Fix inaccuracies in reference documentation

Create the redis rate limiter script lazily
Fix broken CRD reference links in IngressRoute page
2026-06-21 16:46:22 +00:00 · 2026-06-19 11:34:05 +02:00 · 2026-06-18 17:12:06 +02:00 · 2026-06-18 14:36:07 +02:00 · 2026-06-18 12:10:05 +02:00 · 2026-06-18 10:46:51 +02:00
134 changed files with 1243 additions and 859 deletions
@@ -12,6 +12,9 @@ on:
 env:
  CGO_ENABLED: 0

+permissions:
+  contents: read
+
 jobs:

  build-webui:
@@ -8,6 +8,9 @@ on:
      - '.github/workflows/check_doc.yaml'
      - 'docs/**'

+permissions:
+  contents: read
+
 jobs:

  docs:
@@ -11,6 +11,9 @@ env:
  STRUCTOR_VERSION: v1.13.2
  MIXTUS_VERSION: v0.4.1

+permissions:
+  contents: read
+
 jobs:

  docs:
@@ -9,6 +9,9 @@ on:
 env:
  CGO_ENABLED: 0

+permissions:
+  contents: read
+
 jobs:

  build-webui:
@@ -14,6 +14,9 @@ on:
 env:
  CGO_ENABLED: 0

+permissions:
+  contents: read
+
 jobs:

  test-gateway-api-conformance:
@@ -12,6 +12,9 @@ on:
 env:
  CGO_ENABLED: 0

+permissions:
+  contents: read
+
 jobs:

  build:
@@ -14,6 +14,9 @@ on:
 env:
  CGO_ENABLED: 0

+permissions:
+  contents: read
+
 jobs:

  test-knative-conformance:
@@ -9,6 +9,9 @@ on:
      - '**.md'
      - 'script/gcg/**'

+permissions:
+  contents: read
+
 jobs:
  generate-packages:
    name: List Go Packages
@@ -9,6 +9,9 @@ env:
  GOLANGCI_LINT_VERSION: v2.10.1
  MISSPELL_VERSION: v0.7.0

+permissions:
+  contents: read
+
 jobs:

  lint:
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.2
-FROM alpine:3.23
+FROM alpine:3.24

 RUN apk add --no-cache --no-progress ca-certificates tzdata

@@ -16,7 +16,7 @@ import (
 	"time"

 	"github.com/coreos/go-systemd/v22/daemon"
-	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v5/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
 	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
@@ -1,4 +1,4 @@
-FROM alpine:3.23
+FROM alpine:3.24

 RUN apk --no-cache --no-progress add \
    build-base \
@@ -26,11 +26,10 @@ log:
 ```

 ```yaml tab="Helm Chart Values"
-logs:
-  general:
-    filePath: "/path/to/log-file.log"
-    format: json
-    level: INFO
+log:
+  filePath: "/path/to/log-file.log"
+  format: json
+  level: INFO
 ```

 ## Access Logs
@@ -78,23 +77,22 @@ accessLog:

 ```yaml tab="Helm Chart Values"
 # values.yaml
-logs:
-  access:
-    enabled: true
-    format: json
-    filters:
-      statusCodes:
-        - "200"
-        - "400-404"
-        - "500-503"
-    fields:
+accessLog:
+  enabled: true
+  format: json
+  filters:
+    statusCodes:
+      - "200"
+      - "400-404"
+      - "500-503"
+  fields:
+    names:
+      ClientUsername: drop
+    headers:
+      defaultMode: keep
      names:
-        ClientUsername: drop
-      headers:
-        defaultMode: keep
-        names:
-          User-Agent: redact
-          Content-Type: keep
+        User-Agent: redact
+        Content-Type: keep
 ```

 ## Per-Router Access Logs
@@ -170,10 +170,10 @@ enabling the dashboard [here](https://github.com/traefik/traefik-helm-chart/blob
 | Field      | Description  | Default | Required |
 |:-----------|:---------------------------------|:--------|:---------|
 | <a id="opt-api" href="#opt-api" title="#opt-api">`api`</a> | Enable api/dashboard. When set to `true`, its sub option `api.dashboard` is also set to true.| false     | No      |
-| <a id="opt-api-basepath" href="#opt-api-basepath" title="#opt-api-basepath">api.basepath</a> | Defines the base path where the API and Dashboard will be exposed.<br/>Please note that this option is incompatible with the [insecure mode](#opt-api-insecure). | / | No |
-| <a id="opt-api-dashboard" href="#opt-api-dashboard" title="#opt-api-dashboard">`api.dashboard`</a> | Enable dashboard. | false      | No      |
+| <a id="opt-api-basePath" href="#opt-api-basePath" title="#opt-api-basePath">api.basePath</a> | Defines the base path where the API and Dashboard will be exposed.<br/>Please note that this option is incompatible with the [insecure mode](#opt-api-insecure). | / | No |
+| <a id="opt-api-dashboard" href="#opt-api-dashboard" title="#opt-api-dashboard">`api.dashboard`</a> | Enable dashboard. | true      | No      |
 | <a id="opt-api-debug" href="#opt-api-debug" title="#opt-api-debug">`api.debug`</a> | Enable additional endpoints for debugging and profiling. | false      | No      |
-| <a id="opt-api-disabledashboardad" href="#opt-api-disabledashboardad" title="#opt-api-disabledashboardad">`api.disabledashboardad`</a> | Disable the advertisement from the dashboard. | false      | No      |
+| <a id="opt-api-disableDashboardAd" href="#opt-api-disableDashboardAd" title="#opt-api-disableDashboardAd">`api.disableDashboardAd`</a> | Disable the advertisement from the dashboard. | false      | No      |
 | <a id="opt-api-insecure" href="#opt-api-insecure" title="#opt-api-insecure">`api.insecure`</a> | Enable the API and the dashboard on the entryPoint named traefik.<br/>Please note that this mode is incompatible with the custom API [base path option](#opt-api-basepath).| false      | No      |

 ## Endpoints
@@ -214,7 +214,7 @@ All the following endpoints must be accessed with a `GET` HTTP request.

 !!! note "Base Path Configuration"

-    By default, Traefik exposes its API and Dashboard under the `/` base path. It's possible to configure it with `api.basepath`. When configured, all endpoints (api, dashboard, debug) are using it.
+    By default, Traefik exposes its API and Dashboard under the `/` base path. It's possible to configure it with `api.basePath`. When configured, all endpoints (api, dashboard, debug) are using it.

 ## Dashboard

@@ -123,7 +123,7 @@ ports:
    exposedPort: 443

 additionalArguments:
-  - "--providers.kubernetescrd.ingressClass"
+  - "--providers.kubernetescrd.ingressClass=traefik"
  - "--log.level=INFO"
 ```

@@ -28,8 +28,8 @@ entryPoints:
    http:
      tls: {}
      middlewares:
-        - auth@kubernetescrd
-        - strip@kubernetescrd
+        - default-auth@kubernetescrd
+        - default-strip@kubernetescrd
 ```

 ```toml tab="File (TOML)"
@@ -49,7 +49,7 @@ entryPoints:
  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http]
-      middlewares = ["auth@kubernetescrd", "strip@kubernetescrd"]
+      middlewares = ["default-auth@kubernetescrd", "default-strip@kubernetescrd"]
      [entryPoints.websecure.http.tls]
 ```

@@ -63,8 +63,8 @@ ports:
    tls:
      enabled: true
    middlewares:
-      - auth@kubernetescrd
-      - strip@kubernetescrd
+      - default-auth@kubernetescrd
+      - default-strip@kubernetescrd
 additionalArguments:
  - --entryPoints.web.http.redirections.entryPoint.to=websecure
  - --entryPoints.web.http.redirections.entryPoint.scheme=https
@@ -88,12 +88,12 @@ additionalArguments:
 | <a id="opt-address" href="#opt-address" title="#opt-address">`address`</a> | Define the port, and optionally the hostname, on which to listen for incoming connections and packets.<br /> It also defines the protocol to use (TCP or UDP).<br /> If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp]                                                                                                                                                                                                                                                                                                                                                                                                                        | -                       | Yes      |
 | <a id="opt-asDefault" href="#opt-asDefault" title="#opt-asDefault">`asDefault`</a> | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault).                                                                                                                                                                                                                                                                                                                                                                                                                                       | false                   | No       |
 | <a id="opt-allowACMEByPass" href="#opt-allowACMEByPass" title="#opt-allowACMEByPass">`allowACMEByPass`</a> | Enables handling of ACME TLS and HTTP challenges with custom routers instead of the internal ACME router.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | false                   | No       |
-| <a id="opt-forwardedHeaders-connection" href="#opt-forwardedHeaders-connection" title="#opt-forwardedHeaders-connection">`forwardedHeaders.`<br />`connection`</a> | List of Connection headers that are allowed to pass through the middleware chain before being removed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false                   | No       |
+| <a id="opt-forwardedHeaders-connection" href="#opt-forwardedHeaders-connection" title="#opt-forwardedHeaders-connection">`forwardedHeaders.`<br />`connection`</a> | List of Connection headers that are allowed to pass through the middleware chain before being removed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | -                       | No       |
 | <a id="opt-forwardedHeaders-insecure" href="#opt-forwardedHeaders-insecure" title="#opt-forwardedHeaders-insecure">`forwardedHeaders.`<br />`insecure`</a> | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br />We recommend to use this option only for tests purposes, not in production.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false                   | No       |
 | <a id="opt-forwardedHeaders-trustedIPs" href="#opt-forwardedHeaders-trustedIPs" title="#opt-forwardedHeaders-trustedIPs">`forwardedHeaders.`<br />`trustedIPs`</a> | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | -                       | No       |
 | <a id="opt-http-redirections-entryPoint-to" href="#opt-http-redirections-entryPoint-to" title="#opt-http-redirections-entryPoint-to">`http.redirections.`<br />`entryPoint.to`</a> | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br /> The target element can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | -                       | Yes      |
 | <a id="opt-http-redirections-entryPoint-scheme" href="#opt-http-redirections-entryPoint-scheme" title="#opt-http-redirections-entryPoint-scheme">`http.redirections.`<br />`entryPoint.scheme`</a> | The target scheme to use for (permanent) redirection of all incoming requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | https                   | No       |
-| <a id="opt-http-redirections-entryPoint-permanent" href="#opt-http-redirections-entryPoint-permanent" title="#opt-http-redirections-entryPoint-permanent">`http.redirections.`<br />`entryPoint.permanent`</a> | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false                   | No       |
+| <a id="opt-http-redirections-entryPoint-permanent" href="#opt-http-redirections-entryPoint-permanent" title="#opt-http-redirections-entryPoint-permanent">`http.redirections.`<br />`entryPoint.permanent`</a> | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | true                    | No       |
 | <a id="opt-http-redirections-entryPoint-priority" href="#opt-http-redirections-entryPoint-priority" title="#opt-http-redirections-entryPoint-priority">`http.redirections.`<br />`entryPoint.priority`</a> | Default priority applied to the routers attached to the `entryPoint`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | MaxInt-1 (`2147483646` on 32-bit, `9223372036854775806` on 64-bit) | No       |
 | <a id="opt-http-encodedCharacters" href="#opt-http-encodedCharacters" title="#opt-http-encodedCharacters">`http.encodedCharacters`</a> | Defines which encoded characters are allowed in the request path. More information [here](#encoded-characters).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | false                   | No       |
 | <a id="opt-http-encodedCharacters-allowEncodedSlash" href="#opt-http-encodedCharacters-allowEncodedSlash" title="#opt-http-encodedCharacters-allowEncodedSlash">`http.encodedCharacters.`<br />`allowEncodedSlash`</a> | Defines whether requests with encoded slash characters in the path are allowed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | true                    | No       |
@@ -204,8 +204,16 @@ the request to the service.
 (the Middlewares declared on the [IngressRoute](../../reference/routing-configuration/kubernetes/crd/http/ingressroute.md#middleware)
 or the [Ingress](../../reference/routing-configuration/kubernetes/ingress.md#on-ingress)
 are applied after the ones declared on the Entrypoint)
- The option allows attaching a list of middleware using the format 
-`middlewarename@providername` as described in the example below:
+- Middlewares must be referenced by their **fully qualified name**, including the
+[provider namespace](../../reference/install-configuration/providers/overview.md#provider-namespace)
+suffix (`<middleware-name>@<provider-name>`). The exact value depends on the
+provider that declares the middleware:
+
+    | Provider           | Format                                              | Example                       |
+    |--------------------|-----------------------------------------------------|-------------------------------|
+    | <a id="opt-File" href="#opt-File" title="#opt-File">File</a> | `<middleware-name>@file`                             | `strip@file`                  |
+    | <a id="opt-Docker" href="#opt-Docker" title="#opt-Docker">Docker</a> | `<middleware-name>@docker`                           | `strip@docker`                |
+    | <a id="opt-Kubernetes-CRD" href="#opt-Kubernetes-CRD" title="#opt-Kubernetes-CRD">Kubernetes CRD</a> | `<middleware-namespace>-<middleware-name>@kubernetescrd` | `default-auth@kubernetescrd`  |

 ```yaml tab="File (YAML)"
 entryPoints:
@@ -213,7 +221,7 @@ entryPoints:
    address: :80
    http:
      middlewares:
-        - auth@kubernetescrd
+        - default-auth@kubernetescrd
        - strip@file
 ```

@@ -223,7 +231,7 @@ ports:
    port: :80
    http:
      middlewares:
-        - auth@kubernetescrd
+        - default-auth@kubernetescrd
        - strip@file
 ```

@@ -238,7 +246,7 @@ Behavior examples:
 | <a id="opt-false-2" href="#opt-false-2" title="#opt-false-2">false</a> | foo=bar&baz=bar;foo | foo=bar&baz=bar&foo     |
 | <a id="opt-true-2" href="#opt-true-2" title="#opt-true-2">true</a> | foo=bar&baz=bar;foo | foo=bar&baz=bar%3Bfoo   |

-### SanitizePath
+### sanitizePath

 The `sanitizePath` option defines whether to enable the request path sanitization.
 When disabled, the incoming request path is passed to the backend as is.
@@ -461,7 +469,7 @@ to do
 canary deployments against Traefik itself. Like upgrading Traefik version
 or reloading the static configuration without any service downtime.

-#### Trace Verbosity
+### traceVerbosity

 `observability.traceVerbosity` defines the tracing verbosity level for routers attached to this EntryPoint.
 Routers can override this value in their own observability configuration.
@@ -38,3 +38,9 @@ experimental:
 ```bash tab="CLI"
 --experimental.fastProxy
 ```
+
+## Configuration Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| <a id="opt-experimental-fastProxy-debug" href="#opt-experimental-fastProxy-debug" title="#opt-experimental-fastProxy-debug">`experimental.fastProxy.debug`</a> | `bool` | `false` | Enable debug mode for the FastProxy implementation. |
@@ -41,3 +41,47 @@ experimental:
 ```

 To learn more about how to add a new plugin to a Traefik instance, please refer to the [developer documentation](https://plugins.traefik.io/install).
+
+### Plugin Options
+
+| Field | Description | Type | Required |
+|-------|-------------|------|----------|
+| <a id="opt-moduleName" href="#opt-moduleName" title="#opt-moduleName">`moduleName`</a> | Plugin's module name. | string | Yes |
+| <a id="opt-version" href="#opt-version" title="#opt-version">`version`</a> | Plugin's version. | string | Yes |
+| <a id="opt-hash" href="#opt-hash" title="#opt-hash">`hash`</a> | Plugin's hash to validate. | string | No |
+| <a id="opt-settings" href="#opt-settings" title="#opt-settings">`settings`</a> | Plugin's settings (works only for wasm plugins). | object | No |
+| <a id="opt-settings-envs" href="#opt-settings-envs" title="#opt-settings-envs">`settings.envs`</a> | Environment variables to forward to the wasm guest. | []string | No |
+| <a id="opt-settings-mounts" href="#opt-settings-mounts" title="#opt-settings-mounts">`settings.mounts`</a> | Directory to mount to the wasm guest. | []string | No |
+| <a id="opt-settings-useUnsafe" href="#opt-settings-useUnsafe" title="#opt-settings-useUnsafe">`settings.useUnsafe`</a> | Allow the plugin to use unsafe and syscall packages. | bool | No |
+
+## Local Plugins
+
+Local plugins allow you to use plugins from a local directory, without publishing them to the Traefik plugin catalog.
+
+```yaml tab="File (YAML)"
+experimental:
+  localPlugins:
+    plugin-name: # The name of the plugin in the routing configuration
+      moduleName: "github.com/github-organization/github-repository" # The plugin module name
+```
+
+```toml tab="File (TOML)"
+[experimental.localPlugins.plugin-name]
+  moduleName = "github.com/github-organization/github-repository" # The plugin module name
+```
+
+```bash tab="CLI"
+# The plugin module name
+# With plugin-name the name of the plugin in the routing configuration
+--experimental.localplugins.plugin-name.modulename=github.com/github-organization/github-repository
+```
+
+### Local Plugin Options
+
+| Field | Description | Type | Required |
+|-------|-------------|------|----------|
+| <a id="opt-moduleName-2" href="#opt-moduleName-2" title="#opt-moduleName-2">`moduleName`</a> | Plugin's module name. | string | Yes |
+| <a id="opt-settings-2" href="#opt-settings-2" title="#opt-settings-2">`settings`</a> | Plugin's settings (works only for wasm plugins). | object | No |
+| <a id="opt-settings-envs-2" href="#opt-settings-envs-2" title="#opt-settings-envs-2">`settings.envs`</a> | Environment variables to forward to the wasm guest. | []string | No |
+| <a id="opt-settings-mounts-2" href="#opt-settings-mounts-2" title="#opt-settings-mounts-2">`settings.mounts`</a> | Directory to mount to the wasm guest. | []string | No |
+| <a id="opt-settings-useUnsafe-2" href="#opt-settings-useUnsafe-2" title="#opt-settings-useUnsafe-2">`settings.useUnsafe`</a> | Allow the plugin to use unsafe and syscall packages. | bool | No |
@@ -42,7 +42,7 @@ The section below describe how to configure Traefik logs using the static config
 | <a id="opt-log-maxSize" href="#opt-log-maxSize" title="#opt-log-maxSize">`log.maxSize`</a> | Maximum size in megabytes of the log file before it gets rotated. | 100MB      | No      |
 | <a id="opt-log-maxAge" href="#opt-log-maxAge" title="#opt-log-maxAge">`log.maxAge`</a> | Maximum number of days to retain old log files based on the timestamp encoded in their filename.<br /> A day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc.<br />By default files are not removed based on their age.  |   0   | No      |
 | <a id="opt-log-maxBackups" href="#opt-log-maxBackups" title="#opt-log-maxBackups">`log.maxBackups`</a> | Maximum number of old log files to retain.<br />The default is to retain all old log files. |  0  | No      |
-| <a id="opt-log-compress" href="#opt-log-compress" title="#opt-log-compress">`log.compress`</a> | Compress log files in gzip after rotation. | false | No      |
+| <a id="opt-log-compress" href="#opt-log-compress" title="#opt-log-compress">`log.compress`</a> | Compress log files in gzip after rotation. Compression is always enabled when log rotation is active; this field has no effect. | false | No      |

 ### OpenTelemetry

@@ -104,7 +104,7 @@ log:
 | <a id="opt-log-otlp-serviceName" href="#opt-log-otlp-serviceName" title="#opt-log-otlp-serviceName">`log.otlp.serviceName`</a> | Service name used in selected backend.                                                                                                 | "traefik"                        | No       |
 | <a id="opt-log-otlp-resourceAttributes" href="#opt-log-otlp-resourceAttributes" title="#opt-log-otlp-resourceAttributes">`log.otlp.resourceAttributes`</a> | Defines additional resource attributes to be sent to the collector.  See [resourceAttributes](#resourceattributes) for details.                                                                    | []                               | No       |
 | <a id="opt-log-otlp-http" href="#opt-log-otlp-http" title="#opt-log-otlp-http">`log.otlp.http`</a> | This instructs the exporter to send logs to the OpenTelemetry Collector using HTTP.                                                    |                                  | No       |
-| <a id="opt-log-otlp-http-endpoint" href="#opt-log-otlp-http-endpoint" title="#opt-log-otlp-http-endpoint">`log.otlp.http.endpoint`</a> | The endpoint of the OpenTelemetry Collector. (format=`<scheme>://<host>:<port><path>`)                                                 | `https://localhost:4318/v1/logs` | No       |
+| <a id="opt-log-otlp-http-endpoint" href="#opt-log-otlp-http-endpoint" title="#opt-log-otlp-http-endpoint">`log.otlp.http.endpoint`</a> | The endpoint of the OpenTelemetry Collector. (format=`<scheme>://<host>:<port><path>`)                                                 | `https://localhost:4318` | No       |
 | <a id="opt-log-otlp-http-headers" href="#opt-log-otlp-http-headers" title="#opt-log-otlp-http-headers">`log.otlp.http.headers`</a> | Additional headers sent with logs by the exporter to the OpenTelemetry Collector.                                                      | [ ]                              | No       |
 | <a id="opt-log-otlp-http-tls" href="#opt-log-otlp-http-tls" title="#opt-log-otlp-http-tls">`log.otlp.http.tls`</a> | Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.                                 |                                  | No       |
 | <a id="opt-log-otlp-http-tls-ca" href="#opt-log-otlp-http-tls-ca" title="#opt-log-otlp-http-tls-ca">`log.otlp.http.tls.ca`</a> | The path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. |                                  | No       |
@@ -226,7 +226,7 @@ The section below describes how to configure Traefik access logs using the stati
 | <a id="opt-accesslog-filters-statusCodes" href="#opt-accesslog-filters-statusCodes" title="#opt-accesslog-filters-statusCodes">`accesslog.filters.statusCodes`</a> | Limit the access logs to requests with a status codes in the specified range. | [ ]      | No      |
 | <a id="opt-accesslog-filters-retryAttempts" href="#opt-accesslog-filters-retryAttempts" title="#opt-accesslog-filters-retryAttempts">`accesslog.filters.retryAttempts`</a> | Keep the access logs when at least one retry has happened. | false      | No      |
 | <a id="opt-accesslog-filters-minDuration" href="#opt-accesslog-filters-minDuration" title="#opt-accesslog-filters-minDuration">`accesslog.filters.minDuration`</a> | Keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)).  |  0   | No      |
-| <a id="opt-accesslog-fields-defaultMode" href="#opt-accesslog-fields-defaultMode" title="#opt-accesslog-fields-defaultMode">`accesslog.fields.defaultMode`</a> | Mode to apply by default to the access logs fields (`keep`, `redact` or `drop`). | keep | No      |
+| <a id="opt-accesslog-fields-defaultMode" href="#opt-accesslog-fields-defaultMode" title="#opt-accesslog-fields-defaultMode">`accesslog.fields.defaultMode`</a> | Mode to apply by default to the access logs fields (`keep` or `drop`). | keep | No      |
 | <a id="opt-accesslog-fields-names" href="#opt-accesslog-fields-names" title="#opt-accesslog-fields-names">`accesslog.fields.names`</a> | Set the fields list to display in the access logs (format `name:mode`).<br /> Available fields list [here](#json-format-fields). |  [ ]    | No      |
 | <a id="opt-accesslog-fields-headers-defaultMode" href="#opt-accesslog-fields-headers-defaultMode" title="#opt-accesslog-fields-headers-defaultMode">`accesslog.fields.headers.defaultMode`</a> | Mode to apply by default to the access logs headers (`keep`, `redact` or `drop`).  | drop | No      |
 | <a id="opt-accesslog-fields-headers-names" href="#opt-accesslog-fields-headers-names" title="#opt-accesslog-fields-headers-names">`accesslog.fields.headers.names`</a> | Set the headers list to display in the access logs (format `name:mode`). |   [ ]   | No      |
@@ -289,7 +289,7 @@ accesslog:
 | <a id="opt-accesslog-otlp-serviceName" href="#opt-accesslog-otlp-serviceName" title="#opt-accesslog-otlp-serviceName">`accesslog.otlp.serviceName`</a> | Defines the service name resource attribute.                                                                                           | "traefik"                        | No       |
 | <a id="opt-accesslog-otlp-resourceAttributes" href="#opt-accesslog-otlp-resourceAttributes" title="#opt-accesslog-otlp-resourceAttributes">`accesslog.otlp.resourceAttributes`</a> | Defines additional resource attributes to be sent to the collector. See [resourceAttributes](#resourceattributes_1) for details.       | []                               | No       |
 | <a id="opt-accesslog-otlp-http" href="#opt-accesslog-otlp-http" title="#opt-accesslog-otlp-http">`accesslog.otlp.http`</a> | This instructs the exporter to send access logs to the OpenTelemetry Collector using HTTP.                                             |                                  | No       |
-| <a id="opt-accesslog-otlp-http-endpoint" href="#opt-accesslog-otlp-http-endpoint" title="#opt-accesslog-otlp-http-endpoint">`accesslog.otlp.http.endpoint`</a> | The endpoint of the OpenTelemetry Collector. (format=`<scheme>://<host>:<port><path>`)                                                 | `https://localhost:4318/v1/logs` | No       |
+| <a id="opt-accesslog-otlp-http-endpoint" href="#opt-accesslog-otlp-http-endpoint" title="#opt-accesslog-otlp-http-endpoint">`accesslog.otlp.http.endpoint`</a> | The endpoint of the OpenTelemetry Collector. (format=`<scheme>://<host>:<port><path>`)                                                 | `https://localhost:4318` | No       |
 | <a id="opt-accesslog-otlp-http-headers" href="#opt-accesslog-otlp-http-headers" title="#opt-accesslog-otlp-http-headers">`accesslog.otlp.http.headers`</a> | Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.                                               | [ ]                              | No       |
 | <a id="opt-accesslog-otlp-http-tls" href="#opt-accesslog-otlp-http-tls" title="#opt-accesslog-otlp-http-tls">`accesslog.otlp.http.tls`</a> | Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.                          |                                  | No       |
 | <a id="opt-accesslog-otlp-http-tls-ca" href="#opt-accesslog-otlp-http-tls-ca" title="#opt-accesslog-otlp-http-tls-ca">`accesslog.otlp.http.tls.ca`</a> | The path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle. |                                  | No       |
@@ -21,7 +21,7 @@ and [Kubernetes](https://grafana.com/grafana/dashboards/17347) deployments.

 !!! info "Default protocol"

-    The OpenTelemetry exporter will export metrics to the collector using HTTP by default to https://localhost:4318/v1/metrics.
+    The OpenTelemetry exporter will export metrics to the collector using HTTP by default to https://localhost:4318.

 ### Configuration Example

@@ -68,14 +68,14 @@ metrics:
 | <a id="opt-metrics-otlp-addEntryPointsLabels" href="#opt-metrics-otlp-addEntryPointsLabels" title="#opt-metrics-otlp-addEntryPointsLabels">`metrics.otlp.addEntryPointsLabels`</a> | Enable metrics on entry points.                                                                                                                                  | true                                               | No       |
 | <a id="opt-metrics-otlp-addRoutersLabels" href="#opt-metrics-otlp-addRoutersLabels" title="#opt-metrics-otlp-addRoutersLabels">`metrics.otlp.addRoutersLabels`</a> | Enable metrics on routers.                                                                                                                                       | false                                              | No       |
 | <a id="opt-metrics-otlp-addServicesLabels" href="#opt-metrics-otlp-addServicesLabels" title="#opt-metrics-otlp-addServicesLabels">`metrics.otlp.addServicesLabels`</a> | Enable metrics on services.                                                                                                                                      | true                                               | No       |
-| <a id="opt-metrics-otlp-explicitBoundaries" href="#opt-metrics-otlp-explicitBoundaries" title="#opt-metrics-otlp-explicitBoundaries">`metrics.otlp.explicitBoundaries`</a> | Explicit boundaries for Histogram data points.                                                                                                                   | ".005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10" | No       |
+| <a id="opt-metrics-otlp-explicitBoundaries" href="#opt-metrics-otlp-explicitBoundaries" title="#opt-metrics-otlp-explicitBoundaries">`metrics.otlp.explicitBoundaries`</a> | Explicit boundaries for Histogram data points.                                                                                                                   | ".005, .01, .025, .05, .075, .1, .25, .5, .75, 1, 2.5, 5, 7.5, 10" | No       |
 | <a id="opt-metrics-otlp-pushInterval" href="#opt-metrics-otlp-pushInterval" title="#opt-metrics-otlp-pushInterval">`metrics.otlp.pushInterval`</a> | Interval at which metrics are sent to the OpenTelemetry Collector.                                                                                               | 10s                                                | No       |
 | <a id="opt-metrics-otlp-http" href="#opt-metrics-otlp-http" title="#opt-metrics-otlp-http">`metrics.otlp.http`</a> | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values.              | null/false                                         | No       |
-| <a id="opt-metrics-otlp-http-endpoint" href="#opt-metrics-otlp-http-endpoint" title="#opt-metrics-otlp-http-endpoint">`metrics.otlp.http.endpoint`</a> | URL of the OpenTelemetry Collector to send metrics to.<br /> Format="`<scheme>://<host>:<port><path>`"                                                           | "https://localhost:4318/v1/metrics"                 | Yes      |
+| <a id="opt-metrics-otlp-http-endpoint" href="#opt-metrics-otlp-http-endpoint" title="#opt-metrics-otlp-http-endpoint">`metrics.otlp.http.endpoint`</a> | URL of the OpenTelemetry Collector to send metrics to.<br /> Format="`<scheme>://<host>:<port><path>`"                                                           | "https://localhost:4318"                 | Yes      |
 | <a id="opt-metrics-otlp-http-headers" href="#opt-metrics-otlp-http-headers" title="#opt-metrics-otlp-http-headers">`metrics.otlp.http.headers`</a> | Additional headers sent with metrics by the exporter to the OpenTelemetry Collector.                                                                             | -                                                  | No       |
 | <a id="opt-metrics-otlp-http-tls-ca" href="#opt-metrics-otlp-http-tls-ca" title="#opt-metrics-otlp-http-tls-ca">`metrics.otlp.http.tls.ca`</a> | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector,<br />it defaults to the system bundle.                          | ""                                                 | No       |
 | <a id="opt-metrics-otlp-http-tls-cert" href="#opt-metrics-otlp-http-tls-cert" title="#opt-metrics-otlp-http-tls-cert">`metrics.otlp.http.tls.cert`</a> | Path to the public certificate used for the secure connection to the OpenTelemetry Collector.<br />When using this option, setting the `key` option is required. | ""                                                 | No       |
-| <a id="opt-metrics-otlp-http-tls-key" href="#opt-metrics-otlp-http-tls-key" title="#opt-metrics-otlp-http-tls-key">`metrics.otlp.http.tls.key`</a> | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values.              | null/false                                         | No       |
+| <a id="opt-metrics-otlp-http-tls-key" href="#opt-metrics-otlp-http-tls-key" title="#opt-metrics-otlp-http-tls-key">`metrics.otlp.http.tls.key`</a> | Defines the path to the private key used for the TLS connection.              | ""                                         | No       |
 | <a id="opt-metrics-otlp-http-tls-insecureskipverify" href="#opt-metrics-otlp-http-tls-insecureskipverify" title="#opt-metrics-otlp-http-tls-insecureskipverify">`metrics.otlp.http.tls.insecureskipverify`</a> | Allow the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.                   | false                                              | Yes      |
 | <a id="opt-metrics-otlp-grpc" href="#opt-metrics-otlp-grpc" title="#opt-metrics-otlp-grpc">`metrics.otlp.grpc`</a> | This instructs the exporter to send metrics to the OpenTelemetry Collector using gRPC.                                                                           | null/false                                         | No       |
 | <a id="opt-metrics-otlp-grpc-endpoint" href="#opt-metrics-otlp-grpc-endpoint" title="#opt-metrics-otlp-grpc-endpoint">`metrics.otlp.grpc.endpoint`</a> | Address of the OpenTelemetry Collector to send metrics to.<br /> Format="`<host>:<port>`"                                                                        | "localhost:4317"                                   | Yes      |
@@ -83,7 +83,7 @@ metrics:
 | <a id="opt-metrics-otlp-grpc-insecure" href="#opt-metrics-otlp-grpc-insecure" title="#opt-metrics-otlp-grpc-insecure">`metrics.otlp.grpc.insecure`</a> | Allows exporter to send metrics to the OpenTelemetry Collector without using a secured protocol.                                                                 | false                                              | Yes      |
 | <a id="opt-metrics-otlp-grpc-tls-ca" href="#opt-metrics-otlp-grpc-tls-ca" title="#opt-metrics-otlp-grpc-tls-ca">`metrics.otlp.grpc.tls.ca`</a> | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector,<br />it defaults to the system bundle.                          | -                                                  | No       |
 | <a id="opt-metrics-otlp-grpc-tls-cert" href="#opt-metrics-otlp-grpc-tls-cert" title="#opt-metrics-otlp-grpc-tls-cert">`metrics.otlp.grpc.tls.cert`</a> | Path to the public certificate used for the secure connection to the OpenTelemetry Collector.<br />When using this option, setting the `key` option is required. | -                                                  | No       |
-| <a id="opt-metrics-otlp-grpc-tls-key" href="#opt-metrics-otlp-grpc-tls-key" title="#opt-metrics-otlp-grpc-tls-key">`metrics.otlp.grpc.tls.key`</a> | This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values.              | null/false                                         | No       |
+| <a id="opt-metrics-otlp-grpc-tls-key" href="#opt-metrics-otlp-grpc-tls-key" title="#opt-metrics-otlp-grpc-tls-key">`metrics.otlp.grpc.tls.key`</a> | Defines the path to the private key used for the TLS connection.              | -                                         | No       |
 | <a id="opt-metrics-otlp-grpc-tls-insecureskipverify" href="#opt-metrics-otlp-grpc-tls-insecureskipverify" title="#opt-metrics-otlp-grpc-tls-insecureskipverify">`metrics.otlp.grpc.tls.insecureskipverify`</a> | Allow the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.                   | false                                              | Yes      |

 ### resourceAttributes
@@ -129,7 +129,7 @@ metrics:
 | Field | Description      | Default              | Required |
 |:------|:-------------------------------|:---------------------|:---------|
 | <a id="opt-metrics-addInternals-2" href="#opt-metrics-addInternals-2" title="#opt-metrics-addInternals-2">`metrics.addInternals`</a> | Enables metrics for internal resources (e.g.: `ping@internal`). | false      | No      |
-| <a id="opt-datadog-address" href="#opt-datadog-address" title="#opt-datadog-address">`datadog.address`</a> | Defines the address for the exporter to send metrics to datadog-agent. More information [here](#address)|  `127.0.0.1:8125`     | Yes   |
+| <a id="opt-datadog-address" href="#opt-datadog-address" title="#opt-datadog-address">`datadog.address`</a> | Defines the address for the exporter to send metrics to datadog-agent. More information [here](#address)|  `localhost:8125`     | Yes   |
 | <a id="opt-datadog-addEntryPointsLabels" href="#opt-datadog-addEntryPointsLabels" title="#opt-datadog-addEntryPointsLabels">`datadog.addEntryPointsLabels`</a> | Enable metrics on entry points. |  true   | No   |
 | <a id="opt-datadog-addRoutersLabels" href="#opt-datadog-addRoutersLabels" title="#opt-datadog-addRoutersLabels">`datadog.addRoutersLabels`</a> | Enable metrics on routers. |  false   | No   |
 | <a id="opt-datadog-addServicesLabels" href="#opt-datadog-addServicesLabels" title="#opt-datadog-addServicesLabels">`datadog.addServicesLabels`</a> | Enable metrics on services. |  true   | No   |
@@ -147,17 +147,17 @@ To explicitly define the socket type and avoid automatic detection, you can use
 ```yaml tab="File (YAML)"
 metrics:
  datadog:
-    address: 127.0.0.1:8125
+    address: localhost:8125
 ```

