Improve the structure of the routing reference pages

Improve Service Reference page
Merge current v2.11 into v3.6
2026-01-16 20:32:51 +03:00 · 2026-01-16 14:48:06 +01:00 · 2026-01-16 11:26:05 +01:00 · 2026-01-16 09:13:54 +01:00 · 2026-01-15 10:00:05 +01:00 · 2026-01-14 18:15:35 +01:00
475 changed files with 12176 additions and 7798 deletions
--- a/.github/workflows/check_doc.yaml
+++ b/.github/workflows/check_doc.yaml
@@ -0,0 +1,63 @@
+name: Check Documentation
+
+on:
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - '.github/workflows/check_doc.yaml'
+      - 'docs/**'
+
+jobs:
+
+  docs:
+    name: lint, build and verify
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Install markdownlint
+        run: |
+          npm install --global markdownlint@0.29.0 markdownlint-cli@0.35.0
+
+      - name: Lint
+        run: ./docs/scripts/lint.sh docs
+
+      - name: Setup python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+          cache-dependency-path: "./docs/requirements.txt"
+
+      - name: Build documentation
+        working-directory: ./docs
+        run: |
+          pip install -r requirements.txt
+          mkdocs build --strict
+
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+
+      - name: Install html-proofer
+        run: |
+          gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
+          gem install html-proofer --version 5.0.10 --no-document -- --use-system-libraries
+        env:
+          NOKOGIRI_USE_SYSTEM_LIBRARIES: "true"
+
+      # Comes from https://github.com/gjtorikian/html-proofer?tab=readme-ov-file#caching-with-continuous-integration
+      - name: Cache HTMLProofer
+        uses: actions/cache@v4
+        with:
+          path: tmp/.htmlproofer
+          key: ${{ runner.os }}-htmlproofer
+
+      - name: Verify
+        run: ./docs/scripts/verify.sh docs/site
--- a/.github/workflows/check_doc.yml
+++ b/.github/workflows/check_doc.yml
@@ -1,25 +0,0 @@
-name: Check Documentation
-
-on:
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-
-  docs:
-    name: Check, verify and build documentation
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-
-      - name: Check documentation
-        run: make docs-pull-images docs
-        env:
-          # These variables are not passed to workflows that are triggered by a pull request from a fork.
-          DOCS_VERIFY_SKIP: ${{ vars.DOCS_VERIFY_SKIP }}
-          DOCS_LINT_SKIP: ${{ vars.DOCS_LINT_SKIP }}
--- a/.github/workflows/documentation.yaml
+++ b/.github/workflows/documentation.yaml
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -7,8 +7,8 @@ on:

 env:
  GO_VERSION: '1.24'
-  GOLANGCI_LINT_VERSION: v2.0.2
-  MISSPELL_VERSION: v0.6.0
+  GOLANGCI_LINT_VERSION: v2.8.0
+  MISSPELL_VERSION: v0.7.0

 jobs:

--- a/.golangci.yml
+++ b/.golangci.yml
@@ -36,6 +36,7 @@ linters:
    - nilnil # Not relevant
    - nlreturn # Not relevant
    - noctx # Too strict
+    - noinlineerr # Too strict
    - nonamedreturns # Too strict
    - paralleltest # Not relevant
    - prealloc # Too many false-positive.
@@ -47,6 +48,7 @@ linters:
    - varnamelen # Not relevant
    - wrapcheck # Too strict
    - wsl # Too strict
+    - wsl_v5 # Too strict

  settings:
    depguard:
@@ -295,15 +297,31 @@ linters:
        source: 'errors.New\("Nomad provider'
        text: 'ST1005: error strings should not be capitalized'
      - path: (.+)\.go
-        text: 'struct-tag: unknown option ''inline'' in JSON tag'
+        text: 'omitzero: Omitempty has no effect on nested struct field'
+        linters:
+          - modernize
+      - path: (.+)\.go
+        text: 'struct-tag: unknown option "inline" in json tag'
        linters:
          - revive
      - path: (.+)\.go
-        text: 'struct-tag: unknown option ''omitzero'' in TOML tag'
+        text: 'struct-tag: unknown option "omitzero" in toml tag'
+        linters:
+          - revive
+      - path: (pkg/types/.+|pkg/api/.+|pkg/observability/types/.+)\.go
+        text: 'var-naming: avoid meaningless package names'
+        linters:
+          - revive
+      - path: (pkg/muxer/http/.+|pkg/provider/http/.+)\.go
+        text: 'var-naming: avoid package names that conflict with Go standard library package names'
        linters:
          - revive
      - path: (.+)\.go$
        text: 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
+      - path: (.+)\.go$
+        text: 'SA1019: dynamic.(TCPIPWhiteList|IPWhiteList) is deprecated: please use IPAllowList instead.'
+      - path: (.+)\.go$
+        text: 'SA1019: middlewareTCP.Spec.IPWhiteList is deprecated: please use IPAllowList instead.'
      - path: (.+)\.go$
        text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
      - path: (.+)\.go$
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,40 @@
+## [v3.6.7](https://github.com/traefik/traefik/tree/v3.6.7) (2026-01-14)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.6...v3.6.7)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.31.0 ([#12529](https://github.com/traefik/traefik/pull/12529) by [ldez](https://github.com/ldez))
+- **[acme]** Add missing renew options ([#12467](https://github.com/traefik/traefik/pull/12467) by [ldez](https://github.com/ldez))
+- **[acme]** Replace hardcoded references to LetsEncrypt in log messages ([#12464](https://github.com/traefik/traefik/pull/12464) by [schildbach](https://github.com/schildbach))
+- **[k8s/ingress-nginx]** Fix use-regex nginx annotation ([#12531](https://github.com/traefik/traefik/pull/12531) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Prevent Ingress Nginx provider http router to attach to an entrypoint with TLS ([#12528](https://github.com/traefik/traefik/pull/12528) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** Fix panic for empty defaultBackend and defaultBackend without resources ([#12509](https://github.com/traefik/traefik/pull/12509) by [gndz07](https://github.com/gndz07))
+- **[k8s]** Fix condition used for serving and fenced endpoints ([#12521](https://github.com/traefik/traefik/pull/12521) by [LBF38](https://github.com/LBF38))
+- **[webui]** Validate X-Forwarded-Prefix value for dashboard redirect ([#12514](https://github.com/traefik/traefik/pull/12514) by [LBF38](https://github.com/LBF38))
+- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) by [LBF38](https://github.com/LBF38))
+- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) by [gndz07](https://github.com/gndz07))
+
+**Documentation:**
+- **[docker/swarm]** Update swarm.md traefik version ([#12508](https://github.com/traefik/traefik/pull/12508) by [DBouraoui](https://github.com/DBouraoui))
+- **[k8s/ingress-nginx]** Fix ingress-nginx annotations documentation ([#12510](https://github.com/traefik/traefik/pull/12510) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Fix Kubernetes reference yml file ([#12406](https://github.com/traefik/traefik/pull/12406) by [mmatur](https://github.com/mmatur))
+- Fix code copy button positioning ([#12520](https://github.com/traefik/traefik/pull/12520) by [AnuragEkkati](https://github.com/AnuragEkkati))
+- Fix typo in kubernetes.md ([#12515](https://github.com/traefik/traefik/pull/12515) by [EdwardSalkeld](https://github.com/EdwardSalkeld))
+- Bring back security section on API &amp; Dashboard documentation page ([#12507](https://github.com/traefik/traefik/pull/12507) by [gndz07](https://github.com/gndz07))
+- Fix link description in Traefik Proxy documentation ([#12488](https://github.com/traefik/traefik/pull/12488) by [schaerfo](https://github.com/schaerfo))
+- Add product comparison matrix and features page ([#12037](https://github.com/traefik/traefik/pull/12037) by [sheddy-traefik](https://github.com/sheddy-traefik))
+
+**Misc:**
+- Merge branch v2.11 into v3.6 ([#12552](https://github.com/traefik/traefik/pull/12552) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.11 into v3.6 ([#12533](https://github.com/traefik/traefik/pull/12533) by [mmatur](https://github.com/mmatur))
+- Merge branch v2.11 into v3.6 ([#12497](https://github.com/traefik/traefik/pull/12497) by [mmatur](https://github.com/mmatur))
+
+## [v2.11.35](https://github.com/traefik/traefik/tree/v2.11.35) (2026-01-14)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.34...v2.11.35)
+
+**Bug fixes:**
+- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) by [LBF38](https://github.com/LBF38))
+- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) by [gndz07](https://github.com/gndz07))
+
 ## [v3.6.6](https://github.com/traefik/traefik/tree/v3.6.6) (2025-12-29)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.5...v3.6.6)

--- a/cmd/configuration.go
+++ b/cmd/configuration.go
@@ -10,6 +10,7 @@ import (
 // TraefikCmdConfiguration wraps the static configuration and extra parameters.
 type TraefikCmdConfiguration struct {
 	static.Configuration `export:"true"`
+
 	// ConfigFile is the path to the configuration file.
 	ConfigFile string `description:"Configuration file to use. If specified all other flags are ignored." export:"true"`
 }
--- a/cmd/internal/gen/main.go
+++ b/cmd/internal/gen/main.go
@@ -83,7 +83,7 @@ func run(dest string) error {
 		return err
 	}

-	return os.WriteFile(filepath.Join(dest, "marshaler.go"), []byte(fmt.Sprintf(marsh, destPkg)), 0o666)
+	return os.WriteFile(filepath.Join(dest, "marshaler.go"), fmt.Appendf(nil, marsh, destPkg), 0o666)
 }

 func cleanType(typ types.Type, base string) string {
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -97,10 +97,10 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		return fmt.Errorf("setting up logger: %w", err)
 	}

-	// Display warning to advertise for new behavior of rejecting encoded characters in the request path.
-	// Deprecated: this has to be removed in the next minor/major version.
-	log.Warn().Msg("Starting with v3.6.4, Traefik now rejects some encoded characters in the request path by default. " +
-		"Refer to the documentation for more details: https://doc.traefik.io/traefik/migrate/v3/#encoded-characters-in-request-path")
+	log.Warn().Msg("Traefik can reject some encoded characters in the request path." +
+		"When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986)," +
+		"it is recommended to set these options to `false` to avoid split-view situation." +
+		"Refer to the documentation for more details: https://doc.traefik.io/traefik/v3.6/migrate/v3/#encoded-characters-configuration-default-values")

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment

--- a/docs/check.Dockerfile
+++ b/docs/check.Dockerfile
@@ -34,6 +34,7 @@ RUN apk --no-cache --no-progress add \

 COPY ./scripts/verify.sh /verify.sh
 COPY ./scripts/lint.sh /lint.sh
+COPY ./scripts/lint-yaml.sh /lint-yaml.sh

