    Once every Traefik instance is updated, you will be on Traefik v3!
+
+---
+
+## Step 3: Progressively Migrate Dynamic Configuration
+
+!!! info "Optional Immediate Step"
+    This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes"). Enable Traefik logs to get some help if any deprecated option is in use.
+
+### Migration Process
+
+**Review Dynamic Configuration Changes**
+
+Check the changes in [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes") to understand what updates are needed.
+
+**Progressive Router Migration**
+
+1. **Select a router** to migrate first (start with non-critical services)
+2. **[Switch to v3 syntax](./v2-to-v3-details.md#configure-the-syntax-per-router "Link to configuring the syntax per router")** for that specific router
+3. **Test thoroughly** to ensure ingress traffic is not impacted
+4. **Deploy and validate** the updated resource
+5. **Remove the old v2 resource** once validation is complete
+6. **Repeat** for each remaining router
+
+### Migration Best Practices
+
+!!! tip "Migration Strategy"
+    - Start with development or staging environments
+    - Migrate one service at a time
+    - Test each migration thoroughly before proceeding
+    - Keep detailed logs of what was changed
+
+### Final Configuration Cleanup
+
+Once all Ingress resources are migrated to v3 syntax, remove the compatibility configuration:
+
+```yaml
+# Remove this from static configuration
+core:
+  defaultRuleSyntax: v2  # ← Delete this entire section
+```
+
+!!! success "🎉 Migration Complete!"
+    You are now fully migrated to Traefik v3 and can take advantage of all the new features and improvements!
+
+### Post-Migration Verification
+
+**Final Checklist:**
+
+- ✅ All routers use v3 syntax
+- ✅ v2 compatibility mode disabled
+- ✅ No deprecated warnings in logs
+- ✅ All applications functioning correctly
+- ✅ Performance metrics stable
+
+{!traefik-for-business-applications.md!}

docs/content/migrate/v3.md

@@ -0,0 +1,491 @@
+---
+title: "Traefik Migration Documentation"
+description: "Learn the steps needed to migrate to new Traefik Proxy v3 versions. Read the technical documentation."
+---
+
+# Migration: Steps needed between the versions
+
+This guide provides detailed migration steps for upgrading between different Traefik v3 versions. Each section covers breaking changes, deprecations, and configuration updates required for a smooth transition.
+
+---
+
+## v3.0 to v3.1
+
+### Kubernetes Provider RBACs
+
+Starting with v3.1, Traefik's Kubernetes Providers use the [EndpointSlices API](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) (requires Kubernetes >=v1.21) for service endpoint discovery. This change also introduces NodePort load-balancing capabilities.
+
+The following RBAC updates are required for all Kubernetes providers:
+
+- Remove endpoints permissions and add endpointslices:
+
+```yaml
+# Remove this section from your RBAC
+# - apiGroups: [""]
+#   resources: ["endpoints"]
+#   verbs: ["get", "list", "watch"]
+
+# Add this section instead
+- apiGroups:
+    - discovery.k8s.io
+  resources:
+    - endpointslices
+  verbs:
+    - list
+    - watch
+```
+
+- Add nodes permissions for NodePort support:
+
+```yaml
+- apiGroups:
+    - ""
+  resources:
+    - nodes
+  verbs:
+    - get
+    - list
+    - watch
+```
+
+!!! note "Affected Providers"
+    These changes apply to:
+    
+    - [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example) provider
+    - [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac) provider  
+    - [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider
+
+#### Gateway API: KubernetesGateway Provider
+
+The KubernetesGateway Provider is no longer experimental in v3.1 and can be enabled without the `experimental.kubernetesgateway` option.
+
+**Deprecated Configuration:**
+
+??? example "Experimental kubernetesgateway option (deprecated)"
+
+    ```yaml tab="File (YAML)"
+    experimental:
+      kubernetesgateway: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [experimental]
+        kubernetesgateway=true
+    ```
+
+    ```bash tab="CLI"
+    --experimental.kubernetesgateway=true
+    ```
+
+**Migration Steps:**
+
+1. Remove the `kubernetesgateway` option from the experimental section
+2. Configure the provider using the [KubernetesGateway Provider documentation](../providers/kubernetes-gateway.md)
+
+---
+
+## v3.1.0 to v3.1.1
+
+### IngressClass Lookup
+
+The `disableIngressClassLookup` option has been deprecated and will be removed in the next major version.
+
+**Migration Required:**
+
+- **Old:** `disableIngressClassLookup`
+- **New:** `disableClusterScopeResources`
+
+The new option provides broader control over cluster scope resources discovery, including both IngressClass and Nodes resources.
+
+---
+
+## v3.1 to v3.2
+
+### Kubernetes CRD Provider
+
+New optional fields have been added to several CRDs. These updates are backward compatible and only add new functionality.
+
+**Apply the latest CRDs:**
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+**Updated Resources:**
+
+- [TraefikService](../../routing/services/#mirroring-service) ([PR #11032](https://github.com/traefik/traefik/pull/11032))
+- [RateLimit](../../middlewares/http/ratelimit/) & [InFlightReq](../../middlewares/http/inflightreq/) middlewares ([PR #9747](https://github.com/traefik/traefik/pull/9747))
+- [Compress](../../middlewares/http/compress/) middleware ([PR #10943](https://github.com/traefik/traefik/pull/10943))
+
+### Kubernetes Gateway Provider Standard Channel
+
+Starting with v3.2, the Kubernetes Gateway Provider now supports [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/) resources.
+
+Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
+the `grcroutes` and `grpcroutes/status` rights have to be added.
+
+**Required RBAC Updates:**
+
+```yaml
+...
+- apiGroups:
+    - gateway.networking.k8s.io
+  resources:
+    - grpcroutes
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - gateway.networking.k8s.io
+  resources:
+    - grpcroutes/status
+  verbs:
+    - update
+...
+```
+
+### Kubernetes Gateway Provider Experimental Channel
+
+Due to breaking changes in Kubernetes Gateway [v1.2.0-rc1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0-rc1), Traefik v3.3 only supports Kubernetes Gateway v1.2.x when experimental features are enabled.
+
+**New Feature: BackendTLSPolicy Support**
+
+The provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/) resources.
+
+Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
+the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added.
+
+**Required RBAC Updates:**
+
+```yaml
+  ...
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - backendtlspolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - backendtlspolicies/status
+    verbs:
+      - update
+  ...
+```
+
+---
+
+## v3.2.1
+
+### X-Forwarded-Prefix Header Changes
+
+In v3.2.1, the `X-Forwarded-Prefix` header is now handled like other `X-Forwarded-*` headers - Traefik removes it when sent from untrusted sources.
+
+This change improves security by preventing header spoofing from untrusted clients. Refer to the [Forwarded headers documentation](../routing/entrypoints.md#forwarded-headers) for configuration details.
+
+---
+
+## v3.2.2
+
+### Swarm Provider Label Updates
+
+In v3.2.2, Swarm-specific labels have been deprecated and will be removed in a future version.
+
+**Migration Required:**
+
+| Deprecated Label | New Label |
+|------------------|-----------|
+| `traefik.docker.network` | `traefik.swarm.network` |
+| `traefik.docker.lbswarm` | `traefik.swarm.lbswarm` |
+
+---
+
+## v3.2 to v3.3
+
+### ACME DNS Certificate Resolver
+
+In v3.3, DNS challenge configuration options have been reorganized for better clarity.
+
+**Migration Required:**
+
+| Deprecated Option | New Option |
+|-------------------|------------|
+| `acme.dnsChallenge.delaybeforecheck` | `acme.dnsChallenge.propagation.delayBeforeChecks` |
+| `acme.dnsChallenge.disablepropagationcheck` | `acme.dnsChallenge.propagation.disableChecks` |
+
+### Tracing Global Attributes
+
+In v3.3, the tracing configuration has been clarified to better reflect its purpose.
+
+**Migration Required:**
+
+- **Old:** `tracing.globalAttributes`
+- **New:** `tracing.resourceAttributes`
+
+The old option name was misleading as it specifically adds resource attributes for the collector, not global span attributes.
+
+---
+
+## v3.3.4
+
+### OpenTelemetry Request Duration Metric
+
+In v3.3.4, the OpenTelemetry Request Duration metric unit has been standardized to match other providers and naming conventions.
+
+**Change Details:**
+
+- **Metric:** `traefik_(entrypoint|router|service)_request_duration_seconds`
+- **Old Unit:** Milliseconds  
+- **New Unit:** Seconds
+
+This change ensures consistency across all metrics providers and follows standard naming conventions.
+
+---
+
+## v3.3.5
+
+### Compress Middleware Default Encodings
+
+In v3.3.5, the default compression algorithms have been reordered to favor gzip compression.
+
+**New Default:** `gzip, br, zstd`
+
+This change affects requests that either:
+
+- Don't specify preferred algorithms in the `Accept-Encoding` header
+- Have no order preference in their `Accept-Encoding` header
+
+The reordering helps ensure better compatibility with older clients that may not support newer compression algorithms.
+
+---
+
+## v3.3.6
+
+### Request Path Sanitization
+
+Starting with v3.3.6, incoming request paths are now automatically cleaned before processing for security and consistency.
+
+**What's Changed:**
+
+The following path segments are now interpreted and collapsed:
+
+- `/../` (parent directory references)
+- `/./` (current directory references)  
+- Duplicate slash segments (`//`)
+
+**Disabling Sanitization:**
+
+```yaml
+# EntryPoint HTTP configuration
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      sanitizePath: false  # Not recommended
+```
+
+!!! danger "Security Warning"
+    Setting `sanitizePath: false` is not safe. This option should only be used with legacy clients that don't properly URL-encode data. Always ensure requests are properly URL-encoded instead of disabling this security feature.
+
+**Example Risk:**
+Base64 data containing "/" characters can lead to unsafe routing when path sanitization is disabled and the data isn't URL-encoded.
+
+---
+
+## v3.3 to v3.4
+
+### Kubernetes CRD Provider
+
+#### Load-Balancing Strategy Updates
+
+Starting with v3.4, HTTP service definitions now support additional load-balancing strategies for better traffic distribution.
+
+**Apply Updated CRDs:**
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+**New Strategy Values:**
+
+- `wrr` (Weighted Round Robin)
+- `p2c` (Power of Two Choices)
+
+!!! warning "Deprecation"
+    The `RoundRobin` strategy is deprecated but still supported (equivalent to `wrr`). It will be removed in the next major release.
+
+Refer to the [HTTP Services Load Balancing documentation](../../routing/services/#load-balancing-strategy) for detailed information.
+
+#### ServersTransport CA Certificate Configuration
+
+A new `rootCAs` option has been added to the `ServersTransport` and `ServersTransportTCP` CRDs. It supports both ConfigMaps and Secrets for CA certificates and replaces the `rootCAsSecrets` option.
+
+**Apply Updates:**
+
+```shell
+# Update CRDs
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+
+# Update RBACs
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+```
+
+**New Configuration Format:**
+
+```yaml
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: foo
+  namespace: bar
+spec:
+  rootCAs:
+    - configMap: ca-config-map
+    - secret: ca-secret
+      
+---      
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransportTCP
+metadata:
+  name: foo
+  namespace: bar
+spec:
+  rootCAs:
+    - configMap: ca-config-map
+    - secret: ca-secret
+```
+
+!!! warning "Deprecation"
+    The `rootCAsSecrets` option (Secrets only) is still supported but deprecated. It will be removed in the next major release.
+
+### Rule Syntax Configuration
+
+In v3.4, rule syntax configuration options will be removed in the next major version.
+
+**Deprecated Options:**
+
+- `core.defaultRuleSyntax` (static configuration)
+- `ruleSyntax` (router option)
+
+These options were transitional helpers for migrating from v2 to v3 syntax. Please ensure all router rules use v3 syntax before the next major release.
+
+---
+
+## v3.4.1
+
+### Request Path Normalization
+
+Starting with v3.4.1, request paths are now normalized according to RFC 3986 standards for better consistency and security.
+
+**Normalization Process:**
+
+1. **Unreserved Character Decoding:** Characters like `%2E` (.) are decoded to their literal form
+2. **Case Normalization:** Percent-encoded characters are uppercased (`%2e` becomes `%2E`)
+
+This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2) and [case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1) standards.
+
+**Processing Order:**
+
+1. Path normalization (cannot be disabled)
+2. Path sanitization (if enabled)
+
+### Reserved Character Handling in Routing
+
+Starting with v3.4.1, reserved characters (per [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2)) remain encoded during router rule matching to prevent routing ambiguity.
+
+**Why This Matters:**
+Reserved characters change the meaning of request paths when decoded. Keeping them encoded during routing prevents security vulnerabilities and ensures predictable routing behavior.
+
+### Request Path Matching Examples
+
+The following table illustrates how path matching behavior has changed:
+
+| Request Path      | Router Rule                  | Traefik v3.4.0 | Traefik v3.4.1 | Explanation                                           |
+|-------------------|------------------------------|----------------|----------------|-------------------------------------------------------|
+| `/foo%2Fbar`      | ```PathPrefix(`/foo/bar`)``` | Match          | No match       | `%2F` (/) stays encoded, preventing false matches     |
+| `/foo/../bar`     | ```PathPrefix(`/foo`)```     | No match       | No match       | Path traversal is sanitized away                      |
+| `/foo/../bar`     | ```PathPrefix(`/bar`)```     | Match          | Match          | Resolves to `/bar` after sanitization                 |
+| `/foo/%2E%2E/bar` | ```PathPrefix(`/foo`)```     | Match          | No match       | Encoded dots normalized then sanitized                |
+| `/foo/%2E%2E/bar` | ```PathPrefix(`/bar`)```     | No match       | Match          | Resolves to `/bar` after normalization + sanitization |
+
+## v3.4.5
+
+### MultiPath TCP
+
+Since `v3.4.5`, the MultiPath TCP support introduced with `v3.4.2` has been removed.
+It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message:
+
+- `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported`
+
+However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).
+
+## v3.5.0
+
+### Observability
+
+#### TraceVerbosity on Routers and Entrypoints
+
+Starting with `v3.5.0`, a new `traceVerbosity` option is available for both entrypoints and routers.
+This option allows you to control the level of detail for tracing spans.
+Routers can override the value inherited from their entrypoint.
+
+**Impact:**
+
+- If you rely on tracing, review your configuration to explicitly set the desired verbosity level.
+- Existing configurations will default to `minimal` unless overridden, which will result in fewer spans being generated than before.
+
+Possible values are:
+
+- `minimal`: produces a single server span and one client span for each request processed by a router.
+- `detailed`: enables the creation of additional spans for each middleware executed for each request processed by a router.
+
+See the updated documentation for [entrypoints](../reference/install-configuration/entrypoints.md) and [dynamic routers](../reference/routing-configuration/http/router/observability.md#traceverbosity).
+
+#### K8s Resource Attributes
+
+Since `v3.5.0`, the semconv attributes `k8s.pod.name` and `k8s.pod.uid` are injected automatically in OTel resource attributes when OTel tracing/logs/metrics are enabled.
+
+For that purpose, the following right has to be added to the Traefik Kubernetes RBACs:
+
+```yaml
+  ...
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  ...
+```
+
+---
+
+## v3.5.2
+
+### Deprecation of ProxyProtocol option
+
+Starting with `v3.5.2`, the `proxyProtocol` option for TCP LoadBalancer is deprecated.
+This option can now be configured at the `TCPServersTransport` level, please check out the [documentation](../reference/routing-configuration/tcp/serverstransport.md) for more details.
+
+#### Kubernetes CRD Provider
+
+To use the new `proxyprotocol` option in the Kubernetes CRD provider, you need to update your CRDs.
+
+**Apply Updated CRDs:**
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.5/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```