 ```toml tab="File (TOML)"
 [metrics]
  [metrics.datadog]
-    address = "127.0.0.1:8125"
+    address = "localhost:8125"
 ```

 ```bash tab="CLI"
--metrics.datadog.address=127.0.0.1:8125
+--metrics.datadog.address=localhost:8125
 ```

 ### InfluxDB v2
@@ -186,7 +186,7 @@ metrics:

 | Field      | Description      | Default | Required |
 |:-----------|-------------------------|:--------|:---------|
-| <a id="opt-metrics-addInternal" href="#opt-metrics-addInternal" title="#opt-metrics-addInternal">`metrics.addInternal`</a> | Enables metrics for internal resources (e.g.: `ping@internal`). | false      | No      |
+| <a id="opt-metrics-addInternals-3" href="#opt-metrics-addInternals-3" title="#opt-metrics-addInternals-3">`metrics.addInternals`</a> | Enables metrics for internal resources (e.g.: `ping@internal`). | false      | No      |
 | <a id="opt-metrics-influxDB2-addEntryPointsLabels" href="#opt-metrics-influxDB2-addEntryPointsLabels" title="#opt-metrics-influxDB2-addEntryPointsLabels">`metrics.influxDB2.addEntryPointsLabels`</a> | Enable metrics on entry points. | true      | No      |
 | <a id="opt-metrics-influxDB2-addRoutersLabels" href="#opt-metrics-influxDB2-addRoutersLabels" title="#opt-metrics-influxDB2-addRoutersLabels">`metrics.influxDB2.addRoutersLabels`</a> | Enable metrics on routers. | false      | No      |
 | <a id="opt-metrics-influxDB2-addServicesLabels" href="#opt-metrics-influxDB2-addServicesLabels" title="#opt-metrics-influxDB2-addServicesLabels">`metrics.influxDB2.addServicesLabels`</a> | Enable metrics on services.| true      | No      |
@@ -231,7 +231,7 @@ metrics:

 | Field      | Description         | Default | Required |
 |:-----------|---------------------|:--------|:---------|
-| <a id="opt-metrics-addInternals-3" href="#opt-metrics-addInternals-3" title="#opt-metrics-addInternals-3">`metrics.addInternals`</a> | Enables metrics for internal resources (e.g.: `ping@internals`). | false      | No      |
+| <a id="opt-metrics-addInternals-4" href="#opt-metrics-addInternals-4" title="#opt-metrics-addInternals-4">`metrics.addInternals`</a> | Enables metrics for internal resources (e.g.: `ping@internals`). | false      | No      |
 | <a id="opt-metrics-prometheus-addEntryPointsLabels" href="#opt-metrics-prometheus-addEntryPointsLabels" title="#opt-metrics-prometheus-addEntryPointsLabels">`metrics.prometheus.addEntryPointsLabels`</a> | Enable metrics on entry points. | true      | No      |
 | <a id="opt-metrics-prometheus-addRoutersLabels" href="#opt-metrics-prometheus-addRoutersLabels" title="#opt-metrics-prometheus-addRoutersLabels">`metrics.prometheus.addRoutersLabels`</a> | Enable metrics on routers. | false      | No      |
 | <a id="opt-metrics-prometheus-addServicesLabels" href="#opt-metrics-prometheus-addServicesLabels" title="#opt-metrics-prometheus-addServicesLabels">`metrics.prometheus.addServicesLabels`</a> | Enable metrics on services.| true      | No      |
@@ -304,7 +304,7 @@ metrics:

 | Field      | Description       | Default | Required |
 |:-----------|:-------------------------|:--------|:---------|
-| <a id="opt-metrics-addInternals-4" href="#opt-metrics-addInternals-4" title="#opt-metrics-addInternals-4">`metrics.addInternals`</a> | Enables metrics for internal resources (e.g.: `ping@internals`). | false      | No      |
+| <a id="opt-metrics-addInternals-5" href="#opt-metrics-addInternals-5" title="#opt-metrics-addInternals-5">`metrics.addInternals`</a> | Enables metrics for internal resources (e.g.: `ping@internals`). | false      | No      |
 | <a id="opt-metrics-statsD-addEntryPointsLabels" href="#opt-metrics-statsD-addEntryPointsLabels" title="#opt-metrics-statsD-addEntryPointsLabels">`metrics.statsD.addEntryPointsLabels`</a> | Enable metrics on entry points. | true      | No      |
 | <a id="opt-metrics-statsD-addRoutersLabels" href="#opt-metrics-statsD-addRoutersLabels" title="#opt-metrics-statsD-addRoutersLabels">`metrics.statsD.addRoutersLabels`</a> | Enable metrics on routers. | false      | No      |
 | <a id="opt-metrics-statsD-addServicesLabels" href="#opt-metrics-statsD-addServicesLabels" title="#opt-metrics-statsD-addServicesLabels">`metrics.statsD.addServicesLabels`</a> | Enable metrics on services.| true      | No      |
@@ -40,17 +40,17 @@ tracing: {}
 |:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------|:---------|
 | <a id="opt-tracing-addInternals" href="#opt-tracing-addInternals" title="#opt-tracing-addInternals">`tracing.addInternals`</a> | Enables tracing for internal resources (e.g.: `ping@internal`).                                                                                                             | false                               | No       |
 | <a id="opt-tracing-serviceName" href="#opt-tracing-serviceName" title="#opt-tracing-serviceName">`tracing.serviceName`</a> | Defines the service name resource attribute.                                                                                                                                | "traefik"                           | No       |
-| <a id="opt-tracing-resourceAttributes" href="#opt-tracing-resourceAttributes" title="#opt-tracing-resourceAttributes">`tracing.resourceAttributes`</a> | Defines additional resource attributes to be sent to the collector. See [resourceAttributes](#resourceattributes) for details.                                              | []                                  | No       |
+| <a id="opt-tracing-resourceAttributes" href="#opt-tracing-resourceAttributes" title="#opt-tracing-resourceAttributes">`tracing.resourceAttributes`</a> | Defines additional resource attributes to be sent to the collector. See [resourceAttributes](#resourceattributes) for details.                                              | {}                                  | No       |
 | <a id="opt-tracing-sampleRate" href="#opt-tracing-sampleRate" title="#opt-tracing-sampleRate">`tracing.sampleRate`</a> | The proportion of requests to trace, specified between 0.0 and 1.0.<br /> Since Traefik supports parent-based sampling ratios, root spans (i.e., spans initiated by Traefik) are sampled according to this rate, while child spans inherit the sampling decision of their parent (i.e., the tracing context from incoming requests). See [sampleRate](#samplerate) for details.  | 1.0                                 | No       |
 | <a id="opt-tracing-capturedRequestHeaders" href="#opt-tracing-capturedRequestHeaders" title="#opt-tracing-capturedRequestHeaders">`tracing.capturedRequestHeaders`</a> | Defines the list of request headers to add as attributes.<br />It applies to client and server kind spans.                                                                  | []                                  | No       |
 | <a id="opt-tracing-capturedResponseHeaders" href="#opt-tracing-capturedResponseHeaders" title="#opt-tracing-capturedResponseHeaders">`tracing.capturedResponseHeaders`</a> | Defines the list of response headers to add as attributes.<br />It applies to client and server kind spans.                                                                 | []                                  | False    |
 | <a id="opt-tracing-safeQueryParams" href="#opt-tracing-safeQueryParams" title="#opt-tracing-safeQueryParams">`tracing.safeQueryParams`</a> | By default, all query parameters are redacted.<br />Defines the list of query parameters to not redact.                                                                     | []                                  | No       |
 | <a id="opt-tracing-otlp-http" href="#opt-tracing-otlp-http" title="#opt-tracing-otlp-http">`tracing.otlp.http`</a> | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values.                         | null/false                          | No       |
-| <a id="opt-tracing-otlp-http-endpoint" href="#opt-tracing-otlp-http-endpoint" title="#opt-tracing-otlp-http-endpoint">`tracing.otlp.http.endpoint`</a> | URL of the OpenTelemetry Collector to send tracing to.<br /> Format="`<scheme>://<host>:<port><path>`"                                                                      | "https://localhost:4318/v1/tracing" | Yes      |
+| <a id="opt-tracing-otlp-http-endpoint" href="#opt-tracing-otlp-http-endpoint" title="#opt-tracing-otlp-http-endpoint">`tracing.otlp.http.endpoint`</a> | URL of the OpenTelemetry Collector to send tracing to.<br /> Format="`<scheme>://<host>:<port><path>`"                                                                      | "https://localhost:4318" | Yes      |
 | <a id="opt-tracing-otlp-http-headers" href="#opt-tracing-otlp-http-headers" title="#opt-tracing-otlp-http-headers">`tracing.otlp.http.headers`</a> | Additional headers sent with tracing by the exporter to the OpenTelemetry Collector.                                                                                        |                                     | No       |
 | <a id="opt-tracing-otlp-http-tls-ca" href="#opt-tracing-otlp-http-tls-ca" title="#opt-tracing-otlp-http-tls-ca">`tracing.otlp.http.tls.ca`</a> | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle.                                          | ""                                  | No       |
 | <a id="opt-tracing-otlp-http-tls-cert" href="#opt-tracing-otlp-http-tls-cert" title="#opt-tracing-otlp-http-tls-cert">`tracing.otlp.http.tls.cert`</a> | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required.                 | ""                                  | No       |
-| <a id="opt-tracing-otlp-http-tls-key" href="#opt-tracing-otlp-http-tls-key" title="#opt-tracing-otlp-http-tls-key">`tracing.otlp.http.tls.key`</a> | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values.                         | ""null/false ""                     | No       |
+| <a id="opt-tracing-otlp-http-tls-key" href="#opt-tracing-otlp-http-tls-key" title="#opt-tracing-otlp-http-tls-key">`tracing.otlp.http.tls.key`</a> | Defines the path to the private key used for the TLS connection.                                                                                                            | ""                                  | No       |
 | <a id="opt-tracing-otlp-http-tls-insecureskipverify" href="#opt-tracing-otlp-http-tls-insecureskipverify" title="#opt-tracing-otlp-http-tls-insecureskipverify">`tracing.otlp.http.tls.insecureskipverify`</a> | If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false                               | Yes      |
 | <a id="opt-tracing-otlp-grpc" href="#opt-tracing-otlp-grpc" title="#opt-tracing-otlp-grpc">`tracing.otlp.grpc`</a> | This instructs the exporter to send tracing to the OpenTelemetry Collector using gRPC.                                                                                      | false                               | No       |
 | <a id="opt-tracing-otlp-grpc-endpoint" href="#opt-tracing-otlp-grpc-endpoint" title="#opt-tracing-otlp-grpc-endpoint">`tracing.otlp.grpc.endpoint`</a> | Address of the OpenTelemetry Collector to send tracing to.<br /> Format="`<host>:<port>`"                                                                                   | "localhost:4317"                    | Yes      |
@@ -58,7 +58,7 @@ tracing: {}
 | <a id="opt-tracing-otlp-grpc-insecure" href="#opt-tracing-otlp-grpc-insecure" title="#opt-tracing-otlp-grpc-insecure">`tracing.otlp.grpc.insecure`</a> | Allows exporter to send tracing to the OpenTelemetry Collector without using a secured protocol.                                                                            | false                               | Yes      |
 | <a id="opt-tracing-otlp-grpc-tls-ca" href="#opt-tracing-otlp-grpc-tls-ca" title="#opt-tracing-otlp-grpc-tls-ca">`tracing.otlp.grpc.tls.ca`</a> | Path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle.                                          | ""                                  | No       |
 | <a id="opt-tracing-otlp-grpc-tls-cert" href="#opt-tracing-otlp-grpc-tls-cert" title="#opt-tracing-otlp-grpc-tls-cert">`tracing.otlp.grpc.tls.cert`</a> | Path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the `key` option is required.                 | ""                                  | No       |
-| <a id="opt-tracing-otlp-grpc-tls-key" href="#opt-tracing-otlp-grpc-tls-key" title="#opt-tracing-otlp-grpc-tls-key">`tracing.otlp.grpc.tls.key`</a> | This instructs the exporter to send the tracing to the OpenTelemetry Collector using HTTP.<br /> Setting the sub-options with their default values.                         | ""null/false ""                     | No       |
+| <a id="opt-tracing-otlp-grpc-tls-key" href="#opt-tracing-otlp-grpc-tls-key" title="#opt-tracing-otlp-grpc-tls-key">`tracing.otlp.grpc.tls.key`</a> | Defines the path to the private key used for the TLS connection.                                                                                                            | ""                                  | No       |
 | <a id="opt-tracing-otlp-grpc-tls-insecureskipverify" href="#opt-tracing-otlp-grpc-tls-insecureskipverify" title="#opt-tracing-otlp-grpc-tls-insecureskipverify">`tracing.otlp.grpc.tls.insecureskipverify`</a> | If `insecureSkipVerify` is `true`, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers. | false                               | Yes      |

 ## sampleRate
@@ -41,15 +41,15 @@ services:
 | Field | Description                                               | Default              | Required |
 |:------|:----------------------------------------------------------|:---------------------|:---------|
 | <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s  | No |
-| <a id="opt-providers-docker-endpoint" href="#opt-providers-docker-endpoint" title="#opt-providers-docker-endpoint">`providers.docker.endpoint`</a> | Specifies the Docker API endpoint. See [here](#endpoint) for more information|  "unix:///var/run/docker.sock"     | Yes   |
+| <a id="opt-providers-docker-endpoint" href="#opt-providers-docker-endpoint" title="#opt-providers-docker-endpoint">`providers.docker.endpoint`</a> | Specifies the Docker API endpoint. See [here](#endpoint) for more information|  "unix:///var/run/docker.sock"     | No   |
 | <a id="opt-providers-docker-username" href="#opt-providers-docker-username" title="#opt-providers-docker-username">`providers.docker.username`</a> | Defines the username for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.|  ""    | No   |
 | <a id="opt-providers-docker-password" href="#opt-providers-docker-password" title="#opt-providers-docker-password">`providers.docker.password`</a> | Defines the password for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.|  ""    | No   |
 | <a id="opt-providers-docker-useBindPortIP" href="#opt-providers-docker-useBindPortIP" title="#opt-providers-docker-useBindPortIP">`providers.docker.useBindPortIP`</a> | Instructs Traefik to use the IP/Port attached to the container's binding instead of its inner network IP/Port. See [here](#usebindportip) for more information |  false   | No   |
 | <a id="opt-providers-docker-exposedByDefault" href="#opt-providers-docker-exposedByDefault" title="#opt-providers-docker-exposedByDefault">`providers.docker.exposedByDefault`</a> | Expose containers by default through Traefik. If set to _false_, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.<br>See [here](./overview.md#restrict-the-scope-of-service-discovery) for additional information |  true    | No   |
 | <a id="opt-providers-docker-network" href="#opt-providers-docker-network" title="#opt-providers-docker-network">`providers.docker.network`</a> | Defines a default docker network to use for connections to all containers. This option can be overridden on a per-container basis with the `traefik.docker.network` label.|  ""    | No   |
 | <a id="opt-providers-docker-defaultRule" href="#opt-providers-docker-defaultRule" title="#opt-providers-docker-defaultRule">`providers.docker.defaultRule`</a> | Defines what routing rule to apply to a container if no rule is defined by a label. See [here](#defaultrule) for more information. |  ```"Host(`{{ normalize .Name }}`)"```  | No   |
-| <a id="opt-providers-docker-httpClientTimeout" href="#opt-providers-docker-httpClientTimeout" title="#opt-providers-docker-httpClientTimeout">`providers.docker.httpClientTimeout`</a> | Defines the client timeout (in seconds) for HTTP connections. If its value is 0, no timeout is set. |  0   | No   |
-| <a id="opt-providers-docker-watch" href="#opt-providers-docker-watch" title="#opt-providers-docker-watch">`providers.docker.watch`</a> | Instructs Traefik to watch Docker events or not. |  True   | No   |
+| <a id="opt-providers-docker-httpClientTimeout" href="#opt-providers-docker-httpClientTimeout" title="#opt-providers-docker-httpClientTimeout">`providers.docker.httpClientTimeout`</a> | Defines the client timeout for HTTP connections. Accepts a duration string (e.g., `30s`, `1m30s`) or an integer value in seconds. If its value is 0, no timeout is set. |  0   | No   |
+| <a id="opt-providers-docker-watch" href="#opt-providers-docker-watch" title="#opt-providers-docker-watch">`providers.docker.watch`</a> | Instructs Traefik to watch Docker events or not. |  true   | No   |
 | <a id="opt-providers-docker-constraints" href="#opt-providers-docker-constraints" title="#opt-providers-docker-constraints">`providers.docker.constraints`</a> | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information.  |  ""   | No   |
 | <a id="opt-providers-docker-allowEmptyServices" href="#opt-providers-docker-allowEmptyServices" title="#opt-providers-docker-allowEmptyServices">`providers.docker.allowEmptyServices`</a> |  Instructs the provider to create any [servers load balancer](../../../reference/routing-configuration/http/load-balancing/service.md#service-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. |  false   | No   |
 | <a id="opt-providers-docker-tls-ca" href="#opt-providers-docker-tls-ca" title="#opt-providers-docker-tls-ca">`providers.docker.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to Docker, it defaults to the system bundle.  |  ""   | No   |
@@ -34,8 +34,8 @@ Attaching tags to services:
 |:------|:----------------------------------------------------------|:---------------------|:---------|
 | <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s  | No |
 | <a id="opt-providers-consulCatalog-refreshInterval" href="#opt-providers-consulCatalog-refreshInterval" title="#opt-providers-consulCatalog-refreshInterval">`providers.consulCatalog.refreshInterval`</a> | Defines the polling interval.|  15s    | No   |
-| <a id="opt-providers-consulCatalog-prefix" href="#opt-providers-consulCatalog-prefix" title="#opt-providers-consulCatalog-prefix">`providers.consulCatalog.prefix`</a> | Defines the prefix for Consul Catalog tags defining Traefik labels.|  traefik    | yes   |
-| <a id="opt-providers-consulCatalog-requireConsistent" href="#opt-providers-consulCatalog-requireConsistent" title="#opt-providers-consulCatalog-requireConsistent">`providers.consulCatalog.requireConsistent`</a> | Forces the read to be fully consistent. See [here](#requireconsistent) for more information.|  false    | yes   |
+| <a id="opt-providers-consulCatalog-prefix" href="#opt-providers-consulCatalog-prefix" title="#opt-providers-consulCatalog-prefix">`providers.consulCatalog.prefix`</a> | Defines the prefix for Consul Catalog tags defining Traefik labels.|  traefik    | No   |
+| <a id="opt-providers-consulCatalog-requireConsistent" href="#opt-providers-consulCatalog-requireConsistent" title="#opt-providers-consulCatalog-requireConsistent">`providers.consulCatalog.requireConsistent`</a> | Forces the read to be fully consistent. See [here](#requireconsistent) for more information.|  false    | No   |
 | <a id="opt-providers-consulCatalog-exposedByDefault" href="#opt-providers-consulCatalog-exposedByDefault" title="#opt-providers-consulCatalog-exposedByDefault">`providers.consulCatalog.exposedByDefault`</a> | Expose Consul Catalog services by default through Traefik. If set to _false_, services that do not have a `traefik.enable=true` tag are ignored from the resulting routing configuration.<br>See [here](../overview.md#restrict-the-scope-of-service-discovery) for additional information. | true | no |
 | <a id="opt-providers-consulCatalog-defaultRule" href="#opt-providers-consulCatalog-defaultRule" title="#opt-providers-consulCatalog-defaultRule">`providers.consulCatalog.defaultRule`</a> | The Default Host rule for all services. See [here](#defaultrule) for more information. |   ```"Host(`{{ normalize .Name }}`)"```   | No   |
 | <a id="opt-providers-consulCatalog-connectAware" href="#opt-providers-consulCatalog-connectAware" title="#opt-providers-consulCatalog-connectAware">`providers.consulCatalog.connectAware`</a> | Enable Consul Connect support. If set to `true`, Traefik will be enabled to communicate with Connect services.   | false   | No |
@@ -45,7 +45,7 @@ Attaching tags to services:
 | <a id="opt-providers-consulCatalog-namespaces" href="#opt-providers-consulCatalog-namespaces" title="#opt-providers-consulCatalog-namespaces">`providers.consulCatalog.namespaces`</a> | Defines the namespaces to query. See [here](#namespaces) for more information. |  ""     | no   |
 | <a id="opt-providers-consulCatalog-stale" href="#opt-providers-consulCatalog-stale" title="#opt-providers-consulCatalog-stale">`providers.consulCatalog.stale`</a> | Instruct Traefik to use stale consistency for catalog reads. |  false    | no   |
 | <a id="opt-providers-consulCatalog-cache" href="#opt-providers-consulCatalog-cache" title="#opt-providers-consulCatalog-cache">`providers.consulCatalog.cache`</a> | Instruct Traefik to use local agent caching for catalog reads. |  false    | no   |
-| <a id="opt-providers-consulCatalog-endpoint" href="#opt-providers-consulCatalog-endpoint" title="#opt-providers-consulCatalog-endpoint">`providers.consulCatalog.endpoint`</a> | Defines the Consul server endpoint. |  -    | yes   |
+| <a id="opt-providers-consulCatalog-endpoint" href="#opt-providers-consulCatalog-endpoint" title="#opt-providers-consulCatalog-endpoint">`providers.consulCatalog.endpoint`</a> | Defines the Consul server endpoint. |  -    | No   |
 | <a id="opt-providers-consulCatalog-endpoint-address" href="#opt-providers-consulCatalog-endpoint-address" title="#opt-providers-consulCatalog-endpoint-address">`providers.consulCatalog.endpoint.address`</a> | Defines the address of the Consul server. |  127.0.0.1:8500    | no   |
 | <a id="opt-providers-consulCatalog-endpoint-scheme" href="#opt-providers-consulCatalog-endpoint-scheme" title="#opt-providers-consulCatalog-endpoint-scheme">`providers.consulCatalog.endpoint.scheme`</a> | Defines the URI scheme for the Consul server. |  ""   | no   |
 | <a id="opt-providers-consulCatalog-endpoint-datacenter" href="#opt-providers-consulCatalog-endpoint-datacenter" title="#opt-providers-consulCatalog-endpoint-datacenter">`providers.consulCatalog.endpoint.datacenter`</a> | Defines the datacenter to use. If not provided in Traefik, Consul uses the default agent datacenter. |  ""   | no   |
@@ -54,11 +54,11 @@ Attaching tags to services:
 | <a id="opt-providers-consulCatalog-endpoint-httpAuth" href="#opt-providers-consulCatalog-endpoint-httpAuth" title="#opt-providers-consulCatalog-endpoint-httpAuth">`providers.consulCatalog.endpoint.httpAuth`</a> | Defines authentication settings for the HTTP client using HTTP Basic Authentication. |  N/A    | no   |
 | <a id="opt-providers-consulCatalog-endpoint-httpAuth-username" href="#opt-providers-consulCatalog-endpoint-httpAuth-username" title="#opt-providers-consulCatalog-endpoint-httpAuth-username">`providers.consulCatalog.endpoint.httpAuth.username`</a> | Defines the username to use for HTTP Basic Authentication. |  ""    | no   |
 | <a id="opt-providers-consulCatalog-endpoint-httpAuth-password" href="#opt-providers-consulCatalog-endpoint-httpAuth-password" title="#opt-providers-consulCatalog-endpoint-httpAuth-password">`providers.consulCatalog.endpoint.httpAuth.password`</a> | Defines the password to use for HTTP Basic Authentication. |  ""    | no   |
-| <a id="opt-providers-consulCatalog-strictChecks" href="#opt-providers-consulCatalog-strictChecks" title="#opt-providers-consulCatalog-strictChecks">`providers.consulCatalog.strictChecks`</a> | Define which [Consul Service health checks](https://developer.hashicorp.com/consul/docs/services/usage/checks#define-initial-health-check-status) are allowed to take on traffic. |  "passing,warning"    | no   |
-| <a id="opt-providers-consulCatalog-tls-ca" href="#opt-providers-consulCatalog-tls-ca" title="#opt-providers-consulCatalog-tls-ca">`providers.consulCatalog.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to Consul Calatog, it defaults to the system bundle.  |  ""   | No   |
-| <a id="opt-providers-consulCatalog-tls-cert" href="#opt-providers-consulCatalog-tls-cert" title="#opt-providers-consulCatalog-tls-cert">`providers.consulCatalog.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to Consul Calatog. When using this option, setting the `key` option is required. | "" | Yes   |
-| <a id="opt-providers-consulCatalog-tls-key" href="#opt-providers-consulCatalog-tls-key" title="#opt-providers-consulCatalog-tls-key">`providers.consulCatalog.tls.key`</a> | Defines the path to the private key used for the secure connection to Consul Catalog. When using this option, setting the `cert` option is required. | ""   | Yes   |
-| <a id="opt-providers-consulCatalog-tls-insecureSkipVerify" href="#opt-providers-consulCatalog-tls-insecureSkipVerify" title="#opt-providers-consulCatalog-tls-insecureSkipVerify">`providers.consulCatalog.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by Consul Catalog when establishing a TLS connection, regardless of the hostnames the certificate covers. | false   | No   |
+| <a id="opt-providers-consulCatalog-strictChecks" href="#opt-providers-consulCatalog-strictChecks" title="#opt-providers-consulCatalog-strictChecks">`providers.consulCatalog.strictChecks`</a> | Define which [Consul Service health checks](https://developer.hashicorp.com/consul/docs/services/usage/checks#define-initial-health-check-status) are allowed to take on traffic. |  ["passing", "warning"]    | no   |
+| <a id="opt-providers-consulCatalog-endpoint-tls-ca" href="#opt-providers-consulCatalog-endpoint-tls-ca" title="#opt-providers-consulCatalog-endpoint-tls-ca">`providers.consulCatalog.endpoint.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to Consul Calatog, it defaults to the system bundle.  |  ""   | No   |
+| <a id="opt-providers-consulCatalog-endpoint-tls-cert" href="#opt-providers-consulCatalog-endpoint-tls-cert" title="#opt-providers-consulCatalog-endpoint-tls-cert">`providers.consulCatalog.endpoint.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to Consul Calatog. When using this option, setting the `key` option is required. | "" | Yes   |
+| <a id="opt-providers-consulCatalog-endpoint-tls-key" href="#opt-providers-consulCatalog-endpoint-tls-key" title="#opt-providers-consulCatalog-endpoint-tls-key">`providers.consulCatalog.endpoint.tls.key`</a> | Defines the path to the private key used for the secure connection to Consul Catalog. When using this option, setting the `cert` option is required. | ""   | Yes   |
+| <a id="opt-providers-consulCatalog-endpoint-tls-insecureSkipVerify" href="#opt-providers-consulCatalog-endpoint-tls-insecureSkipVerify" title="#opt-providers-consulCatalog-endpoint-tls-insecureSkipVerify">`providers.consulCatalog.endpoint.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by Consul Catalog when establishing a TLS connection, regardless of the hostnames the certificate covers. | false   | No   |
 | <a id="opt-providers-consulCatalog-watch" href="#opt-providers-consulCatalog-watch" title="#opt-providers-consulCatalog-watch">`providers.consulCatalog.watch`</a> | When set to `true`, watches for Consul changes ([Consul watches checks](https://www.consul.io/docs/dynamic-app-config/watches#checks)). | false   | No   |

 ### `requireConsistent`
@@ -30,8 +30,6 @@ providers:
 | <a id="opt-providers-consul-endpoints" href="#opt-providers-consul-endpoints" title="#opt-providers-consul-endpoints">`providers.consul.endpoints`</a> | Defines the endpoint to access Consul. |  "127.0.0.1:8500"     | yes   |
 | <a id="opt-providers-consul-rootKey" href="#opt-providers-consul-rootKey" title="#opt-providers-consul-rootKey">`providers.consul.rootKey`</a> | Defines the root key of the configuration. |  "traefik"     | yes   |
 | <a id="opt-providers-consul-namespaces" href="#opt-providers-consul-namespaces" title="#opt-providers-consul-namespaces">`providers.consul.namespaces`</a> | Defines the namespaces to query. See [here](#namespaces) for more information |  ""     | no   |
-| <a id="opt-providers-consul-username" href="#opt-providers-consul-username" title="#opt-providers-consul-username">`providers.consul.username`</a> | Defines a username to connect to Consul with. |  ""     | no   |
-| <a id="opt-providers-consul-password" href="#opt-providers-consul-password" title="#opt-providers-consul-password">`providers.consul.password`</a> | Defines a password with which to connect to Consul. |  ""     | no   |
 | <a id="opt-providers-consul-token" href="#opt-providers-consul-token" title="#opt-providers-consul-token">`providers.consul.token`</a> | Defines a token with which to connect to Consul. |  ""     | no   |
 | <a id="opt-providers-consul-tls" href="#opt-providers-consul-tls" title="#opt-providers-consul-tls">`providers.consul.tls`</a> | Defines the TLS configuration used for the secure connection to Consul  |  -   | No   |
 | <a id="opt-providers-consul-tls-ca" href="#opt-providers-consul-tls-ca" title="#opt-providers-consul-tls-ca">`providers.consul.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to Consul, it defaults to the system bundle.  |  -   | Yes   |
@@ -47,10 +47,11 @@ service {
 | <a id="opt-providers-nomad-defaultRule" href="#opt-providers-nomad-defaultRule" title="#opt-providers-nomad-defaultRule">`providers.nomad.defaultRule`</a> | The Default Host rule for all services. See [here](#defaultrule) for more information |   ```"Host(`{{ normalize .Name }}`)"```   | No   |
 | <a id="opt-providers-nomad-constraints" href="#opt-providers-nomad-constraints" title="#opt-providers-nomad-constraints">`providers.nomad.constraints`</a> | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information.  |  ""   | No   |
 | <a id="opt-providers-nomad-exposedByDefault" href="#opt-providers-nomad-exposedByDefault" title="#opt-providers-nomad-exposedByDefault">`providers.nomad.exposedByDefault`</a> | Expose Nomad services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#exposedbydefault-and-traefikenable) for additional information |  true    | No   |
-| <a id="opt-providers-nomad-allowEmptyServices" href="#opt-providers-nomad-allowEmptyServices" title="#opt-providers-nomad-allowEmptyServices">`providers.nomad.allowEmptyServices`</a> |  Instructs the provider to create any [servers load balancer](../../../../reference/routing-configuration/http/load-balancing/service.md#service-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. |  false   | No   |
-| <a id="opt-providers-nomad-prefix" href="#opt-providers-nomad-prefix" title="#opt-providers-nomad-prefix">`providers.nomad.prefix`</a> | Defines the prefix for Nomad service tags defining Traefik labels. | `traefik`     | yes   |
+| <a id="opt-providers-nomad-allowEmptyServices" href="#opt-providers-nomad-allowEmptyServices" title="#opt-providers-nomad-allowEmptyServices">`providers.nomad.allowEmptyServices`</a> |  Instructs the provider to create any [servers load balancer](../../../../reference/routing-configuration/http/load-balancing/service.md#service-load-balancer) defined for Nomad services even when those services are scaled to zero instances. |  false   | No   |
+| <a id="opt-providers-nomad-prefix" href="#opt-providers-nomad-prefix" title="#opt-providers-nomad-prefix">`providers.nomad.prefix`</a> | Defines the prefix for Nomad service tags defining Traefik labels. | `traefik`     | No   |
 | <a id="opt-providers-nomad-stale" href="#opt-providers-nomad-stale" title="#opt-providers-nomad-stale">`providers.nomad.stale`</a> | Instructs Traefik to use stale consistency for Nomad service API reads. See [here](#stale) for more information | false   | No   |
 | <a id="opt-providers-nomad-endpoint-address" href="#opt-providers-nomad-endpoint-address" title="#opt-providers-nomad-endpoint-address">`providers.nomad.endpoint.address`</a> | Defines the Address of the Nomad server. | `http://127.0.0.1:4646`  | No   |
+| <a id="opt-providers-nomad-endpoint-region" href="#opt-providers-nomad-endpoint-region" title="#opt-providers-nomad-endpoint-region">`providers.nomad.endpoint.region`</a> | Defines the Nomad region to use. If not provided, the local agent region is used. | ""  | No   |
 | <a id="opt-providers-nomad-endpoint-token" href="#opt-providers-nomad-endpoint-token" title="#opt-providers-nomad-endpoint-token">`providers.nomad.endpoint.token`</a> | Defines a per-request ACL token if Nomad ACLs are enabled. See [here](#token) for more information | ""  | No   |
 | <a id="opt-providers-nomad-endpoint-endpointWaitTime" href="#opt-providers-nomad-endpoint-endpointWaitTime" title="#opt-providers-nomad-endpoint-endpointWaitTime">`providers.nomad.endpoint.endpointWaitTime`</a> | Defines a duration for which a `watch` can block. If not provided, the agent default values will be used. | ""  | No   |
 | <a id="opt-providers-nomad-endpoint-tls" href="#opt-providers-nomad-endpoint-tls" title="#opt-providers-nomad-endpoint-tls">`providers.nomad.endpoint.tls`</a> | Defines the TLS configuration used for the secure connection to the Nomad APi.  |  -   | No   |
@@ -89,18 +89,18 @@ The provider then watches for incoming Knative events and derives the correspond
 | <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No       |
 | <a id="opt-providers-knative-endpoint" href="#opt-providers-knative-endpoint" title="#opt-providers-knative-endpoint">providers.knative.endpoint</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                        |         |
 | <a id="opt-providers-knative-token" href="#opt-providers-knative-token" title="#opt-providers-knative-token">providers.knative.token</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                           |         |
-| <a id="opt-providers-knative-certauthfilepath" href="#opt-providers-knative-certauthfilepath" title="#opt-providers-knative-certauthfilepath">providers.knative.certauthfilepath</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                           |         |
+| <a id="opt-providers-knative-certAuthFilePath" href="#opt-providers-knative-certAuthFilePath" title="#opt-providers-knative-certAuthFilePath">providers.knative.certAuthFilePath</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                           |         |
 | <a id="opt-providers-knative-namespaces" href="#opt-providers-knative-namespaces" title="#opt-providers-knative-namespaces">providers.knative.namespaces</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces.                                                                                                                                                                                                                                                                                                              |         |
 | <a id="opt-providers-knative-labelSelector" href="#opt-providers-knative-labelSelector" title="#opt-providers-knative-labelSelector">providers.knative.labelSelector</a> | Allow filtering Knative Ingress objects using label selectors.                                                                                                                                                                                                                                                                                                                       |         |
-| <a id="opt-providers-knative-throttleduration" href="#opt-providers-knative-throttleduration" title="#opt-providers-knative-throttleduration">providers.knative.throttleduration</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                           | 0       |