 WORKDIR /app
 VOLUME ["/tmp","/app"]
--- a/docs/content/assets/css/code-copy.css
+++ b/docs/content/assets/css/code-copy.css
@@ -0,0 +1,18 @@
+/* Fix positioning of the built-in clipboard button for code blocks.
+ * In this theme, the button can end up positioned relative to <body>,
+ * so anchor it to the code block container instead.
+ */
+
+.md-typeset pre.highlight {
+  position: relative;
+}
+
+.md-typeset pre.highlight > button.md-clipboard {
+  position: absolute;
+  top: .25rem;
+  right: .25rem;
+  z-index: 10;
+  opacity: 1;
+  visibility: visible;
+}
+
--- a/docs/content/assets/js/extra.js
+++ b/docs/content/assets/js/extra.js
@@ -1,4 +1,14 @@
 /* Highlight */
 (function(hljs) {
    hljs.initHighlightingOnLoad();
-})(hljs);
+})(hljs);
+
+/* Scarf Analytics - cookieless, anonymous company-level intelligence */
+(function() {
+    var img = document.createElement('img');
+    img.src = 'https://static.scarf.sh/a.png?x-pxid=1a49232a-b165-4015-8ed2-a1092f1f0d83';
+    img.referrerPolicy = 'no-referrer-when-downgrade';
+    img.loading = 'eager';
+    img.style.cssText = 'visibility:hidden;position:absolute;width:1px;height:1px;';
+    document.body.appendChild(img);
+})();
--- a/docs/content/features/index.md
+++ b/docs/content/features/index.md
@@ -0,0 +1,148 @@
+---
+title: "Traefik Product Features Comparison"
+description: "Compare features across Traefik Proxy, Traefik Hub API Gateway (including AI Gateway capabilities), and Traefik Hub API Management to choose the right solution for your needs."
+---
+
+# Traefik Product Features Comparison
+
+The Traefik ecosystem offers multiple products designed to meet different requirements, from basic reverse proxy functionality to comprehensive API management and AI gateway capabilities. This comparison matrix helps you understand the features available in each product and choose the right solution for your use case.
+
+## Product Overview
+
+- **Traefik Proxy** is the open-source application proxy that serves as the foundation for all Traefik products. It provides essential reverse proxy, load balancing, and service discovery capabilities.
+
+- **[Traefik Hub API Gateway](https://traefik.io/solutions/api-gateway/)** builds on Traefik Proxy with enterprise-grade security, distributed features, and advanced access control for cloud-native API gateway scenarios. It includes **AI Gateway capabilities** that transform any AI endpoint into a managed API.
+
+- **[Traefik Hub API Management](https://traefik.io/solutions/api-management/)** adds comprehensive API lifecycle management, developer portals, and organizational features for teams managing multiple APIs across environments.
+
+- **[Traefik AI Gateway](https://traefik.io/solutions/ai-gateway/)** transforms any AI endpoint into a managed API with unified access to multiple LLMs, centralized credential management, semantic caching, local inferencing, and comprehensive AI governance features.
+
+- **[Traefik MCP Gateway](https://traefik.io/solutions/mcp-gateway/)** provides secure, governed access to Model Context Protocol (MCP) servers for AI agents with task-based access control (TBAC), session-smart routing, and comprehensive audit capabilities for enterprise AI workflows.
+
+## Features Matrix
+
+| Feature | Traefik Proxy | Traefik Hub API Gateway | Traefik Hub API Management |
+|---------|---------------|------------------------|---------------------------|
+| **Core Networking** | | | | 
+| Services Auto-Discovery | ✓ | ✓ | ✓ |
+| Graceful Configuration Reload | ✓ | ✓ | ✓ |
+| Websockets, HTTP/2, HTTP/3, TCP, UDP, GRPC | ✓ | ✓ | ✓ |
+| Real-time Logs, Access Logs, Metrics & Distributed Tracing | ✓ | ✓ | ✓ |
+| Canary Deployments | ✓ | ✓ | ✓ |
+| Let's Encrypt | ✓ | ✓ | ✓ |
+| **Plugin Ecosystem** | | | |
+| [Plugin Support](https://plugins.traefik.io/plugins) ([Go](https://github.com/traefik/yaegi), [WASM](https://webassembly.org/)) | ✓ | ✓ | ✓ |
+| **Deployment & Operations** | | | |
+| Hybrid cloud, multi-cloud & on-prem compatible | ✓ | ✓ | ✓ |
+| Per-cluster dashboard | ✓ | ✓ | ✓ |
+| GitOps-native declarative configuration | ✓ | ✓ | ✓ |
+| **Authentication & Authorization** | | | |
+| JWT Authentication | ✗ | ✓ | ✓ |
+| OAuth 2.0 Token Introspection Authentication | ✗ | ✓ | ✓ |
+| OAuth 2.0 Client Credentials Authentication | ✗ | ✓ | ✓ |
+| OpenID Connect Authentication | ✗ | ✓ | ✓ |
+| Lightweight Directory Access Protocol (LDAP) | ✗ | ✓ | ✓ |
+| API Key Authentication | ✗ | ✓ | ✓ |
+| **Security & Policy** | | | |
+| Open Policy Agent | ✗ | ✓ | ✓ |
+| Native Coraza Web Application Firewall (WAF) | ✗ | ✓ | ✓ |
+| HashiCorp Vault Integration | ✗ | ✓ | ✓ |
+| **Distributed Features** | | | |
+| Distributed Let's Encrypt | ✗ | ✓ | ✓ |
+| Distributed Rate Limit | ✗ | ✓ | ✓ |
+| HTTP Caching | ✗ | ✓ | ✓ |
+| **Compliance** | | | |
+| FIPS 140-2 Compliance (Linux & Windows) | ✗ | ✓ | ✓ |
+| **AI Gateway Capabilities** | | | |
+| Unified Multi-LLM API Access | ✗ | ✓ | ✓ |
+| Centralized AI Credential Management | ✗ | ✓ | ✓ |
+| AI Provider Flexibility (OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, etc.) | ✗ | ✓ | ✓ |
+| Semantic Caching for AI Responses | ✗ | ✓ | ✓ |
+| Content Guard & PII Protection | ✗ | ✓ | ✓ |
+| AI-specific Observability & OpenTelemetry Integration | ✗ | ✓ | ✓ |
+| Support for Local/Self-hosted LLMs & Inference (Ollama, Mistral, etc.) | ✗ | ✓ | ✓ |
+| **MCP Gateway Capabilities** | | | |
+| Task-Based Access Control (TBAC) for AI Agents | ✗ | ✓ | ✓ |
+| MCP Servers Governance | ✗ | ✓ | ✓ |
+| Session-Smart Load Balancing for Agent Workflows | ✗ | ✓ | ✓ |
+| OAuth 2.1 / 2.0 Resource Server for MCP | ✗ | ✓ | ✓ |
+| Fine-grained Policy Enforcement for AI Tools | ✗ | ✓ | ✓ |
+| Audit-ready Observability for Agent Interactions | ✗ | ✓ | ✓ |
+| **API Management** | | | |
+| Flexible API grouping and versioning | ✗ | ✗ | ✓ |
+| API Developer Portal | ✗ | ✗ | ✓ |
+| OpenAPI Specifications Support | ✗ | ✗ | ✓ |
+| Multi-cluster dashboard | ✗ | ✗ | ✓ |
+| Built-in identity provider (or use your own) | ✗ | ✗ | ✓ |
+| Configuration linter & change impact analysis | ✗ | ✗ | ✓ |
+| Pre-built Grafana dashboards | ✗ | ✗ | ✓ |
+| Event correlation for quick incident mitigation | ✗ | ✗ | ✓ |
+| Traffic debugger  | ✗ | ✓ | ✓ |
+| **Support** | | | |
+| Built-In Commercial Support | Add-on | ✓ | ✓ |
+
+## Choosing the Right Product
+
+### Start with Traefik Proxy
+
+Traefik Proxy is the ideal starting point for organizations looking for a reliable, open-source application proxy with essential networking capabilities. Deploy it as your default ingress tier if you need:
+
+- Basic reverse proxy and load balancing
+- Service discovery for containerized applications
+- Simple TLS termination and Let's Encrypt integration
+- Cost-effective solution with community support (can upgrade to Traefik Hub for more features)
+
+### Upgrade to Traefik Hub API Gateway
+
+Traefik Hub API Gateway layers enterprise security, distributed coordination, and AI Gateway capabilities on top of Traefik Proxy. Upgrade to it when you need:
+
+- Enterprise security requirements (JWT, OIDC, LDAP)
+- Distributed deployments across multiple clusters
+- Advanced rate limiting and caching
+- WAF and policy enforcement
+- AI Gateway capabilities
+- Commercial support
+
+### Consider Traefik AI Gateway
+
+Traefik AI Gateway unifies hosted and self-hosted LLM access under centralized control and observability. Consider it if you have:
+
+- Multi-LLM applications requiring unified API access
+- Organizations using multiple AI providers (OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, etc.)
+- Local/self-hosted LLM deployments (Ollama, Mistral)
+- Centralized AI credential and security management
+- Cost optimization through semantic caching
+- PII protection and content filtering for AI interactions
+- Comprehensive AI observability and compliance requirements
+
+### Choose Traefik MCP Gateway
+
+Traefik MCP Gateway governs how AI agents interact with Model Context Protocol servers through task-aware policies and session-smart routing. Choose it if you need:
+
+- AI agent deployments requiring secure access to MCP servers
+- Task-based access control (TBAC) for AI workflows
+- Governance of Model Context Protocol interactions
+- Session-smart routing for long-running agent conversations
+- OAuth 2.1 / 2.0 compliant MCP server protection
+- Audit-ready observability for AI agent activities
+- Fine-grained policy enforcement for AI tools and resources
+
+### Choose Traefik Hub API Management
+
+Traefik Hub API Management extends the gateway foundation with API lifecycle tooling, developer experience features, and governance workflows. Choose it when you have:
+
+- Multiple APIs requiring centralized management
+- Developer teams needing self-service portals
+- Complex API versioning and lifecycle requirements
+- Multi-cluster environments requiring unified dashboards
+- Compliance and governance needs
+
+## Migration Path
+
+The Traefik ecosystem is designed for seamless upgrades. You can start with Traefik Proxy and add capabilities as your requirements grow:
+
+1. **Traefik Proxy** → **Hub API Gateway**: Add enterprise security, distributed features, and AI Gateway capabilities
+2. **Hub API Gateway** → **Hub API Management**: Add comprehensive API management and governance features
+3. **MCP Gateway**: Specialized solution for AI agent governance and Model Context Protocol management
+
+All products share the same core configuration concepts, making migration straightforward while preserving your existing configurations and operational knowledge.
--- a/docs/content/getting-started/concepts.md
+++ b/docs/content/getting-started/concepts.md
@@ -57,4 +57,4 @@ You no longer need to create and synchronize configuration files cluttered with
    Traefik is able to use your cluster API to discover the services and read the attached information.
    In Traefik, these connectors are called [providers](../providers/overview.md "Link to overview about Traefik providers") because they *provide* the configuration to Traefik.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -92,4 +92,4 @@ All the configuration options are documented in their related section.

 You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/getting-started/docker.md
+++ b/docs/content/getting-started/docker.md
@@ -159,4 +159,4 @@ That's it! You've successfully deployed Traefik and configured routing in Docker
 - [Enable Metrics](../reference/install-configuration/observability/metrics.md)
 - [Learn more about Docker provider](../reference/install-configuration/providers/docker.md)

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -252,4 +252,4 @@ In which case, you should make sure your infrastructure is properly set up for a
 LEGO_DISABLE_CNAME_SUPPORT=true
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -144,4 +144,4 @@ And run it:

 All the details are available in the [Contributing Guide](../contributing/building-testing.md)

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/getting-started/kubernetes.md
+++ b/docs/content/getting-started/kubernetes.md
@@ -331,4 +331,4 @@ That's it! You've successfully deployed Traefik and configured routing in a Kube
 - [Learn more about Kubernetes CRD provider](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md)
 - [Learn more about Kubernetes Gateway API provider](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md)

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -1211,4 +1211,4 @@ If Let's Encrypt is not reachable, the following certificates will apply:
 !!! important
    For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/https/overview.md
+++ b/docs/content/https/overview.md
@@ -20,4 +20,4 @@ That is to say, how to obtain [TLS certificates](./tls.md#certificates-definitio
 either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
 And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -587,4 +587,4 @@ spec:
  disableSessionTickets: true
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -11,6 +11,8 @@ Traefik is an [open-source](https://github.com/traefik/traefik) Application Prox

 If you start with Traefik for service discovery and routing, you can seamlessly add [API management](https://traefik.io/solutions/api-management/), [API gateway](https://traefik.io/solutions/api-gateway/), [AI gateway](https://traefik.io/solutions/ai-gateway/), and [API mocking](https://traefik.io/solutions/api-mocking/) capabilities as needed.

+For a detailed comparison of all Traefik products and their capabilities, see our [Product Features Comparison](./features/).
+
 With 3.3 billion downloads and over 55k stars on GitHub, Traefik is used globally across hybrid cloud, multi-cloud, on prem, and bare metal environments running Kubernetes, Docker Swarm, AWS, [the list goes on](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/).

 Here’s how it works—Traefik receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. It automatically discovers the right configuration for your services by inspecting your infrastructure to identify relevant information and which service serves which request.
--- a/docs/content/middlewares/http/basicauth.md
+++ b/docs/content/middlewares/http/basicauth.md
@@ -340,4 +340,4 @@ http:
    removeHeader = true
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -785,4 +785,4 @@ http:
  preserveRequestMethod = true
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@@ -422,4 +422,4 @@ Set `isDevelopment` to `true` when developing to mitigate the unwanted effects o
 Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
 If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -127,4 +127,4 @@ http:

 Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/middlewares/http/redirectregex.md
+++ b/docs/content/middlewares/http/redirectregex.md
@@ -85,4 +85,4 @@ The `replacement` option defines how to modify the URL to have the new target UR

    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/middlewares/http/stripprefix.md
+++ b/docs/content/middlewares/http/stripprefix.md
@@ -146,4 +146,4 @@ http:
    forceSlash = false
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -112,4 +112,4 @@ A list of HTTP middlewares can be found [here](http/overview.md).