docs/content/migration/v2-to-v3.md

@@ -1,77 +0,0 @@
----
-title: "Traefik V3 Migration Documentation"
-description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
----
-
-# Migration Guide: From v2 to v3
-
-How to Migrate from Traefik v2 to Traefik v3.
-{: .subtitle }
-
-With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.
-
-Here are the steps to progressively migrate from Traefik v2 to v3:
-
-1. [Prepare configurations and test v3](#step-1-prepare-configurations-and-test-v3)
-1. [Migrate production instances to Traefik v3](#step-2-migrate-production-instances-to-traefik-v3)
-1. [Progressively migrate dynamic configuration](#step-3-progressively-migrate-dynamic-configuration)
-
-## Step 1: Prepare Configurations and Test v3
-
-Check the changes in [static configurations](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3.
-Modify your configurations accordingly.
-
-Then, add the following snippet to the static configuration:
-
-```yaml
-# static configuration
-core:
-  defaultRuleSyntax: v2
-```
-
-This snippet in the static configuration makes the [v2 format](../migration/v2-to-v3-details.md#configure-the-default-syntax-in-static-configuration "Link to configure default syntax in static config") the default rule matchers syntax.
-
-Start Traefik v3 with this new configuration to test it.
-
-If you don’t get any error logs while testing, you are good to go!
-Otherwise, follow the remaining migration options highlighted in the logs.
-
-Once your Traefik test instances are starting and routing to your applications, proceed to the next step.
-
-## Step 2: Migrate Production Instances to Traefik v3
-
-We strongly advise you to follow a progressive migration strategy ([Kubernetes rolling update mechanism](https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-intro/ "Link to the Kubernetes rolling update documentation"), for example) to migrate your production instances to v3.
-
-!!! Warning
-    Ensure you have a [real-time monitoring solution](https://traefik.io/blog/capture-traefik-metrics-for-apps-on-kubernetes-with-prometheus/ "Link to the blog on capturing Traefik metrics with Prometheus") for your ingress traffic to detect issues instantly.
-
-During the progressive migration, monitor your ingress traffic for any errors. Be prepared to rollback to a working state in case of any issues.
-
-If you encounter any issues, leverage debug and access logs provided by Traefik to understand what went wrong and how to fix it.
-
-Once every Traefik instance is updated, you will be on Traefik v3!
-
-## Step 3: Progressively Migrate Dynamic Configuration
-
-!!! info
-    This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes").
-    Enable Traefik logs to get some help if any deprecated option is in use.
-
-Check the changes in [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes").
-
-Then, progressively [switch each router to the v3 syntax](./v2-to-v3-details.md#configure-the-syntax-per-router "Link to configuring the syntax per router").
-
-Test and update each Ingress resource and ensure that ingress traffic is not impacted.
-
-Once a v3 Ingress resource migration is validated, deploy the resource and delete the v2 Ingress resource.
-Repeat it until all Ingress resources are migrated.
-
-Now, remove the following snippet added to the static configuration in Step 1:
-
-```yaml
-# static configuration
-core:
-  defaultRuleSyntax: v2
-```
-
-You are now fully migrated to Traefik v3 🎉

docs/content/migration/v3.md

@@ -1,371 +0,0 @@
----
-title: "Traefik Migration Documentation"
-description: "Learn the steps needed to migrate to new Traefik Proxy v3 versions. Read the technical documentation."
----
-
-# Migration: Steps needed between the versions
-
-## v3.0 to v3.1
-
-### Kubernetes Provider RBACs
-
-Starting with v3.1, the Kubernetes Providers now use the [EndpointSlices API](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) (Kubernetes >=v1.21) to discover service endpoint addresses.
-It also brings NodePort load-balancing which requires Nodes resources lookup.
-
-Therefore, in the corresponding RBACs (see [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example), [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac), and [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs):
-
-- the `endpoints` right has to be removed and the following `endpointslices` right has to be added:
-
-```yaml
-  ... 
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - list
-      - watch
-  ...
-```
-
-- the `nodes` right has to be added:
-
-```yaml
-  ...
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-      - list
-      - watch
-  ...
-```
-
-#### Gateway API: KubernetesGateway Provider
-
-In v3.1, the KubernetesGateway Provider is no longer an experimental feature.
-It can be enabled without the associated `experimental.kubernetesgateway` option, which is now deprecated.
-
-??? example "An example of the experimental `kubernetesgateway` option"
-
-    ```yaml tab="File (YAML)"
-    experimental:
-      kubernetesgateway: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [experimental]
-        kubernetesgateway=true
-    ```
-
-    ```bash tab="CLI"
-    --experimental.kubernetesgateway=true
-    ```
-
-##### Remediation
-
-The `kubernetesgateway` option should be removed from the experimental section of the static configuration.
-To configure `kubernetesgateway`, please check out the [KubernetesGateway Provider documentation](../providers/kubernetes-gateway.md).
-
-## v3.1.0 to v3.1.1
-
-### IngressClass Lookup
-
-The Kubernetes Ingress provider option `disableIngressClassLookup` has been deprecated in v3.1.1, and will be removed in the next major version.
-Please use the `disableClusterScopeResources` option instead to avoid cluster scope resources discovery (IngressClass, Nodes).
-
-## v3.1 to v3.2
-
-### Kubernetes CRD Provider
-
-Starting with v3.2, the CRDs has been updated on [TraefikService](../../routing/services#mirroring-service) (PR [#11032](https://github.com/traefik/traefik/pull/11032)), on [RateLimit](../../middlewares/http/ratelimit) & [InFlightReq](../../middlewares/http/inflightreq) middlewares (PR [#9747](https://github.com/traefik/traefik/pull/9747)) and on [Compress](../../middlewares/http/compress) middleware (PR [#10943](https://github.com/traefik/traefik/pull/10943)).
-
-This update adds only new optional fields.
-CRDs can be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-### Kubernetes Gateway Provider Standard Channel
-
-Starting with v3.2, the Kubernetes Gateway Provider now supports [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/).
-
-Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
-the `grcroutes` and `grpcroutes/status` rights have to be added.
-
-```yaml
-  ...
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - grpcroutes
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - grpcroutes/status
-    verbs:
-      - update
-  ...
-```
-
-### Kubernetes Gateway Provider Experimental Channel
-
-!!! warning "Breaking changes"
-
-    Because of a breaking change introduced in Kubernetes Gateway [v1.2.0-rc1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0-rc1),
-    Traefik v3.3 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
-
-Starting with v3.2, the Kubernetes Gateway Provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/).
-
-Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
-the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added.
-
-```yaml
-  ...
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - backendtlspolicies
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - backendtlspolicies/status
-    verbs:
-      - update
-  ...
-```
-
-## v3.2.1
-
-### X-Forwarded-Prefix
-
-In `v3.2.1`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
-Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
-
-## v3.2.2
-
-### Swarm Provider
-
-In `v3.2.2`, the `traefik.docker.network` and `traefik.docker.lbswarm` labels have been deprecated,
-please use the `traefik.swarm.network` and `traefik.swarm.lbswarm` labels instead.
-
-## v3.2 to v3.3
-
-### ACME DNS Certificate Resolver
-
-In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated, 
-please use respectively `acme.dnsChallenge.propagation.delayBeforeChecks` and `acme.dnsChallenge.propagation.disableChecks` options instead.
-
-### Tracing Global Attributes
-
-In `v3.3`, the `tracing.globalAttributes` option has been deprecated, please use the `tracing.resourceAttributes` option instead.
-The `tracing.globalAttributes` option is misleading as its name does not reflect the operation of adding resource attributes to be sent to the collector,
-and will be removed in the next major version.
-
-## v3.3.4
-
-### OpenTelemetry Request Duration metric
-
-In `v3.3.4`, the OpenTelemetry Request Duration metric (named `traefik_(entrypoint|router|service)_request_duration_seconds`) unit has been changed from milliseconds to seconds.
-To be consistent with the naming and other metrics providers, the metric now reports the duration in seconds.
-
-## v3.3.5
-
-### Compress Middleware
-
-In `v3.3.5`, the compress middleware `encodings` option default value is now `gzip, br, zstd`. 
-This change helps the algorithm selection to favor the `gzip` algorithm over the other algorithms.
-
-It impacts requests that do not specify their preferred algorithm,
-or has no order preference, in the `Accept-Encoding` header.
-
-## v3.3.6
-
-### Request Path Sanitization
-
-Since `v3.3.6`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
-Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
-
-If you want to disable this behavior, you can set the [`sanitizePath` option](../reference/install-configuration/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
-This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
-For example, as base64 uses the “/” character internally,
-if it's not url encoded,
-it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
-
-!!! warning "Security"
-
-    Setting the `sanitizePath` option to `false` is not safe.
-    Ensure every request is properly url encoded instead.
-
-## v3.3 to v3.4
-
-### Kubernetes CRD Provider
-
-#### Load-Balancing
-
-In `v3.4`, the HTTP service definition has been updated.
-The strategy field now supports two new values: `wrr` and `p2c` (please refer to the [HTTP Services Load Balancing documentation](../../routing/services/#load-balancing-strategy) for more details).
-
-CRDs can be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-Please note that the `RoundRobin` strategy value is now deprecated, but still supported and equivalent to `wrr`, and will be removed in the next major release.
-
-#### ServersTransport CA Certificate
-
-In `v3.4`, a new `rootCAs` option has been added to the `ServersTransport` and `ServersTransportTCP` CRDs.
-It allows the configuration of CA certificates from both `ConfigMaps` and `Secrets`,
-and replaces the `rootCAsSecrets` option, as shown below:
-
-CRDs can be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-RBACs need to be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
-```
-
-```yaml
----
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: foo
-  namespace: bar
-spec:
-  rootCAs:
-    - configMap: ca-config-map
-    - secret: ca-secret
-      
----      
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransportTCP
-metadata:
-  name: foo
-  namespace: bar
-spec:
-  rootCAs:
-    - configMap: ca-config-map
-    - secret: ca-secret
-```
-
-The `rootCAsSecrets` option, which allows only `Secrets` references,
-is still supported, but is now deprecated,
-and will be removed in the next major release.
-
-### Rule Syntax
-
-In `v3.4.0`, the `core.defaultRuleSyntax` static configuration option and the `ruleSyntax` router option have been deprecated,
-and will be removed in the next major version.
-
-This `core.defaultRuleSyntax` option was used to switch between the v2 and v3 syntax for the router's rules,
-and to help with the migration from v2 to v3.
-
-The `ruleSyntax` router's option was used to override the default rule syntax for a specific router.
-
-In preparation for the next major release, please remove any use of these two options and use the v3 syntax for writing the router's rules.
-
-## v3.4.1
-
-### Request Path Normalization
-
-Since `v3.4.1`, the request path is now normalized by decoding unreserved characters in the request path,
-and also uppercasing the percent-encoded characters.
-This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2),
-and [RFC 3986 case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1).
-
-The normalization happens before the request path is sanitized,
-and cannot be disabled.
-This notably helps with encoded dots characters (which are unreserved characters) to be sanitized properly.
-
-### Routing Path
-
-Since `v3.4.1`, the reserved characters [(as per RFC 3986)](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) are kept encoded in the request path when matching the router rules.
-Those characters, when decoded, change the meaning of the request path for routing purposes,
-and Traefik now keeps them encoded to avoid any ambiguity.
-
-### Request Path Matching Examples
-
-| Request Path      | Router Rule            | Traefik v3.4.0 | Traefik v3.4.1 |
-|-------------------|------------------------|----------------|----------------|
-| `/foo%2Fbar`      | PathPrefix(`/foo/bar`) | Match          | No match       |
-| `/foo/../bar`     | PathPrefix(`/foo`)     | No match       | No match       |
-| `/foo/../bar`     | PathPrefix(`/bar`)     | Match          | Match          |
-| `/foo/%2E%2E/bar` | PathPrefix(`/foo`)     | Match          | No match       |
-| `/foo/%2E%2E/bar` | PathPrefix(`/bar`)     | No match       | Match          |
-
-## v3.4.5
-
-### MultiPath TCP
-
-Since `v3.4.5`, the MultiPath TCP support introduced with `v3.4.2` has been removed.
-It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message:
-
-- `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported`
-
-However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).
-
-## v3.5.0
-
-### Observability
-
-#### TraceVerbosity on Routers and Entrypoints
-
-Starting with `v3.5.0`, a new `traceVerbosity` option is available for both entrypoints and routers.
-This option allows you to control the level of detail for tracing spans.
-Routers can override the value inherited from their entrypoint.
-
-**Impact:**
-
-- If you rely on tracing, review your configuration to explicitly set the desired verbosity level.
-- Existing configurations will default to `minimal` unless overridden, which will result in fewer spans being generated than before.
-
-Possible values are:
-
-- `minimal`: produces a single server span and one client span for each request processed by a router.
-- `detailed`: enables the creation of additional spans for each middleware executed for each request processed by a router.
-
-See the updated documentation for [entrypoints](../reference/install-configuration/entrypoints.md) and [dynamic routers](../reference/dynamic-configuration/file.md#observability-options).
-
-#### K8s Resource Attributes
-
-Since `v3.5.0`, the semconv attributes `k8s.pod.name` and `k8s.pod.uid` are injected automatically in OTel resource attributes when OTel tracing/logs/metrics are enabled.
-
-For that purpose, the following right has to be added to the Traefik Kubernetes RBACs:
-
-```yaml
-  ...
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-    verbs:
-      - get
-  ...
-```