-| <a id="opt-providers-knative-privateentrypoints" href="#opt-providers-knative-privateentrypoints" title="#opt-providers-knative-privateentrypoints">providers.knative.privateentrypoints</a> | Entrypoint names used to expose the Ingress privately. If empty local Ingresses are skipped.                                                                                                                                                                                                                                                                                         |         |
-| <a id="opt-providers-knative-privateservice" href="#opt-providers-knative-privateservice" title="#opt-providers-knative-privateservice">providers.knative.privateservice</a> | Kubernetes service used to expose the networking controller privately.                                                                                                                                                                                                                                                                                                               |         |
-| <a id="opt-providers-knative-privateservice-name" href="#opt-providers-knative-privateservice-name" title="#opt-providers-knative-privateservice-name">providers.knative.privateservice.name</a> | Name of the private Kubernetes service.                                                                                                                                                                                                                                                                                                                                              |         |
-| <a id="opt-providers-knative-privateservice-namespace" href="#opt-providers-knative-privateservice-namespace" title="#opt-providers-knative-privateservice-namespace">providers.knative.privateservice.namespace</a> | Namespace of the private Kubernetes service.                                                                                                                                                                                                                                                                                                                                         |         |
-| <a id="opt-providers-knative-publicentrypoints" href="#opt-providers-knative-publicentrypoints" title="#opt-providers-knative-publicentrypoints">providers.knative.publicentrypoints</a> | Entrypoint names used to expose the Ingress publicly. If empty an Ingress is exposed on all entrypoints.                                                                                                                                                                                                                                                                             |         |
-| <a id="opt-providers-knative-publicservice" href="#opt-providers-knative-publicservice" title="#opt-providers-knative-publicservice">providers.knative.publicservice</a> | Kubernetes service used to expose the networking controller publicly.                                                                                                                                                                                                                                                                                                                |         |
-| <a id="opt-providers-knative-publicservice-name" href="#opt-providers-knative-publicservice-name" title="#opt-providers-knative-publicservice-name">providers.knative.publicservice.name</a> | Name of the public Kubernetes service.                                                                                                                                                                                                                                                                                                                                               |         |
-| <a id="opt-providers-knative-publicservice-namespace" href="#opt-providers-knative-publicservice-namespace" title="#opt-providers-knative-publicservice-namespace">providers.knative.publicservice.namespace</a> | Namespace of the public Kubernetes service.                                                                                                                                                                                                                                                                                                                                          |         |
+| <a id="opt-providers-knative-throttleDuration" href="#opt-providers-knative-throttleDuration" title="#opt-providers-knative-throttleDuration">providers.knative.throttleDuration</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                           | 0       |
+| <a id="opt-providers-knative-privateEntrypoints" href="#opt-providers-knative-privateEntrypoints" title="#opt-providers-knative-privateEntrypoints">providers.knative.privateEntrypoints</a> | Entrypoint names used to expose the Ingress privately. If empty local Ingresses are skipped.                                                                                                                                                                                                                                                                                         |         |
+| <a id="opt-providers-knative-privateService" href="#opt-providers-knative-privateService" title="#opt-providers-knative-privateService">providers.knative.privateService</a> | Kubernetes service used to expose the networking controller privately.                                                                                                                                                                                                                                                                                                               |         |
+| <a id="opt-providers-knative-privateService-desc" href="#opt-providers-knative-privateService-desc" title="#opt-providers-knative-privateService-desc">providers.knative.privateService.desc</a> | Name of the private Kubernetes service.                                                                                                                                                                                                                                                                                                                                              |         |
+| <a id="opt-providers-knative-privateService-namespace" href="#opt-providers-knative-privateService-namespace" title="#opt-providers-knative-privateService-namespace">providers.knative.privateService.namespace</a> | Namespace of the private Kubernetes service.                                                                                                                                                                                                                                                                                                                                         |         |
+| <a id="opt-providers-knative-publicEntrypoints" href="#opt-providers-knative-publicEntrypoints" title="#opt-providers-knative-publicEntrypoints">providers.knative.publicEntrypoints</a> | Entrypoint names used to expose the Ingress publicly. If empty an Ingress is exposed on all entrypoints.                                                                                                                                                                                                                                                                             |         |
+| <a id="opt-providers-knative-publicService" href="#opt-providers-knative-publicService" title="#opt-providers-knative-publicService">providers.knative.publicService</a> | Kubernetes service used to expose the networking controller publicly.                                                                                                                                                                                                                                                                                                                |         |
+| <a id="opt-providers-knative-publicService-desc" href="#opt-providers-knative-publicService-desc" title="#opt-providers-knative-publicService-desc">providers.knative.publicService.desc</a> | Name of the public Kubernetes service.                                                                                                                                                                                                                                                                                                                                               |         |
+| <a id="opt-providers-knative-publicService-namespace" href="#opt-providers-knative-publicService-namespace" title="#opt-providers-knative-publicService-namespace">providers.knative.publicService.namespace</a> | Namespace of the public Kubernetes service.                                                                                                                                                                                                                                                                                                                                          |         |

 <!-- markdownlint-enable MD013 -->

@@ -56,7 +56,7 @@ providers:
 |:------|:----------------------------------------------------------|:--------|:---------|
 | <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No |
 | <a id="opt-providers-kubernetesCRD-endpoint" href="#opt-providers-kubernetesCRD-endpoint" title="#opt-providers-kubernetesCRD-endpoint">`providers.kubernetesCRD.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint). | ""      | No |
-| <a id="opt-providers-kubernetesCRD-token" href="#opt-providers-kubernetesCRD-token" title="#opt-providers-kubernetesCRD-token">`providers.kubernetesCRD.token`</a> | Bearer token used for the Kubernetes client configuration. | ""      | No |
+| <a id="opt-providers-kubernetesCRD-token" href="#opt-providers-kubernetesCRD-token" title="#opt-providers-kubernetesCRD-token">`providers.kubernetesCRD.token`</a> | Bearer token used for the Kubernetes client configuration (not needed for in-cluster client).<br />It accepts either a token value or a file path to the token. | ""      | No |
 | <a id="opt-providers-kubernetesCRD-certAuthFilePath" href="#opt-providers-kubernetesCRD-certAuthFilePath" title="#opt-providers-kubernetesCRD-certAuthFilePath">`providers.kubernetesCRD.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | ""      | No |
 | <a id="opt-providers-kubernetesCRD-namespaces" href="#opt-providers-kubernetesCRD-namespaces" title="#opt-providers-kubernetesCRD-namespaces">`providers.kubernetesCRD.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces. | []      | No |
 | <a id="opt-providers-kubernetesCRD-labelSelector" href="#opt-providers-kubernetesCRD-labelSelector" title="#opt-providers-kubernetesCRD-labelSelector">`providers.kubernetesCRD.labelSelector`</a> | Allow filtering on specific resource objects only using label selectors.<br />Only to Traefik [Custom Resources](#routing-configuration) (they all must match the filter).<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | ""      | No |
@@ -72,10 +72,10 @@ providers:
 | <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No       |
 | <a id="opt-providers-kubernetesGateway-endpoint" href="#opt-providers-kubernetesGateway-endpoint" title="#opt-providers-kubernetesGateway-endpoint">`providers.kubernetesGateway.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                        | ""      | No       |
 | <a id="opt-providers-kubernetesGateway-experimentalChannel" href="#opt-providers-kubernetesGateway-experimentalChannel" title="#opt-providers-kubernetesGateway-experimentalChannel">`providers.kubernetesGateway.experimentalChannel`</a> | Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).<br />(ex: `TCPRoute` and `TLSRoute`)                                                                                                                                                                   | false   | No       |
-| <a id="opt-providers-kubernetesGateway-token" href="#opt-providers-kubernetesGateway-token" title="#opt-providers-kubernetesGateway-token">`providers.kubernetesGateway.token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                           | ""      | No       |
+| <a id="opt-providers-kubernetesGateway-token" href="#opt-providers-kubernetesGateway-token" title="#opt-providers-kubernetesGateway-token">`providers.kubernetesGateway.token`</a> | Bearer token used for the Kubernetes client configuration. Accepts either the token value directly or a path to a file containing the token.                                                                                                                                                                                                                                         | ""      | No       |
 | <a id="opt-providers-kubernetesGateway-certAuthFilePath" href="#opt-providers-kubernetesGateway-certAuthFilePath" title="#opt-providers-kubernetesGateway-certAuthFilePath">`providers.kubernetesGateway.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                           | ""      | No       |
 | <a id="opt-providers-kubernetesGateway-namespaces" href="#opt-providers-kubernetesGateway-namespaces" title="#opt-providers-kubernetesGateway-namespaces">`providers.kubernetesGateway.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces.                                                                                                                                                                                                                                                                                                              | []      | No       |
-| <a id="opt-providers-kubernetesGateway-labelselector" href="#opt-providers-kubernetesGateway-labelselector" title="#opt-providers-kubernetesGateway-labelselector">`providers.kubernetesGateway.labelselector`</a> | Allow filtering on `GatewayClass` only. If left empty, Traefik processes all GatewayClass objects in the configured namespaces.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.                                                                                                                   | ""      | No       |
+| <a id="opt-providers-kubernetesGateway-labelSelector" href="#opt-providers-kubernetesGateway-labelSelector" title="#opt-providers-kubernetesGateway-labelSelector">`providers.kubernetesGateway.labelSelector`</a> | Allow filtering on `GatewayClass` only. If left empty, Traefik processes all GatewayClass objects in the configured namespaces.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.                                                                                                                   | ""      | No       |
 | <a id="opt-providers-kubernetesGateway-throttleDuration" href="#opt-providers-kubernetesGateway-throttleDuration" title="#opt-providers-kubernetesGateway-throttleDuration">`providers.kubernetesGateway.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                           | 0s      | No       |
 | <a id="opt-providers-kubernetesGateway-nativeLBByDefault" href="#opt-providers-kubernetesGateway-nativeLBByDefault" title="#opt-providers-kubernetesGateway-nativeLBByDefault">`providers.kubernetesGateway.nativeLBByDefault`</a> | Defines whether to use Native Kubernetes load-balancing mode by default. For more information, please check out the `traefik.io/service.nativelb` service annotation documentation.                                                                                                                                                                                                  | false   | No       |
 | <a id="opt-providers-kubernetesGateway-statusAddress-hostname" href="#opt-providers-kubernetesGateway-statusAddress-hostname" title="#opt-providers-kubernetesGateway-statusAddress-hostname">`providers.kubernetesGateway.`<br />`statusAddress.hostname`</a> | Hostname copied to the Gateway `status.addresses`.                                                                                                                                                                                                                                                                                                                                   | ""      | No       |
@@ -83,8 +83,8 @@ providers:
 | <a id="opt-providers-kubernetesGateway-statusAddress-service-namespace" href="#opt-providers-kubernetesGateway-statusAddress-service-namespace" title="#opt-providers-kubernetesGateway-statusAddress-service-namespace">`providers.kubernetesGateway.`<br />`statusAddress.service.namespace`</a> | The namespace of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`.                                                                                                          | ""      | No       |
 | <a id="opt-providers-kubernetesGateway-statusAddress-service-name" href="#opt-providers-kubernetesGateway-statusAddress-service-name" title="#opt-providers-kubernetesGateway-statusAddress-service-name">`providers.kubernetesGateway.`<br />`statusAddress.service.name`</a> | The name of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`.                                                                                                               | ""      | No       |
 | <a id="opt-providers-kubernetesGateway-crossProviderNamespaces" href="#opt-providers-kubernetesGateway-crossProviderNamespaces" title="#opt-providers-kubernetesGateway-crossProviderNamespaces">`providers.kubernetesGateway.crossProviderNamespaces`</a> | List of namespaces from which Gateway API routes (`HTTPRoute`, `TCPRoute`, `TLSRoute`) are allowed to declare a `backendRef` of kind `TraefikService`.<br />When unset, all namespaces are allowed. When set to `[]`, every such backendRef is rejected and the route is dropped.                                                                                                    | []      | No       |
-| <a id="opt-providers-kubernetesgateway-qps" href="#opt-providers-kubernetesgateway-qps" title="#opt-providers-kubernetesgateway-qps">providers.kubernetesgateway.qps</a> | Defines the maximum QPS to the Kubernetes API server. Setting this to a negative value will disable client-side ratelimiting.                                                                                                                                                                                                                                                        | 50 | No       |
-| <a id="opt-providers-kubernetesgateway-burst" href="#opt-providers-kubernetesgateway-burst" title="#opt-providers-kubernetesgateway-burst">providers.kubernetesgateway.burst</a> | Defines the maximum burst of requests to the Kubernetes API server.                                                                                                                                                                                                                                                                                                                  | 100 | No |
+| <a id="opt-providers-kubernetesGateway-qps" href="#opt-providers-kubernetesGateway-qps" title="#opt-providers-kubernetesGateway-qps">`providers.kubernetesGateway.qps`</a> | Defines the maximum QPS to the Kubernetes API server. Setting this to a negative value will disable client-side ratelimiting.                                                                                                                                                                                                                                                        | 50 | No       |
+| <a id="opt-providers-kubernetesGateway-burst" href="#opt-providers-kubernetesGateway-burst" title="#opt-providers-kubernetesGateway-burst">`providers.kubernetesGateway.burst`</a> | Defines the maximum burst of requests to the Kubernetes API server.                                                                                                                                                                                                                                                                                                                  | 100 | No |

 <!-- markdownlint-enable MD013 -->

@@ -130,7 +130,7 @@ This provider watches for incoming Ingress events and automatically translates N
 | <a id="opt-providers-kubernetesIngressNGINX-watchNamespace" href="#opt-providers-kubernetesIngressNGINX-watchNamespace" title="#opt-providers-kubernetesIngressNGINX-watchNamespace">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespace`</a> | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.                                                                                                                                                                                                                                                      | ""      | No       |
 | <a id="opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" href="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" title="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespaceSelector`</a> | Selector selects namespaces the controller watches for updates to Kubernetes objects.                                                                                                                                                                                                                                                                                                | ""      | No       |
 | <a id="opt-providers-kubernetesIngressNGINX-ingressClass" href="#opt-providers-kubernetesIngressNGINX-ingressClass" title="#opt-providers-kubernetesIngressNGINX-ingressClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ingressClass`</a> | Name of the IngressClass this controller handles. When `ingressClassByName` is `true`, IngressClasses with this name are included in discovery regardless of their `spec.controller` value.                                                                                                                                                                                          | "nginx"      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-controllerClass" href="#opt-providers-kubernetesIngressNGINX-controllerClass" title="#opt-providers-kubernetesIngressNGINX-controllerClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`controllerClass`</a> | Ingress Class Controller value this controller satisfies.                                                                                                                                                                                                                                                                                                                            | ""      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-controllerClass" href="#opt-providers-kubernetesIngressNGINX-controllerClass" title="#opt-providers-kubernetesIngressNGINX-controllerClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`controllerClass`</a> | Ingress Class Controller value this controller satisfies.                                                                                                                                                                                                                                                                                                                            | "k8s.io/ingress-nginx"      | No       |
 | <a id="opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" href="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" title="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchIngressWithoutClass`</a> | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified.                                                                                                                                                                                                                                                                    | false   | No       |
 | <a id="opt-providers-kubernetesIngressNGINX-ingressClassByName" href="#opt-providers-kubernetesIngressNGINX-ingressClassByName" title="#opt-providers-kubernetesIngressNGINX-ingressClassByName">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ingressClassByName`</a> | When `true`, any IngressClass whose **name** matches `ingressClass` is include in discovery, even if its `spec.controller` does not match `controllerClass`. This is evaluated alongside the controller-based selection, not instead of it.                                                                                                                                          | false   | No       |
 | <a id="opt-providers-kubernetesIngressNGINX-publishService" href="#opt-providers-kubernetesIngressNGINX-publishService" title="#opt-providers-kubernetesIngressNGINX-publishService">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`publishService`</a> | Service fronting the Ingress controller. Takes the form `namespace/name`.                                                                                                                                                                                                                                                                                                            | ""      | No       |
@@ -49,12 +49,12 @@ which in turn creates the resulting routers, services, handlers, etc.
 |:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
 | <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.**                                                                                  | 2s      | No       |
 | <a id="opt-providers-kubernetesIngress-endpoint" href="#opt-providers-kubernetesIngress-endpoint" title="#opt-providers-kubernetesIngress-endpoint">`providers.kubernetesIngress.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                                                                                                         | ""      | No       |
-| <a id="opt-providers-kubernetesIngress-token" href="#opt-providers-kubernetesIngress-token" title="#opt-providers-kubernetesIngress-token">`providers.kubernetesIngress.token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                                                                                                            | ""      | No       |
+| <a id="opt-providers-kubernetesIngress-token" href="#opt-providers-kubernetesIngress-token" title="#opt-providers-kubernetesIngress-token">`providers.kubernetesIngress.token`</a> | Bearer token used for the Kubernetes client configuration.<br />Accepts either the token value directly or a path to a file containing the token.                                                                                                                                                                                                                                                                                                                     | ""      | No       |
 | <a id="opt-providers-kubernetesIngress-certAuthFilePath" href="#opt-providers-kubernetesIngress-certAuthFilePath" title="#opt-providers-kubernetesIngress-certAuthFilePath">`providers.kubernetesIngress.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                                                                            | ""      | No       |
 | <a id="opt-providers-kubernetesIngress-namespaces" href="#opt-providers-kubernetesIngress-namespaces" title="#opt-providers-kubernetesIngress-namespaces">`providers.kubernetesIngress.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces.                                                                                                                                                                                                                                                                                                                                                                                               |         | No       |
-| <a id="opt-providers-kubernetesIngress-labelselector" href="#opt-providers-kubernetesIngress-labelselector" title="#opt-providers-kubernetesIngress-labelselector">`providers.kubernetesIngress.labelselector`</a> | Allow filtering on `Ingress` objects using label selectors.<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.                                                                                                                                                                                               | ""      | No       |
+| <a id="opt-providers-kubernetesIngress-labelSelector" href="#opt-providers-kubernetesIngress-labelSelector" title="#opt-providers-kubernetesIngress-labelSelector">`providers.kubernetesIngress.labelSelector`</a> | Allow filtering on `Ingress` objects using label selectors.<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.                                                                                                                                                                                               | ""      | No       |
 | <a id="opt-providers-kubernetesIngress-ingressClass" href="#opt-providers-kubernetesIngress-ingressClass" title="#opt-providers-kubernetesIngress-ingressClass">`providers.kubernetesIngress.ingressClass`</a> | The `IngressClass` resource name or the `kubernetes.io/ingress.class` annotation value that identifies resource objects to be processed.<br />If empty, resources missing the annotation, having an empty value, or the value `traefik` are processed.                                                                                                                                                                                                                | ""      | No       |
-| <a id="opt-providers-kubernetesIngress-disableIngressClassLookup" href="#opt-providers-kubernetesIngress-disableIngressClassLookup" title="#opt-providers-kubernetesIngress-disableIngressClassLookup">`providers.kubernetesIngress.disableIngressClassLookup`</a> | Prevent to discover IngressClasses in the cluster.<br />It alleviates the requirement of giving Traefik the rights to look IngressClasses up.<br />Ignore Ingresses with IngressClass.<br />Annotations are not affected by this option.                                                                                                                                                                                                                              | false   | No       |
+| <a id="opt-providers-kubernetesIngress-disableIngressClassLookup" href="#opt-providers-kubernetesIngress-disableIngressClassLookup" title="#opt-providers-kubernetesIngress-disableIngressClassLookup">`providers.kubernetesIngress.disableIngressClassLookup`</a> | **Deprecated:** please use [`disableClusterScopeResources`](#opt-providers-kubernetesIngress-disableClusterScopeResources) instead.<br />Prevent to discover IngressClasses in the cluster.<br />It alleviates the requirement of giving Traefik the rights to look IngressClasses up.<br />Ignore Ingresses with IngressClass.<br />Annotations are not affected by this option.                                                                                     | false   | No       |
 | <a id="opt-providers-kubernetesIngress-ingressEndpoint-hostname" href="#opt-providers-kubernetesIngress-ingressEndpoint-hostname" title="#opt-providers-kubernetesIngress-ingressEndpoint-hostname">`providers.kubernetesIngress.`<br />`ingressEndpoint.hostname`</a> | Hostname used for Kubernetes Ingress endpoints.                                                                                                                                                                                                                                                                                                                                                                                                                       | ""      | No       |
 | <a id="opt-providers-kubernetesIngress-ingressEndpoint-ip" href="#opt-providers-kubernetesIngress-ingressEndpoint-ip" title="#opt-providers-kubernetesIngress-ingressEndpoint-ip">`providers.kubernetesIngress.`<br />`ingressEndpoint.ip`</a> | This IP will get copied to the Ingress `status.loadbalancer.ip`, and currently only supports one IP value (IPv4 or IPv6).                                                                                                                                                                                                                                                                                                                                             | ""      | No       |
 | <a id="opt-providers-kubernetesIngress-ingressEndpoint-publishedService" href="#opt-providers-kubernetesIngress-ingressEndpoint-publishedService" title="#opt-providers-kubernetesIngress-ingressEndpoint-publishedService">`providers.kubernetesIngress.`<br />`ingressEndpoint.publishedService`</a> | The Kubernetes service to copy status from.<br />More information [here](#ingressendpointpublishedservice).                                                                                                                                                                                                                                                                                                                                                           | ""      | No       |
@@ -33,8 +33,8 @@ providers:
 | <a id="opt-providers-etcd-password" href="#opt-providers-etcd-password" title="#opt-providers-etcd-password">`providers.etcd.password`</a> | Defines a password for connecting to etcd. |  ""    | No   |
 | <a id="opt-providers-etcd-tls" href="#opt-providers-etcd-tls" title="#opt-providers-etcd-tls">`providers.etcd.tls`</a> | Defines the TLS configuration used for the secure connection to etcd. |  -  | No   |
 | <a id="opt-providers-etcd-tls-ca" href="#opt-providers-etcd-tls-ca" title="#opt-providers-etcd-tls-ca">`providers.etcd.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to etcd, it defaults to the system bundle.  | "" | No   |
-| <a id="opt-providers-etcd-tls-cert" href="#opt-providers-etcd-tls-cert" title="#opt-providers-etcd-tls-cert">`providers.etcd.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to etcd. When using this option, setting the `key` option is required. | "" | Yes   |
-| <a id="opt-providers-etcd-tls-key" href="#opt-providers-etcd-tls-key" title="#opt-providers-etcd-tls-key">`providers.etcd.tls.key`</a> | Defines the path to the private key used for the secure connection to etcd. When using this option, setting the `cert` option is required. | ""  | Yes   |
+| <a id="opt-providers-etcd-tls-cert" href="#opt-providers-etcd-tls-cert" title="#opt-providers-etcd-tls-cert">`providers.etcd.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to etcd. When using this option, setting the `key` option is required. | "" | No   |
+| <a id="opt-providers-etcd-tls-key" href="#opt-providers-etcd-tls-key" title="#opt-providers-etcd-tls-key">`providers.etcd.tls.key`</a> | Defines the path to the private key used for the secure connection to etcd. When using this option, setting the `cert` option is required. | ""  | No   |
 | <a id="opt-providers-etcd-tls-insecureSkipVerify" href="#opt-providers-etcd-tls-insecureSkipVerify" title="#opt-providers-etcd-tls-insecureSkipVerify">`providers.etcd.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by etcd when establishing a TLS connection, regardless of the hostnames the certificate covers. | false   | No   |

 ## Routing Configuration
@@ -19,7 +19,7 @@ providers:
 ```

 ```bash tab="CLI"
--providers.redis.endpoints=true
+--providers.redis.endpoints=127.0.0.1:6379
 ```