 A list of TCP middlewares can be found [here](tcp/overview.md).

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/migrate/v2-to-v3.md
+++ b/docs/content/migrate/v2-to-v3.md
@@ -158,4 +158,4 @@ core:
 - ✅ All applications functioning correctly
 - ✅ Performance metrics stable

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/migrate/v3.md
+++ b/docs/content/migrate/v3.md
@@ -576,3 +576,30 @@ Here is the list of the encoded characters that are rejected by default, along w
 | `%23`             | `#` (hash)              | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedHash`          |

 Please check out the entrypoint [encodedCharacters option](../reference/install-configuration/entrypoints.md#opt-http-encodedCharacters) documentation for more details.
+
+## v3.6.7
+
+### Encoded Characters Configuration Default Values
+
+Since `v3.6.7`, the options for encoded characters now have a `true` default value.
+This means that Traefik will not reject requests with a path containing a specific set of encoded characters by default.
+It is now up to the users to configure the security hardening of encoded characters.
+
+Here is the list of the encoded characters that can be configured to `false` to disallow them:
+
+| Encoded Character | Character               | Config options                                                                       | Default value |
+|-------------------|-------------------------|--------------------------------------------------------------------------------------|---------------|
+| `%2f` or `%2F`    | `/` (slash)             | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSlash`          | `true`        |
+| `%5c` or `%5C`    | `\` (backslash)         | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedBackSlash`     | `true`        |
+| `%00`             | `NULL` (null character) | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedNullCharacter` | `true`        |
+| `%3b` or `%3B`    | `;` (semicolon)         | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSemicolon`     | `true`        |
+| `%25`             | `%` (percent)           | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedPercent`       | `true`        |
+| `%3f` or `%3F`    | `?` (question mark)     | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedQuestionMark`  | `true`        |
+| `%23`             | `#` (hash)              | `entryPoints.<name>.`<br/>`.http.encodedCharacters`<br/>`.allowEncodedHash`          | `true`        |
+
+Note: This check is not done against query parameters,
+but only against the request path as defined
+in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
+
+Please check out the entrypoint [encodedCharacters option](../routing/entrypoints.md#encoded-characters) documentation
+for more details.
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -780,4 +780,4 @@ accesslog:
 --accesslog.otlp.grpc.tls.insecureSkipVerify=true
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@@ -644,4 +644,4 @@ log:
 --log.otlp.grpc.tls.insecureSkipVerify=true
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/observe/overview.md
+++ b/docs/content/observe/overview.md
@@ -77,4 +77,4 @@ additionalArguments:
 !!! note
    A router with its own observability configuration will override the global default.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -176,4 +176,4 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.             |
 | `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.               |

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@@ -168,4 +168,4 @@ api:
 --api.dashboard=false
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/plugins/index.md
+++ b/docs/content/plugins/index.md
@@ -31,4 +31,4 @@ The experience of implementing a Traefik plugin is comparable to writing a web b

 To learn more about Traefik plugin creation, please refer to the [developer documentation](https://plugins.traefik.io/create).

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -702,4 +702,4 @@ providers:
 --providers.docker.allowEmptyServices=true
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@@ -292,4 +292,4 @@ To illustrate, it is possible to easily define multiple routers, services, and T
    {{ end }}
    ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -16,7 +16,7 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku

 ## Requirements

-{!kubernetes-requirements.md!}
+{% include-markdown "includes/kubernetes-requirements.md" %}

 !!! tip "All Steps for a Successful Deployment"

@@ -365,4 +365,4 @@ providers:

 For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@@ -16,7 +16,7 @@ For more details, check out the conformance [report](https://github.com/kubernet

 ## Requirements

-{!kubernetes-requirements.md!}
+{% include-markdown "includes/kubernetes-requirements.md" %}

 !!! info "Helm Chart"

@@ -357,4 +357,4 @@ providers:
 --providers.kubernetesgateway.throttleDuration=10s
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -13,7 +13,7 @@ it manages access to cluster services by supporting the [Ingress](https://kubern

 ## Requirements

-{!kubernetes-requirements.md!}
+{% include-markdown "includes/kubernetes-requirements.md" %}

 ## Routing Configuration

@@ -557,4 +557,4 @@ providers:
 To learn more about the various aspects of the Ingress specification that Traefik supports,
 many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.6/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/providers/overview.md
+++ b/docs/content/providers/overview.md
@@ -227,4 +227,4 @@ List of providers that support constraints:
 - [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
 - [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/providers/swarm.md
+++ b/docs/content/providers/swarm.md
@@ -769,4 +769,4 @@ providers:
 --providers.swarm.allowEmptyServices=true
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
@@ -1,9 +1,8 @@
---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: ingressroutes.traefik.io
 spec:
  group: traefik.io
@@ -374,6 +373,7 @@ spec:
                      description: |-
                        Syntax defines the router's rule syntax.
                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax
+
                        Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                      type: string
                  required:
@@ -465,7 +465,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: ingressroutetcps.traefik.io
 spec:
  group: traefik.io
@@ -585,6 +585,7 @@ spec:
                            description: |-
                              ProxyProtocol defines the PROXY protocol configuration.
                              More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/service/#proxy-protocol
+
                              Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
                            properties:
                              version:
@@ -607,6 +608,7 @@ spec:
                              hence fully terminating the connection.
                              It is a duration in milliseconds, defaulting to 100.
                              A negative value means an infinite deadline (i.e. the reading capability is never closed).
+
                              Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.
                            type: integer
                          tls:
@@ -627,6 +629,7 @@ spec:
                      description: |-
                        Syntax defines the router's rule syntax.
                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax
+
                        Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                      enum:
                      - v3
@@ -721,7 +724,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: ingressrouteudps.traefik.io
 spec:
  group: traefik.io
@@ -833,7 +836,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: middlewares.traefik.io
 spec:
  group: traefik.io
@@ -1061,6 +1064,7 @@ spec:
                    description: |-
                      AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,
                      be automatically set to a value derived from the contents of the response.
+
                      Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option.
                    type: boolean
                type: object
@@ -2147,7 +2151,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: middlewaretcps.traefik.io
 spec:
  group: traefik.io
@@ -2213,8 +2217,9 @@ spec:
                description: |-
                  IPWhiteList defines the IPWhiteList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  Deprecated: please use IPAllowList instead.
                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipwhitelist/
+
+                  Deprecated: please use IPAllowList instead.
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -2235,7 +2240,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: serverstransports.traefik.io
 spec:
  group: traefik.io
@@ -2371,6 +2376,7 @@ spec:
              rootCAsSecrets:
                description: |-
                  RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+
                  Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
                items:
                  type: string
@@ -2404,7 +2410,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: serverstransporttcps.traefik.io
 spec:
  group: traefik.io
@@ -2525,6 +2531,7 @@ spec:
                  rootCAsSecrets:
                    description: |-
                      RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+
                      Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
                    items:
                      type: string
@@ -2560,7 +2567,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: tlsoptions.traefik.io
 spec:
  group: traefik.io
@@ -2660,6 +2667,7 @@ spec:
                description: |-
                  PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
                  It is enabled automatically when minVersion or maxVersion is set.
+
                  Deprecated: https://github.com/golang/go/issues/45430
                type: boolean
              sniStrict:
@@ -2678,7 +2686,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: tlsstores.traefik.io
 spec:
  group: traefik.io
@@ -2775,7 +2783,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: traefikservices.traefik.io
 spec:
  group: traefik.io
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd.md
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd.md
@@ -26,4 +26,4 @@ Dynamic configuration with Kubernetes Custom Resource
 --8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
@@ -1,4 +1,3 @@
---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml
@@ -1,4 +1,3 @@
---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
 metadata:
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml
@@ -1,4 +1,3 @@
---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
 metadata:
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
@@ -1,4 +1,3 @@
---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
--- a/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
@@ -1,4 +1,3 @@
---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
--- a/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml
@@ -1,4 +1,3 @@
---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
--- a/docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml
@@ -1,4 +1,3 @@
---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
@@ -1,114 +0,0 @@
---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
-  name: tlsoptions.traefik.containo.us
-spec:
-  group: traefik.containo.us
-  names:
-    kind: TLSOption
-    listKind: TLSOptionList
-    plural: tlsoptions
-    singular: tlsoption
-  scope: Namespaced
-  versions:
-  - name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: |-
-          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v2.11/https/tls/#tls-options
-        properties:
-          apiVersion:
-            description: |-
-              APIVersion defines the versioned schema of this representation of an object.
-              Servers should convert recognized schemas to the latest internal value, and
-              may reject unrecognized values.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-            type: string
-          kind:
-            description: |-
-              Kind is a string value representing the REST resource this object represents.
-              Servers may infer this from the endpoint the client submits requests to.
-              Cannot be updated.
-              In CamelCase.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: TLSOptionSpec defines the desired state of a TLSOption.
-            properties:
-              alpnProtocols:
-                description: |-
-                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v2.11/https/tls/#alpn-protocols
-                items:
-                  type: string
-                type: array
-              cipherSuites:
-                description: |-
-                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v2.11/https/tls/#cipher-suites
-                items:
-                  type: string
-                type: array
-              clientAuth:
-                description: ClientAuth defines the server's policy for TLS Client
-                  Authentication.
-                properties:
-                  clientAuthType:
-                    description: ClientAuthType defines the client authentication
-                      type to apply.
-                    enum:
-                    - NoClientCert
-                    - RequestClientCert
-                    - RequireAnyClientCert
-                    - VerifyClientCertIfGiven
-                    - RequireAndVerifyClientCert
-                    type: string
-                  secretNames:
-                    description: SecretNames defines the names of the referenced Kubernetes
-                      Secret storing certificate details.
-                    items:
-                      type: string
-                    type: array
-                type: object
-              curvePreferences:
-                description: |-
-                  CurvePreferences defines the preferred elliptic curves.
-                  More info: https://doc.traefik.io/traefik/v2.11/https/tls/#curve-preferences
-                items:
-                  type: string
-                type: array
-              maxVersion:
-                description: |-
-                  MaxVersion defines the maximum TLS version that Traefik will accept.
-                  Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
-                  Default: None.
-                type: string
-              minVersion:
-                description: |-
-                  MinVersion defines the minimum TLS version that Traefik will accept.
-                  Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
-                  Default: VersionTLS10.
-                type: string
-              preferServerCipherSuites:
-                description: |-
-                  PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
-                  It is enabled automatically when minVersion or maxVersion is set.
-                  Deprecated: https://github.com/golang/go/issues/45430
-                type: boolean
-              sniStrict:
-                description: SniStrict defines whether Traefik allows connections
-                  from clients connections that do not specify a server_name extension.
-                type: boolean
-            type: object
-        required:
-        - metadata
-        - spec
-        type: object
-    served: true
-    storage: true
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: ingressroutes.traefik.io
 spec:
  group: traefik.io
@@ -374,6 +374,7 @@ spec:
                      description: |-
                        Syntax defines the router's rule syntax.
                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax
+
                        Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                      type: string
                  required:
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: ingressroutetcps.traefik.io
 spec:
  group: traefik.io
@@ -123,6 +123,7 @@ spec:
                            description: |-
                              ProxyProtocol defines the PROXY protocol configuration.
                              More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/service/#proxy-protocol
+
                              Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
                            properties:
                              version:
@@ -145,6 +146,7 @@ spec:
                              hence fully terminating the connection.
                              It is a duration in milliseconds, defaulting to 100.
                              A negative value means an infinite deadline (i.e. the reading capability is never closed).
+
                              Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.
                            type: integer
                          tls:
@@ -165,6 +167,7 @@ spec:
                      description: |-
                        Syntax defines the router's rule syntax.
                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax
+
                        Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                      enum:
                      - v3
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: ingressrouteudps.traefik.io
 spec:
  group: traefik.io
--- a/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: middlewares.traefik.io
 spec:
  group: traefik.io
@@ -231,6 +231,7 @@ spec:
                    description: |-
                      AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,
                      be automatically set to a value derived from the contents of the response.
+
                      Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option.
                    type: boolean
                type: object
--- a/docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: middlewaretcps.traefik.io
 spec:
  group: traefik.io
@@ -69,8 +69,9 @@ spec:
                description: |-
                  IPWhiteList defines the IPWhiteList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  Deprecated: please use IPAllowList instead.
                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipwhitelist/
+
+                  Deprecated: please use IPAllowList instead.
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
--- a/docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: serverstransports.traefik.io
 spec:
  group: traefik.io
@@ -139,6 +139,7 @@ spec:
              rootCAsSecrets:
                description: |-
                  RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+
                  Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
                items:
                  type: string
--- a/docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: serverstransporttcps.traefik.io
 spec:
  group: traefik.io
@@ -124,6 +124,7 @@ spec:
                  rootCAsSecrets:
                    description: |-
                      RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+
                      Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
                    items:
                      type: string
--- a/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: tlsoptions.traefik.io
 spec:
  group: traefik.io
@@ -103,6 +103,7 @@ spec:
                description: |-
                  PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
                  It is enabled automatically when minVersion or maxVersion is set.
+
                  Deprecated: https://github.com/golang/go/issues/45430
                type: boolean
              sniStrict:
--- a/docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: tlsstores.traefik.io
 spec:
  group: traefik.io
--- a/docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
  name: traefikservices.traefik.io
 spec:
  group: traefik.io
--- a/docs/content/reference/install-configuration/api-dashboard.md
+++ b/docs/content/reference/install-configuration/api-dashboard.md
@@ -3,13 +3,27 @@ title: "Traefik API & Dashboard Documentation"
 description: "Traefik Proxy exposes information through API handlers and showcase them on the Dashboard. Learn about the security, configuration, and endpoints of the APIs and Dashboard. Read the technical documentation."
 ---