docs/content/observability/access-logs.md

@@ -69,27 +69,43 @@ accessLog:
 
 _Optional, Default="common"_
 
-By default, logs are written using the Common Log Format (CLF).
-To write logs in JSON, use `json` in the `format` option.
-If the given format is unsupported, the default (CLF) is used instead.
+By default, logs are written using the Traefik Common Log Format (CLF).
+The available log formats are:
 
-!!! info "Common Log Format"
+- `common` - Traefik's extended CLF format (default)
+- `genericCLF` - Generic CLF format compatible with standard log analyzers
+- `json` - JSON format for structured logging
 
+If the given format is unsupported, the default (`common`) is used instead.
+
+!!! info "Traefik Common Log Format vs Generic CLF"
+
+    **Traefik Common Log Format (`common`):**
     ```html
     <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
     ```
+    
+    **Generic CLF Format (`genericCLF`):**
+    ```html
+    <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>"
+    ```
+    
+    The `genericCLF` format omits Traefik-specific fields (request count, router name, service URL, and duration) for better compatibility with standard CLF parsers.
 
 ```yaml tab="File (YAML)"
+# JSON format
 accessLog:
   format: "json"
 ```
 
 ```toml tab="File (TOML)"
+# JSON format
 [accessLog]
   format = "json"
 ```
 
 ```bash tab="CLI"
+# JSON format
 --accesslog.format=json
 ```
 
@@ -362,7 +378,7 @@ accesslog:
 --accesslog.otlp.serviceName=name
 ```
 
-### `ressourceAttributes`
+### `resourceAttributes`
 
 _Optional, Default=empty_
 

docs/content/observability/logs.md

@@ -241,7 +241,7 @@ log:
 --log.otlp.serviceName=name
 ```
 
-### `ressourceAttributes`
+### `resourceAttributes`
 
 _Optional, Default=empty_
 

docs/content/observability/metrics/opentelemetry.md

@@ -160,7 +160,7 @@ metrics:
 ```bash tab="CLI"
 --metrics.otlp.serviceName=name
 ```
-#### `ressourceAttributes`
+#### `resourceAttributes`
 
 _Optional, Default=empty_
 

docs/content/observe/logs-and-access-logs.md

@@ -155,8 +155,9 @@ When the `observability` options are not defined on a router, it inherits the be
 
 Traefik Proxy supports the following log formats:
 
-- Common Log Format (CLF)
-- JSON
+- `common` - Traefik's extended CLF format (default)
+- `genericCLF` - Generic CLF format compatible with standard log analyzers
+- `json` - JSON format for structured logging
 
 ## Access Log Filters
 

docs/content/operations/api.md

@@ -46,7 +46,7 @@ And then define a routing configuration on Traefik itself with the
 
 --8<-- "content/operations/include-api-examples.md"
 
-??? warning "The router's [rule](../../routing/routers#rule) must catch requests for the URI path `/api`"
+??? warning "The router's [rule](../../routing/routers/#rule) must catch requests for the URI path `/api`"
     Using an "Host" rule is recommended, by catching all the incoming traffic on this host domain to the API.
     However, you can also use "path prefix" rule or any combination or rules.
 
@@ -109,7 +109,7 @@ api:
 --api.dashboard=true
 ```
 
-!!! warning "With Dashboard enabled, the router [rule](../../routing/routers#rule) must catch requests for both `/api` and `/dashboard`"
+!!! warning "With Dashboard enabled, the router [rule](../../routing/routers/#rule) must catch requests for both `/api` and `/dashboard`"
     Please check the [Dashboard documentation](./dashboard.md#dashboard-router-rule) to learn more about this and to get examples.
 
 ### `debug`

docs/content/operations/cli.md

@@ -31,7 +31,7 @@ traefik [--flag=flag_argument] [-f [flag_argument]]
 traefik [--flag[=true|false| ]] [-f [true|false| ]]
 ```
 
-All flags are documented in the [(static configuration) CLI reference](../reference/static-configuration/cli.md).
+All flags are documented in the [(static configuration) CLI reference](../reference/install-configuration/configuration-options.md).
 
 !!! info "Flags are case-insensitive."
 

docs/content/providers/file.md

@@ -103,7 +103,7 @@ It supports providing configuration through a [single configuration file](#filen
 
 ## Provider Configuration
 
-For an overview of all the options that can be set with the file provider, see the [dynamic configuration](../reference/dynamic-configuration/file.md) and [static configuration](../reference/static-configuration/overview.md) references.
+For an overview of all the options that can be set with the file provider, see the [routing configuration](../reference/routing-configuration/other-providers/file.md) and [install configuration](../reference/install-configuration/configuration-options.md) references.
 
 !!! warning "Limitations"
 

docs/content/reference/dynamic-configuration/consul-catalog.md

@@ -1,16 +0,0 @@
----
-title: "Traefik Consul Configuration Documentation"
-description: "View the reference for performing dynamic configurations with Traefik Proxy and Consul Catalog. Read the technical documentation."
----
-
-# Consul Catalog Configuration Reference
-
-Dynamic configuration with Consul Catalog
-{: .subtitle }
-
-The labels are case-insensitive.
-
-```yaml
---8<-- "content/reference/dynamic-configuration/consul-catalog.yml"
---8<-- "content/reference/dynamic-configuration/docker-labels.yml"
-```

docs/content/reference/dynamic-configuration/consul-catalog.yml

@@ -1,2 +0,0 @@
-- "traefik.enable=true"
-- "traefik.consulcatalog.connect=true"

docs/content/reference/dynamic-configuration/docker.md

@@ -1,17 +0,0 @@
----
-title: "Traefik Docker Configuration Documentation"
-description: "Reference dynamic configuration with Docker labels in Traefik Proxy. Read the technical documentation."
----
-
-# Docker Configuration Reference
-
-Dynamic configuration with Docker Labels
-{: .subtitle }
-
-The labels are case-insensitive.
-
-```yaml
-labels:
-  --8<-- "content/reference/dynamic-configuration/docker.yml"
-  --8<-- "content/reference/dynamic-configuration/docker-labels.yml"
-```

docs/content/reference/dynamic-configuration/docker.yml

@@ -1,2 +0,0 @@
-- "traefik.enable=true"
-- "traefik.docker.network=foobar"

docs/content/reference/dynamic-configuration/ecs.md

@@ -1,16 +0,0 @@
----
-title: "Traefik AWS ECS Configuration Documentation"
-description: "Learn how to do dynamic configuration in Traefik Proxy with AWS ECS. Read the technical documentation."
----
-
-# ECS Configuration Reference
-
-Dynamic configuration with ECS provider
-{: .subtitle }
-
-The labels are case-insensitive.
-
-```yaml
---8<-- "content/reference/dynamic-configuration/ecs.yml"
---8<-- "content/reference/dynamic-configuration/docker-labels.yml"
-```

docs/content/reference/dynamic-configuration/ecs.yml

@@ -1 +0,0 @@
-- "traefik.enable=true"

docs/content/reference/dynamic-configuration/file.md

@@ -1,17 +0,0 @@
----
-title: "Traefik File Dynamic Configuration"
-description: "This guide will provide you with the YAML and TOML files for dynamic configuration in Traefik Proxy. Read the technical documentation."
----
-
-# File Configuration Reference
-
-Dynamic configuration with files
-{: .subtitle }
-
-```yml  tab="YAML"
---8<-- "content/reference/dynamic-configuration/file.yaml"
-```
-
-```toml  tab="TOML"
---8<-- "content/reference/dynamic-configuration/file.toml"
-```

docs/content/reference/dynamic-configuration/file.toml

@@ -454,16 +454,16 @@
       [tcp.services.TCPService01.loadBalancer]
         serversTransport = "foobar"
         terminationDelay = 42
+
+        [[tcp.services.TCPService01.loadBalancer.servers]]
+          address = "foobar"
+          tls = true
+
+        [[tcp.services.TCPService01.loadBalancer.servers]]
+          address = "foobar"
+          tls = true
         [tcp.services.TCPService01.loadBalancer.proxyProtocol]
           version = 42
-
-        [[tcp.services.TCPService01.loadBalancer.servers]]
-          address = "foobar"
-          tls = true
-
-        [[tcp.services.TCPService01.loadBalancer.servers]]
-          address = "foobar"
-          tls = true
     [tcp.services.TCPService02]
       [tcp.services.TCPService02.weighted]
 
@@ -489,6 +489,8 @@
       dialKeepAlive = "42s"
       dialTimeout = "42s"
       terminationDelay = "42s"
+      [tcp.serversTransports.TCPServersTransport0.proxyProtocol]
+        version = 42
       [tcp.serversTransports.TCPServersTransport0.tls]
         serverName = "foobar"
         insecureSkipVerify = true
@@ -509,6 +511,8 @@
       dialKeepAlive = "42s"
       dialTimeout = "42s"
       terminationDelay = "42s"
+      [tcp.serversTransports.TCPServersTransport1.proxyProtocol]
+        version = 42
       [tcp.serversTransports.TCPServersTransport1.tls]
         serverName = "foobar"
         insecureSkipVerify = true

docs/content/reference/dynamic-configuration/file.yaml

@@ -518,14 +518,14 @@ tcp:
   services:
     TCPService01:
       loadBalancer:
-        proxyProtocol:
-          version: 42
         servers:
           - address: foobar
             tls: true
           - address: foobar
             tls: true
         serversTransport: foobar
+        proxyProtocol:
+          version: 42
         terminationDelay: 42
     TCPService02:
       weighted:
@@ -552,6 +552,8 @@ tcp:
     TCPServersTransport0:
       dialKeepAlive: 42s
       dialTimeout: 42s
+      proxyProtocol:
+        version: 42
       terminationDelay: 42s
       tls:
         serverName: foobar
@@ -573,6 +575,8 @@ tcp:
     TCPServersTransport1:
       dialKeepAlive: 42s
       dialTimeout: 42s
+      proxyProtocol:
+        version: 42
       terminationDelay: 42s
       tls:
         serverName: foobar

docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

@@ -544,6 +544,7 @@ spec:
                             description: |-
                               ProxyProtocol defines the PROXY protocol configuration.
                               More info: https://doc.traefik.io/traefik/v3.5/routing/services/#proxy-protocol
+                              Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
                             properties:
                               version:
                                 description: Version defines the PROXY Protocol version
@@ -2400,6 +2401,15 @@ spec:
                   to a backend server can be established.
                 pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                 x-kubernetes-int-or-string: true
+              proxyProtocol:
+                description: ProxyProtocol holds the PROXY Protocol configuration.
+                properties:
+                  version:
+                    description: Version defines the PROXY Protocol version to use.
+                    maximum: 2
+                    minimum: 1
+                    type: integer
+                type: object
               terminationDelay:
                 anyOf:
                 - type: integer