 ## Configuration Options
@@ -43,7 +43,7 @@ providers:
 | <a id="opt-providers-redis-sentinel-password" href="#opt-providers-redis-sentinel-password" title="#opt-providers-redis-sentinel-password">`providers.redis.sentinel.password`</a> | Defines the password for Sentinel authentication. | "" | No   |
 | <a id="opt-providers-redis-sentinel-latencyStrategy" href="#opt-providers-redis-sentinel-latencyStrategy" title="#opt-providers-redis-sentinel-latencyStrategy">`providers.redis.sentinel.latencyStrategy`</a> | Defines whether to route commands to the closest master or replica nodes (mutually exclusive with RandomStrategy and ReplicaStrategy). | false   | No   |
 | <a id="opt-providers-redis-sentinel-randomStrategy" href="#opt-providers-redis-sentinel-randomStrategy" title="#opt-providers-redis-sentinel-randomStrategy">`providers.redis.sentinel.randomStrategy`</a> | Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). | false   | No   |
-| <a id="opt-providers-redis-sentinel-replicaStrategy" href="#opt-providers-redis-sentinel-replicaStrategy" title="#opt-providers-redis-sentinel-replicaStrategy">`providers.redis.sentinel.replicaStrategy`</a> | Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). | false   | No   |
+| <a id="opt-providers-redis-sentinel-replicaStrategy" href="#opt-providers-redis-sentinel-replicaStrategy" title="#opt-providers-redis-sentinel-replicaStrategy">`providers.redis.sentinel.replicaStrategy`</a> | Routes all commands exclusively to replica nodes (mutually exclusive with LatencyStrategy and RandomStrategy). | false   | No   |
 | <a id="opt-providers-redis-sentinel-useDisconnectedReplicas" href="#opt-providers-redis-sentinel-useDisconnectedReplicas" title="#opt-providers-redis-sentinel-useDisconnectedReplicas">`providers.redis.sentinel.useDisconnectedReplicas`</a> | Defines whether to use replicas disconnected with master when cannot get connected replicas. | false   | false   |

 ## Routing Configuration
@@ -31,11 +31,6 @@ providers:
 | <a id="opt-providers-zooKeeper-rootKey" href="#opt-providers-zooKeeper-rootKey" title="#opt-providers-zooKeeper-rootKey">`providers.zooKeeper.rootKey`</a> | Defines the root key for the configuration. |  "traefik"   | Yes   |
 | <a id="opt-providers-zooKeeper-username" href="#opt-providers-zooKeeper-username" title="#opt-providers-zooKeeper-username">`providers.zooKeeper.username`</a> | Defines a username with which to connect to zooKeeper. |  ""   | No   |
 | <a id="opt-providers-zooKeeper-password" href="#opt-providers-zooKeeper-password" title="#opt-providers-zooKeeper-password">`providers.zooKeeper.password`</a> | Defines a password for connecting to zooKeeper. |  ""    | No   |
-| <a id="opt-providers-zooKeeper-tls" href="#opt-providers-zooKeeper-tls" title="#opt-providers-zooKeeper-tls">`providers.zooKeeper.tls`</a> | Defines the TLS configuration used for the secure connection to zooKeeper. |  -  | No   |
-| <a id="opt-providers-zooKeeper-tls-ca" href="#opt-providers-zooKeeper-tls-ca" title="#opt-providers-zooKeeper-tls-ca">`providers.zooKeeper.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to zooKeeper, it defaults to the system bundle.  |  ""   | No   |
-| <a id="opt-providers-zooKeeper-tls-cert" href="#opt-providers-zooKeeper-tls-cert" title="#opt-providers-zooKeeper-tls-cert">`providers.zooKeeper.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to zooKeeper. When using this option, setting the `key` option is required. |  ""   | Yes   |
-| <a id="opt-providers-zooKeeper-tls-key" href="#opt-providers-zooKeeper-tls-key" title="#opt-providers-zooKeeper-tls-key">`providers.zooKeeper.tls.key`</a> | Defines the path to the private key used for the secure connection to zooKeeper. When using this option, setting the `cert` option is required. |  ""   | Yes   |
-| <a id="opt-providers-zooKeeper-tls-insecureSkipVerify" href="#opt-providers-zooKeeper-tls-insecureSkipVerify" title="#opt-providers-zooKeeper-tls-insecureSkipVerify">`providers.zooKeeper.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by etcd when establishing a TLS connection, regardless of the hostnames the certificate covers. | false   | No   |

 ## Routing Configuration

@@ -31,7 +31,7 @@ providers:
 | <a id="opt-providers-ecs-ecsAnywhere" href="#opt-providers-ecs-ecsAnywhere" title="#opt-providers-ecs-ecsAnywhere">`providers.ecs.ecsAnywhere`</a> | Enable ECS Anywhere support. |  false    | No   |
 | <a id="opt-providers-ecs-clusters" href="#opt-providers-ecs-clusters" title="#opt-providers-ecs-clusters">`providers.ecs.clusters`</a> | Search for services in cluster list. This option is ignored if `autoDiscoverClusters` is set to `true`. |  `["default"]`  | No   |
 | <a id="opt-providers-ecs-exposedByDefault" href="#opt-providers-ecs-exposedByDefault" title="#opt-providers-ecs-exposedByDefault">`providers.ecs.exposedByDefault`</a> | Expose ECS services by default through Traefik. If set to _false_, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.<br>See [here](../overview.md#restrict-the-scope-of-service-discovery) for additional information. | true  | No   |
-| <a id="opt-providers-ecs-constraints" href="#opt-providers-ecs-constraints" title="#opt-providers-ecs-constraints">`providers.ecs.constraints`</a> |  Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information.  | true  | No   |
+| <a id="opt-providers-ecs-constraints" href="#opt-providers-ecs-constraints" title="#opt-providers-ecs-constraints">`providers.ecs.constraints`</a> |  Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information.  | `""`  | No   |
 | <a id="opt-providers-ecs-healthyTasksOnly" href="#opt-providers-ecs-healthyTasksOnly" title="#opt-providers-ecs-healthyTasksOnly">`providers.ecs.healthyTasksOnly`</a> |  Defines whether Traefik discovers only healthy tasks (`HEALTHY` healthStatus).  | false  | No   |
 | <a id="opt-providers-ecs-defaultRule" href="#opt-providers-ecs-defaultRule" title="#opt-providers-ecs-defaultRule">`providers.ecs.defaultRule`</a> | The Default Host rule for all services. See [here](#defaultrule) for more information. |   ```"Host(`{{ normalize .Name }}`)"```  | No   |
 | <a id="opt-providers-ecs-refreshSeconds" href="#opt-providers-ecs-refreshSeconds" title="#opt-providers-ecs-refreshSeconds">`providers.ecs.refreshSeconds`</a> | Defines the polling interval (in seconds).   | 15   | No |
@@ -102,8 +102,9 @@ http:
 |:------|:----------------------------------------------------------|:---------------------|:---------|
 | <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s  | No |
 | <a id="opt-providers-file-filename" href="#opt-providers-file-filename" title="#opt-providers-file-filename">`providers.file.filename`</a> | Defines the path to the configuration file.  |  ""    | Yes   |
-| <a id="opt-providers-file-directory" href="#opt-providers-file-directory" title="#opt-providers-file-directory">`providers.file.directory`</a> | Defines the path to the directory that contains the configuration files. The `filename` and `directory` options are mutually exclusive. It is recommended to use `directory`.  |  ""    | Yes   |
+| <a id="opt-providers-file-directory" href="#opt-providers-file-directory" title="#opt-providers-file-directory">`providers.file.directory`</a> | Defines the path to the directory that contains the configuration files. The `filename` and `directory` options are mutually exclusive. It is recommended to use `directory`.  |  ""    | Yes  |
 | <a id="opt-providers-file-watch" href="#opt-providers-file-watch" title="#opt-providers-file-watch">`providers.file.watch`</a> | Set the `watch` option to `true` to allow Traefik to automatically watch for file changes. It works with both the `filename` and the `directory` options. | true | No |
+| <a id="opt-providers-file-debugLogGeneratedTemplate" href="#opt-providers-file-debugLogGeneratedTemplate" title="#opt-providers-file-debugLogGeneratedTemplate">`providers.file.debugLogGeneratedTemplate`</a> | Enable debug logging of generated configuration template. | false | No |

 !!! warning "Limitations"

@@ -34,10 +34,11 @@ providers:
 | <a id="opt-providers-http-endpoint" href="#opt-providers-http-endpoint" title="#opt-providers-http-endpoint">`providers.http.endpoint`</a> | Defines the HTTP(S) endpoint to poll. |  ""    | Yes   |
 | <a id="opt-providers-http-pollInterval" href="#opt-providers-http-pollInterval" title="#opt-providers-http-pollInterval">`providers.http.pollInterval`</a> | Defines the polling interval. |  5s    | No   |
 | <a id="opt-providers-http-pollTimeout" href="#opt-providers-http-pollTimeout" title="#opt-providers-http-pollTimeout">`providers.http.pollTimeout`</a> | Defines the polling timeout when connecting to the endpoint. |  5s    | No   |
-| <a id="opt-providers-http-headers" href="#opt-providers-http-headers" title="#opt-providers-http-headers">`providers.http.headers`</a> | Defines custom headers to be sent to the endpoint. |  ""    | No   |
-| <a id="opt-providers-http-tls-ca" href="#opt-providers-http-tls-ca" title="#opt-providers-http-tls-ca">`providers.http.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to the endpoint, it defaults to the system bundle.  |  ""   | No   |
-| <a id="opt-providers-http-tls-cert" href="#opt-providers-http-tls-cert" title="#opt-providers-http-tls-cert">`providers.http.tls.cert`</a> | Defines the path to the public certificate used for the secure connection to the endpoint. When using this option, setting the `key` option is required. |  ""   | Yes   |
-| <a id="opt-providers-http-tls-key" href="#opt-providers-http-tls-key" title="#opt-providers-http-tls-key">`providers.http.tls.key`</a> | Defines the path to the private key used for the secure connection to the endpoint. When using this option, setting the `cert` option is required. |  ""  | Yes   |
+| <a id="opt-providers-http-headers" href="#opt-providers-http-headers" title="#opt-providers-http-headers">`providers.http.headers`</a> | Defines custom headers to be sent to the endpoint. |  {}    | No   |
+| <a id="opt-providers-http-maxResponseBodySize" href="#opt-providers-http-maxResponseBodySize" title="#opt-providers-http-maxResponseBodySize">`providers.http.maxResponseBodySize`</a> | Defines the maximum size of the response body in bytes. A value of `-1` means unlimited. |  -1    | No   |
+| <a id="opt-providers-http-tls-ca" href="#opt-providers-http-tls-ca" title="#opt-providers-http-tls-ca">`providers.http.tls.ca`</a> | Defines the certificate authority used for the secure connection to the endpoint, it defaults to the system bundle. The value can be a file path or the PEM content directly.  |  ""   | No   |
+| <a id="opt-providers-http-tls-cert" href="#opt-providers-http-tls-cert" title="#opt-providers-http-tls-cert">`providers.http.tls.cert`</a> | Defines the public certificate used for the secure connection to the endpoint. The value can be a file path or the PEM content directly. When using this option, setting the `key` option is required. |  ""   | Yes   |
+| <a id="opt-providers-http-tls-key" href="#opt-providers-http-tls-key" title="#opt-providers-http-tls-key">`providers.http.tls.key`</a> | Defines the private key used for the secure connection to the endpoint. The value can be a file path or the PEM content directly. When using this option, setting the `cert` option is required. |  ""  | Yes   |
 | <a id="opt-providers-http-tls-insecureSkipVerify" href="#opt-providers-http-tls-insecureSkipVerify" title="#opt-providers-http-tls-insecureSkipVerify">`providers.http.tls.insecureSkipVerify`</a> | Instructs the provider to accept any certificate presented by endpoint when establishing a TLS connection, regardless of the hostnames the certificate covers. | false   | No   |

 ### headers
@@ -55,6 +55,7 @@ Below is the list of the currently supported providers in Traefik.
 | <a id="opt-Docker-Swarm" href="#opt-Docker-Swarm" title="#opt-Docker-Swarm">[Docker Swarm](./swarm.md)</a> | Orchestrator | Label                | `swarm`             |
 | <a id="opt-Kubernetes-IngressRoute" href="#opt-Kubernetes-IngressRoute" title="#opt-Kubernetes-IngressRoute">[Kubernetes IngressRoute](./kubernetes/kubernetes-crd.md)</a> | Orchestrator | Custom Resource      | `kubernetescrd`     |
 | <a id="opt-Kubernetes-Ingress" href="#opt-Kubernetes-Ingress" title="#opt-Kubernetes-Ingress">[Kubernetes Ingress](./kubernetes/kubernetes-ingress.md)</a> | Orchestrator | Ingress              | `kubernetes`        |
+| <a id="opt-Kubernetes-Ingress-NGINX" href="#opt-Kubernetes-Ingress-NGINX" title="#opt-Kubernetes-Ingress-NGINX">[Kubernetes Ingress NGINX](./kubernetes/kubernetes-ingress-nginx.md)</a> | Orchestrator | Ingress-NGINX              | `kubernetesIngressNGINX`        |
 | <a id="opt-Kubernetes-Gateway-API" href="#opt-Kubernetes-Gateway-API" title="#opt-Kubernetes-Gateway-API">[Kubernetes Gateway API](./kubernetes/kubernetes-gateway.md)</a> | Orchestrator | Gateway API Resource | `kubernetesgateway` |
 | <a id="opt-Consul-Catalog" href="#opt-Consul-Catalog" title="#opt-Consul-Catalog">[Consul Catalog](./hashicorp/consul-catalog.md)</a> | Orchestrator | Label                | `consulcatalog`     |
 | <a id="opt-Nomad" href="#opt-Nomad" title="#opt-Nomad">[Nomad](./hashicorp/nomad.md)</a> | Orchestrator | Label                | `nomad`             |
@@ -54,8 +54,8 @@ services:
 | <a id="opt-providers-swarm-network" href="#opt-providers-swarm-network" title="#opt-providers-swarm-network">`providers.swarm.network`</a> | Defines a default docker network to use for connections to all containers. This option can be overridden on a per-container basis with the `traefik.swarm.network` label.                                                                                                                                                                                                            | ""                                    | No       |
 | <a id="opt-providers-swarm-defaultRule" href="#opt-providers-swarm-defaultRule" title="#opt-providers-swarm-defaultRule">`providers.swarm.defaultRule`</a> | Defines what routing rule to apply to a container if no rule is defined by a label. See [here](#defaultrule) for more information                                                                                                                                                                                                                                                    | ```"Host(`{{ normalize .Name }}`)"``` | No       |
 | <a id="opt-providers-swarm-refreshSeconds" href="#opt-providers-swarm-refreshSeconds" title="#opt-providers-swarm-refreshSeconds">`providers.swarm.refreshSeconds`</a> | Defines the polling interval for Swarm Mode.                                                                                                                                                                                                                                                                                                                                         | "15s"                                 | No       |
-| <a id="opt-providers-swarm-httpClientTimeout" href="#opt-providers-swarm-httpClientTimeout" title="#opt-providers-swarm-httpClientTimeout">`providers.swarm.httpClientTimeout`</a> | Defines the client timeout (in seconds) for HTTP connections. If its value is 0, no timeout is set.                                                                                                                                                                                                                                                                                  | 0                                     | No       |
-| <a id="opt-providers-swarm-watch" href="#opt-providers-swarm-watch" title="#opt-providers-swarm-watch">`providers.swarm.watch`</a> | Instructs Traefik to watch Docker events or not.                                                                                                                                                                                                                                                                                                                                     | True                                  | No       |
+| <a id="opt-providers-swarm-httpClientTimeout" href="#opt-providers-swarm-httpClientTimeout" title="#opt-providers-swarm-httpClientTimeout">`providers.swarm.httpClientTimeout`</a> | Defines the client timeout for HTTP connections. Accepts a duration string (e.g., `"30s"`, `"1m"`). If its value is `0`, no timeout is set.                                                                                                                                                                                                                                          | 0                                     | No       |
+| <a id="opt-providers-swarm-watch" href="#opt-providers-swarm-watch" title="#opt-providers-swarm-watch">`providers.swarm.watch`</a> | Instructs Traefik to watch Docker events or not.                                                                                                                                                                                                                                                                                                                                     | true                                  | No       |
 | <a id="opt-providers-swarm-constraints" href="#opt-providers-swarm-constraints" title="#opt-providers-swarm-constraints">`providers.swarm.constraints`</a> | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information.                                                                                                                                                                                                  | ""                                    | No       |
 | <a id="opt-providers-swarm-allowEmptyServices" href="#opt-providers-swarm-allowEmptyServices" title="#opt-providers-swarm-allowEmptyServices">`providers.swarm.allowEmptyServices`</a> | Instructs the provider to create any [servers load balancer](../../../reference/routing-configuration/http/load-balancing/service.md#service-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers.                                                                                                 | false                                 | No       |
 | <a id="opt-providers-swarm-tls-ca" href="#opt-providers-swarm-tls-ca" title="#opt-providers-swarm-tls-ca">`providers.swarm.tls.ca`</a> | Defines the path to the certificate authority used for the secure connection to Docker, it defaults to the system bundle.                                                                                                                                                                                                                                                            | ""                                    | No       |
@@ -79,12 +79,12 @@ ACME certificate resolvers have the following configuration options:
 | <a id="opt-acme-caServer" href="#opt-acme-caServer" title="#opt-acme-caServer">`acme.caServer`</a> | CA server to use. | https://acme-v02.api.letsencrypt.org/directory | No |
 | <a id="opt-acme-preferredChain" href="#opt-acme-preferredChain" title="#opt-acme-preferredChain">`acme.preferredChain`</a> | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used. | "" | No |
 | <a id="opt-acme-keyType" href="#opt-acme-keyType" title="#opt-acme-keyType">`acme.keyType`</a> | KeyType to use. | "RSA4096" | No |
-| <a id="opt-acme-disableCommonName" href="#opt-acme-disableCommonName" title="#opt-acme-disableCommonName">`acme.disableCommonName`</a> | Disable common name inside CSR and certificates.                                                                                                                                                                                                                        | false                                          | No       |
+| <a id="opt-acme-disableCommonName" href="#opt-acme-disableCommonName" title="#opt-acme-disableCommonName">`acme.disableCommonName`</a> | Disable the common name in the CSR.                                                                                                                                                                                                                        | false                                          | No       |
 | <a id="opt-acme-profile" href="#opt-acme-profile" title="#opt-acme-profile">`acme.profile`</a> | Certificate profile to use. | "" | No |
 | <a id="opt-acme-caCertificates" href="#opt-acme-caCertificates" title="#opt-acme-caCertificates">`acme.caCertificates`</a> | Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | [] | No |
 | <a id="opt-acme-caSystemCertPool" href="#opt-acme-caSystemCertPool" title="#opt-acme-caSystemCertPool">`acme.caSystemCertPool`</a> | Defines if the certificates pool must use a copy of the system cert pool. | false | No |
 | <a id="opt-acme-caServerName" href="#opt-acme-caServerName" title="#opt-acme-caServerName">`acme.caServerName`</a> | Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | "" | No |
-| <a id="opt-acme-emailAddresses" href="#opt-acme-emailAddresses" title="#opt-acme-emailAddresses">`acme.emailAddresses`</a> | CSR email addresses to use. | "" | No |
+| <a id="opt-acme-emailAddresses" href="#opt-acme-emailAddresses" title="#opt-acme-emailAddresses">`acme.emailAddresses`</a> | CSR email addresses to use. | [] | No |
 | <a id="opt-acme-eab" href="#opt-acme-eab" title="#opt-acme-eab">`acme.eab`</a> | Enable external account binding. | | No |
 | <a id="opt-acme-eab-kid" href="#opt-acme-eab-kid" title="#opt-acme-eab-kid">`acme.eab.kid`</a> | Key identifier from External CA. | "" | No |
 | <a id="opt-acme-eab-hmacEncoded" href="#opt-acme-eab-hmacEncoded" title="#opt-acme-eab-hmacEncoded">`acme.eab.hmacEncoded`</a> | HMAC key from External CA, should be in Base64 URL Encoding without padding format. | "" | No |
@@ -141,9 +141,9 @@ with instructions about which environment variables need to be setup.
      For example, if you have `example.org` (account foo) and `example.com` (account bar) you can create a CNAME on `example.org` called `_acme-challenge.example.org` pointing to `challenge.example.com`.
      This way, you can obtain certificates for `example.org` with the bar account.

-??? info "`delayBeforeCheck`"
+??? info "`delayBeforeChecks`"
    By default, the `provider` verifies the TXT record _before_ letting ACME verify.
-    You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).
+    You can delay this operation by specifying a delay (in seconds) with `delayBeforeChecks` (value must be greater than zero).
    This option is useful when internal networks block external DNS queries.      