-The dashboard is the central place that shows you the current active routes handled by Traefik.
+Traefik exposes a number of information through API endpoints, such as the configuration of your routers, services, middlewares, etc.
+
+The dashboard, which is the central place that displays the current active routes handled by Traefik, fetches the data from this API.

 <figure>
    <img src="../../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
    <figcaption>The dashboard in action</figcaption>
 </figure>

+## Security
+
+Enabling the API and the dashboard in production is not recommended, because it will expose all configuration elements,
+including sensitive data, for which access should be reserved to administrators.
+
+In production, it should be at least secured by authentication and authorizations.
+
+!!! info
+
+    It's recommended to NOT publicly exposing the API's port, keeping it restricted to internal networks
+    (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
+
 ## Configuration Example

 Enable the dashboard:
@@ -187,6 +201,7 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | <a id="opt-apientrypoints" href="#opt-apientrypoints" title="#opt-apientrypoints">`/api/entrypoints`</a> | Lists all the entry points information.                                                     |
 | <a id="opt-apientrypointsname" href="#opt-apientrypointsname" title="#opt-apientrypointsname">`/api/entrypoints/{name}`</a> | Returns the information of the entry point specified by `name`.                             |
 | <a id="opt-apioverview" href="#opt-apioverview" title="#opt-apioverview">`/api/overview`</a> | Returns statistic information about HTTP, TCP and about enabled features and providers. |
+| <a id="opt-apisupport-dump" href="#opt-apisupport-dump" title="#opt-apisupport-dump">`/api/support-dump`</a> | Returns an archive that contains the anonymized static configuration and the runtime configuration. |
 | <a id="opt-apirawdata" href="#opt-apirawdata" title="#opt-apirawdata">`/api/rawdata`</a> | Returns information about dynamic configurations, errors, status and dependency relations.  |
 | <a id="opt-apiversion" href="#opt-apiversion" title="#opt-apiversion">`/api/version`</a> | Returns information about Traefik version.                                                  |
 | <a id="opt-debugvars" href="#opt-debugvars" title="#opt-debugvars">`/debug/vars`</a> | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                          |
@@ -203,14 +218,16 @@ All the following endpoints must be accessed with a `GET` HTTP request.

 ## Dashboard

-The dashboard is available at the same location as the API, but by default on the path  `/dashboard/`.
+The dashboard is available by default on the path  `/dashboard/`.

 !!! note

    - The trailing slash `/` in `/dashboard/` is mandatory. This limitation can be mitigated using the the [RedirectRegex Middleware](../../middlewares/http/redirectregex.md).
-	  - There is also a redirect from the path `/` to `/dashboard/`, but you should not rely on this behavior, as it is subject to change and may complicate routing rules.
+    - There is also a redirect from the path `/` to `/dashboard/`.

-To securely access the dashboard, you need to define a routing configuration within Traefik. This involves setting up a router attached to the service `api@internal`, which allows you to:
+As mentioned above in the [Security](#security) section, it is important to secure access to both the dashboard and the API.
+You need to define a routing configuration within Traefik.
+This involves setting up a router attached to the service `api@internal`, which allows you to:

 - Implement security features using [middlewares](../../middlewares/overview.md), such as authentication ([basicAuth](../../middlewares/http/basicauth.md), [digestAuth](../../middlewares/http/digestauth.md),
  [forwardAuth](../../middlewares/http/forwardauth.md)) or [allowlisting](../../middlewares/http/ipallowlist.md).
@@ -238,4 +255,4 @@ rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
 rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/configuration-options.md
+++ b/docs/content/reference/install-configuration/configuration-options.md
@@ -85,13 +85,13 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-entrypoints-name-forwardedheaders-insecure" href="#opt-entrypoints-name-forwardedheaders-insecure" title="#opt-entrypoints-name-forwardedheaders-insecure">entrypoints._name_.forwardedheaders.insecure</a> | Trust all forwarded headers. | false |
 | <a id="opt-entrypoints-name-forwardedheaders-trustedips" href="#opt-entrypoints-name-forwardedheaders-trustedips" title="#opt-entrypoints-name-forwardedheaders-trustedips">entrypoints._name_.forwardedheaders.trustedips</a> | Trust only forwarded headers from selected IPs. | |
 | <a id="opt-entrypoints-name-http" href="#opt-entrypoints-name-http" title="#opt-entrypoints-name-http">entrypoints._name_.http</a> | HTTP configuration. | |
-| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash">entrypoints._name_.http.encodedcharacters.allowencodedbackslash</a> | Defines whether requests with encoded back slash characters in the path are allowed. | false |
-| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedhash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash">entrypoints._name_.http.encodedcharacters.allowencodedhash</a> | Defines whether requests with encoded hash characters in the path are allowed. | false |
-| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" href="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" title="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter">entrypoints._name_.http.encodedcharacters.allowencodednullcharacter</a> | Defines whether requests with encoded null characters in the path are allowed. | false |
-| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent">entrypoints._name_.http.encodedcharacters.allowencodedpercent</a> | Defines whether requests with encoded percent characters in the path are allowed. | false |
-| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark">entrypoints._name_.http.encodedcharacters.allowencodedquestionmark</a> | Defines whether requests with encoded question mark characters in the path are allowed. | false |
-| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon">entrypoints._name_.http.encodedcharacters.allowencodedsemicolon</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | false |
-| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash">entrypoints._name_.http.encodedcharacters.allowencodedslash</a> | Defines whether requests with encoded slash characters in the path are allowed. | false |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash">entrypoints._name_.http.encodedcharacters.allowencodedbackslash</a> | Defines whether requests with encoded back slash characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedhash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedhash">entrypoints._name_.http.encodedcharacters.allowencodedhash</a> | Defines whether requests with encoded hash characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" href="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter" title="#opt-entrypoints-name-http-encodedcharacters-allowencodednullcharacter">entrypoints._name_.http.encodedcharacters.allowencodednullcharacter</a> | Defines whether requests with encoded null characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedpercent">entrypoints._name_.http.encodedcharacters.allowencodedpercent</a> | Defines whether requests with encoded percent characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedquestionmark">entrypoints._name_.http.encodedcharacters.allowencodedquestionmark</a> | Defines whether requests with encoded question mark characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedsemicolon">entrypoints._name_.http.encodedcharacters.allowencodedsemicolon</a> | Defines whether requests with encoded semicolon characters in the path are allowed. | true |
+| <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedslash">entrypoints._name_.http.encodedcharacters.allowencodedslash</a> | Defines whether requests with encoded slash characters in the path are allowed. | true |
 | <a id="opt-entrypoints-name-http-encodequerysemicolons" href="#opt-entrypoints-name-http-encodequerysemicolons" title="#opt-entrypoints-name-http-encodequerysemicolons">entrypoints._name_.http.encodequerysemicolons</a> | Defines whether request query semicolons should be URLEncoded. | false |
 | <a id="opt-entrypoints-name-http-maxheaderbytes" href="#opt-entrypoints-name-http-maxheaderbytes" title="#opt-entrypoints-name-http-maxheaderbytes">entrypoints._name_.http.maxheaderbytes</a> | Maximum size of request headers in bytes. | 1048576 |
 | <a id="opt-entrypoints-name-http-middlewares" href="#opt-entrypoints-name-http-middlewares" title="#opt-entrypoints-name-http-middlewares">entrypoints._name_.http.middlewares</a> | Default middlewares for the routers linked to the entry point. | |
--- a/docs/content/reference/install-configuration/entrypoints.md
+++ b/docs/content/reference/install-configuration/entrypoints.md
@@ -84,8 +84,8 @@ additionalArguments:

 ## Configuration Options

-| Field                                                           | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Default                 | Required |
-|:----------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------|:---------|
+| Field                                                                                                                                                                                                                                                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Default                 | Required |
+|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------|:---------|
 | <a id="opt-address" href="#opt-address" title="#opt-address">`address`</a> | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp]                                                                                                                                                                                                                                                                                                                                                                                                                        | -                       | Yes      |
 | <a id="opt-asDefault" href="#opt-asDefault" title="#opt-asDefault">`asDefault`</a> | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault).                                                                                                                                                                                                                                                                                                                                                                                                                                       | false                   | No       |
 | <a id="opt-forwardedHeaders-trustedIPs" href="#opt-forwardedHeaders-trustedIPs" title="#opt-forwardedHeaders-trustedIPs">`forwardedHeaders.trustedIPs`</a> | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | -                       | No       |
@@ -95,16 +95,16 @@ additionalArguments:
 | <a id="opt-http-redirections-entryPoint-permanent" href="#opt-http-redirections-entryPoint-permanent" title="#opt-http-redirections-entryPoint-permanent">`http.redirections.`<br />`entryPoint.permanent`</a> | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false                   | No       |
 | <a id="opt-http-redirections-entryPoint-priority" href="#opt-http-redirections-entryPoint-priority" title="#opt-http-redirections-entryPoint-priority">`http.redirections.`<br />`entryPoint.priority`</a> | Default priority applied to the routers attached to the `entryPoint`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | MaxInt32-1 (2147483646) | No       |
 | <a id="opt-http-encodedCharacters" href="#opt-http-encodedCharacters" title="#opt-http-encodedCharacters">`http.encodedCharacters`</a> | Defines which encoded characters are allowed in the request path. More information [here](#encoded-characters).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | false                   | No       |
-| <a id="opt-http-encodedCharacters-allowEncodedSlash" href="#opt-http-encodedCharacters-allowEncodedSlash" title="#opt-http-encodedCharacters-allowEncodedSlash">`http.encodedCharacters.`<br />`allowEncodedSlash`</a> | Defines whether requests with encoded slash characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | false                   | No       |
-| <a id="opt-http-encodedCharacters-allowEncodedBackSlash" href="#opt-http-encodedCharacters-allowEncodedBackSlash" title="#opt-http-encodedCharacters-allowEncodedBackSlash">`http.encodedCharacters.`<br />`allowEncodedBackSlash`</a> | Defines whether requests with encoded back slash characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | false                   | No       |
-| <a id="opt-http-encodedCharacters-allowEncodedNullCharacter" href="#opt-http-encodedCharacters-allowEncodedNullCharacter" title="#opt-http-encodedCharacters-allowEncodedNullCharacter">`http.encodedCharacters.`<br />`allowEncodedNullCharacter`</a> | Defines whether requests with encoded null characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | false                   | No       |
-| <a id="opt-http-encodedCharacters-allowEncodedSemicolon" href="#opt-http-encodedCharacters-allowEncodedSemicolon" title="#opt-http-encodedCharacters-allowEncodedSemicolon">`http.encodedCharacters.`<br />`allowEncodedSemicolon`</a> | Defines whether requests with encoded semicolon characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | false                   | No       |
-| <a id="opt-http-encodedCharacters-allowEncodedPercent" href="#opt-http-encodedCharacters-allowEncodedPercent" title="#opt-http-encodedCharacters-allowEncodedPercent">`http.encodedCharacters.`<br />`allowEncodedPercent`</a> | Defines whether requests with encoded percent characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | false                   | No       |
-| <a id="opt-http-encodedCharacters-allowEncodedQuestionMark" href="#opt-http-encodedCharacters-allowEncodedQuestionMark" title="#opt-http-encodedCharacters-allowEncodedQuestionMark">`http.encodedCharacters.`<br />`allowEncodedQuestionMark`</a> | Defines whether requests with encoded question mark characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | false                   | No       |
-| <a id="opt-http-encodedCharacters-allowEncodedHash" href="#opt-http-encodedCharacters-allowEncodedHash" title="#opt-http-encodedCharacters-allowEncodedHash">`http.encodedCharacters.`<br />`allowEncodedHash`</a> | Defines whether requests with encoded hash characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | false                   | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedSlash" href="#opt-http-encodedCharacters-allowEncodedSlash" title="#opt-http-encodedCharacters-allowEncodedSlash">`http.encodedCharacters.`<br />`allowEncodedSlash`</a> | Defines whether requests with encoded slash characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedBackSlash" href="#opt-http-encodedCharacters-allowEncodedBackSlash" title="#opt-http-encodedCharacters-allowEncodedBackSlash">`http.encodedCharacters.`<br />`allowEncodedBackSlash`</a> | Defines whether requests with encoded back slash characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedNullCharacter" href="#opt-http-encodedCharacters-allowEncodedNullCharacter" title="#opt-http-encodedCharacters-allowEncodedNullCharacter">`http.encodedCharacters.`<br />`allowEncodedNullCharacter`</a> | Defines whether requests with encoded null characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedSemicolon" href="#opt-http-encodedCharacters-allowEncodedSemicolon" title="#opt-http-encodedCharacters-allowEncodedSemicolon">`http.encodedCharacters.`<br />`allowEncodedSemicolon`</a> | Defines whether requests with encoded semicolon characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedPercent" href="#opt-http-encodedCharacters-allowEncodedPercent" title="#opt-http-encodedCharacters-allowEncodedPercent">`http.encodedCharacters.`<br />`allowEncodedPercent`</a> | Defines whether requests with encoded percent characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedQuestionMark" href="#opt-http-encodedCharacters-allowEncodedQuestionMark" title="#opt-http-encodedCharacters-allowEncodedQuestionMark">`http.encodedCharacters.`<br />`allowEncodedQuestionMark`</a> | Defines whether requests with encoded question mark characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | true                    | No       |
+| <a id="opt-http-encodedCharacters-allowEncodedHash" href="#opt-http-encodedCharacters-allowEncodedHash" title="#opt-http-encodedCharacters-allowEncodedHash">`http.encodedCharacters.`<br />`allowEncodedHash`</a> | Defines whether requests with encoded hash characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | true                    | No       |
 | <a id="opt-http-encodeQuerySemicolons" href="#opt-http-encodeQuerySemicolons" title="#opt-http-encodeQuerySemicolons">`http.encodeQuerySemicolons`</a> | Enable query semicolons encoding. <br /> Use this option to avoid non-encoded semicolons to be interpreted as query parameter separators by Traefik. <br /> When using this option, the non-encoded semicolons characters in query will be transmitted encoded to the backend.<br /> More information [here](#encodequerysemicolons).                                                                                                                                                                                                                                                                                                                                               | false                   | No       |
 | <a id="opt-http-sanitizePath" href="#opt-http-sanitizePath" title="#opt-http-sanitizePath">`http.sanitizePath`</a> | Defines whether to enable the request path sanitization.<br /> More information [here](#sanitizepath).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | false                   | No       |
-| <a id="opt-http-maxHeaderBytes" href="#opt-http-maxHeaderBytes" title="#opt-http-maxHeaderBytes">`http.maxHeaderBytes`</a> | Set the maximum size of request headers in bytes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 1048576                       | No       |
+| <a id="opt-http-maxHeaderBytes" href="#opt-http-maxHeaderBytes" title="#opt-http-maxHeaderBytes">`http.maxHeaderBytes`</a> | Set the maximum size of request headers in bytes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 1048576                 | No       |
 | <a id="opt-http-middlewares" href="#opt-http-middlewares" title="#opt-http-middlewares">`http.middlewares`</a> | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. <br />More information [here](#httpmiddlewares).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | -                       | No       |
 | <a id="opt-http-tls" href="#opt-http-tls" title="#opt-http-tls">`http.tls`</a> | Enable TLS on every router attached to the `entryPoint`. <br /> If no certificate are set, a default self-signed certificate is generated by Traefik. <br /> We recommend to not use self signed certificates in production.                                                                                                                                                                                                                                                                                                                                                                                                                                                        | -                       | No       |
 | <a id="opt-http-tls-options" href="#opt-http-tls-options" title="#opt-http-tls-options">`http.tls.options`</a> | Apply TLS options on every router attached to the `entryPoint`. <br /> The TLS options can be overidden per router. <br /> More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption).                                                                                                                                                                                                                                                                                                                                                                                                                                                   | -                       | No       |
@@ -220,16 +220,22 @@ it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
 ### Encoded Characters

 You can configure Traefik to control the handling of encoded characters in request paths for security purposes.
-By default, Traefik rejects requests containing certain encoded characters that could be used in path traversal or other security attacks.
+By default, Traefik do not reject requests with path containing certain encoded characters that could be used in path traversal or other security attacks.

-!!! warning "Security Considerations"
+!!! info 
+    
+    This check is not done against the request query parameters,
+    but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).

-    Allowing certain encoded characters may expose your application to security vulnerabilities.
+!!! info "Security Considerations"
+
+    When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986) and notably decode encoded reserved characters in the requets path,
+    it is recommended to set these options to `false` to avoid split-view situation and helps prevent path traversal attacks or other malicious attempts to bypass security controls.

 Here is the list of the encoded characters that are rejected by default:

-| Encoded Character | Character               |
-|-------------------|-------------------------|
+| Encoded Character                                                                  | Character               |
+|------------------------------------------------------------------------------------|-------------------------|
 | <a id="opt-2f-or-2F" href="#opt-2f-or-2F" title="#opt-2f-or-2F">`%2f` or `%2F`</a> | `/` (slash)             |
 | <a id="opt-5c-or-5C" href="#opt-5c-or-5C" title="#opt-5c-or-5C">`%5c` or `%5C`</a> | `\` (backslash)         |
 | <a id="opt-00" href="#opt-00" title="#opt-00">`%00`</a> | `NULL` (null character) |
--- a/docs/content/reference/install-configuration/observability/logs-and-accesslogs.md
+++ b/docs/content/reference/install-configuration/observability/logs-and-accesslogs.md
@@ -409,4 +409,4 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/providers/docker.md
+++ b/docs/content/reference/install-configuration/providers/docker.md
@@ -420,11 +420,11 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
        - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
        - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
        - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
-        - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
+        - [A thread on Hacker News about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
        - [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
        - [Traefik issue GH-4174 about security with Docker socket](https://github.com/traefik/traefik/issues/4174)
        - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
        - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
        - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/providers/kubernetes/knative.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/knative.md
@@ -15,7 +15,7 @@ enabling seamless integration between Traefik's networking capabilities and Knat

 ## Requirements

-{!kubernetes-requirements.md!}
+{% include-markdown "includes/kubernetes-requirements.md" %}

 1. Install/update the Knative CRDs.

@@ -139,4 +139,4 @@ providers:

 See the dedicated section in [routing](../../../routing-configuration/kubernetes/knative.md).

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md
@@ -130,4 +130,4 @@ See the dedicated section in [routing](../../../../routing/providers/kubernetes-

 For additional information, refer to the [full example](../../../../user-guides/crd-acme/index.md) with Let's Encrypt.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md
@@ -21,7 +21,7 @@ For more details, check out the conformance [report](https://github.com/kubernet

 ## Requirements

-{!kubernetes-requirements.md!}
+{% include-markdown "includes/kubernetes-requirements.md" %}

 1. Install/update the Kubernetes Gateway API CRDs.

@@ -137,4 +137,4 @@ See the dedicated section in [routing](../../../../routing/providers/kubernetes-
    and the dedicated [routing section](../../../../routing/providers/kubernetes-gateway.md)
    in the Traefik documentation.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md
@@ -176,4 +176,4 @@ providers:

 See the dedicated section in [routing](../../../routing-configuration/kubernetes/ingress-nginx.md).

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md
@@ -149,4 +149,4 @@ many examples of Ingresses definitions are located in the test
 [examples](https://github.com/traefik/traefik/tree/v3.1/pkg/provider/kubernetes/ingress/fixtures)
 of the Traefik repository.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/providers/others/file.md
+++ b/docs/content/reference/install-configuration/providers/others/file.md
@@ -121,4 +121,4 @@ http:
    As it is very difficult to listen to all file system notifications, Traefik uses [fsnotify](https://github.com/fsnotify/fsnotify).
    If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/providers/overview.md
+++ b/docs/content/reference/install-configuration/providers/overview.md
@@ -160,4 +160,4 @@ List of providers that support constraints:
 - [Consul Catalog](./hashicorp/consul-catalog.md#constraints)
 - [Nomad](./hashicorp/nomad.md#constraints)

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/providers/swarm.md
+++ b/docs/content/reference/install-configuration/providers/swarm.md
@@ -464,4 +464,4 @@ It allows different implementation levels of the [AAA (Authentication, Authoriza
 - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
 - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
+++ b/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
@@ -330,4 +330,4 @@ If Let's Encrypt is not reachable, the following certificates will apply:
 !!! important
    For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/install-configuration/tls/certificate-resolvers/overview.md
+++ b/docs/content/reference/install-configuration/tls/certificate-resolvers/overview.md
@@ -17,4 +17,4 @@ The Certificates resolvers are defined in the static configuration.
    Defining a certificate resolver does not imply that routers are going to use it automatically.
    Each router or entrypoint that is meant to use the resolver must explicitly reference it.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/load-balancing/service.md
+++ b/docs/content/reference/routing-configuration/http/load-balancing/service.md
@@ -4,14 +4,23 @@ description: "A service is in charge of connecting incoming requests to the Serv
 ---

 Traefik services define how to distribute incoming traffic across your backend servers.
-Each service implements one of the load balancing strategies detailed on this page to ensure optimal traffic distribution and high availability.
+This page covers two main concepts:
+
+- **Service Load Balancer**: Routes traffic to backend servers using various load balancing strategies
+- **Advanced Service Types**: Compose multiple services together for weighted distribution, mirroring, or failover

 ## Service Load Balancer

-The load balancers are able to load balance the requests between multiple instances of your programs.
-
+The `loadBalancer` service type routes incoming requests to a list of backend servers.
 Each service has a load-balancer, even if there is only one server to forward traffic to.