docs/content/reference/dynamic-configuration/kv-ref.md

@@ -365,6 +365,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/tcp/routers/TCPRouter1/tls/passthrough` | `true` |
 | `traefik/tcp/serversTransports/TCPServersTransport0/dialKeepAlive` | `42s` |
 | `traefik/tcp/serversTransports/TCPServersTransport0/dialTimeout` | `42s` |
+| `traefik/tcp/serversTransports/TCPServersTransport0/proxyProtocol/version` | `42` |
 | `traefik/tcp/serversTransports/TCPServersTransport0/terminationDelay` | `42s` |
 | `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/certFile` | `foobar` |
 | `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/keyFile` | `foobar` |
@@ -380,6 +381,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/tcp/serversTransports/TCPServersTransport0/tls/spiffe/trustDomain` | `foobar` |
 | `traefik/tcp/serversTransports/TCPServersTransport1/dialKeepAlive` | `42s` |
 | `traefik/tcp/serversTransports/TCPServersTransport1/dialTimeout` | `42s` |
+| `traefik/tcp/serversTransports/TCPServersTransport1/proxyProtocol/version` | `42` |
 | `traefik/tcp/serversTransports/TCPServersTransport1/terminationDelay` | `42s` |
 | `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/certFile` | `foobar` |
 | `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/keyFile` | `foobar` |

docs/content/reference/dynamic-configuration/kv.md

@@ -1,11 +0,0 @@
----
-title: "Traefik Dynamic Configuration with KV stores"
-description: "Read the technical documentation to learn the Traefik Dynamic Configuration with KV stores."
----
-
-# KV Configuration Reference
-
-Dynamic configuration with KV stores.
-{: .subtitle }
-
---8<-- "content/reference/dynamic-configuration/kv-ref.md"

docs/content/reference/dynamic-configuration/nomad.md

@@ -1,16 +0,0 @@
----
-title: "Traefik Nomad Service Discovery Configuration Documentation"
-description: "View the reference for performing dynamic configurations with Traefik Proxy and Nomad Service Discovery. Read the technical documentation."
----
-
-# Nomad Service Discovery Configuration Reference
-
-Dynamic configuration with Nomad Service Discovery
-{: .subtitle }
-
-The labels are case-insensitive.
-
-```yaml
---8<-- "content/reference/dynamic-configuration/nomad.yml"
---8<-- "content/reference/dynamic-configuration/docker-labels.yml"
-```

docs/content/reference/dynamic-configuration/nomad.yml

@@ -1 +0,0 @@
-- "traefik.enable=true"

docs/content/reference/dynamic-configuration/swarm.md

@@ -1,17 +0,0 @@
----
-title: "Traefik Docker Swarm Configuration Documentation"
-description: "Reference dynamic configuration with Docker Swarm labels in Traefik Proxy. Read the technical documentation."
----
-
-# Docker Swarm Configuration Reference
-
-Dynamic configuration with Docker Labels
-{: .subtitle }
-
-The labels are case-insensitive.
-
-```yaml
-labels:
-  --8<-- "content/reference/dynamic-configuration/swarm.yml"
-  --8<-- "content/reference/dynamic-configuration/docker-labels.yml"
-```

docs/content/reference/dynamic-configuration/swarm.yml

@@ -1,3 +0,0 @@
-- "traefik.enable=true"
-- "traefik.swarm.network=foobar"
-- "traefik.swarm.lbswarm=true"

docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml

@@ -123,6 +123,7 @@ spec:
                             description: |-
                               ProxyProtocol defines the PROXY protocol configuration.
                               More info: https://doc.traefik.io/traefik/v3.5/routing/services/#proxy-protocol
+                              Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
                             properties:
                               version:
                                 description: Version defines the PROXY Protocol version

docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml

@@ -63,6 +63,15 @@ spec:
                   to a backend server can be established.
                 pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                 x-kubernetes-int-or-string: true
+              proxyProtocol:
+                description: ProxyProtocol holds the PROXY Protocol configuration.
+                properties:
+                  version:
+                    description: Version defines the PROXY Protocol version to use.
+                    maximum: 2
+                    minimum: 1
+                    type: integer
+                type: object
               terminationDelay:
                 anyOf:
                 - type: integer

docs/content/reference/install-configuration/boot-environment.md

@@ -7,14 +7,14 @@ description: "Read the official Traefik documentation to get started with config
 
 Traefik Proxy’s configuration is divided into two main categories:
 
-- **Static Configuration**: Defines parameters that require Traefik to restart when changed. This includes entry points, providers, API/dashboard settings, and logging levels.
-- **Dynamic Configuration**: Involves elements that can be updated without restarting Traefik, such as routers, services, and middlewares.
+- **Install Configuration**: (formerly known as the static configuration) Defines parameters that require Traefik to restart when changed. This includes entry points, providers, API/dashboard settings, and logging levels.
+- **Routing Configuration**: (formerly known as the dynamic configuration) Involves elements that can be updated without restarting Traefik, such as routers, services, and middlewares.
 
-This section focuses on setting up the static configuration, which is essential for Traefik’s initial boot.
+This section focuses on setting up the install configuration, which is essential for Traefik’s initial boot.
 
 ## Configuration Methods
 
-Traefik offers multiple methods to define static configuration. 
+Traefik offers multiple methods to define install configuration. 
 
 !!! warning "Note"
     It’s crucial to choose one method and stick to it, as mixing different configuration options is not supported and can lead to unexpected behavior.
@@ -28,7 +28,7 @@ Here are the methods available for configuring the Traefik proxy:
 
 ## File
 
-You can define the static configuration in a file using formats like YAML or TOML.
+You can define the install configuration in a file using formats like YAML or TOML.
 
 ### Configuration Example
 
@@ -69,7 +69,7 @@ log:
 
 ### Configuration File
 
-At startup, Traefik searches for static configuration in a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in the following directories:
+At startup, Traefik searches for install configuration in a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in the following directories:
 
 - `/etc/traefik/`
 - `$XDG_CONFIG_HOME/`
@@ -84,7 +84,7 @@ traefik --configFile=foo/bar/myconfigfile.yml
 
 ## CLI
 
-Using the CLI, you can pass static configuration directly as command-line arguments when starting Traefik. 
+Using the CLI, you can pass install configuration directly as command-line arguments when starting Traefik. 
 
 ### Configuration Example
 
@@ -99,7 +99,7 @@ traefik \
 
 ## Environment Variables
 
-You can also set the static configuration using environment variables. Each option corresponds to an environment variable prefixed with `TRAEFIK_`.
+You can also set the install configuration using environment variables. Each option corresponds to an environment variable prefixed with `TRAEFIK_`.
 
 ### Configuration Example
 
@@ -109,7 +109,7 @@ TRAEFIK_ENTRYPOINTS_WEB_ADDRESS=":80" TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS=":44
 
 ## Helm
 
-When deploying Traefik Proxy using Helm in a Kubernetes cluster, the static configuration is defined in a `values.yaml` file. 
+When deploying Traefik Proxy using Helm in a Kubernetes cluster, the install configuration is defined in a `values.yaml` file. 
 
 You can find the official Traefik Helm chart on [GitHub](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/VALUES.md)
 