 ### `tlsChallenge`
@@ -33,7 +33,7 @@ spiffe:
 ```toml tab="File (TOML)"
 ## Static configuration
 [spiffe]
-    workloadAPIAddr: localhost
+    workloadAPIAddr = "localhost"
 ```

 ```bash tab="CLI"
@@ -126,7 +126,6 @@ For Kubernetes providers, you can configure Traefik using the native Ingress or
                backend:
                  service:
                    name: whoami
-                    namespace: apps
                    port:
                      number: 80
      tls:
@@ -18,7 +18,7 @@ http:
        - "/path/to/cert1.pem"
        - "/path/to/cert2.pem"
      insecureSkipVerify: true
-      rootcas:
+      rootCAs:
        - "/path/to/rootca1.pem"
        - "/path/to/rootca2.pem"
      maxIdleConnsPerHost: 100
@@ -42,7 +42,7 @@ http:
  serverName = "myhost"
  certificates = ["/path/to/cert1.pem", "/path/to/cert2.pem"]
  insecureSkipVerify = true
-  rootcas = ["/path/to/rootca1.pem", "/path/to/rootca2.pem"]
+  rootCAs = ["/path/to/rootca1.pem", "/path/to/rootca2.pem"]
  maxIdleConnsPerHost = 100
  disableHTTP2 = true
  peerCertURI = "spiffe://example.org/peer"
@@ -99,8 +99,8 @@ labels:
 | <a id="opt-serverName" href="#opt-serverName" title="#opt-serverName">`serverName`</a> | Configures the server name that will be used as the SNI.                                                                                 | ""      | No       |
 | <a id="opt-certificates" href="#opt-certificates" title="#opt-certificates">`certificates`</a> | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS.                        | []      | No       |
 | <a id="opt-insecureSkipVerify" href="#opt-insecureSkipVerify" title="#opt-insecureSkipVerify">`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified.                                                               | false   | No       |
-| <a id="opt-rootcas" href="#opt-rootcas" title="#opt-rootcas">`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections).                                   | []      | No       |
-| <a id="opt-maxIdleConnsPerHost" href="#opt-maxIdleConnsPerHost" title="#opt-maxIdleConnsPerHost">`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host.                                                                                  | 200     | No       |
+| <a id="opt-rootCAs" href="#opt-rootCAs" title="#opt-rootCAs">`rootCAs`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections).                                   | []      | No       |
+| <a id="opt-maxIdleConnsPerHost" href="#opt-maxIdleConnsPerHost" title="#opt-maxIdleConnsPerHost">`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host. If zero, `DefaultMaxIdleConnsPerHost` (2) is used.                               | 0       | No       |
 | <a id="opt-disableHTTP2" href="#opt-disableHTTP2" title="#opt-disableHTTP2">`disableHTTP2`</a> | Disables HTTP/2 for connections with servers.                                                                                            | false   | No       |
 | <a id="opt-peerCertURI" href="#opt-peerCertURI" title="#opt-peerCertURI">`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification.                                             | ""      | No       |
 | <a id="opt-forwardingTimeouts-dialTimeout" href="#opt-forwardingTimeouts-dialTimeout" title="#opt-forwardingTimeouts-dialTimeout">`forwardingTimeouts.dialTimeout`</a> | Amount of time to wait until a connection to a server can be established.<br />0 = no timeout                                            | 30s     | No       |
@@ -40,9 +40,9 @@ http:
          path: "/health"
          interval: "10s"
          timeout: "3s"
-        passiveHealthcheck:
+        passiveHealthCheck:
          failureWindow: "3s"
-          maxFailedAttempts: "3"
+          maxFailedAttempts: 3
        passHostHeader: true
        serversTransport: "customTransport@file"
        responseForwarding:
@@ -64,9 +64,9 @@ http:
      interval = "10s"
      timeout = "3s"

-    [http.services.my-service.loadBalancer.passiveHealthcheck]
+    [http.services.my-service.loadBalancer.passiveHealthCheck]
      failureWindow = "3s"
-      maxFailedAttempts = "3"
+      maxFailedAttempts = 3
    
    passHostHeader = true
    serversTransport = "customTransport@file"
@@ -85,8 +85,8 @@ labels:
  - "traefik.http.services.my-service.loadBalancer.healthcheck.path=/health"
  - "traefik.http.services.my-service.loadBalancer.healthcheck.interval=10s"
  - "traefik.http.services.my-service.loadBalancer.healthcheck.timeout=3s"
-  - "traefik.http.services.my-service.loadBalancer.passiveHealthcheck.failureWindow=3s"
-  - "traefik.http.services.my-service.loadBalancer.passiveHealthcheck.maxFailedAttempts=3"
+  - "traefik.http.services.my-service.loadBalancer.passiveHealthCheck.failureWindow=3s"
+  - "traefik.http.services.my-service.loadBalancer.passiveHealthCheck.maxFailedAttempts=3"
  - "traefik.http.services.my-service.loadBalancer.passHostHeader=true"
  - "traefik.http.services.my-service.loadBalancer.serversTransport=customTransport@file"
  - "traefik.http.services.my-service.loadBalancer.responseForwarding.flushInterval=150ms"
@@ -103,8 +103,8 @@ labels:
    "traefik.http.services.my-service.loadBalancer.healthcheck.path=/health",
    "traefik.http.services.my-service.loadBalancer.healthcheck.interval=10s",
    "traefik.http.services.my-service.loadBalancer.healthcheck.timeout=3s",
-    "traefik.http.services.my-service.loadBalancer.passiveHealthcheck.failureWindow=3s",
-    "traefik.http.services.my-service.loadBalancer.passiveHealthcheck.maxFailedAttempts=3",
+    "traefik.http.services.my-service.loadBalancer.passiveHealthCheck.failureWindow=3s",
+    "traefik.http.services.my-service.loadBalancer.passiveHealthCheck.maxFailedAttempts=3",
    "traefik.http.services.my-service.loadBalancer.passHostHeader=true",
    "traefik.http.services.my-service.loadBalancer.serversTransport=customTransport@file",
    "traefik.http.services.my-service.loadBalancer.responseForwarding.flushInterval=150ms"
@@ -120,11 +120,11 @@ labels:
 | <a id="opt-strategy" href="#opt-strategy" title="#opt-strategy">`strategy`</a> | Load balancing strategy for distributing traffic among servers. Valid values: `wrr` (default), `p2c`, `hrw`, `leasttime`.                                                                                                                                                                                                                                                                     | No       |
 | <a id="opt-sticky" href="#opt-sticky" title="#opt-sticky">`sticky`</a> | Defines a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.                                                                                                                                                                                                                                                                  | No       |
 | <a id="opt-healthcheck" href="#opt-healthcheck" title="#opt-healthcheck">`healthcheck`</a> | Configures health check to remove unhealthy servers from the load balancing rotation.                                                                                                                                                                                                                                                                                                         | No       |
-| <a id="opt-passiveHealthcheck" href="#opt-passiveHealthcheck" title="#opt-passiveHealthcheck">`passiveHealthcheck`</a> | Configures the passive health check to remove unhealthy servers from the load balancing rotation.                                                                                                                                                                                                                                                                                             | No       |
+| <a id="opt-passiveHealthCheck" href="#opt-passiveHealthCheck" title="#opt-passiveHealthCheck">`passiveHealthCheck`</a> | Configures the passive health check to remove unhealthy servers from the load balancing rotation.                                                                                                                                                                                                                                                                                             | No       |
 | <a id="opt-passHostHeader" href="#opt-passHostHeader" title="#opt-passHostHeader">`passHostHeader`</a> | Allows forwarding of the client Host header to server. By default, `passHostHeader` is true.                                                                                                                                                                                                                                                                                                  | No       |
 | <a id="opt-serversTransport" href="#opt-serversTransport" title="#opt-serversTransport">`serversTransport`</a> | Allows to reference an [HTTP ServersTransport](./serverstransport.md) configuration for the communication between Traefik and your servers. If no `serversTransport` is specified, the `default@internal` will be used.                                                                                                                                                                       | No       |
 | <a id="opt-responseForwarding" href="#opt-responseForwarding" title="#opt-responseForwarding">`responseForwarding`</a> | Configures how Traefik forwards the response from the backend server to the client.                                                                                                                                                                                                                                                                                                           | No       |
-| <a id="opt-responseForwarding-FlushInterval" href="#opt-responseForwarding-FlushInterval" title="#opt-responseForwarding-FlushInterval">`responseForwarding.FlushInterval`</a> | Specifies the interval in between flushes to the client while copying the response body. It is a duration in milliseconds, defaulting to 100ms. A negative value means to flush immediately after each write to the client. The `FlushInterval` is ignored when ReverseProxy recognizes a response as a streaming response; for such responses, writes are flushed to the client immediately. | No       |
+| <a id="opt-responseForwarding-flushInterval" href="#opt-responseForwarding-flushInterval" title="#opt-responseForwarding-flushInterval">`responseForwarding.flushInterval`</a> | Specifies the interval in between flushes to the client while copying the response body. It is a duration in milliseconds, defaulting to 100ms. A negative value means to flush immediately after each write to the client. The `FlushInterval` is ignored when ReverseProxy recognizes a response as a streaming response; for such responses, writes are flushed to the client immediately. | No       |

 #### Servers

@@ -300,7 +300,7 @@ Below are the available options for the health check mechanism:
 | <a id="opt-hostname" href="#opt-hostname" title="#opt-hostname">`hostname`</a> | Defines the value of hostname in the Host header of the health check request.                                                 | ""      | No       |
 | <a id="opt-port" href="#opt-port" title="#opt-port">`port`</a> | Replaces the server URL port for the health check endpoint.                                                                   |         | No       |
 | <a id="opt-interval" href="#opt-interval" title="#opt-interval">`interval`</a> | Defines the frequency of the health check calls for healthy targets.                                                          | 30s     | No       |
-| <a id="opt-unhealthyInterval" href="#opt-unhealthyInterval" title="#opt-unhealthyInterval">`unhealthyInterval`</a> | Defines the frequency of the health check calls for unhealthy targets. When not defined, it defaults to the `interval` value. | 30s     | No       |
+| <a id="opt-unhealthyInterval" href="#opt-unhealthyInterval" title="#opt-unhealthyInterval">`unhealthyInterval`</a> | Defines the frequency of the health check calls for unhealthy targets. When not defined, it defaults to the `interval` value. | -       | No       |
 | <a id="opt-timeout" href="#opt-timeout" title="#opt-timeout">`timeout`</a> | Defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.            | 5s      | No       |
 | <a id="opt-headers" href="#opt-headers" title="#opt-headers">`headers`</a> | Defines custom headers to be sent to the health check endpoint.                                                               |         | No       |
 | <a id="opt-followRedirects" href="#opt-followRedirects" title="#opt-followRedirects">`followRedirects`</a> | Defines whether redirects should be followed during the health check calls.                                                   | true    | No       |
@@ -467,7 +467,7 @@ curl -b "lvl1=whoami1; lvl2=http://127.0.0.1:8081" http://localhost:8000

 ### Passive Health Check

-The `passiveHealthcheck` option configures passive health check to remove unhealthy servers from the load balancing rotation.
+The `passiveHealthCheck` option configures passive health check to remove unhealthy servers from the load balancing rotation.

 Passive health checks rely on real traffic to assess server health.
 Traefik forwards requests as usual and evaluates each response or timeout,
@@ -77,7 +77,7 @@ Use `htpasswd` to generate the passwords.

 ### users & usersFile

- If both `users` and `usersFile` are provided, they are merged. The contents of `usersFile` have precedence over the values in users.
+- If both `users` and `usersFile` are provided, they are merged. The values in `users` have precedence over the contents of `usersFile`.
 - Because referencing a file path isn’t feasible on Kubernetes, the `users` & `usersFile` field isn’t used in Kubernetes IngressRoute. Instead, use the `secret` field.

 #### Kubernetes Secrets
@@ -38,7 +38,7 @@ labels:
 {
  // ...
  "Tags": [
-    "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+    "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
  ]
 }
 ```
@@ -59,9 +59,9 @@ spec:
 | Field | Description | Default | Required |
 |:------|:------------|:--------|:---------|
 | <a id="opt-maxRequestBodyBytes" href="#opt-maxRequestBodyBytes" title="#opt-maxRequestBodyBytes">`maxRequestBodyBytes`</a> | Maximum allowed body size for the request (in bytes). <br /> If the request exceeds the allowed size, it is not forwarded to the Service, and the client gets a `413` (Request Entity Too Large) response. | 0 | No |
-| <a id="opt-memRequestBodyBytes" href="#opt-memRequestBodyBytes" title="#opt-memRequestBodyBytes">`memRequestBodyBytes`</a> | Threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.| 1048576 | No |
+| <a id="opt-memRequestBodyBytes" href="#opt-memRequestBodyBytes" title="#opt-memRequestBodyBytes">`memRequestBodyBytes`</a> | Threshold (in bytes) from which the request will be buffered on disk instead of in memory.| 1048576 | No |
 | <a id="opt-maxResponseBodyBytes" href="#opt-maxResponseBodyBytes" title="#opt-maxResponseBodyBytes">`maxResponseBodyBytes`</a> | Maximum allowed response size from the Service (in bytes). <br /> If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `500` (Internal Server Error) response instead. | 0 | No |
-| <a id="opt-memResponseBodyBytes" href="#opt-memResponseBodyBytes" title="#opt-memResponseBodyBytes">`memResponseBodyBytes`</a> | Threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.| 1048576 | No |
+| <a id="opt-memResponseBodyBytes" href="#opt-memResponseBodyBytes" title="#opt-memResponseBodyBytes">`memResponseBodyBytes`</a> | Threshold (in bytes) from which the response will be buffered on disk instead of in memory.| 1048576 | No |
 | <a id="opt-retryExpression" href="#opt-retryExpression" title="#opt-retryExpression">`retryExpression`</a> | Replay the request using `retryExpression`.<br /> More information [here](#retryexpression). | "" | No |

 ### retryExpression
@@ -65,7 +65,7 @@ spec:

 | Field | Description | Default | Required |
 |:------|:------------|:--------|:---------|
-| <a id="opt-expression" href="#opt-expression" title="#opt-expression">`expression`</a> | Condition to open the circuit breaker and applies the fallback mechanism instead of calling your services.<br />More information [here](#expression) | 100ms | No |
+| <a id="opt-expression" href="#opt-expression" title="#opt-expression">`expression`</a> | Condition to open the circuit breaker and applies the fallback mechanism instead of calling your services.<br />More information [here](#expression) | "" | No |
 | <a id="opt-checkPeriod" href="#opt-checkPeriod" title="#opt-checkPeriod">`checkPeriod`</a> | The interval between successive checks of the circuit breaker condition (when in standby state). | 100ms | No |
 | <a id="opt-fallbackDuration" href="#opt-fallbackDuration" title="#opt-fallbackDuration">`fallbackDuration`</a> | The duration for which the circuit breaker will wait before trying to recover (from a tripped state). | 10s | No |
 | <a id="opt-recoveryDuration" href="#opt-recoveryDuration" title="#opt-recoveryDuration">`recoveryDuration`</a> | The duration for which the circuit breaker will try to recover (as soon as it is in recovering state). | 10s | No |
@@ -65,6 +65,7 @@ Responses are compressed when the following criteria are all met:

 - The `Accept-Encoding` request header contains `gzip`, `*`, and/or `br`, and/or `zstd` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
 If the `Accept-Encoding` request header is absent, the response won't be encoded.
+When `defaultEncoding` is configured, the response is encoded even when `Accept-Encoding` is absent.
 If it is present, but its value is the empty string, then compression is turned off.
 - The response is not already compressed, that is the `Content-Encoding` response header is not already set.
 - The response`Content-Type` header is not one among the `excludedContentTypes` options, or is one among the `includedContentTypes` options.
@@ -71,7 +71,7 @@ Use `htdigest` to generate the passwords.

 ### users & usersFile

- If both `users` and `usersFile` are provided, they are merged. The contents of `usersFile` have precedence over the values in users.
+- If both `users` and `usersFile` are provided, they are merged. The values in `users` have precedence over the contents of `usersFile`.
 - Because referencing a file path isn’t feasible on Kubernetes, the `users` & `usersFile` field isn’t used in Kubernetes IngressRoute. Instead, use the `secret` field.

 ### Kubernetes Secrets
@@ -28,9 +28,9 @@ spec:
  plugin:
    distributedRateLimit:
      burst: 200
-      denyOnError: false
      limit: 100
      period: 1s
+      denyOnError: false
      responseHeaders: true
      sourceCriterion:
        ipStrategy:
@@ -88,20 +88,21 @@ When the bucket is not full, on token is generated every 10 seconds (6 every 1 m
 | <a id="opt-limit" href="#opt-limit" title="#opt-limit">`limit`</a> | Number of requests used to define the rate using the `period`.<br /> 0 means **no rate limiting**.<br />More information [here](#rate-and-burst).| 0      | No      |
 | <a id="opt-period" href="#opt-period" title="#opt-period">`period`</a> | Period of time used to define the rate.<br />More information [here](#rate-and-burst).| 1s | No |
 | <a id="opt-burst" href="#opt-burst" title="#opt-burst">`burst`</a> | Maximum number of requests allowed to go through at the very same moment.<br />More information [here](#rate-and-burst). | 1 | No |
-| <a id="opt-denyOnError" href="#opt-denyOnError" title="#opt-denyOnError">`denyOnError`</a> | Forces to return a 429 error if the number of remaining requests accepted cannot be get.<br /> Set to `false`, this option allows the request to reach the backend. | true    | No       |
-| <a id="opt-responseHeaders" href="#opt-responseHeaders" title="#opt-responseHeaders">`responseHeaders`</a> | Injects the following rate limiting headers in the response:<br />- `X-Rate-Limit-Remaining`<br />- `X-Rate-Limit-Limit`<br />- `X-Rate-Limit-Period`<br />- `X-Rate-Limit-Reset`<br />The added headers indicate how many tokens are left in the bucket (in the token bucket analogy) after the reservation for the request was made. | false   | No       |
+| <a id="opt-denyOnError" href="#opt-denyOnError" title="#opt-denyOnError">`denyOnError`</a> | Whether to deny requests when the rate limit store (Redis) is unavailable. When `false`, requests are allowed through if Redis cannot be reached. | true | No |
+| <a id="opt-responseHeaders" href="#opt-responseHeaders" title="#opt-responseHeaders">`responseHeaders`</a> | Whether to inject rate limit headers (`X-RateLimit-Limit`, `X-RateLimit-Remaining`, `X-RateLimit-Reset`) into responses. | false | No |
 | <a id="opt-store-redis-endpoints" href="#opt-store-redis-endpoints" title="#opt-store-redis-endpoints">`store.redis.endpoints`</a> | Endpoints of the Redis instances to connect to (example: `redis.traefik-hub.svc.cluster.local:6379`) | "" | Yes      |
 | <a id="opt-store-redis-username" href="#opt-store-redis-username" title="#opt-store-redis-username">`store.redis.username`</a> | The username Traefik Hub will use to connect to Redis                                                | "" | No       |
 | <a id="opt-store-redis-password" href="#opt-store-redis-password" title="#opt-store-redis-password">`store.redis.password`</a> | The password Traefik Hub will use to connect to Redis                                                | "" | No       |
-| <a id="opt-store-redis-database" href="#opt-store-redis-database" title="#opt-store-redis-database">`store.redis.database`</a> | The database Traefik Hub will use to sore information (default: `0`)                                 | "" | No       |
-| <a id="opt-store-redis-cluster" href="#opt-store-redis-cluster" title="#opt-store-redis-cluster">`store.redis.cluster`</a> | Enable Redis Cluster                                                                                 | "" | No       |
-| <a id="opt-store-redis-tls-caBundle" href="#opt-store-redis-tls-caBundle" title="#opt-store-redis-tls-caBundle">`store.redis.tls.caBundle`</a> | Custom CA bundle                                                                                     | "" | No       |
+| <a id="opt-store-redis-database" href="#opt-store-redis-database" title="#opt-store-redis-database">`store.redis.database`</a> | The database Traefik Hub will use to store information. Not available in Redis Cluster mode (only database `0` is supported). | 0 | No       |
+| <a id="opt-store-redis-timeout" href="#opt-store-redis-timeout" title="#opt-store-redis-timeout">`store.redis.timeout`</a> | Timeout applied to dial, read, and write operations on the Redis connection. | "" | No       |
+| <a id="opt-store-redis-cluster" href="#opt-store-redis-cluster" title="#opt-store-redis-cluster">`store.redis.cluster`</a> | Enable Redis Cluster mode. Set to `{}` to enable; omit to disable. Cannot be used together with `store.redis.sentinel`. | - | No       |
+| <a id="opt-store-redis-sentinel-masterSet" href="#opt-store-redis-sentinel-masterSet" title="#opt-store-redis-sentinel-masterSet">`store.redis.sentinel.masterSet`</a> | Name of the Redis Sentinel master set. Cannot be used together with `store.redis.cluster`. | "" | Yes (when using Sentinel)       |
+| <a id="opt-store-redis-sentinel-username" href="#opt-store-redis-sentinel-username" title="#opt-store-redis-sentinel-username">`store.redis.sentinel.username`</a> | Username for authenticating with the Redis Sentinel. | "" | No       |
+| <a id="opt-store-redis-sentinel-password" href="#opt-store-redis-sentinel-password" title="#opt-store-redis-sentinel-password">`store.redis.sentinel.password`</a> | Password for authenticating with the Redis Sentinel. | "" | No       |
+| <a id="opt-store-redis-tls-ca" href="#opt-store-redis-tls-ca" title="#opt-store-redis-tls-ca">`store.redis.tls.ca`</a> | Custom CA bundle                                                                                     | "" | No       |
 | <a id="opt-store-redis-tls-cert" href="#opt-store-redis-tls-cert" title="#opt-store-redis-tls-cert">`store.redis.tls.cert`</a> | TLS certificate                                                                                      | "" | No       |
 | <a id="opt-store-redis-tls-key" href="#opt-store-redis-tls-key" title="#opt-store-redis-tls-key">`store.redis.tls.key`</a> | TLS key                                                                                              | "" | No       |
-| <a id="opt-store-redis-tls-insecureSkipVerify" href="#opt-store-redis-tls-insecureSkipVerify" title="#opt-store-redis-tls-insecureSkipVerify">`store.redis.tls.insecureSkipVerify`</a> | Allow skipping the TLS verification                                                                  | "" | No       |
-| <a id="opt-store-redis-sentinel-masterSet" href="#opt-store-redis-sentinel-masterSet" title="#opt-store-redis-sentinel-masterSet">`store.redis.sentinel.masterSet`</a> | Name of the set of main nodes to use for main selection. Required when using Sentinel.               | "" | No       |
-| <a id="opt-store-redis-sentinel-username" href="#opt-store-redis-sentinel-username" title="#opt-store-redis-sentinel-username">`store.redis.sentinel.username`</a> | Username to use for sentinel authentication (can be different from `username`)                       | "" | No       |
-| <a id="opt-store-redis-sentinel-password" href="#opt-store-redis-sentinel-password" title="#opt-store-redis-sentinel-password">`store.redis.sentinel.password`</a> | Password to use for sentinel authentication (can be different from `password`)                       | "" | No       |
+| <a id="opt-store-redis-tls-insecureSkipVerify" href="#opt-store-redis-tls-insecureSkipVerify" title="#opt-store-redis-tls-insecureSkipVerify">`store.redis.tls.insecureSkipVerify`</a> | Allow skipping the TLS verification                                                                  | false | No       |
 | <a id="opt-sourceCriterion-requestHost" href="#opt-sourceCriterion-requestHost" title="#opt-sourceCriterion-requestHost">`sourceCriterion.requestHost`</a> | Whether to consider the request host as the source.<br />More information about `sourceCriterion`[here](#sourcecriterion). | false      | No      |
 | <a id="opt-sourceCriterion-requestHeaderName" href="#opt-sourceCriterion-requestHeaderName" title="#opt-sourceCriterion-requestHeaderName">`sourceCriterion.requestHeaderName`</a> | Name of the header used to group incoming requests.<br />More information about `sourceCriterion`[here](#sourcecriterion). | ""      | No      |
 | <a id="opt-sourceCriterion-ipStrategy-depth" href="#opt-sourceCriterion-ipStrategy-depth" title="#opt-sourceCriterion-ipStrategy-depth">`sourceCriterion.ipStrategy.depth`</a> | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br />If higher than 0, the `excludedIPs` options is not evaluated.<br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy`](#ipstrategy), and [`depth`](#sourcecriterionipstrategydepth) below. | 0      | No      |
@@ -37,8 +37,8 @@ http:
    query = "/{status}.html"

    [http.middlewares.test-errors.errors.statusRewrites]
-      "418" = "404"
-      "502-504" = "500"
+      "418" = 404
+      "502-504" = 500

 [http.services]
  # ... definition of the error-handler-service
@@ -83,8 +83,8 @@ spec:
      - "503"
      - "505-599"
    statusRewrites:
-      "418": "404"
-      "502-504": "500"
+      "418": 404
+      "502-504": 500
    query: /{status}.html
    service:
      name: error-handler-service
@@ -99,6 +99,7 @@ spec:
 | <a id="opt-statusRewrites" href="#opt-statusRewrites" title="#opt-statusRewrites">`statusRewrites`</a> | An optional mapping of status codes to be rewritten. More information [here](#statusrewrites).  | []     | No      |
 | <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | The service that will serve the new requested error page.<br /> More information [here](#service-and-hostheader). | ""      | No      |
 | <a id="opt-query" href="#opt-query" title="#opt-query">`query`</a> | The URL for the error page (hosted by `service`).<br /> More information [here](#query) | ""      | No      |
+| <a id="opt-errorRequestHeaders" href="#opt-errorRequestHeaders" title="#opt-errorRequestHeaders">`errorRequestHeaders`</a> | Defines the list of original request headers forwarded to the error page service.<br /> More information [here](#errorrequestheaders) | []      | No      |

 ### service and HostHeader

@@ -56,14 +56,14 @@ spec:
 | Field      | Description                                                                                                                                                                                                                                                                                                                                     | Default | Required |
 |:-----------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
 | <a id="opt-address" href="#opt-address" title="#opt-address">`address`</a> | Authentication server address.                                                                                                                                                                                                                                                                                                                  | "" | Yes      |
-| <a id="opt-trustForwardHeader" href="#opt-trustForwardHeader" title="#opt-trustForwardHeader">`trustForwardHeader`</a> | Trust all `X-Forwarded-*` headers. <br/>The trustForwardHeader option is deprecated and will be removed in the next major version. <br/>More information [here](#trustforwardheader)                                                                                                                                                            | false | No      |
+| <a id="opt-trustForwardHeader" href="#opt-trustForwardHeader" title="#opt-trustForwardHeader">`trustForwardHeader`</a> | Trust all `X-Forwarded-*` headers. <br/>The trustForwardHeader option is deprecated and will be removed in the next major version. <br/>More information [here](#trustforwardheader)                                                                                                                                                            | - | No      |
 | <a id="opt-authResponseHeaders" href="#opt-authResponseHeaders" title="#opt-authResponseHeaders">`authResponseHeaders`</a> | List of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.                                                                                                                                                                                                       | [] | No      |
 | <a id="opt-authResponseHeadersRegex" href="#opt-authResponseHeadersRegex" title="#opt-authResponseHeadersRegex">`authResponseHeadersRegex`</a> | Regex to match by the headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.<br /> More information [here](#authresponseheadersregex).                                                                                                                         | "" | No      |
 | <a id="opt-authRequestHeaders" href="#opt-authRequestHeaders" title="#opt-authRequestHeaders">`authRequestHeaders`</a> | List of the headers to copy from the request to the authentication server. <br /> It allows filtering headers that should not be passed to the authentication server. <br /> If not set or empty, then all request headers are passed.                                                                                                          | [] | No      |
 | <a id="opt-addAuthCookiesToResponse" href="#opt-addAuthCookiesToResponse" title="#opt-addAuthCookiesToResponse">`addAuthCookiesToResponse`</a> | List of cookies to copy from the authentication server to the response, replacing any existing conflicting cookie from the forwarded response.<br /> Please note that all backend cookies matching the configured list will not be added to the response.                                                                                       | [] | No      |
 | <a id="opt-forwardBody" href="#opt-forwardBody" title="#opt-forwardBody">`forwardBody`</a> | Sets the `forwardBody` option to `true` to send the Body. As body is read inside Traefik before forwarding, this breaks streaming.                                                                                                                                                                                                              | false | No      |
 | <a id="opt-maxBodySize" href="#opt-maxBodySize" title="#opt-maxBodySize">`maxBodySize`</a> | Set the `maxBodySize` to limit the body size in bytes. If body is bigger than this, it returns a 401 (unauthorized). If left unset, the request body size is unrestricted which can have performance or security implications. <br/>More information [here](#maxbodysize).                                                                     | -1 | No      |
-| <a id="opt-maxResponseBodySize" href="#opt-maxResponseBodySize" title="#opt-maxResponseBodySize">`maxResponseBodySize`</a> | Set the `maxResponseBodySize` to limit the response body size from the authentication server in bytes. If the response body exceeds this limit, it returns a 401 (unauthorized). If left unset, the response body size is unrestricted which can have performance or security implications. <br/>More information [here](#maxresponsebodysize). | -1 | No      |
+| <a id="opt-maxResponseBodySize" href="#opt-maxResponseBodySize" title="#opt-maxResponseBodySize">`maxResponseBodySize`</a> | Set the `maxResponseBodySize` to limit the response body size from the authentication server in bytes. If the response body exceeds this limit, it returns a 401 (unauthorized). If left unset, the response body size is unrestricted which can have performance or security implications. <br/>More information [here](#maxresponsebodysize). | - | No      |
 | <a id="opt-headerField" href="#opt-headerField" title="#opt-headerField">`headerField`</a> | Defines a header field to store the authenticated user.                                                                                                                                                                                                                                                                                         | "" | No      |
 | <a id="opt-preserveLocationHeader" href="#opt-preserveLocationHeader" title="#opt-preserveLocationHeader">`preserveLocationHeader`</a> | Defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server.                                                                                                                                                                                                              | false | No      |
 | <a id="opt-preserveRequestMethod" href="#opt-preserveRequestMethod" title="#opt-preserveRequestMethod">`preserveRequestMethod`</a> | Defines whether to preserve the original request method while forwarding the request to the authentication server.                                                                                                                                                                                                                              | false | No      |
@@ -195,7 +195,8 @@ http:
          - GET
          - OPTIONS
          - PUT
-        accessControlAllowHeaders: "*"
+        accessControlAllowHeaders:
+          - "*"
        accessControlAllowOriginList:
          - https://foo.bar.org
          - https://example.org
@@ -279,7 +280,7 @@ spec:
 | <a id="opt-allowedHosts" href="#opt-allowedHosts" title="#opt-allowedHosts">`allowedHosts`</a> | Lists allowed domain names.                      | []      | No |
 | <a id="opt-hostsProxyHeaders" href="#opt-hostsProxyHeaders" title="#opt-hostsProxyHeaders">`hostsProxyHeaders`</a> | Specifies header keys for proxied hostname.      | []      | No |
 | <a id="opt-sslProxyHeaders" href="#opt-sslProxyHeaders" title="#opt-sslProxyHeaders">`sslProxyHeaders`</a> | Defines a set of header keys with associated values that would indicate a valid HTTPS request. It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).        |   {}   | No |
-| <a id="opt-stsSeconds" href="#opt-stsSeconds" title="#opt-stsSeconds">`stsSeconds`</a> | Max age for `Strict-Transport-Security` header.    | 0         | No |
+| <a id="opt-stsSeconds" href="#opt-stsSeconds" title="#opt-stsSeconds">`stsSeconds`</a> | Max age for `Strict-Transport-Security` header.    | -         | No |
 | <a id="opt-stsIncludeSubdomains" href="#opt-stsIncludeSubdomains" title="#opt-stsIncludeSubdomains">`stsIncludeSubdomains`</a> | If set to `true`, the `includeSubDomains` directive is appended to the `Strict-Transport-Security` header.    | false     | No |
 | <a id="opt-stsPreload" href="#opt-stsPreload" title="#opt-stsPreload">`stsPreload`</a> | Adds preload flag to STS header.                 | false     | No |
 | <a id="opt-forceSTSHeader" href="#opt-forceSTSHeader" title="#opt-forceSTSHeader">`forceSTSHeader`</a> | Adds STS header for HTTP connections.            | false     | No |
@@ -287,8 +288,8 @@ spec:
 | <a id="opt-customFrameOptionsValue" href="#opt-customFrameOptionsValue" title="#opt-customFrameOptionsValue">`customFrameOptionsValue`</a> | allows the `X-Frame-Options` header value to be set with a custom value. This overrides the `FrameDeny` option.  |    ""  | No |
 | <a id="opt-contentTypeNosniff" href="#opt-contentTypeNosniff" title="#opt-contentTypeNosniff">`contentTypeNosniff`</a> | Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`.  | false     | No |
 | <a id="opt-browserXssFilter" href="#opt-browserXssFilter" title="#opt-browserXssFilter">`browserXssFilter`</a> | Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.  | false     | No |
-| <a id="opt-customBrowserXSSValue" href="#opt-customBrowserXSSValue" title="#opt-customBrowserXSSValue">`customBrowserXSSValue`</a> | allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the `BrowserXssFilter` option.   | false | No |
-| <a id="opt-contentSecurityPolicy" href="#opt-contentSecurityPolicy" title="#opt-contentSecurityPolicy">`contentSecurityPolicy`</a> | allows the `Content-Security-Policy` header value to be set with a custom value.           | false | No |
+| <a id="opt-customBrowserXSSValue" href="#opt-customBrowserXSSValue" title="#opt-customBrowserXSSValue">`customBrowserXSSValue`</a> | allows the `X-XSS-Protection` header value to be set with a custom value. This overrides the `BrowserXssFilter` option.   | "" | No |
+| <a id="opt-contentSecurityPolicy" href="#opt-contentSecurityPolicy" title="#opt-contentSecurityPolicy">`contentSecurityPolicy`</a> | allows the `Content-Security-Policy` header value to be set with a custom value.           | "" | No |
 | <a id="opt-contentSecurityPolicyReportOnly" href="#opt-contentSecurityPolicyReportOnly" title="#opt-contentSecurityPolicyReportOnly">`contentSecurityPolicyReportOnly`</a> | allows the `Content-Security-Policy-Report-Only` header value to be set with a custom value.    |   ""  | No |
 | <a id="opt-publicKey" href="#opt-publicKey" title="#opt-publicKey">`publicKey`</a> | Implements HPKP for certificate pinning.         |  "" | No |
 | <a id="opt-referrerPolicy" href="#opt-referrerPolicy" title="#opt-referrerPolicy">`referrerPolicy`</a> | Controls forwarding of `Referer` header.         | "" | No |
@@ -82,7 +82,7 @@ If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed i

 This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.