+The load balancer supports multiple **strategies** for distributing traffic among servers:
+
+- `wrr` (Weighted Round Robin) - Default strategy, distributes requests evenly across servers in rotation
+- `p2c` (Power of Two Choices) - Selects two random servers and routes to the one with fewer active connections
+- `hrw` (Highest Random Weight) - Uses consistent hashing based on client IP for session affinity
+- `leasttime` - Routes to the server with lowest response time combined with fewest active connections
+
 ### Configuration Example

 ```yaml tab="Structured (YAML)"
@@ -19,6 +28,7 @@ http:
  services:
    my-service:
      loadBalancer:
+        strategy: "wrr"
        servers:
          - url: "http://private-ip-server-1/"
            weight: 2
@@ -42,6 +52,7 @@ http:
 ```toml tab="Structured (TOML)"
 [http.services]
  [http.services.my-service.loadBalancer]
+    strategy = "wrr"
    [[http.services.my-service.loadBalancer.servers]]
      url = "http://private-ip-server-1/"
    
@@ -66,6 +77,7 @@ http:

 ```yaml tab="Labels"
 labels:
+  - "traefik.http.services.my-service.loadBalancer.strategy=wrr"
  - "traefik.http.services.my-service.loadBalancer.servers[0].url=http://private-ip-server-1/"
  - "traefik.http.services.my-service.loadBalancer.servers[0].weight=2"
  - "traefik.http.services.my-service.loadBalancer.servers[0].preservePath=true"
@@ -83,6 +95,7 @@ labels:
 ```json tab="Tags"
 {
  "Tags": [
+    "traefik.http.services.my-service.loadBalancer.strategy=wrr",
    "traefik.http.services.my-service.loadBalancer.servers[0].url=http://private-ip-server-1/",
    "traefik.http.services.my-service.loadBalancer.servers[0].weight=2",
    "traefik.http.services.my-service.loadBalancer.servers[0].preservePath=true",
@@ -104,6 +117,7 @@ labels:
 | Field                              | Description                                                                                                                                                                                                                                                                                                                                                                                   | Required |
 |------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
 | <a id="opt-servers" href="#opt-servers" title="#opt-servers">`servers`</a> | Represents individual backend instances for your service                                                                                                                                                                                                                                                                                                                                      | Yes      |
+| <a id="opt-strategy" href="#opt-strategy" title="#opt-strategy">`strategy`</a> | Load balancing strategy for distributing traffic among servers. Valid values: `wrr` (default), `p2c`, `hrw`, `leasttime`.                                                                                                                                                                                                                                                                     | No       |
 | <a id="opt-sticky" href="#opt-sticky" title="#opt-sticky">`sticky`</a> | Defines a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.                                                                                                                                                                                                                                                                  | No       |
 | <a id="opt-healthcheck" href="#opt-healthcheck" title="#opt-healthcheck">`healthcheck`</a> | Configures health check to remove unhealthy servers from the load balancing rotation.                                                                                                                                                                                                                                                                                                         | No       |
 | <a id="opt-passiveHealthcheck" href="#opt-passiveHealthcheck" title="#opt-passiveHealthcheck">`passiveHealthcheck`</a> | Configures the passive health check to remove unhealthy servers from the load balancing rotation.                                                                                                                                                                                                                                                                                             | No       |
@@ -124,7 +138,151 @@ Servers represent individual backend instances for your service. The [service lo
 | <a id="opt-weight" href="#opt-weight" title="#opt-weight">`weight`</a> | Allows for weighted load balancing on the servers. | No                                                                               |
 | <a id="opt-preservePath" href="#opt-preservePath" title="#opt-preservePath">`preservePath`</a> | Allows to preserve the URL path.                   | No                                                                               |

-#### Health Check
+### Load Balancing Strategies
+
+The `strategy` option on the load balancer determines how traffic is distributed among the backend servers.
+
+#### Weighted Round Robin (wrr)
+
+The default strategy. Distributes requests evenly across all servers in rotation, respecting server weights.
+This strategy uses Earliest Deadline First (EDF) scheduling to provide weighted round-robin behavior.
+
+??? example "WRR Load Balancing -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+
+    ```yaml tab="Structured (YAML)"
+    ## Routing configuration
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            strategy: "wrr"
+            servers:
+            - url: "http://private-ip-server-1/"
+              weight: 3
+            - url: "http://private-ip-server-2/"
+              weight: 1
+    ```
+
+    ```toml tab="Structured (TOML)"
+    ## Routing configuration
+    [http.services]
+      [http.services.my-service.loadBalancer]
+        strategy = "wrr"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-1/"
+          weight = 3
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-2/"
+          weight = 1
+    ```
+
+#### Power of Two Choices (p2c)
+
+Selects two servers at random and routes the request to the one with the fewest active connections.
+This algorithm provides better load distribution when servers have varying response times.
+
+??? example "P2C Load Balancing -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+
+    ```yaml tab="Structured (YAML)"
+    ## Routing configuration
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            strategy: "p2c"
+            servers:
+            - url: "http://private-ip-server-1/"
+            - url: "http://private-ip-server-2/"
+            - url: "http://private-ip-server-3/"
+    ```
+
+    ```toml tab="Structured (TOML)"
+    ## Routing configuration
+    [http.services]
+      [http.services.my-service.loadBalancer]
+        strategy = "p2c"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-1/"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-2/"       
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-3/"
+    ```
+
+#### Highest Random Weight (hrw)
+
+Uses consistent hashing (Rendezvous Hashing) based on the client's IP address to ensure requests from the same client are consistently routed to the same server.
+This provides session affinity without requiring sticky cookies.
+
+The algorithm computes a score for each available backend using a hash of the client's source IP combined with the backend's identifier, and assigns the client to the backend with the highest score.
+
+??? example "HRW Load Balancing -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+
+    ```yaml tab="Structured (YAML)"
+    ## Routing configuration
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            strategy: "hrw"
+            servers:
+            - url: "http://private-ip-server-1/"
+            - url: "http://private-ip-server-2/"
+            - url: "http://private-ip-server-3/"
+    ```
+
+    ```toml tab="Structured (TOML)"
+    ## Routing configuration
+    [http.services]
+      [http.services.my-service.loadBalancer]
+        strategy = "hrw"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-1/"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-2/"       
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-3/"
+    ```
+
+#### Least-Time
+
+Selects the server with the lowest average response time (Time To First Byte - TTFB), combined with the fewest active connections, weighted by server capacity.
+This strategy is ideal for heterogeneous backend environments where servers have varying performance characteristics, different hardware capabilities, or varying network latency.
+
+The algorithm continuously measures each backend's response time and tracks active connection counts.
+When routing a request, it calculates a score for each healthy server using the formula: `(avg_response_time × (1 + active_connections)) / weight`.
+The server with the lowest score receives the request.
+When multiple servers have identical scores, Weighted Round Robin (WRR) with Earliest Deadline First (EDF) scheduling is used as a tie-breaker.
+
+??? example "Least-Time Load Balancing -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+
+    ```yaml tab="Structured (YAML)"
+    ## Routing configuration
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            strategy: "leasttime"
+            servers:
+            - url: "http://private-ip-server-1/"
+            - url: "http://private-ip-server-2/"
+            - url: "http://private-ip-server-3/"
+    ```
+
+    ```toml tab="Structured (TOML)"
+    ## Routing configuration
+    [http.services]
+      [http.services.my-service.loadBalancer]
+        strategy = "leasttime"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-1/"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-2/"
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-3/"
+    ```
+
+### Health Check

 The `healthcheck` option configures health check to remove unhealthy servers from the load balancing rotation.
 Traefik will consider HTTP(s) servers healthy as long as they return a status code to the health check request (carried out every interval) between `2XX` and `3XX`, or matching the configured status.
@@ -146,42 +304,41 @@ Below are the available options for the health check mechanism:
 | <a id="opt-timeout" href="#opt-timeout" title="#opt-timeout">`timeout`</a> | Defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.            | 5s      | No       |
 | <a id="opt-headers" href="#opt-headers" title="#opt-headers">`headers`</a> | Defines custom headers to be sent to the health check endpoint.                                                               |         | No       |
 | <a id="opt-followRedirects" href="#opt-followRedirects" title="#opt-followRedirects">`followRedirects`</a> | Defines whether redirects should be followed during the health check calls.                                                   | true    | No       |
-| <a id="opt-hostname-2" href="#opt-hostname-2" title="#opt-hostname-2">`hostname`</a> | Defines the value of hostname in the Host header of the health check request.                                                 | ""      | No       |
 | <a id="opt-method" href="#opt-method" title="#opt-method">`method`</a> | Defines the HTTP method that will be used while connecting to the endpoint.                                                   | GET     | No       |
 | <a id="opt-status" href="#opt-status" title="#opt-status">`status`</a> | Defines the expected HTTP status code of the response to the health check request.                                            |         | No       |

-#### Sticky sessions
+### Sticky Sessions

 When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.
 On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.

-##### Stickiness on multiple levels
+#### Stickiness on multiple levels

 When chaining or mixing load-balancers (e.g. a load-balancer of servers is one of the "children" of a load-balancer of services), for stickiness to work all the way, the option needs to be specified at all required levels. Which means the client needs to send a cookie with as many key/value pairs as there are sticky levels.

-##### Stickiness & Unhealthy Servers
+#### Stickiness & Unhealthy Servers

 If the server specified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).

-##### Cookie Name
+#### Cookie Name

 The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).

-##### MaxAge
+#### MaxAge

 By default, the affinity cookie will never expire as the `MaxAge` option is set to zero.

 This option indicates the number of seconds until the cookie expires.  
 When set to a negative number, the cookie expires immediately.

-##### Secure & HTTPOnly & SameSite flags
+#### Secure & HTTPOnly & SameSite flags

 By default, the affinity cookie is created without those flags.
 One however can change that through configuration.

 `SameSite` can be `none`, `lax`, `strict` or empty.

-##### Domain
+#### Domain

 The Domain attribute of a cookie specifies the domain for which the cookie is valid. 

@@ -190,7 +347,7 @@ By setting the Domain attribute, the cookie can be shared across subdomains (for
 ??? example "Adding Stickiness -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"

    ```yaml tab="Structured (YAML)"
-    ## Dynamic configuration
+    ## Routing configuration
    http:
      services:
        my-service:
@@ -200,7 +357,7 @@ By setting the Domain attribute, the cookie can be shared across subdomains (for
    ```

    ```toml tab="Structured (TOML)"
-    ## Dynamic configuration
+    ## Routing configuration
    [http.services]
      [http.services.my-service]
        [http.services.my-service.loadBalancer.sticky.cookie]
@@ -209,7 +366,7 @@ By setting the Domain attribute, the cookie can be shared across subdomains (for
 ??? example "Adding Stickiness with custom Options -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"

    ```yaml tab="Structured (YAML)"
-    ## Dynamic configuration
+    ## Routing configuration
    http:
      services:
        my-service:
@@ -223,7 +380,7 @@ By setting the Domain attribute, the cookie can be shared across subdomains (for
    ```

    ```toml tab="Structured (TOML)"
-    ## Dynamic configuration
+    ## Routing configuration
    [http.services]
      [http.services.my-service]
        [http.services.my-service.loadBalancer.sticky.cookie]
@@ -237,7 +394,7 @@ By setting the Domain attribute, the cookie can be shared across subdomains (for
 ??? example "Setting Stickiness on all the required levels -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"

    ```yaml tab="Structured (YAML)"
-    ## Dynamic configuration
+    ## Routing configuration
    http:
      services:
        wrr1:
@@ -271,7 +428,7 @@ By setting the Domain attribute, the cookie can be shared across subdomains (for
    ```

    ```toml tab="Structured (TOML)"
-    ## Dynamic configuration
+    ## Routing configuration
    [http.services]
      [http.services.wrr1]
        [http.services.wrr1.weighted.sticky.cookie]
@@ -308,7 +465,7 @@ To keep a session open with the same server, the client would then need to speci
 curl -b "lvl1=whoami1; lvl2=http://127.0.0.1:8081" http://localhost:8000
 ```

-#### Passive Health Check
+### Passive Health Check

 The `passiveHealthcheck` option configures passive health check to remove unhealthy servers from the load balancing rotation.

@@ -326,18 +483,27 @@ Below are the available options for the passive health check mechanism:
 | <a id="opt-failureWindow" href="#opt-failureWindow" title="#opt-failureWindow">`failureWindow`</a> | Defines the time window during which the failed attempts must occur for the server to be marked as unhealthy. It also defines for how long the server will be considered unhealthy. | 10s     | No       |
 | <a id="opt-maxFailedAttempts" href="#opt-maxFailedAttempts" title="#opt-maxFailedAttempts">`maxFailedAttempts`</a> | Defines the number of consecutive failed attempts allowed within the failure window before marking the server as unhealthy.                                                         | 1       | No       |

-## Weighted Round Robin (WRR)
+## Advanced Service Types

-The WRR is able to load balance the requests between multiple services based on weights.
+Advanced service types allow you to compose multiple services together for weighted distribution, consistent hashing, mirroring, or failover scenarios.
+These are distinct from load balancing strategies - they operate at the **service level** rather than the **server level**.

-This strategy is only available to load balance between services and not between servers.
+!!! info "Key Difference"
+
+    - **Load Balancing Strategies** (wrr, p2c, hrw, leasttime): Distribute traffic among **servers** within a single `loadBalancer` service
+    - **Advanced Service Types** (weighted, highestRandomWeight, mirroring, failover): Distribute or manage traffic among multiple **services**
+
+### Weighted Round robin
+
+The `weighted` service type load balances requests between multiple services based on weights.
+This is different from the `wrr` strategy - it operates on services, not servers.

 !!! info "Supported Providers"

-    This strategy can be defined currently with the [File](../../../install-configuration/providers/others/file.md) or [IngressRoute](../../../install-configuration/providers/kubernetes/kubernetes-crd.md) providers. To load balance between servers based on weights, the Load Balancer service should be used instead.
+    This service type can be defined currently with the [File](../../../install-configuration/providers/others/file.md) provider or [IngressRoute](../../../routing-configuration/kubernetes/crd/http/ingressroute.md).