docs/content/reference/install-configuration/configuration-options.md

@@ -0,0 +1,481 @@
+<!--
+CODE GENERATED AUTOMATICALLY
+THIS FILE MUST NOT BE EDITED BY HAND
+-->
+# Install Configuration Options
+## Configuration Options
+
+| Field | Description | Default | 
+|:-------|:------------|:-------|
+| accesslog | Access log settings. | false |
+| accesslog.addinternals | Enables access log for internal services (ping, dashboard, etc...). | false |
+| accesslog.bufferingsize | Number of access log lines to process in a buffered way. | 0 |
+| accesslog.fields.defaultmode | Default mode for fields: keep | drop | keep |
+| accesslog.fields.headers.defaultmode | Default mode for fields: keep | drop | redact | drop |
+| accesslog.fields.headers.names._name_ | Override mode for headers | |
+| accesslog.fields.names._name_ | Override mode for fields | |
+| accesslog.filepath | Access log file path. Stdout is used when omitted or empty. | |
+| accesslog.filters.minduration | Keep access logs when request took longer than the specified duration. | 0 |
+| accesslog.filters.retryattempts | Keep access logs when at least one retry happened. | false |
+| accesslog.filters.statuscodes | Keep access logs with status codes in the specified range. | |
+| accesslog.format | Access log format: json, common, or genericCLF | common |
+| accesslog.otlp | Settings for OpenTelemetry. | false |
+| accesslog.otlp.grpc | gRPC configuration for the OpenTelemetry collector. | false |
+| accesslog.otlp.grpc.endpoint | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
+| accesslog.otlp.grpc.headers._name_ | Headers sent with payload. | |
+| accesslog.otlp.grpc.insecure | Disables client transport security for the exporter. | false |
+| accesslog.otlp.grpc.tls.ca | TLS CA | |
+| accesslog.otlp.grpc.tls.cert | TLS cert | |
+| accesslog.otlp.grpc.tls.insecureskipverify | TLS insecure skip verify | false |
+| accesslog.otlp.grpc.tls.key | TLS key | |
+| accesslog.otlp.http | HTTP configuration for the OpenTelemetry collector. | false |
+| accesslog.otlp.http.endpoint | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
+| accesslog.otlp.http.headers._name_ | Headers sent with payload. | |
+| accesslog.otlp.http.tls.ca | TLS CA | |
+| accesslog.otlp.http.tls.cert | TLS cert | |
+| accesslog.otlp.http.tls.insecureskipverify | TLS insecure skip verify | false |
+| accesslog.otlp.http.tls.key | TLS key | |
+| accesslog.otlp.resourceattributes._name_ | Defines additional resource attributes (key:value). | |
+| accesslog.otlp.servicename | Defines the service name resource attribute. | traefik |
+| api | Enable api/dashboard. | false |
+| api.basepath | Defines the base path where the API and Dashboard will be exposed. | / |
+| api.dashboard | Activate dashboard. | true |
+| api.debug | Enable additional endpoints for debugging and profiling. | false |
+| api.disabledashboardad | Disable ad in the dashboard. | false |
+| api.insecure | Activate API directly on the entryPoint named traefik. | false |
+| certificatesresolvers._name_ | Certificates resolvers configuration. | false |
+| certificatesresolvers._name_.acme.cacertificates | Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | |
+| certificatesresolvers._name_.acme.caserver | CA server to use. | https://acme-v02.api.letsencrypt.org/directory |
+| certificatesresolvers._name_.acme.caservername | Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | |
+| certificatesresolvers._name_.acme.casystemcertpool | Define if the certificates pool must use a copy of the system cert pool. | false |
+| certificatesresolvers._name_.acme.certificatesduration | Certificates' duration in hours. | 2160 |
+| certificatesresolvers._name_.acme.clientresponseheadertimeout | Timeout for receiving the response headers when communicating with the ACME server. | 30 |
+| certificatesresolvers._name_.acme.clienttimeout | Timeout for a complete HTTP transaction with the ACME server. | 120 |
+| certificatesresolvers._name_.acme.dnschallenge | Activate DNS-01 Challenge. | false |
+| certificatesresolvers._name_.acme.dnschallenge.delaybeforecheck | (Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. | 0 |
+| certificatesresolvers._name_.acme.dnschallenge.disablepropagationcheck | (Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] | false |
+| certificatesresolvers._name_.acme.dnschallenge.propagation | DNS propagation checks configuration | false |
+| certificatesresolvers._name_.acme.dnschallenge.propagation.delaybeforechecks | Defines the delay before checking the challenge TXT record propagation. | 0 |
+| certificatesresolvers._name_.acme.dnschallenge.propagation.disableanschecks | Disables the challenge TXT record propagation checks against authoritative nameservers. | false |
+| certificatesresolvers._name_.acme.dnschallenge.propagation.disablechecks | Disables the challenge TXT record propagation checks (not recommended). | false |
+| certificatesresolvers._name_.acme.dnschallenge.propagation.requireallrns | Requires the challenge TXT record to be propagated to all recursive nameservers. | false |
+| certificatesresolvers._name_.acme.dnschallenge.provider | Use a DNS-01 based challenge provider rather than HTTPS. | |
+| certificatesresolvers._name_.acme.dnschallenge.resolvers | Use following DNS servers to resolve the FQDN authority. | |
+| certificatesresolvers._name_.acme.eab.hmacencoded | Base64 encoded HMAC key from External CA. | |
+| certificatesresolvers._name_.acme.eab.kid | Key identifier from External CA. | |
+| certificatesresolvers._name_.acme.email | Email address used for registration. | |
+| certificatesresolvers._name_.acme.emailaddresses | CSR email addresses to use. | |
+| certificatesresolvers._name_.acme.httpchallenge | Activate HTTP-01 Challenge. | false |
+| certificatesresolvers._name_.acme.httpchallenge.delay | Delay between the creation of the challenge and the validation. | 0 |
+| certificatesresolvers._name_.acme.httpchallenge.entrypoint | HTTP challenge EntryPoint | |
+| certificatesresolvers._name_.acme.keytype | KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. | RSA4096 |
+| certificatesresolvers._name_.acme.preferredchain | Preferred chain to use. | |
+| certificatesresolvers._name_.acme.profile | Certificate profile to use. | |
+| certificatesresolvers._name_.acme.storage | Storage to use. | acme.json |
+| certificatesresolvers._name_.acme.tlschallenge | Activate TLS-ALPN-01 Challenge. | true |
+| certificatesresolvers._name_.tailscale | Enables Tailscale certificate resolution. | true |
+| core.defaultrulesyntax | Defines the rule parser default syntax (v2 or v3) | v3 |
+| entrypoints._name_ | Entry points definition. | false |
+| entrypoints._name_.address | Entry point address. | |
+| entrypoints._name_.allowacmebypass | Enables handling of ACME TLS and HTTP challenges with custom routers. | false |
+| entrypoints._name_.asdefault | Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. | false |
+| entrypoints._name_.forwardedheaders.connection | List of Connection headers that are allowed to pass through the middleware chain before being removed. | |
+| entrypoints._name_.forwardedheaders.insecure | Trust all forwarded headers. | false |
+| entrypoints._name_.forwardedheaders.trustedips | Trust only forwarded headers from selected IPs. | |
+| entrypoints._name_.http | HTTP configuration. | |
+| entrypoints._name_.http.encodequerysemicolons | Defines whether request query semicolons should be URLEncoded. | false |
+| entrypoints._name_.http.maxheaderbytes | Maximum size of request headers in bytes. | 1048576 |
+| entrypoints._name_.http.middlewares | Default middlewares for the routers linked to the entry point. | |
+| entrypoints._name_.http.redirections.entrypoint.permanent | Applies a permanent redirection. | true |
+| entrypoints._name_.http.redirections.entrypoint.priority | Priority of the generated router. | 9223372036854775806 |
+| entrypoints._name_.http.redirections.entrypoint.scheme | Scheme used for the redirection. | https |
+| entrypoints._name_.http.redirections.entrypoint.to | Targeted entry point of the redirection. | |
+| entrypoints._name_.http.sanitizepath | Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences). | true |
+| entrypoints._name_.http.tls | Default TLS configuration for the routers linked to the entry point. | false |
+| entrypoints._name_.http.tls.certresolver | Default certificate resolver for the routers linked to the entry point. | |
+| entrypoints._name_.http.tls.domains | Default TLS domains for the routers linked to the entry point. | |
+| entrypoints._name_.http.tls.domains[0].main | Default subject name. | |
+| entrypoints._name_.http.tls.domains[0].sans | Subject alternative names. | |
+| entrypoints._name_.http.tls.options | Default TLS options for the routers linked to the entry point. | |
+| entrypoints._name_.http2.maxconcurrentstreams | Specifies the number of concurrent streams per connection that each client is allowed to initiate. | 250 |
+| entrypoints._name_.http3 | HTTP/3 configuration. | false |
+| entrypoints._name_.http3.advertisedport | UDP port to advertise, on which HTTP/3 is available. | 0 |
+| entrypoints._name_.observability.accesslogs | Enables access-logs for this entryPoint. | true |
+| entrypoints._name_.observability.metrics | Enables metrics for this entryPoint. | true |
+| entrypoints._name_.observability.traceverbosity | Defines the tracing verbosity level for this entryPoint. | minimal |
+| entrypoints._name_.observability.tracing | Enables tracing for this entryPoint. | true |
+| entrypoints._name_.proxyprotocol | Proxy-Protocol configuration. | false |
+| entrypoints._name_.proxyprotocol.insecure | Trust all. | false |
+| entrypoints._name_.proxyprotocol.trustedips | Trust only selected IPs. | |
+| entrypoints._name_.reuseport | Enables EntryPoints from the same or different processes listening on the same TCP/UDP port. | false |
+| entrypoints._name_.transport.keepalivemaxrequests | Maximum number of requests before closing a keep-alive connection. | 0 |
+| entrypoints._name_.transport.keepalivemaxtime | Maximum duration before closing a keep-alive connection. | 0 |
+| entrypoints._name_.transport.lifecycle.gracetimeout | Duration to give active requests a chance to finish before Traefik stops. | 10 |
+| entrypoints._name_.transport.lifecycle.requestacceptgracetimeout | Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. | 0 |
+| entrypoints._name_.transport.respondingtimeouts.idletimeout | IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. | 180 |
+| entrypoints._name_.transport.respondingtimeouts.readtimeout | ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. | 60 |
+| entrypoints._name_.transport.respondingtimeouts.writetimeout | WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. | 0 |
+| entrypoints._name_.udp.timeout | Timeout defines how long to wait on an idle session before releasing the related resources. | 3 |
+| experimental.abortonpluginfailure | Defines whether all plugins must be loaded successfully for Traefik to start. | false |
+| experimental.fastproxy | Enables the FastProxy implementation. | false |
+| experimental.fastproxy.debug | Enable debug mode for the FastProxy implementation. | false |
+| experimental.kubernetesgateway | (Deprecated) Allow the Kubernetes gateway api provider usage. | false |
+| experimental.kubernetesingressnginx | Allow the Kubernetes Ingress NGINX provider usage. | false |
+| experimental.localplugins._name_ | Local plugins configuration. | false |
+| experimental.localplugins._name_.modulename | Plugin's module name. | |
+| experimental.localplugins._name_.settings | Plugin's settings (works only for wasm plugins). | |
+| experimental.localplugins._name_.settings.envs | Environment variables to forward to the wasm guest. | |
+| experimental.localplugins._name_.settings.mounts | Directory to mount to the wasm guest. | |
+| experimental.localplugins._name_.settings.useunsafe | Allow the plugin to use unsafe package. | false |
+| experimental.otlplogs | Enables the OpenTelemetry logs integration. | false |
+| experimental.plugins._name_.modulename | plugin's module name. | |
+| experimental.plugins._name_.settings | Plugin's settings (works only for wasm plugins). | |
+| experimental.plugins._name_.settings.envs | Environment variables to forward to the wasm guest. | |
+| experimental.plugins._name_.settings.mounts | Directory to mount to the wasm guest. | |
+| experimental.plugins._name_.settings.useunsafe | Allow the plugin to use unsafe package. | false |
+| experimental.plugins._name_.version | plugin's version. | |
+| global.checknewversion | Periodically check if a new version has been released. | true |
+| global.sendanonymoususage | Periodically send anonymous usage statistics. If the option is not specified, it will be disabled by default. | false |
+| hostresolver | Enable CNAME Flattening. | false |
+| hostresolver.cnameflattening | A flag to enable/disable CNAME flattening | false |
+| hostresolver.resolvconfig | resolv.conf used for DNS resolving | /etc/resolv.conf |
+| hostresolver.resolvdepth | The maximal depth of DNS recursive resolving | 5 |
+| log | Traefik log settings. | false |
+| log.compress | Determines if the rotated log files should be compressed using gzip. | false |
+| log.filepath | Traefik log file path. Stdout is used when omitted or empty. | |
+| log.format | Traefik log format: json | common | common |
+| log.level | Log level set to traefik logs. | ERROR |
+| log.maxage | Maximum number of days to retain old log files based on the timestamp encoded in their filename. | 0 |
+| log.maxbackups | Maximum number of old log files to retain. | 0 |
+| log.maxsize | Maximum size in megabytes of the log file before it gets rotated. | 0 |
+| log.nocolor | When using the 'common' format, disables the colorized output. | false |
+| log.otlp | Settings for OpenTelemetry. | false |
+| log.otlp.grpc | gRPC configuration for the OpenTelemetry collector. | false |
+| log.otlp.grpc.endpoint | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
+| log.otlp.grpc.headers._name_ | Headers sent with payload. | |
+| log.otlp.grpc.insecure | Disables client transport security for the exporter. | false |
+| log.otlp.grpc.tls.ca | TLS CA | |
+| log.otlp.grpc.tls.cert | TLS cert | |
+| log.otlp.grpc.tls.insecureskipverify | TLS insecure skip verify | false |
+| log.otlp.grpc.tls.key | TLS key | |
+| log.otlp.http | HTTP configuration for the OpenTelemetry collector. | false |
+| log.otlp.http.endpoint | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
+| log.otlp.http.headers._name_ | Headers sent with payload. | |
+| log.otlp.http.tls.ca | TLS CA | |
+| log.otlp.http.tls.cert | TLS cert | |
+| log.otlp.http.tls.insecureskipverify | TLS insecure skip verify | false |
+| log.otlp.http.tls.key | TLS key | |
+| log.otlp.resourceattributes._name_ | Defines additional resource attributes (key:value). | |
+| log.otlp.servicename | Defines the service name resource attribute. | traefik |
+| metrics.addinternals | Enables metrics for internal services (ping, dashboard, etc...). | false |
+| metrics.datadog | Datadog metrics exporter type. | false |
+| metrics.datadog.addentrypointslabels | Enable metrics on entry points. | true |
+| metrics.datadog.address | Datadog's address. | localhost:8125 |
+| metrics.datadog.addrouterslabels | Enable metrics on routers. | false |
+| metrics.datadog.addserviceslabels | Enable metrics on services. | true |
+| metrics.datadog.prefix | Prefix to use for metrics collection. | traefik |
+| metrics.datadog.pushinterval | Datadog push interval. | 10 |
+| metrics.influxdb2 | InfluxDB v2 metrics exporter type. | false |
+| metrics.influxdb2.addentrypointslabels | Enable metrics on entry points. | true |
+| metrics.influxdb2.additionallabels._name_ | Additional labels (influxdb tags) on all metrics | |
+| metrics.influxdb2.address | InfluxDB v2 address. | http://localhost:8086 |
+| metrics.influxdb2.addrouterslabels | Enable metrics on routers. | false |
+| metrics.influxdb2.addserviceslabels | Enable metrics on services. | true |
+| metrics.influxdb2.bucket | InfluxDB v2 bucket ID. | |
+| metrics.influxdb2.org | InfluxDB v2 org ID. | |
+| metrics.influxdb2.pushinterval | InfluxDB v2 push interval. | 10 |
+| metrics.influxdb2.token | InfluxDB v2 access token. | |
+| metrics.otlp | OpenTelemetry metrics exporter type. | false |
+| metrics.otlp.addentrypointslabels | Enable metrics on entry points. | true |
+| metrics.otlp.addrouterslabels | Enable metrics on routers. | false |
+| metrics.otlp.addserviceslabels | Enable metrics on services. | true |
+| metrics.otlp.explicitboundaries | Boundaries for latency metrics. | 0.005000, 0.010000, 0.025000, 0.050000, 0.075000, 0.100000, 0.250000, 0.500000, 0.750000, 1.000000, 2.500000, 5.000000, 7.500000, 10.000000 |
+| metrics.otlp.grpc | gRPC configuration for the OpenTelemetry collector. | false |
+| metrics.otlp.grpc.endpoint | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
+| metrics.otlp.grpc.headers._name_ | Headers sent with payload. | |
+| metrics.otlp.grpc.insecure | Disables client transport security for the exporter. | false |
+| metrics.otlp.grpc.tls.ca | TLS CA | |
+| metrics.otlp.grpc.tls.cert | TLS cert | |
+| metrics.otlp.grpc.tls.insecureskipverify | TLS insecure skip verify | false |
+| metrics.otlp.grpc.tls.key | TLS key | |
+| metrics.otlp.http | HTTP configuration for the OpenTelemetry collector. | false |
+| metrics.otlp.http.endpoint | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
+| metrics.otlp.http.headers._name_ | Headers sent with payload. | |
+| metrics.otlp.http.tls.ca | TLS CA | |
+| metrics.otlp.http.tls.cert | TLS cert | |
+| metrics.otlp.http.tls.insecureskipverify | TLS insecure skip verify | false |
+| metrics.otlp.http.tls.key | TLS key | |
+| metrics.otlp.pushinterval | Period between calls to collect a checkpoint. | 10 |
+| metrics.otlp.resourceattributes._name_ | Defines additional resource attributes (key:value). | |
+| metrics.otlp.servicename | Defines the service name resource attribute. | traefik |
+| metrics.prometheus | Prometheus metrics exporter type. | false |
+| metrics.prometheus.addentrypointslabels | Enable metrics on entry points. | true |
+| metrics.prometheus.addrouterslabels | Enable metrics on routers. | false |
+| metrics.prometheus.addserviceslabels | Enable metrics on services. | true |
+| metrics.prometheus.buckets | Buckets for latency metrics. | 0.100000, 0.300000, 1.200000, 5.000000 |
+| metrics.prometheus.entrypoint | EntryPoint | traefik |
+| metrics.prometheus.headerlabels._name_ | Defines the extra labels for the requests_total metrics, and for each of them, the request header containing the value for this label. | |
+| metrics.prometheus.manualrouting | Manual routing | false |
+| metrics.statsd | StatsD metrics exporter type. | false |
+| metrics.statsd.addentrypointslabels | Enable metrics on entry points. | true |
+| metrics.statsd.address | StatsD address. | localhost:8125 |
+| metrics.statsd.addrouterslabels | Enable metrics on routers. | false |
+| metrics.statsd.addserviceslabels | Enable metrics on services. | true |
+| metrics.statsd.prefix | Prefix to use for metrics collection. | traefik |
+| metrics.statsd.pushinterval | StatsD push interval. | 10 |
+| ocsp | OCSP configuration. | false |
+| ocsp.responderoverrides._name_ | Defines a map of OCSP responders to replace for querying OCSP servers. | |
+| ping | Enable ping. | false |
+| ping.entrypoint | EntryPoint | traefik |
+| ping.manualrouting | Manual routing | false |
+| ping.terminatingstatuscode | Terminating status code | 503 |
+| providers.consul | Enable Consul backend with default settings. | false |
+| providers.consul.endpoints | KV store endpoints. | 127.0.0.1:8500 |
+| providers.consul.namespaces | Sets the namespaces used to discover the configuration (Consul Enterprise only). | |
+| providers.consul.rootkey | Root key used for KV store. | traefik |
+| providers.consul.tls.ca | TLS CA | |
+| providers.consul.tls.cert | TLS cert | |
+| providers.consul.tls.insecureskipverify | TLS insecure skip verify | false |
+| providers.consul.tls.key | TLS key | |
+| providers.consul.token | Per-request ACL token. | |
+| providers.consulcatalog | Enable ConsulCatalog backend with default settings. | false |
+| providers.consulcatalog.cache | Use local agent caching for catalog reads. | false |
+| providers.consulcatalog.connectaware | Enable Consul Connect support. | false |
+| providers.consulcatalog.connectbydefault | Consider every service as Connect capable by default. | false |