- `ipv6Subnet` is ignored if its value is outside 0-128 interval
+- `ipv6Subnet` causes middleware creation to fail if its value is ≤ 0 or > 128.

 #### Example of ipv6Subnet

@@ -60,6 +60,7 @@ spec:
 | <a id="opt-ipStrategy-depth" href="#opt-ipStrategy-depth" title="#opt-ipStrategy-depth">`ipStrategy.depth`</a> | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br /> If higher than 0, the `excludedIPs` options is not evaluated.<br /> More information about [`ipStrategy](#ipstrategy), and [`depth`](#example-of-depth--x-forwarded-for) below. | 0      | No      |
 | <a id="opt-ipStrategy-excludedIPs" href="#opt-ipStrategy-excludedIPs" title="#opt-ipStrategy-excludedIPs">`ipStrategy.excludedIPs`</a> | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br /> More information about [`ipStrategy](#ipstrategy), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. |       | No      |
 | <a id="opt-ipStrategy-ipv6Subnet" href="#opt-ipStrategy-ipv6Subnet" title="#opt-ipStrategy-ipv6Subnet">`ipStrategy.ipv6Subnet`</a> |  If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`ipStrategy.ipv6Subnet`](#ipstrategyipv6subnet), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. |       | No      |
+| <a id="opt-rejectStatusCode" href="#opt-rejectStatusCode" title="#opt-rejectStatusCode">`rejectStatusCode`</a> | Defines the HTTP status code used for refused requests. | `403`  | No      |

 ### ipStrategy

@@ -87,7 +88,7 @@ If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed i

 This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.

- `ipv6Subnet` is ignored if its value is outside 0-128 interval
+- Middleware creation fails if `ipv6Subnet` is ≤ 0 or > 128. Valid range: 1–128.

 #### Example of ipv6Subnet

@@ -45,11 +45,11 @@ spec:
 | <a id="opt-tokenKey" href="#opt-tokenKey" title="#opt-tokenKey">`tokenKey`</a> | Defines the name of the query and form data parameter used for passing the JWT, for applications that can't pass it in the `Authorization` header. <br /> The middleware always looks in the `Authorization` header first, even with this option enabled. <br /> This option should only be enabled if the JWT cannot be passed as an Authorization header, as it is not recommended by the [RFC](https://www.rfc-editor.org/rfc/rfc6750#section-2). | "" | No |
 | <a id="opt-claims" href="#opt-claims" title="#opt-claims">`claims`</a> | Defines the claims to validate in order to authorize the request. <br /> The `claims` option can only be used with JWT-formatted token. (More information [here](#claims)) | "" | No |
 | <a id="opt-usernameClaim" href="#opt-usernameClaim" title="#opt-usernameClaim">`usernameClaim`</a> | Defines the claim that will be evaluated to populate the `clientusername` in the access logs. <br /> The `usernameClaim` option can only be used with JWT-formatted token.| ""      | No       |
-| <a id="opt-forwardHeaders" href="#opt-forwardHeaders" title="#opt-forwardHeaders">`forwardHeaders`</a> | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | []      | No       |
+| <a id="opt-forwardHeaders" href="#opt-forwardHeaders" title="#opt-forwardHeaders">`forwardHeaders`</a> | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | {}      | No       |
 | <a id="opt-clientConfig-tls-ca" href="#opt-clientConfig-tls-ca" title="#opt-clientConfig-tls-ca">`clientConfig.tls.ca`</a> | PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server  (More information [here](#clientconfig)) | ""      | No       |
 | <a id="opt-clientConfig-tls-cert" href="#opt-clientConfig-tls-cert" title="#opt-clientConfig-tls-cert">`clientConfig.tls.cert`</a> | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server (More information [here](#clientconfig)) | ""      | No       |
 | <a id="opt-clientConfig-tls-key" href="#opt-clientConfig-tls-key" title="#opt-clientConfig-tls-key">`clientConfig.tls.key`</a> | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server. (More information [here](#clientconfig)) | ""      | No       |
-| <a id="opt-clientConfig-tls-insecureSkipVerify" href="#opt-clientConfig-tls-insecureSkipVerify" title="#opt-clientConfig-tls-insecureSkipVerify">`clientConfig.tls.insecureSkipVerify`</a> | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | ""      | No       |
+| <a id="opt-clientConfig-tls-insecureSkipVerify" href="#opt-clientConfig-tls-insecureSkipVerify" title="#opt-clientConfig-tls-insecureSkipVerify">`clientConfig.tls.insecureSkipVerify`</a> | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | false      | No       |
 | <a id="opt-clientConfig-timeoutSeconds" href="#opt-clientConfig-timeoutSeconds" title="#opt-clientConfig-timeoutSeconds">`clientConfig.timeoutSeconds`</a> | Defines the time before giving up requests to the authorization server.   | 5       | No       |
 | <a id="opt-clientConfig-maxRetries" href="#opt-clientConfig-maxRetries" title="#opt-clientConfig-maxRetries">`clientConfig.maxRetries`</a> | Defines the number of retries for requests to authorization server that fail. | 3       | No       |

@@ -109,7 +109,7 @@ user.name
    "office",
    "home"
  ],
-  "user" {
+  "user": {
    "name": "John Snow",
    "status": "undead"
  }
@@ -54,23 +54,24 @@ stringData:
 | <a id="opt-clientConfig-tls-ca" href="#opt-clientConfig-tls-ca" title="#opt-clientConfig-tls-ca">`clientConfig.tls.ca`</a> | PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server  (More information [here](#clientconfig)) | ""      | No       |
 | <a id="opt-clientConfig-tls-cert" href="#opt-clientConfig-tls-cert" title="#opt-clientConfig-tls-cert">`clientConfig.tls.cert`</a> | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server (More information [here](#clientconfig)) | ""      | No       |
 | <a id="opt-clientConfig-tls-key" href="#opt-clientConfig-tls-key" title="#opt-clientConfig-tls-key">`clientConfig.tls.key`</a> | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server. (More information [here](#clientconfig)) | ""      | No       |
-| <a id="opt-clientConfig-tls-insecureSkipVerify" href="#opt-clientConfig-tls-insecureSkipVerify" title="#opt-clientConfig-tls-insecureSkipVerify">`clientConfig.tls.insecureSkipVerify`</a> | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | ""      | No       |
+| <a id="opt-clientConfig-tls-insecureSkipVerify" href="#opt-clientConfig-tls-insecureSkipVerify" title="#opt-clientConfig-tls-insecureSkipVerify">`clientConfig.tls.insecureSkipVerify`</a> | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | false      | No       |
 | <a id="opt-clientConfig-timeoutSeconds" href="#opt-clientConfig-timeoutSeconds" title="#opt-clientConfig-timeoutSeconds">`clientConfig.timeoutSeconds`</a> | Defines the time before giving up requests to the authorization server.   | 5       | No       |
 | <a id="opt-clientConfig-maxRetries" href="#opt-clientConfig-maxRetries" title="#opt-clientConfig-maxRetries">`clientConfig.maxRetries`</a> | Defines the number of retries for requests to authorization server that fail. | 3       | No       |
 | <a id="opt-clientID" href="#opt-clientID" title="#opt-clientID">`clientID`</a> | Defines the unique client identifier for an account on the OpenID Connect provider, must be set when the `clientSecret` option is set.<br />More information [here](#storing-secret-values-in-kubernetes-secrets). | ""      | Yes       |
 | <a id="opt-clientSecret" href="#opt-clientSecret" title="#opt-clientSecret">`clientSecret`</a> | Defines the unique client secret for an account on the OpenID Connect provider, must be set when the `clientID` option is set.<br />More information [here](#storing-secret-values-in-kubernetes-secrets). | ""      | Yes       |
 | <a id="opt-forwardHeaders" href="#opt-forwardHeaders" title="#opt-forwardHeaders">`forwardHeaders`</a> | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | []      | No       |
 | <a id="opt-store-keyPrefix" href="#opt-store-keyPrefix" title="#opt-store-keyPrefix">`store.keyPrefix`</a> | Defines the prefix of the key for the entries that store the sessions. | ""      | No       |
+| <a id="opt-store-secret" href="#opt-store-secret" title="#opt-store-secret">`store.secret`</a> | Defines the encryption secret used to store access tokens in Redis. Must be 16, 24, or 32 characters long. Required when `store` is configured. | ""      | Yes (if store is configured)       |
 | <a id="opt-store-redis-endpoints" href="#opt-store-redis-endpoints" title="#opt-store-redis-endpoints">`store.redis.endpoints`</a> | Endpoints of the Redis instances to connect to (example: `redis.traefik-hub.svc.cluster.local:6379`) | "" | Yes      |
 | <a id="opt-store-redis-username" href="#opt-store-redis-username" title="#opt-store-redis-username">`store.redis.username`</a> | The username Traefik Hub will use to connect to Redis          | "" | No       |
 | <a id="opt-store-redis-password" href="#opt-store-redis-password" title="#opt-store-redis-password">`store.redis.password`</a> | The password Traefik Hub will use to connect to Redis    | "" | No       |
-| <a id="opt-store-redis-database" href="#opt-store-redis-database" title="#opt-store-redis-database">`store.redis.database`</a> | The database Traefik Hub will use to sore information (default: `0`)                                 | "" | No       |
-| <a id="opt-store-redis-cluster" href="#opt-store-redis-cluster" title="#opt-store-redis-cluster">`store.redis.cluster`</a> | Enable Redis Cluster           | "" | No       |
-| <a id="opt-store-redis-tls-caBundle" href="#opt-store-redis-tls-caBundle" title="#opt-store-redis-tls-caBundle">`store.redis.tls.caBundle`</a> | Custom CA bundle    | "" | No       |
+| <a id="opt-store-redis-database" href="#opt-store-redis-database" title="#opt-store-redis-database">`store.redis.database`</a> | The database Traefik Hub will use to sore information (default: `0`)                                 | 0 | No       |
+| <a id="opt-store-redis-cluster" href="#opt-store-redis-cluster" title="#opt-store-redis-cluster">`store.redis.cluster`</a> | Enable Redis Cluster mode. Set to `{}` to enable; omit to disable. | - | No       |
+| <a id="opt-store-redis-tls-ca" href="#opt-store-redis-tls-ca" title="#opt-store-redis-tls-ca">`store.redis.tls.ca`</a> | Custom CA bundle    | "" | No       |
 | <a id="opt-store-redis-tls-cert" href="#opt-store-redis-tls-cert" title="#opt-store-redis-tls-cert">`store.redis.tls.cert`</a> | TLS certificate         | "" | No       |
 | <a id="opt-store-redis-tls-key" href="#opt-store-redis-tls-key" title="#opt-store-redis-tls-key">`store.redis.tls.key`</a> | TLS   | "" | No       |
-| <a id="opt-store-redis-tls-insecureSkipVerify" href="#opt-store-redis-tls-insecureSkipVerify" title="#opt-store-redis-tls-insecureSkipVerify">`store.redis.tls.insecureSkipVerify`</a> | Allow skipping the TLS verification | "" | No       |
-| <a id="opt-store-redis-sentinel-masterSet" href="#opt-store-redis-sentinel-masterSet" title="#opt-store-redis-sentinel-masterSet">`store.redis.sentinel.masterSet`</a> | Name of the set of main nodes to use for main selection. Required when using Sentinel.               | "" | No       |
+| <a id="opt-store-redis-tls-insecureSkipVerify" href="#opt-store-redis-tls-insecureSkipVerify" title="#opt-store-redis-tls-insecureSkipVerify">`store.redis.tls.insecureSkipVerify`</a> | Allow skipping the TLS verification | false | No       |
+| <a id="opt-store-redis-sentinel-masterSet" href="#opt-store-redis-sentinel-masterSet" title="#opt-store-redis-sentinel-masterSet">`store.redis.sentinel.masterSet`</a> | Name of the set of main nodes to use for main selection. Required when using Sentinel.               | "" | Yes (when using Sentinel)       |
 | <a id="opt-store-redis-sentinel-username" href="#opt-store-redis-sentinel-username" title="#opt-store-redis-sentinel-username">`store.redis.sentinel.username`</a> | Username to use for sentinel authentication (can be different from `username`)  | "" | No       |
 | <a id="opt-store-redis-sentinel-password" href="#opt-store-redis-sentinel-password" title="#opt-store-redis-sentinel-password">`store.redis.sentinel.password`</a> | Password to use for sentinel authentication (can be different from `password`)        | "" | No       |
 | <a id="opt-url" href="#opt-url" title="#opt-url">`url`</a> | Defines the authorization server URL (for example: `https://tenant.auth0.com/oauth/token`). | ""      | Yes      |
@@ -141,7 +142,7 @@ user.name
    "office",
    "home"
  ],
-  "user" {
+  "user": {
    "name": "John Snow",
    "status": "undead"
  }
@@ -29,7 +29,7 @@ spec:
        url: "https://YOUR-KEYCLOAK-ADDRESS/realms/YOUR-REALM/protocol/openid-connect/token/introspect"
        headers:
          Authorization: Basic ZXhhbXBsZTpleGFtcGxl # echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64
-      tokenTypeHint: access_token
+        tokenTypeHint: access_token
      forwardHeaders:
        Group: grp
        Expires-At: exp
@@ -45,9 +45,9 @@ spec:
 | <a id="opt-clientConfig-headers" href="#opt-clientConfig-headers" title="#opt-clientConfig-headers">`clientConfig.headers`</a> | Defines the headers to send in every introspection request. Values can be plain strings or a valid [Go template](https://pkg.go.dev/text/template). <br /> Currently, a variable of type [`Request`](https://pkg.go.dev/net/http#Request) corresponding to the request being introspected is accessible in templates. | ""      | No       |
 | <a id="opt-clientConfig-tokenTypeHint" href="#opt-clientConfig-tokenTypeHint" title="#opt-clientConfig-tokenTypeHint">`clientConfig.tokenTypeHint`</a> | Defines the type of token being introspected, sent as a hint to the introspection server. <br /> Please refer to the [official documentation](https://tools.ietf.org/html/rfc7662) for more details. | ""      | No       |
 | <a id="opt-clientConfig-tls-ca" href="#opt-clientConfig-tls-ca" title="#opt-clientConfig-tls-ca">`clientConfig.tls.ca`</a> | PEM-encoded certificate bundle or a URN referencing a secret containing the certificate bundle used to establish a TLS connection with the authorization server  (More information [here](#clientconfig)) | ""      | No       |
-| <a id="opt-clientConfig-tls-cert" href="#opt-clientConfig-tls-cert" title="#opt-clientConfig-tls-cert">`clientConfig.tls.cert`</a> | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the Vault server (More information [here](#clientconfig)) | ""      | No       |
-| <a id="opt-clientConfig-tls-key" href="#opt-clientConfig-tls-key" title="#opt-clientConfig-tls-key">`clientConfig.tls.key`</a> | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the Vault server. (More information [here](#clientconfig)) | ""      | No       |
-| <a id="opt-clientConfig-tls-insecureSkipVerify" href="#opt-clientConfig-tls-insecureSkipVerify" title="#opt-clientConfig-tls-insecureSkipVerify">`clientConfig.tls.insecureSkipVerify`</a> | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | ""      | No       |
+| <a id="opt-clientConfig-tls-cert" href="#opt-clientConfig-tls-cert" title="#opt-clientConfig-tls-cert">`clientConfig.tls.cert`</a> | PEM-encoded certificate or a URN referencing a secret containing the certificate used to establish a TLS connection with the authorization server. (More information [here](#clientconfig)) | ""      | No       |
+| <a id="opt-clientConfig-tls-key" href="#opt-clientConfig-tls-key" title="#opt-clientConfig-tls-key">`clientConfig.tls.key`</a> | PEM-encoded key or a URN referencing a secret containing the key used to establish a TLS connection with the authorization server. (More information [here](#clientconfig)) | ""      | No       |
+| <a id="opt-clientConfig-tls-insecureSkipVerify" href="#opt-clientConfig-tls-insecureSkipVerify" title="#opt-clientConfig-tls-insecureSkipVerify">`clientConfig.tls.insecureSkipVerify`</a> | Disables TLS certificate verification when communicating with the authorization server. <br /> Useful for testing purposes but strongly discouraged for production. (More information [here](#clientconfig)) | false   | No       |
 | <a id="opt-clientConfig-timeoutSeconds" href="#opt-clientConfig-timeoutSeconds" title="#opt-clientConfig-timeoutSeconds">`clientConfig.timeoutSeconds`</a> | Defines the time before giving up requests to the authorization server.   | 5       | No       |
 | <a id="opt-clientConfig-maxRetries" href="#opt-clientConfig-maxRetries" title="#opt-clientConfig-maxRetries">`clientConfig.maxRetries`</a> | Defines the number of retries for requests to authorization server that fail. | 3       | No       |
 | <a id="opt-forwardAuthorization" href="#opt-forwardAuthorization" title="#opt-forwardAuthorization">`forwardAuthorization`</a> | Defines whether the authorization header will be forwarded or stripped from a request after it has been approved by the middleware. | false   | No       |
@@ -23,7 +23,7 @@ spec:
    oidc:
      issuer: "https://tenant.auth0.com/realms/myrealm"
      redirectUrl: "/callback"
-      clientID: "urn:k8s:secret:my-secret:clientId"
+      clientId: "urn:k8s:secret:my-secret:clientId"
      clientSecret: "urn:k8s:secret:my-secret:clientSecret"
      session:
        name: customsessioncookiename
@@ -61,9 +61,11 @@ stringData:
 | Field | Description | Default | Required |
 |:------|:------------|:--------|:---------|
 | <a id="opt-issuer" href="#opt-issuer" title="#opt-issuer">`issuer`</a> | Defines the URL to the OpenID Connect provider (for example, `https://accounts.google.com`). <br /> It should point to the server which provides the OpenID Connect configuration. | "" | Yes |
+| <a id="opt-trustedIssuer" href="#opt-trustedIssuer" title="#opt-trustedIssuer">`trustedIssuer`</a> | Defines a trusted issuer URL to validate against in addition to the one discovered from the OpenID Connect provider. | "" | No |
+| <a id="opt-disableIssuerCheck" href="#opt-disableIssuerCheck" title="#opt-disableIssuerCheck">`disableIssuerCheck`</a> | Disables the issuer validation check during token verification. | false | No |
 | <a id="opt-redirectUrl" href="#opt-redirectUrl" title="#opt-redirectUrl">`redirectUrl`</a> | Defines the URL used by the OpenID Connect provider to redirect back to the middleware once the authorization is complete. (More information [here](#redirecturl)) | "" | Yes |
-| <a id="opt-clientID" href="#opt-clientID" title="#opt-clientID">`clientID`</a> | Defines the unique client identifier for an account on the OpenID Connect provider, must be set when the `clientSecret` option is set. (More information [here](#clientid-clientsecret)) | ""      | Yes       |
-| <a id="opt-clientSecret" href="#opt-clientSecret" title="#opt-clientSecret">`clientSecret`</a> | Defines the unique client secret for an account on the OpenID Connect provider, must be set when the `clientID` option is set. (More information [here](#clientid-clientsecret)) | ""      | Yes       |
+| <a id="opt-clientId" href="#opt-clientId" title="#opt-clientId">`clientId`</a> | Defines the unique client identifier for an account on the OpenID Connect provider, must be set when the `clientSecret` option is set. (More information [here](#clientid-clientsecret)) | ""      | Yes       |
+| <a id="opt-clientSecret" href="#opt-clientSecret" title="#opt-clientSecret">`clientSecret`</a> | Defines the unique client secret for an account on the OpenID Connect provider, must be set when the `clientId` option is set. (More information [here](#clientid-clientsecret)) | ""      | Yes       |
 | <a id="opt-claims" href="#opt-claims" title="#opt-claims">`claims`</a> | Defines the claims to validate in order to authorize the request. <br /> The `claims` option can only be used with JWT-formatted token.  (More information [here](#claims)) | ""      | No       |
 | <a id="opt-usernameClaim" href="#opt-usernameClaim" title="#opt-usernameClaim">`usernameClaim`</a> | Defines the claim that will be evaluated to populate the `clientusername` in the access logs. <br /> The `usernameClaim` option can only be used with JWT-formatted token.| ""      | No       |
 | <a id="opt-forwardHeaders" href="#opt-forwardHeaders" title="#opt-forwardHeaders">`forwardHeaders`</a> | Defines the HTTP headers to add to requests and populates them with values extracted from the access token claims returned by the authorization server. <br /> Claims to be forwarded that are not found in the JWT result in empty headers. <br /> The `forwardHeaders` option can only be used with JWT-formatted token. | []      | No       |
@@ -112,9 +114,10 @@ stringData:
 | <a id="opt-session-store-redis-sentinel-masterSet" href="#opt-session-store-redis-sentinel-masterSet" title="#opt-session-store-redis-sentinel-masterSet">`session.store.redis.sentinel.masterSet`</a> | Name of the set of main nodes to use for main selection. Required when using Sentinel.               | "" | No       |
 | <a id="opt-session-store-redis-sentinel-username" href="#opt-session-store-redis-sentinel-username" title="#opt-session-store-redis-sentinel-username">`session.store.redis.sentinel.username`</a> | Username to use for sentinel authentication (can be different from `username`)                       | "" | No       |
 | <a id="opt-session-store-redis-sentinel-password" href="#opt-session-store-redis-sentinel-password" title="#opt-session-store-redis-sentinel-password">`session.store.redis.sentinel.password`</a> | Password to use for sentinel authentication (can be different from `password`)                       | "" | No       |
-| <a id="opt-csrf" href="#opt-csrf" title="#opt-csrf">`csrf`</a> | When enabled, a CSRF cookie, named `traefikee-csrf-token`, is bound to the OIDC session to protect service from CSRF attacks. <br /> It is based on the [Signed Double Submit Cookie](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#signed-double-submit-cookie) implementation as defined by the OWASP Foundation.<br />Moreinformation [here](#csrf). | "" | No |
+| <a id="opt-session-store-keyPrefix" href="#opt-session-store-keyPrefix" title="#opt-session-store-keyPrefix">`session.store.keyPrefix`</a> | Defines the prefix of the key for the entries that store the sessions. | "" | No |
+| <a id="opt-csrf" href="#opt-csrf" title="#opt-csrf">`csrf`</a> | When enabled, a CSRF cookie, named `hub-csrf-token`, is bound to the OIDC session to protect service from CSRF attacks. <br /> It is based on the [Signed Double Submit Cookie](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#signed-double-submit-cookie) implementation as defined by the OWASP Foundation.<br />Moreinformation [here](#csrf). | "" | No |
 | <a id="opt-csrf-secure" href="#opt-csrf-secure" title="#opt-csrf-secure">`csrf.secure`</a> | Defines whether the CSRF cookie is only sent to the server when a request is made with the `https` scheme. | false | No |
-| <a id="opt-csrf-headerName" href="#opt-csrf-headerName" title="#opt-csrf-headerName">`csrf.headerName`</a> | Defines the name of the header used to send the CSRF token value received previously in the CSRF cookie. | TraefikHub-Csrf-Token | No |
+| <a id="opt-csrf-headerName" href="#opt-csrf-headerName" title="#opt-csrf-headerName">`csrf.headerName`</a> | Defines the name of the header used to send the CSRF token value received previously in the CSRF cookie. | Hub-Csrf-Token | No |

 ### redirectUrl

@@ -182,15 +185,15 @@ spec:
    oidc:
      issuer: "https://tenant.auth0.com/realms/myrealm"
      redirectUrl: "/callback"
-      clientID: my-oidc-client-name
+      clientId: my-oidc-client-name
      clientSecret: mysecret
 ```

-### clientID, clientSecret
+### clientId, clientSecret

 #### Storing secret values in Kubernetes secrets

-When configuring the `clientID` and the `clientSecret`, it is possible to reference Kubernetes secrets defined in the same namespace as the Middleware.
+When configuring the `clientId` and the `clientSecret`, it is possible to reference Kubernetes secrets defined in the same namespace as the Middleware.
 The reference to a Kubernetes secret takes the form of a URN:

 ```text
@@ -398,7 +401,7 @@ spec:
    oidc:
      issuer: "https://tenant.auth0.com/realms/myrealm"
      redirectUrl: "/callback"
-      clientID: my-oidc-client-name
+      clientId: my-oidc-client-name
      clientSecret: mysecret
      session:
        store:
@@ -11,7 +11,8 @@ The OPA middleware works as an [OPA agent](https://www.openpolicyagent.org/).

 !!! note "OPA Version"

-    This middleware uses the [v1.3.0 of the OPA specification](https://www.openpolicyagent.org/docs).
+    This middleware uses [OPA v1.x](https://www.openpolicyagent.org/) with Rego v0-compatible syntax.
+    Policies written in Rego v0 style (e.g. `allow { ... }` without the `if` keyword) are fully supported.