 ```yaml tab="Structured (YAML)"
-## Dynamic configuration
+## Routing configuration
 http:
  services:
    app:
@@ -360,7 +526,7 @@ http:
 ```

 ```toml tab="Structured (TOML)"
-## Dynamic configuration
+## Routing configuration
 [http.services]
  [http.services.app]
    [[http.services.app.weighted.services]]
@@ -381,7 +547,7 @@ http:
        url = "http://private-ip-server-2/"
 ```

-### Health Check
+#### Health Check

 HealthCheck enables automatic self-healthcheck for this service, i.e. whenever one of its children is reported as down, this service becomes aware of it, and takes it into account (i.e. it ignores the down child) when running the load-balancing algorithm. In addition, if the parent of this service also has HealthCheck enabled, this service reports to its parent any status change.

@@ -392,7 +558,7 @@ HealthCheck enables automatic self-healthcheck for this service, i.e. whenever o
    HealthCheck on Weighted services can be defined currently only with the [File provider](../../../install-configuration/providers/others/file.md).  

 ```yaml tab="Structured (YAML)"
-## Dynamic configuration
+## Routing configuration
 http:
  services:
    app:
@@ -424,7 +590,7 @@ http:
 ```

 ```toml tab="Structured (TOML)"
-## Dynamic configuration
+## Routing configuration
 [http.services]
  [http.services.app]
    [http.services.app.weighted.healthCheck]
@@ -454,83 +620,138 @@ http:
        url = "http://private-ip-server-2/"
 ```

-## P2C
+### Highest Random Weight

-Power of two choices algorithm is a load balancing strategy that selects two servers at random and chooses the one with the least number of active requests.
+The `highestRandomWeight` service type uses consistent hashing (Rendezvous Hashing) to load balance requests between multiple services.
+This ensures that requests from the same client IP are consistently routed to the same service.

-??? example "P2C Load Balancing -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+This is different from the `hrw` strategy on a loadBalancer - it operates on **services**, not servers.

-    ```yaml tab="Structured (YAML)"
-    ## Dynamic configuration
-    http:
-      services:
-        my-service:
-          loadBalancer:
-            strategy: "p2c"
-            servers:
-            - url: "http://private-ip-server-1/"
-            - url: "http://private-ip-server-2/"
-            - url: "http://private-ip-server-3/"
-    ```
+!!! info "Supported Providers"

-    ```toml tab="Structured (TOML) "
-    ## Dynamic configuration
-    [http.services]
-      [http.services.my-service.loadBalancer]
-        strategy = "p2c"
-        [[http.services.my-service.loadBalancer.servers]]
-          url = "http://private-ip-server-1/"
-        [[http.services.my-service.loadBalancer.servers]]
-          url = "http://private-ip-server-2/"       
-        [[http.services.my-service.loadBalancer.servers]]
-          url = "http://private-ip-server-3/"
-    ```
+    This service type can be defined currently only with the [File](../../../install-configuration/providers/others/file.md) provider.

-## Least-Time
+```yaml tab="Structured (YAML)"
+## Routing configuration
+http:
+  services:
+    app:
+      highestRandomWeight:
+        services:
+        - name: appv1
+          weight: 1
+        - name: appv2
+          weight: 1

-The Least-Time load balancing algorithm selects the server with the lowest average response time (Time To First Byte - TTFB),
-combined with the fewest active connections, weighted by server capacity.
-This strategy is ideal for heterogeneous backend environments where servers have varying performance characteristics,
-different hardware capabilities, or varying network latency.
+    appv1:
+      loadBalancer:
+        servers:
+        - url: "http://private-ip-server-1/"

-The algorithm continuously measures each backend's response time and tracks active connection counts.
-When routing a request,
-it calculates a score for each healthy server using the formula: `(avg_response_time × (1 + active_connections)) / weight`.
-The server with the lowest score receives the request.
-When multiple servers have identical scores,
-Weighted Round Robin (WRR) with Earliest Deadline First (EDF) scheduling is used as a tie-breaker to ensure fair distribution.
+    appv2:
+      loadBalancer:
+        servers:
+        - url: "http://private-ip-server-2/"
+```

-??? example "Basic Least-Time Load Balancing -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+```toml tab="Structured (TOML)"
+## Routing configuration
+[http.services]
+  [http.services.app]
+    [[http.services.app.highestRandomWeight.services]]
+      name = "appv1"
+      weight = 1
+    [[http.services.app.highestRandomWeight.services]]
+      name = "appv2"
+      weight = 1

-    ```yaml tab="Structured (YAML)"
-    ## Dynamic configuration
-    http:
-      services:
-        my-service:
-          loadBalancer:
-            strategy: "leasttime"
-            servers:
-            - url: "http://private-ip-server-1/"
-            - url: "http://private-ip-server-2/"
-            - url: "http://private-ip-server-3/"
-    ```
+  [http.services.appv1]
+    [http.services.appv1.loadBalancer]
+      [[http.services.appv1.loadBalancer.servers]]
+        url = "http://private-ip-server-1/"

-    ```toml tab="Structured (TOML)"
-    ## Dynamic configuration
-    [http.services]
-      [http.services.my-service.loadBalancer]
-        strategy = "leasttime"
-        [[http.services.my-service.loadBalancer.servers]]
-          url = "http://private-ip-server-1/"
-        [[http.services.my-service.loadBalancer.servers]]
-          url = "http://private-ip-server-2/"
-        [[http.services.my-service.loadBalancer.servers]]
-          url = "http://private-ip-server-3/"
-    ```
+  [http.services.appv2]
+    [http.services.appv2.loadBalancer]
+      [[http.services.appv2.loadBalancer.servers]]
+        url = "http://private-ip-server-2/"
+```

-## Mirroring
+#### Health Check

-The mirroring is able to mirror requests sent to a service to other services. Please note that by default the whole request is buffered in memory while it is being mirrored. See the `maxBodySize` option in the example below for how to modify this behaviour. You can also omit the request body by setting the `mirrorBody` option to false.
+HealthCheck enables automatic self-healthcheck for this service, similar to the Weighted Round Robin service type.
+
+!!! note "Behavior"
+
+    If HealthCheck is enabled for a given service and any of its descendants does not have it enabled, the creation of the service will fail.
+
+    HealthCheck on Highest Random Weight services can be defined currently only with the [File provider](../../../install-configuration/providers/others/file.md).  
+
+```yaml tab="Structured (YAML)"
+## Routing configuration
+http:
+  services:
+    app:
+      highestRandomWeight:
+        healthCheck: {}
+        services:
+        - name: appv1
+          weight: 1
+        - name: appv2
+          weight: 1
+
+    appv1:
+      loadBalancer:
+        healthCheck:
+          path: /status
+          interval: 10s
+          timeout: 3s
+        servers:
+        - url: "http://private-ip-server-1/"
+
+    appv2:
+      loadBalancer:
+        healthCheck:
+          path: /status
+          interval: 10s
+          timeout: 3s
+        servers:
+        - url: "http://private-ip-server-2/"
+```
+
+```toml tab="Structured (TOML)"
+## Routing configuration
+[http.services]
+  [http.services.app]
+    [http.services.app.highestRandomWeight.healthCheck]
+    [[http.services.app.highestRandomWeight.services]]
+      name = "appv1"
+      weight = 1
+    [[http.services.app.highestRandomWeight.services]]
+      name = "appv2"
+      weight = 1
+
+  [http.services.appv1]
+    [http.services.appv1.loadBalancer]
+      [http.services.appv1.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.appv1.loadBalancer.servers]]
+        url = "http://private-ip-server-1/"
+
+  [http.services.appv2]
+    [http.services.appv2.loadBalancer]
+      [http.services.appv2.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.appv2.loadBalancer.servers]]
+        url = "http://private-ip-server-2/"
+```
+
+### Mirroring
+
+The `mirroring` service type mirrors requests sent to a service to other services. Please note that by default the whole request is buffered in memory while it is being mirrored. See the `maxBodySize` option in the example below for how to modify this behaviour. You can also omit the request body by setting the `mirrorBody` option to false.

 !!! warning "Default behavior of `percent`"

@@ -538,10 +759,10 @@ The mirroring is able to mirror requests sent to a service to other services. Pl
    
 !!! info "Supported Providers"

-    This strategy can be defined currently with the [File](../../../install-configuration/providers/others/file.md) or [IngressRoute](../../../install-configuration/providers/kubernetes/kubernetes-crd.md) providers.
+    This service type can be defined currently with the [File](../../../install-configuration/providers/others/file.md) provider or [IngressRoute](../../../routing-configuration/kubernetes/crd/http/ingressroute.md).
    
 ```yaml tab="Structured (YAML)"
-## Dynamic configuration
+## Routing configuration
 http:
  services:
    mirrored-api:
@@ -572,7 +793,7 @@ http:
 ```

 ```toml tab="Structured (TOML)"
-## Dynamic configuration
+## Routing configuration
 [http.services]
  [http.services.mirrored-api]
    [http.services.mirrored-api.mirroring]
@@ -599,7 +820,7 @@ http:
        url = "http://private-ip-server-2/"
 ```

-### Health Check
+#### Health Check

 HealthCheck enables automatic self-healthcheck for this service, i.e. if the main handler of the service becomes unreachable, the information is propagated upwards to its parent.

@@ -610,7 +831,7 @@ HealthCheck enables automatic self-healthcheck for this service, i.e. if the mai
    HealthCheck on Mirroring services can be defined currently only with the [File provider](../../../install-configuration/providers/others/file.md).  

 ```yaml tab="Structured (YAML)"
-## Dynamic configuration
+## Routing configuration
 http:
  services:
    mirrored-api:
@@ -637,7 +858,7 @@ http:
 ```

 ```toml tab="Structured (TOML)"
-## Dynamic configuration
+## Routing configuration
 [http.services]
  [http.services.mirrored-api]
    [http.services.mirrored-api.mirroring]
@@ -658,7 +879,7 @@ http:

  [http.services.appv2]
    [http.services.appv2.loadBalancer]
-      [http.services.appv1.loadBalancer.healthCheck]
+      [http.services.appv2.loadBalancer.healthCheck]
        path = "/health"
        interval = "10s"
        timeout = "3s"
@@ -666,17 +887,17 @@ http:
        url = "http://private-ip-server-2/"
 ```

-## Failover 
+### Failover 

-A failover service job is to forward all requests to a fallback service when the main service becomes unreachable.
+The `failover` service type forwards all requests to a fallback service when the main service becomes unreachable.

 !!! info "Relation to HealthCheck"
    The failover service relies on the HealthCheck system to get notified when its main service becomes unreachable, which means HealthCheck needs to be enabled and functional on the main service. However, HealthCheck does not need to be enabled on the failover service itself for it to be functional. It is only required in order to propagate upwards the information when the failover itself becomes down (i.e. both its main and its fallback are down too).

 !!! info "Supported Provider"
-    This strategy can currently only be defined with the [File](../../../install-configuration/providers/others/file.md) provider.
+    This service type can currently only be defined with the [File](../../../install-configuration/providers/others/file.md) provider.

-### HealthCheck
+#### HealthCheck

 HealthCheck enables automatic self-healthcheck for this service, i.e. if the main and the fallback services become unreachable, the information is propagated upwards to its parent.

@@ -687,7 +908,7 @@ HealthCheck enables automatic self-healthcheck for this service, i.e. if the mai
    HealthCheck on a Failover service can be defined currently only with the [File provider](../../../install-configuration/providers/others/file.md).  