+| providers.consulcatalog.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
+| providers.consulcatalog.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
+| providers.consulcatalog.endpoint.address | The address of the Consul server | |
+| providers.consulcatalog.endpoint.datacenter | Data center to use. If not provided, the default agent data center is used | |
+| providers.consulcatalog.endpoint.endpointwaittime | WaitTime limits how long a Watch will block. If not provided, the agent default values will be used | 0 |
+| providers.consulcatalog.endpoint.httpauth.password | Basic Auth password | |
+| providers.consulcatalog.endpoint.httpauth.username | Basic Auth username | |
+| providers.consulcatalog.endpoint.scheme | The URI scheme for the Consul server | |
+| providers.consulcatalog.endpoint.tls.ca | TLS CA | |
+| providers.consulcatalog.endpoint.tls.cert | TLS cert | |
+| providers.consulcatalog.endpoint.tls.insecureskipverify | TLS insecure skip verify | false |
+| providers.consulcatalog.endpoint.tls.key | TLS key | |
+| providers.consulcatalog.endpoint.token | Token is used to provide a per-request ACL token which overrides the agent's default token | |
+| providers.consulcatalog.exposedbydefault | Expose containers by default. | true |
+| providers.consulcatalog.namespaces | Sets the namespaces used to discover services (Consul Enterprise only). | |
+| providers.consulcatalog.prefix | Prefix for consul service tags. | traefik |
+| providers.consulcatalog.refreshinterval | Interval for check Consul API. | 15 |
+| providers.consulcatalog.requireconsistent | Forces the read to be fully consistent. | false |
+| providers.consulcatalog.servicename | Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually). | traefik |
+| providers.consulcatalog.stale | Use stale consistency for catalog reads. | false |
+| providers.consulcatalog.strictchecks | A list of service health statuses to allow taking traffic. | passing, warning |
+| providers.consulcatalog.watch | Watch Consul API events. | false |
+| providers.docker | Enable Docker backend with default settings. | false |
+| providers.docker.allowemptyservices | Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. | false |
+| providers.docker.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
+| providers.docker.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
+| providers.docker.endpoint | Docker server endpoint. Can be a TCP or a Unix socket endpoint. | unix:///var/run/docker.sock |
+| providers.docker.exposedbydefault | Expose containers by default. | true |
+| providers.docker.httpclienttimeout | Client timeout for HTTP connections. | 0 |
+| providers.docker.network | Default Docker network used. | |
+| providers.docker.password | Password for Basic HTTP authentication. | |
+| providers.docker.tls.ca | TLS CA | |
+| providers.docker.tls.cert | TLS cert | |
+| providers.docker.tls.insecureskipverify | TLS insecure skip verify | false |
+| providers.docker.tls.key | TLS key | |
+| providers.docker.usebindportip | Use the ip address from the bound port, rather than from the inner network. | false |
+| providers.docker.username | Username for Basic HTTP authentication. | |
+| providers.docker.watch | Watch Docker events. | true |
+| providers.ecs | Enable AWS ECS backend with default settings. | false |
+| providers.ecs.accesskeyid | AWS credentials access key ID to use for making requests. | |
+| providers.ecs.autodiscoverclusters | Auto discover cluster. | false |
+| providers.ecs.clusters | ECS Cluster names. | default |
+| providers.ecs.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
+| providers.ecs.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
+| providers.ecs.ecsanywhere | Enable ECS Anywhere support. | false |
+| providers.ecs.exposedbydefault | Expose services by default. | true |
+| providers.ecs.healthytasksonly | Determines whether to discover only healthy tasks. | false |
+| providers.ecs.refreshseconds | Polling interval (in seconds). | 15 |
+| providers.ecs.region | AWS region to use for requests. | |
+| providers.ecs.secretaccesskey | AWS credentials access key to use for making requests. | |
+| providers.etcd | Enable Etcd backend with default settings. | false |
+| providers.etcd.endpoints | KV store endpoints. | 127.0.0.1:2379 |
+| providers.etcd.password | Password for authentication. | |
+| providers.etcd.rootkey | Root key used for KV store. | traefik |
+| providers.etcd.tls.ca | TLS CA | |
+| providers.etcd.tls.cert | TLS cert | |
+| providers.etcd.tls.insecureskipverify | TLS insecure skip verify | false |
+| providers.etcd.tls.key | TLS key | |
+| providers.etcd.username | Username for authentication. | |
+| providers.file.debugloggeneratedtemplate | Enable debug logging of generated configuration template. | false |
+| providers.file.directory | Load dynamic configuration from one or more .yml or .toml files in a directory. | |
+| providers.file.filename | Load dynamic configuration from a file. | |
+| providers.file.watch | Watch provider. | true |
+| providers.http | Enable HTTP backend with default settings. | false |
+| providers.http.endpoint | Load configuration from this endpoint. | |
+| providers.http.headers._name_ | Define custom headers to be sent to the endpoint. | |
+| providers.http.pollinterval | Polling interval for endpoint. | 5 |
+| providers.http.polltimeout | Polling timeout for endpoint. | 5 |
+| providers.http.tls.ca | TLS CA | |
+| providers.http.tls.cert | TLS cert | |
+| providers.http.tls.insecureskipverify | TLS insecure skip verify | false |
+| providers.http.tls.key | TLS key | |
+| providers.kubernetescrd | Enable Kubernetes backend with default settings. | false |
+| providers.kubernetescrd.allowcrossnamespace | Allow cross namespace resource reference. | false |
+| providers.kubernetescrd.allowemptyservices | Allow the creation of services without endpoints. | false |
+| providers.kubernetescrd.allowexternalnameservices | Allow ExternalName services. | false |
+| providers.kubernetescrd.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
+| providers.kubernetescrd.disableclusterscoperesources | Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). | false |
+| providers.kubernetescrd.endpoint | Kubernetes server endpoint (required for external cluster client). | |
+| providers.kubernetescrd.ingressclass | Value of kubernetes.io/ingress.class annotation to watch for. | |
+| providers.kubernetescrd.labelselector | Kubernetes label selector to use. | |
+| providers.kubernetescrd.namespaces | Kubernetes namespaces. | |
+| providers.kubernetescrd.nativelbbydefault | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
+| providers.kubernetescrd.throttleduration | Ingress refresh throttle duration | 0 |
+| providers.kubernetescrd.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
+| providers.kubernetesgateway | Enable Kubernetes gateway api provider with default settings. | false |
+| providers.kubernetesgateway.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
+| providers.kubernetesgateway.endpoint | Kubernetes server endpoint (required for external cluster client). | |
+| providers.kubernetesgateway.experimentalchannel | Toggles Experimental Channel resources support (TCPRoute, TLSRoute...). | false |
+| providers.kubernetesgateway.labelselector | Kubernetes label selector to select specific GatewayClasses. | |
+| providers.kubernetesgateway.namespaces | Kubernetes namespaces. | |
+| providers.kubernetesgateway.nativelbbydefault | Defines whether to use Native Kubernetes load-balancing by default. | false |
+| providers.kubernetesgateway.statusaddress.hostname | Hostname used for Kubernetes Gateway status address. | |
+| providers.kubernetesgateway.statusaddress.ip | IP used to set Kubernetes Gateway status address. | |
+| providers.kubernetesgateway.statusaddress.service | Published Kubernetes Service to copy status addresses from. | |
+| providers.kubernetesgateway.statusaddress.service.name | Name of the Kubernetes service. | |
+| providers.kubernetesgateway.statusaddress.service.namespace | Namespace of the Kubernetes service. | |
+| providers.kubernetesgateway.throttleduration | Kubernetes refresh throttle duration | 0 |
+| providers.kubernetesgateway.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
+| providers.kubernetesingress | Enable Kubernetes backend with default settings. | false |
+| providers.kubernetesingress.allowemptyservices | Allow creation of services without endpoints. | false |
+| providers.kubernetesingress.allowexternalnameservices | Allow ExternalName services. | false |
+| providers.kubernetesingress.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
+| providers.kubernetesingress.disableclusterscoperesources | Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). | false |
+| providers.kubernetesingress.disableingressclasslookup | Disables the lookup of IngressClasses (Deprecated, please use DisableClusterScopeResources). | false |
+| providers.kubernetesingress.endpoint | Kubernetes server endpoint (required for external cluster client). | |
+| providers.kubernetesingress.ingressclass | Value of kubernetes.io/ingress.class annotation or IngressClass name to watch for. | |
+| providers.kubernetesingress.ingressendpoint.hostname | Hostname used for Kubernetes Ingress endpoints. | |
+| providers.kubernetesingress.ingressendpoint.ip | IP used for Kubernetes Ingress endpoints. | |
+| providers.kubernetesingress.ingressendpoint.publishedservice | Published Kubernetes Service to copy status from. | |
+| providers.kubernetesingress.labelselector | Kubernetes Ingress label selector to use. | |
+| providers.kubernetesingress.namespaces | Kubernetes namespaces. | |
+| providers.kubernetesingress.nativelbbydefault | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
+| providers.kubernetesingress.strictprefixmatching | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). | false |
+| providers.kubernetesingress.throttleduration | Ingress refresh throttle duration | 0 |
+| providers.kubernetesingress.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
+| providers.kubernetesingressnginx | Enable Kubernetes Ingress NGINX provider. | false |
+| providers.kubernetesingressnginx.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
+| providers.kubernetesingressnginx.controllerclass | Ingress Class Controller value this controller satisfies. | k8s.io/ingress-nginx |
+| providers.kubernetesingressnginx.defaultbackendservice | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. | |
+| providers.kubernetesingressnginx.disablesvcexternalname | Disable support for Services of type ExternalName. | false |
+| providers.kubernetesingressnginx.endpoint | Kubernetes server endpoint (required for external cluster client). | |
+| providers.kubernetesingressnginx.ingressclass | Name of the ingress class this controller satisfies. | nginx |
+| providers.kubernetesingressnginx.ingressclassbyname | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. | false |
+| providers.kubernetesingressnginx.publishservice | Service fronting the Ingress controller. Takes the form 'namespace/name'. | |
+| providers.kubernetesingressnginx.publishstatusaddress | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. | |
+| providers.kubernetesingressnginx.throttleduration | Ingress refresh throttle duration. | 0 |
+| providers.kubernetesingressnginx.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
+| providers.kubernetesingressnginx.watchingresswithoutclass | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. | false |
+| providers.kubernetesingressnginx.watchnamespace | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty. | |
+| providers.kubernetesingressnginx.watchnamespaceselector | Selector selects namespaces the controller watches for updates to Kubernetes objects. | |
+| providers.nomad | Enable Nomad backend with default settings. | false |
+| providers.nomad.allowemptyservices | Allow the creation of services without endpoints. | false |
+| providers.nomad.constraints | Constraints is an expression that Traefik matches against the Nomad service's tags to determine whether to create route(s) for that service. | |
+| providers.nomad.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
+| providers.nomad.endpoint.address | The address of the Nomad server, including scheme and port. | http://127.0.0.1:4646 |
+| providers.nomad.endpoint.endpointwaittime | WaitTime limits how long a Watch will block. If not provided, the agent default values will be used | 0 |
+| providers.nomad.endpoint.region | Nomad region to use. If not provided, the local agent region is used. | |
+| providers.nomad.endpoint.tls.ca | TLS CA | |
+| providers.nomad.endpoint.tls.cert | TLS cert | |
+| providers.nomad.endpoint.tls.insecureskipverify | TLS insecure skip verify | false |
+| providers.nomad.endpoint.tls.key | TLS key | |
+| providers.nomad.endpoint.token | Token is used to provide a per-request ACL token. | |
+| providers.nomad.exposedbydefault | Expose Nomad services by default. | true |
+| providers.nomad.namespaces | Sets the Nomad namespaces used to discover services. | |
+| providers.nomad.prefix | Prefix for nomad service tags. | traefik |
+| providers.nomad.refreshinterval | Interval for polling Nomad API. | 15 |
+| providers.nomad.stale | Use stale consistency for catalog reads. | false |
+| providers.nomad.throttleduration | Watch throttle duration. | 0 |
+| providers.nomad.watch | Watch Nomad Service events. | false |
+| providers.plugin._name_ | Plugins configuration. | |
+| providers.providersthrottleduration | Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. | 2 |
+| providers.redis | Enable Redis backend with default settings. | false |
+| providers.redis.db | Database to be selected after connecting to the server. | 0 |
+| providers.redis.endpoints | KV store endpoints. | 127.0.0.1:6379 |
+| providers.redis.password | Password for authentication. | |
+| providers.redis.rootkey | Root key used for KV store. | traefik |
+| providers.redis.sentinel.latencystrategy | Defines whether to route commands to the closest master or replica nodes (mutually exclusive with RandomStrategy and ReplicaStrategy). | false |
+| providers.redis.sentinel.mastername | Name of the master. | |
+| providers.redis.sentinel.password | Password for Sentinel authentication. | |
+| providers.redis.sentinel.randomstrategy | Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). | false |
+| providers.redis.sentinel.replicastrategy | Defines whether to route all commands to replica nodes (mutually exclusive with LatencyStrategy and RandomStrategy). | false |
+| providers.redis.sentinel.usedisconnectedreplicas | Use replicas disconnected with master when cannot get connected replicas. | false |
+| providers.redis.sentinel.username | Username for Sentinel authentication. | |
+| providers.redis.tls.ca | TLS CA | |
+| providers.redis.tls.cert | TLS cert | |
+| providers.redis.tls.insecureskipverify | TLS insecure skip verify | false |
+| providers.redis.tls.key | TLS key | |
+| providers.redis.username | Username for authentication. | |
+| providers.rest | Enable Rest backend with default settings. | false |
+| providers.rest.insecure | Activate REST Provider directly on the entryPoint named traefik. | false |
+| providers.swarm | Enable Docker Swarm backend with default settings. | false |
+| providers.swarm.allowemptyservices | Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. | false |
+| providers.swarm.constraints | Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container. | |
+| providers.swarm.defaultrule | Default rule. | Host(`{{ normalize .Name }}`) |
+| providers.swarm.endpoint | Docker server endpoint. Can be a TCP or a Unix socket endpoint. | unix:///var/run/docker.sock |
+| providers.swarm.exposedbydefault | Expose containers by default. | true |
+| providers.swarm.httpclienttimeout | Client timeout for HTTP connections. | 0 |
+| providers.swarm.network | Default Docker network used. | |
+| providers.swarm.password | Password for Basic HTTP authentication. | |
+| providers.swarm.refreshseconds | Polling interval for swarm mode. | 15 |
+| providers.swarm.tls.ca | TLS CA | |
+| providers.swarm.tls.cert | TLS cert | |
+| providers.swarm.tls.insecureskipverify | TLS insecure skip verify | false |
+| providers.swarm.tls.key | TLS key | |
+| providers.swarm.usebindportip | Use the ip address from the bound port, rather than from the inner network. | false |
+| providers.swarm.username | Username for Basic HTTP authentication. | |
+| providers.swarm.watch | Watch Docker events. | true |
+| providers.zookeeper | Enable ZooKeeper backend with default settings. | false |
+| providers.zookeeper.endpoints | KV store endpoints. | 127.0.0.1:2181 |
+| providers.zookeeper.password | Password for authentication. | |
+| providers.zookeeper.rootkey | Root key used for KV store. | traefik |
+| providers.zookeeper.username | Username for authentication. | |
+| serverstransport.forwardingtimeouts.dialtimeout | The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. | 30 |
+| serverstransport.forwardingtimeouts.idleconntimeout | The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself | 90 |
+| serverstransport.forwardingtimeouts.responseheadertimeout | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. | 0 |
+| serverstransport.insecureskipverify | Disable SSL certificate verification. | false |
+| serverstransport.maxidleconnsperhost | If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used | 200 |
+| serverstransport.rootcas | Add cert file for self-signed certificate. | |
+| serverstransport.spiffe | Defines the SPIFFE configuration. | false |
+| serverstransport.spiffe.ids | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). | |
+| serverstransport.spiffe.trustdomain | Defines the allowed SPIFFE trust domain. | |
+| spiffe.workloadapiaddr | Defines the workload API address. | |
+| tcpserverstransport.dialkeepalive | Defines the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled | 15 |
+| tcpserverstransport.dialtimeout | Defines the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. | 30 |
+| tcpserverstransport.terminationdelay | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. | 0 |
+| tcpserverstransport.tls | Defines the TLS configuration. | false |
+| tcpserverstransport.tls.insecureskipverify | Disables SSL certificate verification. | false |
+| tcpserverstransport.tls.rootcas | Defines a list of CA secret used to validate self-signed certificate | |
+| tcpserverstransport.tls.spiffe | Defines the SPIFFE TLS configuration. | false |
+| tcpserverstransport.tls.spiffe.ids | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). | |
+| tcpserverstransport.tls.spiffe.trustdomain | Defines the allowed SPIFFE trust domain. | |
+| tracing | Tracing configuration. | false |
+| tracing.addinternals | Enables tracing for internal services (ping, dashboard, etc...). | false |
+| tracing.capturedrequestheaders | Request headers to add as attributes for server and client spans. | |
+| tracing.capturedresponseheaders | Response headers to add as attributes for server and client spans. | |
+| tracing.globalattributes._name_ | (Deprecated) Defines additional resource attributes (key:value). | |
+| tracing.otlp | Settings for OpenTelemetry. | false |
+| tracing.otlp.grpc | gRPC configuration for the OpenTelemetry collector. | false |
+| tracing.otlp.grpc.endpoint | Sets the gRPC endpoint (host:port) of the collector. | localhost:4317 |
+| tracing.otlp.grpc.headers._name_ | Headers sent with payload. | |
+| tracing.otlp.grpc.insecure | Disables client transport security for the exporter. | false |
+| tracing.otlp.grpc.tls.ca | TLS CA | |
+| tracing.otlp.grpc.tls.cert | TLS cert | |
+| tracing.otlp.grpc.tls.insecureskipverify | TLS insecure skip verify | false |
+| tracing.otlp.grpc.tls.key | TLS key | |
+| tracing.otlp.http | HTTP configuration for the OpenTelemetry collector. | false |
+| tracing.otlp.http.endpoint | Sets the HTTP endpoint (scheme://host:port/path) of the collector. | https://localhost:4318 |
+| tracing.otlp.http.headers._name_ | Headers sent with payload. | |
+| tracing.otlp.http.tls.ca | TLS CA | |
+| tracing.otlp.http.tls.cert | TLS cert | |
+| tracing.otlp.http.tls.insecureskipverify | TLS insecure skip verify | false |
+| tracing.otlp.http.tls.key | TLS key | |
+| tracing.resourceattributes._name_ | Defines additional resource attributes (key:value). | |
+| tracing.safequeryparams | Query params to not redact. | |
+| tracing.samplerate | Sets the rate between 0.0 and 1.0 of requests to trace. | 1.000000 |
+| tracing.servicename | Defines the service name resource attribute. | traefik |