 ## Configuration Example

@@ -67,6 +68,6 @@ spec:
 | <a id="opt-policy" href="#opt-policy" title="#opt-policy">`policy`</a> | Path or the content of a [policy file](https://www.openpolicyagent.org/docs/v0.66.0/kubernetes-primer/#writing-policies). | ""      | No (one of `policy` or `bundlePath` must be set) |
 | <a id="opt-bundlePath" href="#opt-bundlePath" title="#opt-bundlePath">`bundlePath`</a> | The `bundlePath` option should contain the path to an OPA [bundle](https://www.openpolicyagent.org/docs/v0.66.0/management-bundles/). | ""      | No (one of `policy` or `bundlePath` must be set) |
 | <a id="opt-allow" href="#opt-allow" title="#opt-allow">`allow`</a> | The `allow` option sets the expression to evaluate that determines if the request should be authorized. | ""      | No (one of `allow` or `forwardHeaders` must be set) |
-| <a id="opt-forwardHeaders" href="#opt-forwardHeaders" title="#opt-forwardHeaders">`forwardHeaders`</a> | The `forwardHeaders` option sets the HTTP headers to add to requests and populates them with the result of the given expression. | ""      | No (one of `allow` or `forwardHeaders` must be set) |   
+| <a id="opt-forwardHeaders" href="#opt-forwardHeaders" title="#opt-forwardHeaders">`forwardHeaders`</a> | The `forwardHeaders` option sets the HTTP headers to add to requests and populates them with the result of the given expression. | {}      | No (one of `allow` or `forwardHeaders` must be set) |   

 {% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -259,5 +259,5 @@ If there are more than one certificate, they are separated by a `,`.
 The following example shows such a concatenation, when all the available fields are selected:

 ```text
-Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1747282426";NA="1778818426"SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
+Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";SerialNumber="1";NB="1747282426";NA="1778818426";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
 ```
@@ -197,7 +197,7 @@ data:
 | <a id="opt-sourceCriterion-ipStrategy-excludedIPs" href="#opt-sourceCriterion-ipStrategy-excludedIPs" title="#opt-sourceCriterion-ipStrategy-excludedIPs">`sourceCriterion.ipStrategy.excludedIPs`</a> | Allows scanning the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy`](#ipstrategy), and [`excludedIPs`](#sourcecriterionipstrategyexcludedips) below. |       | No      |
 | <a id="opt-sourceCriterion-ipStrategy-ipv6Subnet" href="#opt-sourceCriterion-ipStrategy-ipv6Subnet" title="#opt-sourceCriterion-ipStrategy-ipv6Subnet">`sourceCriterion.ipStrategy.ipv6Subnet`</a> |  If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`sourceCriterion`](#sourcecriterion), [`ipStrategy.ipv6Subnet`](#sourcecriterionipstrategyipv6subnet) below. |       | No      |
 | <a id="opt-redis" href="#opt-redis" title="#opt-redis">`redis`</a> | The `redis` configuration enables distributed rate limiting by using Redis to store rate limit tokens across multiple Traefik instances. This allows you to enforce consistent rate limits across a cluster of Traefik proxies. <br />When Redis is not configured, Traefik uses in-memory storage for rate limiting, which works only for the individual Traefik instance.|       | No      |
-| <a id="opt-redis-endpoints" href="#opt-redis-endpoints" title="#opt-redis-endpoints">`redis.endpoints`</a> | List of Redis server endpoints for distributed rate limiting. You can specify multiple endpoints for Redis cluster or high availability setups. | "127.0.0.1:6379" | No |
+| <a id="opt-redis-endpoints" href="#opt-redis-endpoints" title="#opt-redis-endpoints">`redis.endpoints`</a> | List of Redis server endpoints for distributed rate limiting. You can specify multiple endpoints for Redis cluster or high availability setups. | "localhost:6379" | No |
 | <a id="opt-redis-username" href="#opt-redis-username" title="#opt-redis-username">`redis.username`</a> | Username for Redis authentication. | "" | No |
 | <a id="opt-redis-password" href="#opt-redis-password" title="#opt-redis-password">`redis.password`</a> | Password for Redis authentication. In Kubernetes, these can be provided via secrets. | "" | No |
 | <a id="opt-redis-db" href="#opt-redis-db" title="#opt-redis-db">`redis.db`</a> | Redis database number to select. | 0 | No |
@@ -46,7 +46,7 @@ labels:
 {
  // ...
  "Tags": [
-    "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+    "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https",
    "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
  ]
 }
@@ -87,14 +87,14 @@ Request → EntryPoint → Parent Router → Middleware → Child Router A → S

        # Child router for admin users
        api-admin:
-          rule: "HeadersRegexp(`X-User-Role`, `admin`)"
+          rule: "HeaderRegexp(`X-User-Role`, `admin`)"
          service: admin-service
          parentRefs:
            - api-parent

        # Child router for regular users
        api-user:
-          rule: "HeadersRegexp(`X-User-Role`, `user`)"
+          rule: "HeaderRegexp(`X-User-Role`, `user`)"
          service: user-service
          parentRefs:
            - api-parent
@@ -132,13 +132,13 @@ Request → EntryPoint → Parent Router → Middleware → Child Router A → S

      # Child router for admin users
      [http.routers.api-admin]
-        rule = "HeadersRegexp(`X-User-Role`, `admin`)"
+        rule = "HeaderRegexp(`X-User-Role`, `admin`)"
        service = "admin-service"
        parentRefs = ["api-parent"]

      # Child router for regular users
      [http.routers.api-user]
-        rule = "HeadersRegexp(`X-User-Role`, `user`)"
+        rule = "HeaderRegexp(`X-User-Role`, `user`)"
        service = "user-service"
        parentRefs = ["api-parent"]

@@ -164,10 +164,10 @@ Request → EntryPoint → Parent Router → Middleware → Child Router A → S
    | `traefik/http/routers/api-parent/middlewares/0`                        | `auth-middleware`               |
    | `traefik/http/routers/api-parent/entrypoints/0`                        | `websecure`                     |
    | `traefik/http/routers/api-parent/tls`                                  | `true`                          |
-    | `traefik/http/routers/api-admin/rule`                                  | `HeadersRegexp(\`X-User-Role\`, \`admin\`)` |
+    | `traefik/http/routers/api-admin/rule`                                  | `HeaderRegexp(\`X-User-Role\`, \`admin\`)` |
    | `traefik/http/routers/api-admin/service`                               | `admin-service`                 |
    | `traefik/http/routers/api-admin/parentrefs/0`                          | `api-parent`                    |
-    | `traefik/http/routers/api-user/rule`                                   | `HeadersRegexp(\`X-User-Role\`, \`user\`)` |
+    | `traefik/http/routers/api-user/rule`                                   | `HeaderRegexp(\`X-User-Role\`, \`user\`)` |
    | `traefik/http/routers/api-user/service`                                | `user-service`                  |
    | `traefik/http/routers/api-user/parentrefs/0`                           | `api-parent`                    |
    | `traefik/http/middlewares/auth-middleware/forwardauth/address`         | `http://auth-service:8080/auth` |
@@ -110,6 +110,7 @@ labels:
 | <a id="opt-tls-options" href="#opt-tls-options" title="#opt-tls-options">`tls.options`</a> | The name of the TLS options to use for configuring TLS parameters (cipher suites, min/max TLS version, client authentication, etc.). See [TLS Options](../tls/tls-options.md) for detailed configuration.                                                                                                            | `default`                   | No       |
 | <a id="opt-tls-domains" href="#opt-tls-domains" title="#opt-tls-domains">`tls.domains`</a> | List of domains and Subject Alternative Names (SANs) for explicit certificate domain specification. When using ACME certificate resolvers, domains are automatically extracted from router rules, making this option optional.                                                                                       |                             | No       |
 | <a id="opt-observability" href="#opt-observability" title="#opt-observability">`observability`</a> | Observability configuration for the router. Allows fine-grained control over access logs, metrics, and tracing per router. See [Observability](./observability.md) for details.                                                                                                                                      | Inherited from entry points | No       |
+| <a id="opt-observability-traceVerbosity" href="#opt-observability-traceVerbosity" title="#opt-observability-traceVerbosity">`observability.traceVerbosity`</a> | Defines the verbosity level of tracing for this router. Accepted values are `minimal` and `detailed`.                                                                                                                                                                                                               | `minimal`                   | No       |
 | <a id="opt-parentRefs" href="#opt-parentRefs" title="#opt-parentRefs">`parentRefs`</a> | References to parent router names for multi-layer routing. When specified, this router becomes a child router that processes requests after parent routers have applied their middlewares. See [Multi-Layer Routing](../routing/multi-layer-routing.md) for details.                                        |                             | No       |
 | <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | The name of the service that will handle the matched requests. Services can be load balancer services, weighted round robin, mirroring, or failover services. See [Service](../load-balancing/service.md) for details.                                                                                               |                             | Yes      |

@@ -119,7 +119,7 @@ It only matches the request client IP and does not use the `X-Forwarded-For` hea

 In Traefik v3 a new rule syntax has been introduced ([migration guide](../../../../migrate/v3.md)). the `ruleSyntax` option allows to configure the rule syntax to be used for parsing the rule on a per-router basis. This allows to have heterogeneous router configurations and ease migration.

-The default value of the `ruleSyntax` option is inherited from the `defaultRuleSyntax` option in the install configuration (formerly known as static configuration). By default, the `defaultRuleSyntax` static option is v3, meaning that the default rule syntax is also v3
+The default value of the `ruleSyntax` option is inherited from the `core.defaultRuleSyntax` option in the install configuration (formerly known as static configuration). By default, the `core.defaultRuleSyntax` static option is v3, meaning that the default rule syntax is also v3

 #### Configuration Example

@@ -142,10 +142,10 @@ http:
 [http.routers]
  [http.routers.Router-v3]
    rule = "HostRegexp(`[a-z]+\\.traefik\\.com`)"
-    ruleSyntax = v3
+    ruleSyntax = "v3"
  [http.routers.Router-v2]
    rule = "HostRegexp(`{subdomain:[a-z]+}.traefik.com`)"
-    ruleSyntax = v2
+    ruleSyntax = "v2"
 ```

 ```yaml tab="Labels"
@@ -74,7 +74,7 @@ labels:

 | Field                                                                              | Description                                                                                                                                                                                                    | Default   | Required |
 |:-----------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------|:---------|
-| <a id="opt-options" href="#opt-options" title="#opt-options">`options`</a> | The name of the TLS options to use for configuring TLS parameters (cipher suites, min/max TLS version, client authentication, etc.). See [TLS Options](./tls-options.md) for detailed configuration.           | `default` | No       |
+| <a id="opt-options" href="#opt-options" title="#opt-options">`options`</a> | The name of the TLS options to use for configuring TLS parameters (cipher suites, min/max TLS version, client authentication, etc.). See [TLS Options](./tls-options.md) for detailed configuration.           | `""` (resolves to `default` at runtime) | No       |
 | <a id="opt-certResolver" href="#opt-certResolver" title="#opt-certResolver">`certResolver`</a> | The name of the certificate resolver to use for automatic certificate generation via ACME providers (such as Let's Encrypt). See the [Certificate Resolver](./#certificate-resolver) section for more details. | ""        | No       |
 | <a id="opt-domains" href="#opt-domains" title="#opt-domains">`domains`</a> | List of domains and Subject Alternative Names (SANs) for explicit certificate domain specification. See the [Custom Domains](./#custom-domains) section for more details.                                      | []        | No       |

@@ -231,8 +231,8 @@ _Optional, Default="false"_

 When set to true, Traefik disables the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions.

-```yaml tab="File (YAML)"
-# Dynamic configuration
+```yaml tab="Structured (YAML)"
+# routing configuration