 ```yaml tab="Structured (YAML)"
-## Dynamic configuration
+## Routing configuration
 http:
  services:
    app:
@@ -716,7 +937,7 @@ http:
 ```

 ```toml tab="Structured (TOML)"
-## Dynamic configuration
+## Routing configuration
 [http.services]
  [http.services.app]
    [http.services.app.failover.healthCheck]
--- a/docs/content/reference/routing-configuration/http/middlewares/apikey.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/apikey.md
@@ -53,4 +53,4 @@ stringData:
 | <a id="opt-secretNonBase64Encoded" href="#opt-secretNonBase64Encoded" title="#opt-secretNonBase64Encoded">`secretNonBase64Encoded`</a> | Defines whether the secret sent by the client is base64 encoded. | false   | No       |
 | <a id="opt-secretValues" href="#opt-secretValues" title="#opt-secretValues">`secretValues`</a> | Contain the hash of the API keys. <br /> Supported hashing algorithms are Bcrypt, SHA1 and MD5. <br /> The hash should be generated using `htpasswd`.<br />Can reference a Kubernetes Secret using the URN format: `urn:k8s:secret:[name]:[valueKey]` | []      | Yes      |

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/basicauth.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/basicauth.md
@@ -92,4 +92,4 @@ The option `users` supports Kubernetes secrets.
    Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
    You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/digestauth.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/digestauth.md
@@ -82,4 +82,4 @@ On Kubernetes, you don’t use the `users` or `usersFile` fields. Instead, you r
 - `kubernetes.io/basic-auth secret`: This secret type contains two keys—`username` and `password`—but is generally suited for a smaller number of users. Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than the other method.
 - Opaque secret with a users field: Here, the secret contains a single string field (often called `users`) where each line represents a user. This approach allows you to store multiple users in one secret.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/forwardauth.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/forwardauth.md
@@ -127,4 +127,4 @@ The following request properties are provided to the forward-auth target endpoin
 | <a id="opt-Request-URI" href="#opt-Request-URI" title="#opt-Request-URI">Request URI</a> | `X-Forwarded-Uri`        |
 | <a id="opt-Source-IP-Address" href="#opt-Source-IP-Address" title="#opt-Source-IP-Address">Source IP-Address</a> | `X-Forwarded-For`        |

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/headers.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/headers.md
@@ -323,4 +323,4 @@ It allows all origins that contain any match of a regular expression in the `acc

    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/hmac.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/hmac.md
@@ -204,4 +204,4 @@ Only SHA-256 and SHA-512 checksums are supported for checksum computation.

    To disable this feature and only perform authentication, set the `validateDigest` option to `false` in the middleware configuration.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/jwt.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/jwt.md
@@ -230,4 +230,4 @@ The reference to a Kubernetes secret takes the form of a URN:
 urn:k8s:secret:[name]:[valueKey]
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/ldap.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/ldap.md
@@ -102,4 +102,4 @@ and a `bindPassword`, then the middleware runs in search mode. In this mode, a s
 issued to the LDAP server before trying to bind. If result of this search returns only 1 record,
 it tries to issue a bind request with this record, otherwise it aborts a `401 Unauthorized` status code.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/oauth2-client-credentials.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/oauth2-client-credentials.md
@@ -252,4 +252,4 @@ The following Redis modes are supported:

 For more information about Redis, we recommend the [official Redis documentation](https://redis.io/docs/ "Link to official Redis documentation").

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/oauth2-token-introspection.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/oauth2-token-introspection.md
@@ -206,4 +206,4 @@ stringData:
    -----END EC PRIVATE KEY-----
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/oidc.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/oidc.md
@@ -427,4 +427,4 @@ This means that a new CSRF token will be generated and sent to the client whenev
 When a request is sent and uses a non-safe method (see [RFC7231#section-4.2.1](https://datatracker.ietf.org/doc/html/rfc7231.html#section-4.2.1)),
 the CSRF token value (extracted from the cookie) have to be sent to the server in the header configured with the [headerName option](#configuration-options).

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/opa.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/opa.md
@@ -69,4 +69,4 @@ spec:
 | <a id="opt-allow" href="#opt-allow" title="#opt-allow">`allow`</a> | The `allow` option sets the expression to evaluate that determines if the request should be authorized. | ""      | No (one of `allow` or `forwardHeaders` must be set) |
 | <a id="opt-forwardHeaders" href="#opt-forwardHeaders" title="#opt-forwardHeaders">`forwardHeaders`</a> | The `forwardHeaders` option sets the HTTP headers to add to requests and populates them with the result of the given expression. | ""      | No (one of `allow` or `forwardHeaders` must be set) |   

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/overview.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/overview.md
@@ -48,4 +48,4 @@ Middlewares that use the same protocol can be combined into chains to fit every

 Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/redirectregex.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/redirectregex.md
@@ -85,4 +85,4 @@ The `replacement` option defines how to modify the URL to have the new target UR

    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/stripprefix.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/stripprefix.md
@@ -63,4 +63,4 @@ spec:
 |:-----------------------------|:--------------------------------------------------------------|:--------|:---------|
 | <a id="opt-prefixes" href="#opt-prefixes" title="#opt-prefixes">`prefixes`</a> | List of prefixes to strip from the request URL.<br />If your backend is serving assets (for example, images or JavaScript files), it can use the `X-Forwarded-Prefix` header to construct relative URLs. | [] | No |

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/middlewares/waf.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/waf.md
@@ -61,4 +61,4 @@ spec:
 | <a id="opt-directives" href="#opt-directives" title="#opt-directives">`directives`</a> | List of WAF rules to enforce. |  | Yes |
 | <a id="opt-crsEnabled" href="#opt-crsEnabled" title="#opt-crsEnabled">`crsEnabled`</a> | Enable [CRS rulesets](https://github.com/corazawaf/coraza-coreruleset/tree/main/rules/%40owasp_crs).<br /> Once the ruleset is enabled, it can be used in the middleware. | false |  False |

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/routing/multi-layer-routing.md
+++ b/docs/content/reference/routing-configuration/http/routing/multi-layer-routing.md
@@ -185,4 +185,4 @@ Request → EntryPoint → Parent Router → Middleware → Child Router A → S
    4. If `X-User-Role: admin`, `api-admin` router matches and forwards to `admin-service`
    5. If `X-User-Role: user`, `api-user` router matches and forwards to `user-service`

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/routing/router.md
+++ b/docs/content/reference/routing-configuration/http/routing/router.md
@@ -103,7 +103,7 @@ labels:
 |----------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------|
 | <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, HTTP routers are attached to all entry points.                                                                                                                                                                                           | All entry points            | No       |
 | <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service. See [Rules & Priority](./rules-and-priority.md) for details.              |                             | Yes      |
-| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length                 | No       |
+| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. Negative values are supported. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length                 | No       |
 | <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [Middlewares overview](../middlewares/overview.md) for available middlewares.                                                                                                                    |                             | No       |
 | <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle HTTPS requests.                                                                                                                                                                                                                        |                             | No       |
 | <a id="opt-tls-certResolver" href="#opt-tls-certResolver" title="#opt-tls-certResolver">`tls.certResolver`</a> | The name of the certificate resolver to use for automatic certificate generation. See [Certificate Resolver](../tls/overview.md#certificate-resolver) for details.                                                                                                                                                   |                             | No       |
@@ -118,4 +118,4 @@ labels:
 - The character `@` is not authorized in the router name
 - In provider-specific configurations (Docker, Kubernetes), router names are often auto-generated based on service names and rules

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
--- a/docs/content/reference/routing-configuration/http/routing/rules-and-priority.md
+++ b/docs/content/reference/routing-configuration/http/routing/rules-and-priority.md
@@ -225,6 +225,8 @@ The priority is directly equal to the length of the rule, and so the longest len

 A value of `0` for the priority is ignored: `priority: 0` means that the default rules length sorting is used.

+Negative priority values are supported.
+
 Traefik reserves a range of priorities for its internal routers, the maximum user-defined router priority value is:

 - `(MaxInt32 - 1000)` for 32-bit platforms,
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Sheddy	bb35197d5a	Improve the structure of the routing reference pages	2026-01-16 14:48:06 +01:00
Sheddy	6cd85caa99	Improve Service Reference page	2026-01-16 11:26:05 +01:00
mmatur	3315a9fbec	Merge current v2.11 into v3.6	2026-01-16 09:13:54 +01:00
understood-the-assignment	27b27e9b1f	Document negative priority support for routers	2026-01-15 10:00:05 +01:00
Jesper Noordsij	34d8491ac2	Bump github.com/quic-go/quic-go to v0.59.0	2026-01-14 18:15:35 +01:00
Alessandro Marotta	105bf1cfd6	Fix migration guide URLs in deprecation notice	2026-01-14 17:12:07 +01:00
Kevin Pollet	1728364341	Prepare release v3.6.7	2026-01-14 14:56:04 +01:00
romain	8479d66d18	Merge branch v2.11 into v3.6	2026-01-14 11:49:11 +01:00
Kevin Pollet	9e5d4ba5a1	Prepare release v2.11.35	2026-01-14 10:28:04 +01:00
Gina A.	adf47fba31	Make encoded character options opt-in	2026-01-14 10:16:04 +01:00
Jesper Noordsij	794916a183	Update code generator	2026-01-13 16:34:05 +01:00
LBF38	2e6dfbae57	Fix condition used for serving and fenced endpoints Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-01-13 11:38:05 +01:00
Sheddy	ee265a8509	Add Scarf Analytics to documentation	2026-01-13 11:16:05 +01:00
Barbara Soraggi	5a9f3e6999	Replace markdown-include dependency with mkdocs-include-markdown-plugin	2026-01-13 10:10:05 +01:00
Barbara Soraggi	fc67185987	Replace markdown-include dependency with mkdocs-include-markdown-plugin	2026-01-13 10:08:04 +01:00
Ludovic Fernandez	d054299ed0	Bump github.com/go-acme/lego/v4 to v4.31.0	2026-01-12 17:52:04 +01:00
mmatur	dc04dc1940	Merge current v2.11 into v3.6	2026-01-09 19:41:31 +01:00
Romain	26f4a669b8	Prevent Ingress Nginx provider http router to attach to an entrypoint with TLS Co-authored-by: Gina A. <70909035+gndz07@users.noreply.github.com>	2026-01-09 17:38:05 +01:00
Michel Loiseleur	e8067f4e01	Refactor CI on documentation	2026-01-09 17:24:04 +01:00
LBF38	1881434ac6	Fix use-regex nginx annotation Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-01-09 17:18:05 +01:00
Anurag Ekkati	862488569d	Fix code copy button positioning	2026-01-09 16:56:04 +01:00
Michael	2b710f05b3	Fix Kubernetes reference yml file	2026-01-09 10:12:04 +01:00
Andreas Schildbach	c7487c4a69	Replace hardcoded references to LetsEncrypt in log messages	2026-01-09 09:36:04 +01:00
LBF38	e9f3089e90	Add timeout to ACME-TLS/1 challenge handshake Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-01-08 16:16:05 +01:00
DBouraoui	7e703742cb	Update swarm.md traefik version	2026-01-08 15:24:04 +01:00
LBF38	4de6d6b902	Validate X-Forwarded-Prefix value for dashboard redirect Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-01-08 14:26:04 +01:00
Gina A.	1778ff3bac	Bring back security section on API & Dashboard documentation page	2026-01-08 10:24:04 +01:00
Ed Salkeld	7e1654ae27	Fix typo in kubernetes.md	2026-01-07 14:10:04 +01:00
Gina A.	5d00096f82	Fix panic for empty defaultBackend and defaultBackend without resources	2026-01-07 09:38:05 +01:00
Nicolas Mengin	be27044099	Fix ingress-nginx annotations documenation	2026-01-06 17:46:04 +01:00
Sheddy	dbebe5fa3e	Add product comparison matrix and features page	2026-01-06 16:46:05 +01:00
Christian Schärf	413b7c8cca	Fix link description in Traefik Proxy documentation	2026-01-05 16:14:04 +01:00
Ludovic Fernandez	3b6949c18c	fix(acme): add missing renew options	2026-01-05 14:50:05 +01:00
Jesper Noordsij	66bf4632e2	Remove unused empty code-gen-docker.sh script	2026-01-05 14:34:05 +01:00
Michael	1de72c715d	Fix flaky tests on hrw	2026-01-02 10:56:04 +01:00
mmatur	cabcf19303	Merge current v2.11 into v3.6	2026-01-02 10:05:07 +01:00
Michael	47d7094dfb	Welcome 2026	2026-01-02 09:58:04 +01:00