docs/content/reference/install-configuration/entrypoints.md

@@ -100,7 +100,7 @@ additionalArguments:
 | `http.tls.options`                                              | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption).                                                                                                                                                                                                                                                                                                                                                                                                                                                   | -                       | No       |
 | `http.tls.certResolver`                                         | Apply a certificate resolver on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../install-configuration/tls/certificate-resolvers/overview.md).                                                                                                                                                                                                                                                                                                                                                                                                                                  | -                       | No       |
 | `http2.maxConcurrentStreams`                                    | Set the number of concurrent streams per connection that each client is allowed to initiate. <br /> The value must be greater than zero.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 250                     | No       |
-| `http3`                                                         | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3.                                                                                                                                                                                                                                                                                                                                                                                          | -                       | No       |
+| `http3`                                                         | Enable HTTP/3 protocol on the `entryPoint`. <br /> HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic.<br /> More information [here](#http3).                                                                                                                                                                                                                                                                                                                                                                                          | -                       | No       |
 | `http3.advertisedPort`                                          | Set the UDP port to advertise as the HTTP/3 authority. <br /> It defaults to the entryPoint's address port. <br /> It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening.                                                                                                                                                                                                                                                                                                                                                                                                            | -                       | No       |
 | `observability.accessLogs`                                      | Defines whether a router attached to this EntryPoint produces access-logs by default. Nonetheless, a router defining its own observability configuration will opt-out from this default.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | true                    | No       |
 | `observability.metrics`                                         | Defines whether a router attached to this EntryPoint produces metrics by default. Nonetheless, a router defining its own observability configuration will opt-out from this default.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | true                    | No       |

docs/content/reference/install-configuration/observability/healthcheck/cli.md

@@ -0,0 +1,28 @@
+---
+title: "Traefik Health Check CLI Command Documentation"
+description: "In Traefik Proxy, the healthcheck CLI command lets you check the health of your Traefik instances. Read the technical documentation for configuration examples and options."
+---
+
+# Healthcheck Command
+
+Checking the Health of your Traefik Instances.
+{: .subtitle }
+
+## Usage
+
+The healthcheck command allows you to make a request to the `/ping` endpoint (defined in the install (static) configuration) to check the health of Traefik. Its exit status is `0` if Traefik is healthy and `1` otherwise.
+
+This can be used with [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism.
+
+```sh
+traefik healthcheck [command] [flags] [arguments]
+```
+
+Example:
+
+```sh
+$ traefik healthcheck
+OK: http://:8082/ping
+```
+
+The command uses the [ping](./ping.md) endpoint that is defined in the Traefik install (static) configuration.

docs/content/reference/install-configuration/observability/healthcheck/ping.md

@@ -0,0 +1,66 @@
+---
+title: "Traefik Ping Option Documentation"
+description: "In Traefik Proxy, the option Ping lets you check the health of your Traefik instances. Read the technical documentation for configuration examples and options."
+---
+
+# Ping 
+
+Checking the Health of your Traefik Instances
+{: .subtitle }
+
+The `ping` options allows you to enable the ping endpoint to check Traefik liveness.
+
+The ping endpoint is reachable using the path `/ping` and the methods `GET`and `HEAD`.
+
+If the Traefik instance is alive, it returns the `200` HTTP code with the content: `OK`.
+
+## Configuration Example
+
+To enable the API handler:
+
+```yaml tab="File (YAML)"
+ping: {}
+```
+
+```toml tab="File (TOML)"
+[ping]
+```
+
+```bash tab="CLI"
+--ping=true
+```
+
+## Configuration Options
+
+The `ping` option is defined in the install (static) configuration.
+You can define it using the same [configuration methods](../../boot-environment.md#configuration-methods) as Traefik.
+
+| Field | Description                                               | Default              | Required |
+|:------|:----------------------------------------------------------|:---------------------|:---------|
+| `ping.entryPoint` | Enables `/ping` on a dedicated EntryPoint. | traefik  | No   |
+| `ping.manualRouting` | Disables the default internal router in order to allow one to create a custom router for the `ping@internal` service when set to `true`. | false | No   |
+| `ping.terminatingStatusCode` | Defines the status code for the ping handler during a graceful shut down. See more information [here](#terminatingstatuscode) | 503 | No   |
+
+### `terminatingStatusCode`
+
+During the period in which Traefik is gracefully shutting down, the ping handler
+returns a `503` status code by default.  
+If Traefik is behind, for example a load-balancer
+doing health checks (such as the Kubernetes LivenessProbe), another code might
+be expected as the signal for graceful termination.  
+In that case, the terminatingStatusCode can be used to set the code returned by the ping
+handler during termination.
+
+```yaml tab="File (YAML)"
+ping:
+  terminatingStatusCode: 204
+```
+
+```toml tab="File (TOML)"
+[ping]
+  terminatingStatusCode = 204
+```
+
+```bash tab="CLI"
+--ping.terminatingStatusCode=204
+```

docs/content/reference/install-configuration/observability/logs-and-accesslogs.md

@@ -195,7 +195,7 @@ The section below describes how to configure Traefik access logs using the stati
 | Field      | Description    | Default | Required |
 |:-----------|:--------------------------|:--------|:---------|
 | `accesslog.filePath` | By default, the access logs are written to the standard output.<br />You can configure a file path instead using the `filePath` option.|  | No      |
-| `accesslog.format` | By default, logs are written using the Common Log Format (CLF).<br />To write logs in JSON, use `json` in the `format` option.<br />If the given format is unsupported, the default (CLF) is used instead.<br />More information about CLF fields [here](#clf-format-fields). | "common" | No      |
+| `accesslog.format` | By default, logs are written using the Traefik Common Log Format (CLF).<br />Available formats: `common` (Traefik's extended CLF), `genericCLF` (standard CLF compatible with analyzers), or `json`.<br />If the given format is unsupported, the default (`common`) is used instead.<br />More information about CLF fields [here](#clf-format-fields). | "common" | No      |
 | `accesslog.bufferingSize` | To write the logs in an asynchronous fashion, specify a  `bufferingSize` option.<br />This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.<br />In some cases, this option can greatly help performances.| 0 | No      |
 | `accesslog.addInternals` | Enables access logs for internal resources (e.g.: `ping@internal`). | false  | No      |
 | `accesslog.filters.statusCodes` | Limit the access logs to requests with a status codes in the specified range. | [ ]      | No      |
@@ -203,8 +203,8 @@ The section below describes how to configure Traefik access logs using the stati
 | `accesslog.filters.minDuration` | Keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)).  |  0   | No      |
 | `accesslog.fields.defaultMode` | Mode to apply by default to the access logs fields (`keep`, `redact` or `drop`). | keep | No      |
 | `accesslog.fields.names` | Set the fields list to display in the access logs (format `name:mode`).<br /> Available fields list [here](#available-fields). |  [ ]    | No      |
-| `accesslog.headers.defaultMode` | Mode to apply by default to the access logs headers (`keep`, `redact` or `drop`).  | drop | No      |
-| `accesslog.headers.names` | Set the headers list to display in the access logs (format `name:mode`). |   [ ]   | No      |
+| `accesslog.fields.headers.defaultMode` | Mode to apply by default to the access logs headers (`keep`, `redact` or `drop`).  | drop | No      |
+| `accesslog.fields.headers.names` | Set the headers list to display in the access logs (format `name:mode`). |   [ ]   | No      |
 
 ### OpenTelemetry
 

docs/content/reference/install-configuration/providers/swarm.md

@@ -97,7 +97,7 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
     ```
 
     ```bash tab="CLI"
-    --providers.docker.endpoint=unix:///var/run/docker.sock
+    --providers.swarm.endpoint=unix:///var/run/docker.sock
     # ...
     ```
 

docs/content/reference/install-configuration/tls/ocsp.md

@@ -28,7 +28,7 @@ The OCSP response is cached in memory and is not persisted between Traefik resta
 
 ### General
 
-Enabling OCSP is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+Enabling OCSP is part of the [install configuration](../boot-environment.md).
 It can be defined by using a file (YAML or TOML) or CLI arguments:
 
 ```yaml tab="File (YAML)"
@@ -67,5 +67,5 @@ ocsp:
 
 ```bash tab="CLI"
 ## Static configuration
--ocsp.responderoverrides.foo=bar
+--ocsp.responderoverrides.foo=bar
 ```

docs/content/reference/routing-configuration/http/load-balancing/service.md

@@ -133,6 +133,164 @@ Below are the available options for the health check mechanism:
 | `method`            | Defines the HTTP method that will be used while connecting to the endpoint.                                                   | GET     | No       |
 | `status`            | Defines the expected HTTP status code of the response to the health check request.                                            |         | No       |
 
+#### Sticky sessions
+
+When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.
+On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.
+
+##### Stickiness on multiple levels
+
+    When chaining or mixing load-balancers (e.g. a load-balancer of servers is one of the "children" of a load-balancer of services), for stickiness to work all the way, the option needs to be specified at all required levels. Which means the client needs to send a cookie with as many key/value pairs as there are sticky levels.
+
+##### Stickiness & Unhealthy Servers
+
+    If the server specified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).
+
+##### Cookie Name
+
+    The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
+
+##### MaxAge
+
+    By default, the affinity cookie will never expire as the `MaxAge` option is set to zero.
+
+    This option indicates the number of seconds until the cookie expires.  
+    When set to a negative number, the cookie expires immediately.
+    
+##### Secure & HTTPOnly & SameSite flags
+
+    By default, the affinity cookie is created without those flags.
+    One however can change that through configuration.
+
+    `SameSite` can be `none`, `lax`, `strict` or empty.
+
+##### Domain
+
+    The Domain attribute of a cookie specifies the domain for which the cookie is valid. 
+    
+    By setting the Domain attribute, the cookie can be shared across subdomains (for example, a cookie set for example.com would be accessible to www.example.com, api.example.com, etc.). This is particularly useful in cases where sticky sessions span multiple subdomains, ensuring that the session is maintained even when the client interacts with different parts of the infrastructure.
+
+??? example "Adding Stickiness -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            sticky:
+             cookie: {}
+    ```
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [http.services]
+      [http.services.my-service]
+        [http.services.my-service.loadBalancer.sticky.cookie]
+    ```
+
+??? example "Adding Stickiness with custom Options -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            sticky:
+              cookie:
+                name: my_sticky_cookie_name
+                secure: true
+                domain: mysite.site
+                httpOnly: true
+    ```
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [http.services]
+      [http.services.my-service]
+        [http.services.my-service.loadBalancer.sticky.cookie]
+          name = "my_sticky_cookie_name"
+          secure = true
+          httpOnly = true
+          domain = "mysite.site"
+          sameSite = "none"
+    ```
+
+??? example "Setting Stickiness on all the required levels -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    http:
+      services:
+        wrr1:
+          weighted:
+            sticky:
+              cookie:
+                name: lvl1
+            services:
+              - name: whoami1
+                weight: 1
+              - name: whoami2
+                weight: 1
+
+        whoami1:
+          loadBalancer:
+            sticky:
+              cookie:
+                name: lvl2
+            servers:
+              - url: http://127.0.0.1:8081
+              - url: http://127.0.0.1:8082
+
+        whoami2:
+          loadBalancer:
+            sticky:
+              cookie:
+                name: lvl2
+            servers:
+              - url: http://127.0.0.1:8083
+              - url: http://127.0.0.1:8084
+    ```
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [http.services]
+      [http.services.wrr1]
+        [http.services.wrr1.weighted.sticky.cookie]
+          name = "lvl1"
+        [[http.services.wrr1.weighted.services]]
+          name = "whoami1"
+          weight = 1
+        [[http.services.wrr1.weighted.services]]
+          name = "whoami2"
+          weight = 1
+
+      [http.services.whoami1]
+        [http.services.whoami1.loadBalancer]
+          [http.services.whoami1.loadBalancer.sticky.cookie]
+            name = "lvl2"
+          [[http.services.whoami1.loadBalancer.servers]]
+            url = "http://127.0.0.1:8081"
+          [[http.services.whoami1.loadBalancer.servers]]
+            url = "http://127.0.0.1:8082"
+
+      [http.services.whoami2]
+        [http.services.whoami2.loadBalancer]
+          [http.services.whoami2.loadBalancer.sticky.cookie]
+            name = "lvl2"
+          [[http.services.whoami2.loadBalancer.servers]]
+            url = "http://127.0.0.1:8083"
+          [[http.services.whoami2.loadBalancer.servers]]
+            url = "http://127.0.0.1:8084"
+    ```
+
+    To keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:
+
+    ```
+    curl -b "lvl1=whoami1; lvl2=http://127.0.0.1:8081" http://localhost:8000
+    ```
+
 ## Weighted Round Robin (WRR)
 
 The WRR is able to load balance the requests between multiple services based on weights.
@@ -141,7 +299,7 @@ This strategy is only available to load balance between services and not between
 
 !!! info "Supported Providers"
 
-    This strategy can be defined currently with the [File](../../../install-configuration/providers/others/file.md) or [IngressRoute](../../../install-configuration/providers/kubernetes/kubernetes-ingress.md) providers. To load balance between servers based on weights, the Load Balancer service should be used instead.
+    This strategy can be defined currently with the [File](../../../install-configuration/providers/others/file.md) or [IngressRoute](../../../install-configuration/providers/kubernetes/kubernetes-crd.md) providers. To load balance between servers based on weights, the Load Balancer service should be used instead.
 
 ```yaml tab="Structured (YAML)"
 ## Dynamic configuration
@@ -260,6 +418,37 @@ http:
       [[http.services.appv2.loadBalancer.servers]]
         url = "http://private-ip-server-2/"
 ```
+## P2C
+
+Power of two choices algorithm is a load balancing strategy that selects two servers at random and chooses the one with the least number of active requests.
+
+??? example "P2C Load Balancing -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            strategy: "p2c"
+            servers:
+            - url: "http://private-ip-server-1/"
+            - url: "http://private-ip-server-2/"
+            - url: "http://private-ip-server-3/"
+    ```
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [http.services]
+      [http.services.my-service.loadBalancer]
+        strategy = "p2c"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-1/"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-2/"       
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-3/"
+    ```
 
 ## Mirroring
 
@@ -271,7 +460,7 @@ The mirroring is able to mirror requests sent to a service to other services. Pl
     
 !!! info "Supported Providers"
 
-    This strategy can be defined currently with the [File](../../../install-configuration/providers/others/file.md) or [IngressRoute](../../../install-configuration/providers/kubernetes/kubernetes-ingress.md) providers.
+    This strategy can be defined currently with the [File](../../../install-configuration/providers/others/file.md) or [IngressRoute](../../../install-configuration/providers/kubernetes/kubernetes-crd.md) providers.
     
 ```yaml tab="Structured (YAML)"
 ## Dynamic configuration

docs/content/reference/routing-configuration/http/middlewares/addprefix.md

@@ -3,8 +3,6 @@ title: "Traefik AddPrefix Documentation"
 description: "Learn how to implement the HTTP AddPrefix middleware in Traefik Proxy to updates request paths before being forwarded. Read the technical documentation."
 ---
 
-![AddPrefix](../../../../assets/img/middleware/addprefix.png)
-
 The `addPrefix` middleware updates the path of a request before forwarding it.
 
 ## Configuration Examples

docs/content/reference/routing-configuration/http/middlewares/apikey.md

@@ -0,0 +1,56 @@
+---
+title: 'API Key Authentication'
+description: 'Traefik Hub API Gateway - The API Key authentication middleware allows you to secure an API by requiring a secret key, base64 encoded or not, to be given, via an HTTP header, a cookie or a query parameter.'
+---
+
+!!! info "Traefik Hub Feature"
+    This middleware is available exclusively in [Traefik Hub](https://traefik.io/traefik-hub/). Learn more about [Traefik Hub's advanced features](https://doc.traefik.io/traefik-hub/api-gateway/intro).
+
+The API Key authentication middleware allows you to secure an API by requiring a secret key, base64 encoded or not, to be given, via an HTTP header, a cookie or a query parameter.
+
+---
+
+## Configuration Example
+
+```yaml tab="Middleware API Key"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-apikey
+  namespace: apps
+spec:
+  plugin:
+    apiKey:
+      keySource:
+        headerAuthScheme: Bearer
+        header: Authorization
+      secretNonBase64Encoded: true
+      secretValues:
+        - "urn:k8s:secret:apikey:secret"
+        - "urn:k8s:secret:apikey:othersecret" 
+```
+
+```yaml tab="Values Secret"
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: apikey
+  namespace: whoami
+stringData:
+  secret: $2y$05$D4SPFxzfWKcx1OXfVhRbvOTH/QB0Lm6AXTk8.NOmU4rPLX2t6UUuW # htpasswd -nbB "" foo | cut -c 2-
+  othersecret: $2y$05$HbLL.g5dUqJippH0RuAGL.RaM9wNS2cT7hp6.vbv5okdCmVBSDzzK # htpasswd -nbB "" bar | cut -c 2-
+```
+
+## Configuration Options
+
+| Field                        | Description   | Default | Required |
+|:-----------------------------|:------------------------------------------------|:--------|:---------|
+| `keySource.header`           | Defines the header name containing the secret sent by the client.<br /> Either `keySource.header` or `keySource.query` or `keySource.cookie` must be set.                                                 | ""      | No       |
+| `keySource.headerAuthScheme` | Defines the scheme when using `Authorization` as header name. <br /> Check out the `Authorization` header [documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization#syntax). | ""      | No       |
+| `keySource.query`            | Defines the query parameter name containing the secret sent by the client.<br /> Either `keySource.header` or `keySource.query` or `keySource.cookie` must be set.                                       | ""      | No       |
+| `keySource.cookie`           | Defines the cookie name containing the secret sent by the client.<br /> Either `keySource.header` or `keySource.query` or `keySource.cookie` must be set.                                                | ""      | No       |
+| `secretNonBase64Encoded`     | Defines whether the secret sent by the client is base64 encoded. | false   | No       |
+| `secretValues`               | Contain the hash of the API keys. <br /> Supported hashing algorithms are Bcrypt, SHA1 and MD5. <br /> The hash should be generated using `htpasswd`.<br />Can reference a Kubernetes Secret using the URN format: `urn:k8s:secret:[name]:[valueKey]` | []      | Yes      |
+
+{!traefik-for-business-applications.md!}

docs/content/reference/routing-configuration/http/middlewares/basicauth.md

@@ -3,8 +3,6 @@ title: "Traefik BasicAuth Documentation"
 description: "The HTTP basic authentication (BasicAuth) middleware in Traefik Proxy restricts access to your Services to known users. Read the technical documentation."
 ---
 
-![BasicAuth](../../../../assets/img/middleware/basicauth.png)
-
 The `basicAuth` middleware grants access to services to authorized users only.
 
 ## Configuration Examples

docs/content/reference/routing-configuration/http/middlewares/buffering.md

@@ -3,8 +3,6 @@ title: "Traefik Buffering Documentation"
 description: "The HTTP buffering middleware in Traefik Proxy limits the size of requests that can be forwarded to Services. Read the technical documentation."
 ---
 
-![Buffering](../../../../assets/img/middleware/buffering.png)
-
 The `buffering` middleware limits the size of requests that can be forwarded to services.
 
 With buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified size limit.