 tls:
  options:
@@ -240,8 +240,8 @@ tls:
      disableSessionTickets: true
 ```

-```toml tab="File (TOML)"
-# Dynamic configuration
+```toml tab="Structured (TOML)"
+# routing configuration

 [tls.options]
  [tls.options.default]
@@ -5,7 +5,7 @@ description: "An IngressRoute is a Traefik CRD is in charge of connecting incomi

 `IngressRoute` is the CRD implementation of a [Traefik HTTP router](../../../http/routing/rules-and-priority.md).

-Before creating `IngressRoute` objects, you need to apply the Traefik Kubernetes CRDs such as [Definitions](/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml) and [RBAC](/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml) to your Kubernetes cluster.
+Before creating `IngressRoute` objects, you need to apply the Traefik Kubernetes CRDs such as [Definitions](../../../../dynamic-configuration/kubernetes-crd-definition-v1.yml) and [RBAC](../../../../dynamic-configuration/kubernetes-crd-rbac.yml) to your Kubernetes cluster.

 This registers the `IngressRoute` kind and other Traefik-specific resources.

@@ -93,6 +93,7 @@ spec:
 | <a id="opt-routesn-observability-accessLogs" href="#opt-routesn-observability-accessLogs" title="#opt-routesn-observability-accessLogs">`routes[n].`<br />`observability.`<br />`accessLogs`</a> | Defines whether the route will produce [access-logs](../../../../install-configuration/observability/logs-and-accesslogs.md). See [here](../../../http/routing/observability.md) for more information.                                                                                                                                                                           | false   | No       |
 | <a id="opt-routesn-observability-metrics" href="#opt-routesn-observability-metrics" title="#opt-routesn-observability-metrics">`routes[n].`<br />`observability.`<br />`metrics`</a> | Defines whether the route will produce [metrics](../../../../install-configuration/observability/metrics.md). See [here](../../../http/routing/observability.md) for more information.                                                                                                                                                                                           | false   | No       |
 | <a id="opt-routesn-observability-tracing" href="#opt-routesn-observability-tracing" title="#opt-routesn-observability-tracing">`routes[n].`<br />`observability.`<br />`tracing`</a> | Defines whether the route will produce [traces](../../../../install-configuration/observability/tracing.md). See [here](../../../http/routing/observability.md) for more information.                                                                                                                                                                                            | false   | No       |
+| <a id="opt-routesn-observability-traceVerbosity" href="#opt-routesn-observability-traceVerbosity" title="#opt-routesn-observability-traceVerbosity">`routes[n].`<br />`observability.`<br />`traceVerbosity`</a> | Defines the verbosity level of the tracing for this route. Valid values are `minimal` and `detailed`. See [here](../../../http/routing/observability.md) for more information.                                                                                                                                                                                                   | minimal | No       |
 | <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration.<br />Can be an empty value(`{}`):<br />A self signed is generated in such a case<br />(or the [default certificate](../tls/tlsstore.md) is used if it is defined.)                                                                                                                                                                                                   |         | No       |
 | <a id="opt-routesn-services" href="#opt-routesn-services" title="#opt-routesn-services">`routes[n].`<br />`services`</a> | List of any combination of [TraefikService](./traefikservice.md) and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br /> Exhaustive list of option in the [`Service`](./service.md#configuration-options) documentation.                                                                                                              |         | No       |
 | <a id="opt-tls-secretName" href="#opt-tls-secretName" title="#opt-tls-secretName">`tls.secretName`</a> | [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the same namesapce as the `IngressRoute`)                                                                                                                                                                                                                             | ""      | No       |
@@ -57,14 +57,16 @@ spec:
 |:------|:----------------------------------------------------------|:---------------------|:---------|
 | <a id="opt-serverstransport-serverName" href="#opt-serverstransport-serverName" title="#opt-serverstransport-serverName">`serverstransport.`<br />`serverName`</a> | Defines the server name that will be used for SNI. |  | No |
 | <a id="opt-serverstransport-insecureSkipVerify" href="#opt-serverstransport-insecureSkipVerify" title="#opt-serverstransport-insecureSkipVerify">`serverstransport.`<br />`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified. | false  | No |
-| <a id="opt-serverstransport-rootcas" href="#opt-serverstransport-rootcas" title="#opt-serverstransport-rootcas">`serverstransport.`<br />`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections). |  | No |
+| <a id="opt-serverstransport-rootCAs" href="#opt-serverstransport-rootCAs" title="#opt-serverstransport-rootCAs">`serverstransport.`<br />`rootCAs`</a> | Set of root certificate authorities to use when verifying server certificates. |  | No |
 | <a id="opt-serverstransport-certificatesSecrets" href="#opt-serverstransport-certificatesSecrets" title="#opt-serverstransport-certificatesSecrets">`serverstransport.`<br />`certificatesSecrets`</a> | Certificates to present to the server for mTLS. |  | No |
-| <a id="opt-serverstransport-maxIdleConnsPerHost" href="#opt-serverstransport-maxIdleConnsPerHost" title="#opt-serverstransport-maxIdleConnsPerHost">`serverstransport.`<br />`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host. | 200 | No |
+| <a id="opt-serverstransport-maxIdleConnsPerHost" href="#opt-serverstransport-maxIdleConnsPerHost" title="#opt-serverstransport-maxIdleConnsPerHost">`serverstransport.`<br />`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host. | 0 | No |
 | <a id="opt-serverstransport-disableHTTP2" href="#opt-serverstransport-disableHTTP2" title="#opt-serverstransport-disableHTTP2">`serverstransport.`<br />`disableHTTP2`</a> | Disables HTTP/2 for connections with servers. | false | No |
 | <a id="opt-serverstransport-peerCertURI" href="#opt-serverstransport-peerCertURI" title="#opt-serverstransport-peerCertURI">`serverstransport.`<br />`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
 | <a id="opt-serverstransport-forwardingTimeouts-dialTimeout" href="#opt-serverstransport-forwardingTimeouts-dialTimeout" title="#opt-serverstransport-forwardingTimeouts-dialTimeout">`serverstransport.`<br />`forwardingTimeouts.dialTimeout`</a> | Amount of time to wait until a connection to a server can be established.<br />Zero means no timeout. | 30s  | No |
 | <a id="opt-serverstransport-forwardingTimeouts-responseHeaderTimeout" href="#opt-serverstransport-forwardingTimeouts-responseHeaderTimeout" title="#opt-serverstransport-forwardingTimeouts-responseHeaderTimeout">`serverstransport.`<br />`forwardingTimeouts.responseHeaderTimeout`</a> | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />Zero means no timeout | 0s  | No |
 | <a id="opt-serverstransport-forwardingTimeouts-idleConnTimeout" href="#opt-serverstransport-forwardingTimeouts-idleConnTimeout" title="#opt-serverstransport-forwardingTimeouts-idleConnTimeout">`serverstransport.`<br />`forwardingTimeouts.idleConnTimeout`</a> | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />Zero means no timeout. | 90s  | No |
+| <a id="opt-serverstransport-forwardingTimeouts-readIdleTimeout" href="#opt-serverstransport-forwardingTimeouts-readIdleTimeout" title="#opt-serverstransport-forwardingTimeouts-readIdleTimeout">`serverstransport.`<br />`forwardingTimeouts.readIdleTimeout`</a> | Timeout after which a health check using a ping frame will be carried out if no frame is received on the HTTP/2 connection.<br />Zero means no timeout. | 0s  | No |
+| <a id="opt-serverstransport-forwardingTimeouts-pingTimeout" href="#opt-serverstransport-forwardingTimeouts-pingTimeout" title="#opt-serverstransport-forwardingTimeouts-pingTimeout">`serverstransport.`<br />`forwardingTimeouts.pingTimeout`</a> | Timeout after which the HTTP/2 connection will be closed if a response to a ping is not received.<br />Zero means no timeout. | 0s  | No |
 | <a id="opt-serverstransport-spiffe-ids" href="#opt-serverstransport-spiffe-ids" title="#opt-serverstransport-spiffe-ids">`serverstransport.`<br />`spiffe.ids`</a> | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. |  | No |
 | <a id="opt-serverstransport-spiffe-trustDomain" href="#opt-serverstransport-spiffe-trustDomain" title="#opt-serverstransport-spiffe-trustDomain">`serverstransport.`<br />`spiffe.trustDomain`</a> | Allow SPIFFE trust domain. | ""  | No |

@@ -93,8 +93,8 @@ spec:
 | <a id="opt-healthCheck-scheme" href="#opt-healthCheck-scheme" title="#opt-healthCheck-scheme">`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
 | <a id="opt-healthCheck-mode" href="#opt-healthCheck-mode" title="#opt-healthCheck-mode">`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                             | "http"                                                               | No       |
 | <a id="opt-healthCheck-path" href="#opt-healthCheck-path" title="#opt-healthCheck-path">`healthCheck.path`</a> | Server URL path for the health check endpoint. <br />The configured path must be relative URL. <br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                             | ""                                                                   | No       |
-| <a id="opt-healthCheck-interval" href="#opt-healthCheck-interval" title="#opt-healthCheck-interval">`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                              | "100ms"                                                              | No       |
-| <a id="opt-healthCheck-unhealthyInterval" href="#opt-healthCheck-unhealthyInterval" title="#opt-healthCheck-unhealthyInterval">`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                | "100ms"                                                              | No       |
+| <a id="opt-healthCheck-interval" href="#opt-healthCheck-interval" title="#opt-healthCheck-interval">`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                              | "30s"                                                                | No       |
+| <a id="opt-healthCheck-unhealthyInterval" href="#opt-healthCheck-unhealthyInterval" title="#opt-healthCheck-unhealthyInterval">`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                | "30s"                                                                | No       |
 | <a id="opt-healthCheck-method" href="#opt-healthCheck-method" title="#opt-healthCheck-method">`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                            | "GET"                                                                | No       |
 | <a id="opt-healthCheck-status" href="#opt-healthCheck-status" title="#opt-healthCheck-status">`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                   |                                                                      | No       |
 | <a id="opt-healthCheck-port" href="#opt-healthCheck-port" title="#opt-healthCheck-port">`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                               |                                                                      | No       |
@@ -103,11 +103,13 @@ spec:
 | <a id="opt-healthCheck-followRedirect" href="#opt-healthCheck-followRedirect" title="#opt-healthCheck-followRedirect">`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                      | true                                                                 | No       |
 | <a id="opt-healthCheck-headers" href="#opt-healthCheck-headers" title="#opt-healthCheck-headers">`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service)).                                                                                                                                                                                                                                                                                                   |                                                                      | No       |
 | <a id="opt-sticky-cookie-name" href="#opt-sticky-cookie-name" title="#opt-sticky-cookie-name">`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind is **Service**. | ""                                                                   | No       |
-| <a id="opt-sticky-cookie-httpOnly" href="#opt-sticky-cookie-httpOnly" title="#opt-sticky-cookie-httpOnly">`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                 | false                                                                | No       |
+| <a id="opt-sticky-cookie-httpOnly" href="#opt-sticky-cookie-httpOnly" title="#opt-sticky-cookie-httpOnly">`sticky.`<br />`cookie.httpOnly`</a> | Prevents client-side APIs, such as JavaScript, from accessing the cookie.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                 | false                                                                | No       |
 | <a id="opt-sticky-cookie-secure" href="#opt-sticky-cookie-secure" title="#opt-sticky-cookie-secure">`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                       | false                                                                | No       |
 | <a id="opt-sticky-cookie-sameSite" href="#opt-sticky-cookie-sameSite" title="#opt-sticky-cookie-sameSite">`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                              | ""                                                                   | No       |
 | <a id="opt-sticky-cookie-maxAge" href="#opt-sticky-cookie-maxAge" title="#opt-sticky-cookie-maxAge">`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                       | 0                                                                    | No       |
-| <a id="opt-strategy" href="#opt-strategy" title="#opt-strategy">`strategy`</a> | Strategy defines the load balancing strategy between the servers.<br />Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                              | "RoundRobin"                                                         | No       |
+| <a id="opt-sticky-cookie-path" href="#opt-sticky-cookie-path" title="#opt-sticky-cookie-path">`sticky.`<br />`cookie.path`</a> | Path that must exist in the requested URL for the browser to send the Cookie header.<br />When not provided the cookie will be sent on every request to the domain.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                       | "/"                                                                  | No       |
+| <a id="opt-sticky-cookie-domain" href="#opt-sticky-cookie-domain" title="#opt-sticky-cookie-domain">`sticky.`<br />`cookie.domain`</a> | Host to which the cookie will be sent.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | ""                                                                   | No       |
+| <a id="opt-strategy" href="#opt-strategy" title="#opt-strategy">`strategy`</a> | Strategy defines the load balancing strategy between the servers.<br />Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                              | "wrr"                                                                | No       |
 | <a id="opt-nativeLB" href="#opt-nativeLB" title="#opt-nativeLB">`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br /> Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                               | false                                                                | No       |
 | <a id="opt-nodePortLB" href="#opt-nodePortLB" title="#opt-nodePortLB">`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                 | false                                                                | No       |

@@ -332,8 +332,8 @@ spec:
 | <a id="opt-servicesm-healthCheck-scheme" href="#opt-servicesm-healthCheck-scheme" title="#opt-servicesm-healthCheck-scheme">`services[m].`<br />`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                        | ""                                                                   | No       |
 | <a id="opt-servicesm-healthCheck-mode" href="#opt-servicesm-healthCheck-mode" title="#opt-servicesm-healthCheck-mode">`services[m].`<br />`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                               | "http"                                                               | No       |
 | <a id="opt-servicesm-healthCheck-path" href="#opt-servicesm-healthCheck-path" title="#opt-servicesm-healthCheck-path">`services[m].`<br />`healthCheck.path`</a> | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                          | ""                                                                   | No       |
-| <a id="opt-servicesm-healthCheck-interval" href="#opt-servicesm-healthCheck-interval" title="#opt-servicesm-healthCheck-interval">`services[m].`<br />`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                  | "100ms"                                                              | No       |
-| <a id="opt-servicesm-healthCheck-unhealthyInterval" href="#opt-servicesm-healthCheck-unhealthyInterval" title="#opt-servicesm-healthCheck-unhealthyInterval">`services[m].`<br />`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                    | "100ms"                                                              | No       |
+| <a id="opt-servicesm-healthCheck-interval" href="#opt-servicesm-healthCheck-interval" title="#opt-servicesm-healthCheck-interval">`services[m].`<br />`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                  | "30s"                                                                | No       |
+| <a id="opt-servicesm-healthCheck-unhealthyInterval" href="#opt-servicesm-healthCheck-unhealthyInterval" title="#opt-servicesm-healthCheck-unhealthyInterval">`services[m].`<br />`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                    | "30s"                                                              | No       |
 | <a id="opt-servicesm-healthCheck-method" href="#opt-servicesm-healthCheck-method" title="#opt-servicesm-healthCheck-method">`services[m].`<br />`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                              | "GET"                                                                | No       |
 | <a id="opt-servicesm-healthCheck-status" href="#opt-servicesm-healthCheck-status" title="#opt-servicesm-healthCheck-status">`services[m].`<br />`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                              |                                                                      | No       |
 | <a id="opt-servicesm-healthCheck-port" href="#opt-servicesm-healthCheck-port" title="#opt-servicesm-healthCheck-port">`services[m].`<br />`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                      | No       |
@@ -346,7 +346,7 @@ spec:
 | <a id="opt-servicesm-sticky-cookie-secure" href="#opt-servicesm-sticky-cookie-secure" title="#opt-servicesm-sticky-cookie-secure">`services[m].`<br />`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | false                                                                | No       |
 | <a id="opt-servicesm-sticky-cookie-sameSite" href="#opt-servicesm-sticky-cookie-sameSite" title="#opt-servicesm-sticky-cookie-sameSite">`services[m].`<br />`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values (case-insensitive):<br />-`none`<br />-`lax`<br />-`strict`<br />-`None`<br />-`Lax`<br />-`Strict`<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                        | ""                                                                   | No       |
 | <a id="opt-servicesm-sticky-cookie-maxAge" href="#opt-servicesm-sticky-cookie-maxAge" title="#opt-servicesm-sticky-cookie-maxAge">`services[m].`<br />`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                  | 0                                                                    | No       |
-| <a id="opt-servicesm-strategy" href="#opt-servicesm-strategy" title="#opt-servicesm-strategy">`services[m].`<br />`strategy`</a> | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | "RoundRobin"                                                         | No       |
+| <a id="opt-servicesm-strategy" href="#opt-servicesm-strategy" title="#opt-servicesm-strategy">`services[m].`<br />`strategy`</a> | Load balancing strategy between the servers.<br />Supported values: `wrr`, `p2c`, `hrw`, `leasttime`.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | "wrr"                                                         | No       |
 | <a id="opt-servicesm-nativeLB" href="#opt-servicesm-nativeLB" title="#opt-servicesm-nativeLB">`services[m].`<br />`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                           | false                                                                | No       |
 | <a id="opt-servicesm-nodePortLB" href="#opt-servicesm-nodePortLB" title="#opt-servicesm-nodePortLB">`services[m].`<br />`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                            | false                                                                | No       |

@@ -415,8 +415,8 @@ spec:
  mirroring:
    name: svc1                      # svc1 receives 100% of the traffic
    port: 80
-    mirrorBody: true                # Set to false by default
-    maxBodySize: 1M
+    mirrorBody: true                # Default: true
+    maxBodySize: 1048576
    mirrors:
      - name: svc2                  # svc2 receives a copy of 20% of this traffic
        port: 80
@@ -66,11 +66,13 @@ spec:
 | <a id="opt-routesn-middlewaresn-namespace" href="#opt-routesn-middlewaresn-namespace" title="#opt-routesn-middlewaresn-namespace">`routes[n].middlewares[n].namespace`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) namespace.                                                                                                                                                                                                                                   | ""| No|
 | <a id="opt-routesn-services" href="#opt-routesn-services" title="#opt-routesn-services">`routes[n].services`</a> | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions.                                                                                                                                                                                  | | No |
 | <a id="opt-routesn-servicesn-name" href="#opt-routesn-servicesn-name" title="#opt-routesn-servicesn-name">`routes[n].services[n].name`</a> | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/).                                                                                                                                                                                | | Yes |
+| <a id="opt-routesn-servicesn-namespace" href="#opt-routesn-servicesn-namespace" title="#opt-routesn-servicesn-namespace">`routes[n].services[n].namespace`</a> | Defines the namespace of the referenced [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/).                                                                                                                                                               | "" | No |
 | <a id="opt-routesn-servicesn-port" href="#opt-routesn-servicesn-port" title="#opt-routesn-servicesn-port">`routes[n].services[n].port`</a> | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.                                                                                                                                       | | Yes |
 | <a id="opt-routesn-servicesn-weight" href="#opt-routesn-servicesn-weight" title="#opt-routesn-servicesn-weight">`routes[n].services[n].weight`</a> | Defines the weight to apply to the server load balancing.                                                                                                                                                                                                                                    | 1 | No |
 | <a id="opt-routesn-servicesn-proxyProtocol" href="#opt-routesn-servicesn-proxyProtocol" title="#opt-routesn-servicesn-proxyProtocol">`routes[n].services[n].proxyProtocol`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) configuration.                                                                                                                                                               |  | No |
 | <a id="opt-routesn-servicesn-proxyProtocol-version" href="#opt-routesn-servicesn-proxyProtocol-version" title="#opt-routesn-servicesn-proxyProtocol-version">`routes[n].services[n].proxyProtocol.version`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) version.                                                                                                                                                                     |  | No |
 | <a id="opt-routesn-servicesn-serversTransport" href="#opt-routesn-servicesn-serversTransport" title="#opt-routesn-servicesn-serversTransport">`routes[n].services[n].serversTransport`</a> | Defines the [ServersTransportTCP](./serverstransporttcp.md).<br />The `ServersTransport` namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace.                                                                    |  | No |
+| <a id="opt-routesn-servicesn-tls" href="#opt-routesn-servicesn-tls" title="#opt-routesn-servicesn-tls">`routes[n].services[n].tls`</a> | Determines whether to use TLS when dialing with the backend.                                                                                                                                                                                                                                 | false | No |
 | <a id="opt-routesn-servicesn-nativeLB" href="#opt-routesn-servicesn-nativeLB" title="#opt-routesn-servicesn-nativeLB">`routes[n].services[n].nativeLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See [here](#nativelb) for more information.                                                                                         | false | No |
 | <a id="opt-routesn-servicesn-nodePortLB" href="#opt-routesn-servicesn-nodePortLB" title="#opt-routesn-servicesn-nodePortLB">`routes[n].services[n].nodePortLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is `NodePort`. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. | false | No |
 | <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | Defines [TLS](../../../../install-configuration/tls/certificate-resolvers/overview.md) certificate configuration.                                                                                                                                                                            |  | No |
@@ -78,6 +80,7 @@ spec:
 | <a id="opt-tls-options" href="#opt-tls-options" title="#opt-tls-options">`tls.options`</a> | Defines the reference to a [TLSOption](../tls/tlsoption.md).                                                                                                                                                                                                                                        | "" | No |
 | <a id="opt-tls-options-name" href="#opt-tls-options-name" title="#opt-tls-options-name">`tls.options.name`</a> | Defines the [TLSOption](../tls/tlsoption.md) name.                                                                                                                                                                                                                                                  | "" | No |
 | <a id="opt-tls-options-namespace" href="#opt-tls-options-namespace" title="#opt-tls-options-namespace">`tls.options.namespace`</a> | Defines the [TLSOption](../tls/tlsoption.md) namespace.                                                                                                                                                                                                                                             | "" | No |
+| <a id="opt-tls-store" href="#opt-tls-store" title="#opt-tls-store">`tls.store`</a> | Defines the reference to a [TLSStore](../tls/tlsstore.md). Note that only the `default` TLSStore can be used.                                                                                                                                                                                       |  | No |
 | <a id="opt-tls-certResolver" href="#opt-tls-certResolver" title="#opt-tls-certResolver">`tls.certResolver`</a> | Defines the reference to a [CertResolver](../../../../install-configuration/tls/certificate-resolvers/overview.md).                                                                                                                                                                          | "" | No |
 | <a id="opt-tls-domains" href="#opt-tls-domains" title="#opt-tls-domains">`tls.domains`</a> | List of domains.                                                                                                                                                                                                                                                                             | "" | No |
 | <a id="opt-tls-domainsn-main" href="#opt-tls-domainsn-main" title="#opt-tls-domainsn-main">`tls.domains[n].main`</a> | Defines the main domain name.                                                                                                                                                                                                                                                                | "" | No |
@@ -107,7 +110,6 @@ Thus, in case of two sides port definition, Traefik expects a match between port
        - foo
      routes:
      - match: Host(`example.net`)
-        kind: Rule
        services:
        - name: external-svc
          port: 80
@@ -139,7 +141,6 @@ Thus, in case of two sides port definition, Traefik expects a match between port
        - foo
      routes:
      - match: Host(`example.net`)
-        kind: Rule
        services:
        - name: external-svc
    ```
@@ -172,7 +173,6 @@ Thus, in case of two sides port definition, Traefik expects a match between port
        - foo
      routes:
      - match: Host(`example.net`)
-        kind: Rule
        services:
        - name: external-svc
          port: 80
@@ -36,7 +36,7 @@ spec:
  entryPoints:
    - web
  routes:
-  - match: Host(`example.com`) && PathPrefix(`/allowlist`)
+  - match: HostSNI(`example.com`)
    kind: Rule
    services:
    - name: whoami
@@ -49,7 +49,8 @@ spec:
 | <a id="opt-tls-serverName" href="#opt-tls-serverName" title="#opt-tls-serverName">`tls.serverName`</a> | ServerName used to contact the server.                                                                                                                                                                                                                                                                                                                                                     | ""      | No       |
 | <a id="opt-tls-insecureSkipVerify" href="#opt-tls-insecureSkipVerify" title="#opt-tls-insecureSkipVerify">`tls.insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified.                                                                                                                                                                                                                                                                                                                 | false   | No       |
 | <a id="opt-tls-peerCertURI" href="#opt-tls-peerCertURI" title="#opt-tls-peerCertURI">`tls.peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification.                                                                                                                                                                                                                                                                                               | ""      | No       |
-| <a id="opt-tls-rootCAsSecrets" href="#opt-tls-rootCAsSecrets" title="#opt-tls-rootCAsSecrets">`tls.rootCAsSecrets`</a> | Defines the set of root certificate authorities to use when verifying server certificates.<br />The CA secret must contain a base64 encoded certificate under either a `tls.ca` or a `ca.crt` key.                                                                                                                                                                                         | ""      | No       |
+| <a id="opt-tls-rootCAs" href="#opt-tls-rootCAs" title="#opt-tls-rootCAs">`tls.rootCAs`</a> | Defines a list of CA certificate Secrets or ConfigMaps used to validate server certificates.<br />Each entry can reference either a Secret (`secret`) or a ConfigMap (`configMap`) by name. The referenced resource must contain a certificate under either a `tls.ca` or a `ca.crt` key.                                                                                                  |         | No       |
+| <a id="opt-tls-rootCAsSecrets" href="#opt-tls-rootCAsSecrets" title="#opt-tls-rootCAsSecrets">`tls.rootCAsSecrets`</a> | **Deprecated: use `tls.rootCAs` instead.** Defines the set of root certificate authorities to use when verifying server certificates.<br />The CA secret must contain a base64 encoded certificate under either a `tls.ca` or a `ca.crt` key.                                                                                                                                             | ""      | No       |
 | <a id="opt-tls-certificatesSecrets" href="#opt-tls-certificatesSecrets" title="#opt-tls-certificatesSecrets">`tls.certificatesSecrets`</a> | Certificates to present to the server for mTLS.                                                                                                                                                                                                                                                                                                                                            | ""      | No       |
 | <a id="opt-spiffe" href="#opt-spiffe" title="#opt-spiffe">`spiffe`</a> | Configures [SPIFFE](../../../../install-configuration/tls/spiffe.md) options.                                                                                                                                                                                                                                                                                                              | ""      | No       |
 | <a id="opt-spiffe-ids" href="#opt-spiffe-ids" title="#opt-spiffe-ids">`spiffe.ids`</a> | Defines the allowed SPIFFE IDs. This takes precedence over the SPIFFE `trustDomain`.                                                                                                                                                                                                                                                                                                       | ""      | No       |
@@ -56,7 +56,7 @@ spec:
 | <a id="opt-clientAuth-clientAuthType" href="#opt-clientAuth-clientAuthType" title="#opt-clientAuth-clientAuthType">`clientAuth.clientAuthType`</a> | Client Authentication (mTLS) option.<br />Client authentication type to apply. Available values [here](#client-authentication-mtls).                                                                                                                                                                                                                                                                     |                            | No       |
 | <a id="opt-sniStrict" href="#opt-sniStrict" title="#opt-sniStrict">`sniStrict`</a> | Allow rejecting connections from clients connections that do not specify a server_name extension.<br />The [default certificate](../../../http/tls/tls-certificates.md#default-certificate) is never served is the option is enabled.                                                                                                                                                                    | false                      | No       |
 | <a id="opt-alpnProtocols" href="#opt-alpnProtocols" title="#opt-alpnProtocols">`alpnProtocols`</a> | List of supported application level protocols for the TLS handshake, in order of preference.<br />If the client supports ALPN, the selected protocol will be one from this list, and the connection will fail if there is no mutually supported protocol.                                                                                                                                                | "h2, http/1.1, acme-tls/1" | No       |
-| <a id="opt-disableSessiontTickets" href="#opt-disableSessiontTickets" title="#opt-disableSessiontTickets">`disableSessiontTickets`</a> | Allow disabling the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions.                                                                                                                                                                                                                                                                           | false                      | No       |
+| <a id="opt-disableSessionTickets" href="#opt-disableSessionTickets" title="#opt-disableSessionTickets">`disableSessionTickets`</a> | Allow disabling the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions.                                                                                                                                                                                                                                                                           | false                      | No       |

 ### Client Authentication (mTLS)

@@ -35,7 +35,7 @@ spec:
 | <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | List of entrypoints names.  | | No |
 | <a id="opt-routes" href="#opt-routes" title="#opt-routes">` routes `</a> | List of routes.  | | Yes |
 | <a id="opt-routesn-services" href="#opt-routesn-services" title="#opt-routesn-services">`routes[n].services`</a> | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. See [here](#externalname-service) for `ExternalName Service` setup. | | No |
-| <a id="opt-servicesn-name" href="#opt-servicesn-name" title="#opt-servicesn-name">`services[n].name`</a> | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). |  | Yes |
+| <a id="opt-routesn-servicesn-name" href="#opt-routesn-servicesn-name" title="#opt-routesn-servicesn-name">`routes[n].services[n].name`</a> | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). |  | Yes |
 | <a id="opt-routesn-servicesn-port" href="#opt-routesn-servicesn-port" title="#opt-routesn-servicesn-port">`routes[n].services[n].port`</a> | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.|  | Yes |
 | <a id="opt-routesn-servicesn-weight" href="#opt-routesn-servicesn-weight" title="#opt-routesn-servicesn-weight">`routes[n].services[n].weight`</a> | Defines the weight to apply to the server load balancing. | 1 | No |
 | <a id="opt-routesn-servicesn-nativeLB" href="#opt-routesn-servicesn-nativeLB" title="#opt-routesn-servicesn-nativeLB">`routes[n].services[n].nativeLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. | false | No |
@@ -63,9 +63,7 @@ Thus, in case of two sides port definition, Traefik expects a match between port
      entryPoints:
        - foo
      routes:
-      - match: Host(`example.net`)
-        kind: Rule
-        services:
+      - services:
        - name: external-svc
          port: 80
    ```
@@ -95,9 +93,7 @@ Thus, in case of two sides port definition, Traefik expects a match between port
      entryPoints:
        - foo
      routes:
-      - match: Host(`example.net`)
-        kind: Rule
-        services:
+      - services:
        - name: external-svc
    ```

@@ -128,9 +124,7 @@ Thus, in case of two sides port definition, Traefik expects a match between port
      entryPoints:
        - foo
      routes:
-      - match: Host(`example.net`)
-        kind: Rule
-        services:
+      - services:
        - name: external-svc
          port: 80
    ```
@@ -292,7 +292,7 @@ There are three types of filters:

 !!! info "ExtensionRef Filters"

-    To use Traefik middlewares as `ExtensionRef` filters, the Kubernetes IngressRoute provider must be enabled in the static configuration, as detailed in the [documentation](../../install-configuration/providers/kubernetes/kubernetes-ingress.md). 
+    To use Traefik middlewares as `ExtensionRef` filters, the Kubernetes CRD provider must be enabled in the static configuration, as detailed in the [documentation](../../install-configuration/providers/kubernetes/kubernetes-crd.md). 

 For example, the following manifests configure an `HTTPRoute` using the Traefik `AddPrefix` middleware, 
 reachable through the [deployed `Gateway`](#deploying-a-gateway) at the `http://whoami.localhost` address:
@@ -270,7 +270,7 @@ The following annotations are organized by category for easier navigation.
 | <a id="opt-nginx-ingress-kubernetes-ioauth-secret-type" href="#opt-nginx-ingress-kubernetes-ioauth-secret-type" title="#opt-nginx-ingress-kubernetes-ioauth-secret-type">`nginx.ingress.kubernetes.io/auth-secret-type`</a> |                                                                                            |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-realm" href="#opt-nginx-ingress-kubernetes-ioauth-realm" title="#opt-nginx-ingress-kubernetes-ioauth-realm">`nginx.ingress.kubernetes.io/auth-realm`</a> |                                                                                            |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-url" href="#opt-nginx-ingress-kubernetes-ioauth-url" title="#opt-nginx-ingress-kubernetes-ioauth-url">`nginx.ingress.kubernetes.io/auth-url`</a> | Only URL and response headers copy supported. Forward auth behaves differently than NGINX. |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-method" href="#opt-nginx-ingress-kubernetes-ioauth-method" title="#opt-nginx-ingress-kubernetes-ioauth-method">`nginx.ingress.kubernetes.io/auth-method`</a> |                                                                                            |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-method" href="#opt-nginx-ingress-kubernetes-ioauth-method" title="#opt-nginx-ingress-kubernetes-ioauth-method">`nginx.ingress.kubernetes.io/auth-method`</a> | Not implemented; silently ignored.                                                         |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-response-headers" href="#opt-nginx-ingress-kubernetes-ioauth-response-headers" title="#opt-nginx-ingress-kubernetes-ioauth-response-headers">`nginx.ingress.kubernetes.io/auth-response-headers`</a> |                                                                                            |

 ### SSL/TLS
@@ -290,7 +290,7 @@ The following annotations are organized by category for easier navigation.
 | Annotation                                            | Limitations / Notes                                                                        |
 |-------------------------------------------------------|--------------------------------------------------------------------------------------------|
 | <a id="opt-nginx-ingress-kubernetes-ioaffinity" href="#opt-nginx-ingress-kubernetes-ioaffinity" title="#opt-nginx-ingress-kubernetes-ioaffinity">`nginx.ingress.kubernetes.io/affinity`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioaffinity-mode" href="#opt-nginx-ingress-kubernetes-ioaffinity-mode" title="#opt-nginx-ingress-kubernetes-ioaffinity-mode">`nginx.ingress.kubernetes.io/affinity-mode`</a> | Only persistent mode supported; balanced/canary not supported.                             |
+| <a id="opt-nginx-ingress-kubernetes-ioaffinity-mode" href="#opt-nginx-ingress-kubernetes-ioaffinity-mode" title="#opt-nginx-ingress-kubernetes-ioaffinity-mode">`nginx.ingress.kubernetes.io/affinity-mode`</a> | Not implemented; silently ignored.                                                         |
 | <a id="opt-nginx-ingress-kubernetes-iosession-cookie-name" href="#opt-nginx-ingress-kubernetes-iosession-cookie-name" title="#opt-nginx-ingress-kubernetes-iosession-cookie-name">`nginx.ingress.kubernetes.io/session-cookie-name`</a> |                                                                                            |
 | <a id="opt-nginx-ingress-kubernetes-iosession-cookie-secure" href="#opt-nginx-ingress-kubernetes-iosession-cookie-secure" title="#opt-nginx-ingress-kubernetes-iosession-cookie-secure">`nginx.ingress.kubernetes.io/session-cookie-secure`</a> |                                                                                            |
 | <a id="opt-nginx-ingress-kubernetes-iosession-cookie-path" href="#opt-nginx-ingress-kubernetes-iosession-cookie-path" title="#opt-nginx-ingress-kubernetes-iosession-cookie-path">`nginx.ingress.kubernetes.io/session-cookie-path`</a> |                                                                                            |
@@ -302,7 +302,7 @@ The following annotations are organized by category for easier navigation.

 | Annotation                                            | Limitations / Notes                                                                        |
 |-------------------------------------------------------|--------------------------------------------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-ioload-balance" href="#opt-nginx-ingress-kubernetes-ioload-balance" title="#opt-nginx-ingress-kubernetes-ioload-balance">`nginx.ingress.kubernetes.io/load-balance`</a> | Only round_robin supported; ewma and IP hash not supported.                                |
+| <a id="opt-nginx-ingress-kubernetes-ioload-balance" href="#opt-nginx-ingress-kubernetes-ioload-balance" title="#opt-nginx-ingress-kubernetes-ioload-balance">`nginx.ingress.kubernetes.io/load-balance`</a> | Not implemented; silently ignored.                                                         |
 | <a id="opt-nginx-ingress-kubernetes-iobackend-protocol" href="#opt-nginx-ingress-kubernetes-iobackend-protocol" title="#opt-nginx-ingress-kubernetes-iobackend-protocol">`nginx.ingress.kubernetes.io/backend-protocol`</a> | FCGI and AUTO_HTTP not supported.                                                          |
 | <a id="opt-nginx-ingress-kubernetes-ioservice-upstream" href="#opt-nginx-ingress-kubernetes-ioservice-upstream" title="#opt-nginx-ingress-kubernetes-ioservice-upstream">`nginx.ingress.kubernetes.io/service-upstream`</a> |                                                                                            |

@@ -66,6 +66,7 @@ spec:
 | <a id="opt-traefik-ingress-kubernetes-iorouter-observability-accesslogs" href="#opt-traefik-ingress-kubernetes-iorouter-observability-accesslogs" title="#opt-traefik-ingress-kubernetes-iorouter-observability-accesslogs">`traefik.ingress.kubernetes.io/router.observability.accesslogs`</a> | Controls whether the router produces access logs.<br/>See [observability](../http/routing/observability.md) for more information. | `true` |
 | <a id="opt-traefik-ingress-kubernetes-iorouter-observability-metrics" href="#opt-traefik-ingress-kubernetes-iorouter-observability-metrics" title="#opt-traefik-ingress-kubernetes-iorouter-observability-metrics">`traefik.ingress.kubernetes.io/router.observability.metrics`</a> | Controls whether the router produces metrics.<br/>See [observability](../http/routing/observability.md) for more information. | `true` |
 | <a id="opt-traefik-ingress-kubernetes-iorouter-observability-tracing" href="#opt-traefik-ingress-kubernetes-iorouter-observability-tracing" title="#opt-traefik-ingress-kubernetes-iorouter-observability-tracing">`traefik.ingress.kubernetes.io/router.observability.tracing`</a> | Controls whether the router produces traces.<br/>See [observability](../http/routing/observability.md) for more information. | `true` |
+| <a id="opt-traefik-ingress-kubernetes-iorouter-observability-traceVerbosity" href="#opt-traefik-ingress-kubernetes-iorouter-observability-traceVerbosity" title="#opt-traefik-ingress-kubernetes-iorouter-observability-traceVerbosity">`traefik.ingress.kubernetes.io/router.observability.traceVerbosity`</a> | Defines the verbosity level of tracing for the router.<br/>Valid values: `minimal`, `detailed`.<br/>Default: `minimal`.<br/>See [observability](../http/routing/observability.md) for more information. | `detailed` |

 ### On Service

@@ -114,7 +114,7 @@ The Service automatically gets a server per instance in this consul Catalog serv

 ### Routers

-To update the configuration of the Router automatically attached to the service, add tags starting with `traefik.routers.{name-of-your-choice}.` and followed by the option you want to change.
+To update the configuration of the Router automatically attached to the service, add tags starting with `traefik.http.routers.{name-of-your-choice}.` and followed by the option you want to change.

 For example, to change the rule, you could add the tag ```traefik.http.routers.my-service.rule=Host(`example.com`)```.

@@ -255,7 +255,7 @@ More information about available middlewares in the dedicated [middlewares secti
    ```yaml
    # ...
    # Declaring a middleware
-    traefik.tcp.middlewares.test-inflightconn.amount=10
+    traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10
    # Referencing a middleware
    traefik.tcp.routers.my-service.middlewares=test-inflightconn
    ```
@@ -294,7 +294,7 @@ More information about available middlewares in the dedicated [middlewares secti
    ```yaml
    # ...
    # Declaring a middleware
-    traefik.tcp.middlewares.test-inflightconn.amount=10
+    traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10
    # Referencing a middleware
    traefik.tcp.routers.my-service.middlewares=test-inflightconn
    ```
@@ -250,7 +250,6 @@ You can declare TCP Routers and/or Services using labels.
 |------|-------------|-------|
 | <a id="opt-traefik-tcp-services-service-name-loadbalancer-server-port" href="#opt-traefik-tcp-services-service-name-loadbalancer-server-port" title="#opt-traefik-tcp-services-service-name-loadbalancer-server-port">`traefik.tcp.services.<service_name>.loadbalancer.server.port`</a> | Registers a port of the application. | `423` |
 | <a id="opt-traefik-tcp-services-service-name-loadbalancer-server-tls" href="#opt-traefik-tcp-services-service-name-loadbalancer-server-tls" title="#opt-traefik-tcp-services-service-name-loadbalancer-server-tls">`traefik.tcp.services.<service_name>.loadbalancer.server.tls`</a> | Determines whether to use TLS when dialing with the backend. | `true` |
-| <a id="opt-traefik-tcp-services-service-name-loadbalancer-server-weight" href="#opt-traefik-tcp-services-service-name-loadbalancer-server-weight" title="#opt-traefik-tcp-services-service-name-loadbalancer-server-weight">`traefik.tcp.services.<service_name>.loadbalancer.server.weight`</a> | Overrides the default weight. | `42` |
 | <a id="opt-traefik-tcp-services-service-name-loadbalancer-serverstransport" href="#opt-traefik-tcp-services-service-name-loadbalancer-serverstransport" title="#opt-traefik-tcp-services-service-name-loadbalancer-serverstransport">`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`</a> | Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.<br/>See [serverstransport](../tcp/serverstransport.md) for more information. | `foobar@file` |

 ### UDP
@@ -282,7 +281,7 @@ More information about available middlewares in the dedicated [middlewares secti
    ```yaml
    # ...
    # Declaring a middleware
-    traefik.tcp.middlewares.test-inflightconn.amount=10
+    traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10
    # Referencing a middleware
    traefik.tcp.routers.my-service.middlewares=test-inflightconn
    ```
@@ -287,9 +287,6 @@ Define HTTP services under `http.services.<service_name>`.
 | <a id="opt-http-services-service-name-failover-service" href="#opt-http-services-service-name-failover-service" title="#opt-http-services-service-name-failover-service">`http.services.<service_name>.failover.service`</a> | See [failover](../http/load-balancing/service.md#failover) for more information. | `app-main` |
 | <a id="opt-http-services-service-name-failover-fallback" href="#opt-http-services-service-name-failover-fallback" title="#opt-http-services-service-name-failover-fallback">`http.services.<service_name>.failover.fallback`</a> | See [failover](../http/load-balancing/service.md#failover) for more information. | `app-backup` |
 | <a id="opt-http-services-service-name-failover-healthCheck" href="#opt-http-services-service-name-failover-healthCheck" title="#opt-http-services-service-name-failover-healthCheck">`http.services.<service_name>.failover.healthCheck`</a> | See [failover](../http/load-balancing/service.md#failover) for more information. | `{}` |
-| <a id="opt-http-services-service-name-failover-errors-maxRequestBodyBytes" href="#opt-http-services-service-name-failover-errors-maxRequestBodyBytes" title="#opt-http-services-service-name-failover-errors-maxRequestBodyBytes">`http.services.<service_name>.failover.errors.maxRequestBodyBytes`</a> | See [failover errors](../http/load-balancing/service.md#errors) for more information. | `1048576` |
-| <a id="opt-http-services-service-name-failover-errors-statusn" href="#opt-http-services-service-name-failover-errors-statusn" title="#opt-http-services-service-name-failover-errors-statusn">`http.services.<service_name>.failover.errors.status[n]`</a> | See [failover errors](../http/load-balancing/service.md#errors) for more information. | `500-599` |
-| <a id="opt-http-services-service-name-middlewaresn" href="#opt-http-services-service-name-middlewaresn" title="#opt-http-services-service-name-middlewaresn">`http.services.<service_name>.middlewares[n]`</a> | Adds middlewares to the service. | `service-ratelimit` |

 #### Middlewares

@@ -438,7 +435,7 @@ You can declare TLS certificates, options, and stores with the file provider.
 | <a id="opt-tls-options-options-name-sniStrict" href="#opt-tls-options-options-name-sniStrict" title="#opt-tls-options-options-name-sniStrict">`tls.options.<options_name>.sniStrict`</a> | See [strict SNI checking](../http/tls/tls-options.md#strict-sni-checking) for more information. | `true` |
 | <a id="opt-tls-options-options-name-alpnProtocolsn" href="#opt-tls-options-options-name-alpnProtocolsn" title="#opt-tls-options-options-name-alpnProtocolsn">`tls.options.<options_name>.alpnProtocols[n]`</a> | See [TLS options](../http/tls/tls-options.md) for more information. | `h2` |
 | <a id="opt-tls-options-options-name-disableSessionTickets" href="#opt-tls-options-options-name-disableSessionTickets" title="#opt-tls-options-options-name-disableSessionTickets">`tls.options.<options_name>.disableSessionTickets`</a> | See [TLS options](../http/tls/tls-options.md) for more information. | `true` |
-| <a id="opt-tls-options-options-name-preferServerCipherSuites" href="#opt-tls-options-options-name-preferServerCipherSuites" title="#opt-tls-options-options-name-preferServerCipherSuites">`tls.options.<options_name>.preferServerCipherSuites`</a> | See [TLS options](../http/tls/tls-options.md) for more information. | `true` |
+| <a id="opt-tls-options-options-name-preferServerCipherSuites" href="#opt-tls-options-options-name-preferServerCipherSuites" title="#opt-tls-options-options-name-preferServerCipherSuites">`tls.options.<options_name>.preferServerCipherSuites`</a> | **Deprecated:** This option is no longer effective and will be ignored by the Go TLS stack. See [TLS options](../http/tls/tls-options.md) for more information. | `true` |

 #### TLS Stores

@@ -97,29 +97,29 @@ description: "Read the technical documentation to learn the Traefik Routing Conf

 !!! warning "The character `@` is not authorized in the service name `<service_name>`."

-| Key (Path)                                                      | Description                                                      |  Value                                   |
-|-----------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerservers0url" href="#opt-traefikhttpservicesmyserviceloadbalancerservers0url" title="#opt-traefikhttpservicesmyserviceloadbalancerservers0url">`traefik/http/services/myservice/loadbalancer/servers/0/url`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `http://<ip-server-1>:<port-server-1>/` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerservers0preservePath" href="#opt-traefikhttpservicesmyserviceloadbalancerservers0preservePath" title="#opt-traefikhttpservicesmyserviceloadbalancerservers0preservePath">`traefik/http/services/myservice/loadbalancer/servers/0/preservePath`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `true` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerservers0weight" href="#opt-traefikhttpservicesmyserviceloadbalancerservers0weight" title="#opt-traefikhttpservicesmyserviceloadbalancerservers0weight">`traefik/http/services/myservice/loadbalancer/servers/0/weight`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `1` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerserverstransport" href="#opt-traefikhttpservicesmyserviceloadbalancerserverstransport" title="#opt-traefikhttpservicesmyserviceloadbalancerserverstransport">`traefik/http/services/myservice/loadbalancer/serverstransport`</a> | Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.<br/> See [serverstransport](../http/load-balancing/serverstransport.md) for more information. | `foobar@file` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerpasshostheader" href="#opt-traefikhttpservicesmyserviceloadbalancerpasshostheader" title="#opt-traefikhttpservicesmyserviceloadbalancerpasshostheader">`traefik/http/services/myservice/loadbalancer/passhostheader`</a> | See [Service](../http/load-balancing/service.md) for more information. | `true` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerhealthcheckheadersX-Foo" href="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckheadersX-Foo" title="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckheadersX-Foo">`traefik/http/services/myservice/loadbalancer/healthcheck/headers/X-Foo`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `foobar` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerhealthcheckhostname" href="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckhostname" title="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckhostname">`traefik/http/services/myservice/loadbalancer/healthcheck/hostname`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `example.org` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerhealthcheckinterval" href="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckinterval" title="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckinterval">`traefik/http/services/myservice/loadbalancer/healthcheck/interval`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `10`  |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerhealthcheckpath" href="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckpath" title="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckpath">`traefik/http/services/myservice/loadbalancer/healthcheck/path`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `/foo` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerhealthcheckmethod" href="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckmethod" title="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckmethod">`traefik/http/services/myservice/loadbalancer/healthcheck/method`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `foobar` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerhealthcheckstatus" href="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckstatus" title="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckstatus">`traefik/http/services/myservice/loadbalancer/healthcheck/status`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `42`  |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerhealthcheckport" href="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckport" title="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckport">`traefik/http/services/myservice/loadbalancer/healthcheck/port`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `42`  |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerhealthcheckscheme" href="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckscheme" title="#opt-traefikhttpservicesmyserviceloadbalancerhealthcheckscheme">`traefik/http/services/myservice/loadbalancer/healthcheck/scheme`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `http` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerhealthchecktimeout" href="#opt-traefikhttpservicesmyserviceloadbalancerhealthchecktimeout" title="#opt-traefikhttpservicesmyserviceloadbalancerhealthchecktimeout">`traefik/http/services/myservice/loadbalancer/healthcheck/timeout`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `10`  |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancersticky" href="#opt-traefikhttpservicesmyserviceloadbalancersticky" title="#opt-traefikhttpservicesmyserviceloadbalancersticky">`traefik/http/services/myservice/loadbalancer/sticky`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerstickycookiehttponly" href="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiehttponly" title="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiehttponly">`traefik/http/services/myservice/loadbalancer/sticky/cookie/httponly`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerstickycookiename" href="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiename" title="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiename">`traefik/http/services/myservice/loadbalancer/sticky/cookie/name`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `foobar` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerstickycookiepath" href="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiepath" title="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiepath">`traefik/http/services/myservice/loadbalancer/sticky/cookie/path`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `/foobar` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerstickycookiesecure" href="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiesecure" title="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiesecure">`traefik/http/services/myservice/loadbalancer/sticky/cookie/secure`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerstickycookiesamesite" href="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiesamesite" title="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiesamesite">`traefik/http/services/myservice/loadbalancer/sticky/cookie/samesite`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `none` |
-| <a id="opt-traefikhttpservicesmyserviceloadbalancerstickycookiemaxage" href="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiemaxage" title="#opt-traefikhttpservicesmyserviceloadbalancerstickycookiemaxage">`traefik/http/services/myservice/loadbalancer/sticky/cookie/maxage`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `42`  |
+| Key (Path)                                                                                                                                                                                                                                                                                                                                       | Description                                                      |  Value                                   |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerservers0url" href="#opt-traefikhttpservicesservice-nameloadbalancerservers0url" title="#opt-traefikhttpservicesservice-nameloadbalancerservers0url">`traefik/http/services/<service_name>/loadbalancer/servers/0/url`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `http://<ip-server-1>:<port-server-1>/` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerservers0preservePath" href="#opt-traefikhttpservicesservice-nameloadbalancerservers0preservePath" title="#opt-traefikhttpservicesservice-nameloadbalancerservers0preservePath">`traefik/http/services/<service_name>/loadbalancer/servers/0/preservePath`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `true` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerservers0weight" href="#opt-traefikhttpservicesservice-nameloadbalancerservers0weight" title="#opt-traefikhttpservicesservice-nameloadbalancerservers0weight">`traefik/http/services/<service_name>/loadbalancer/servers/0/weight`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `1` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerserverstransport" href="#opt-traefikhttpservicesservice-nameloadbalancerserverstransport" title="#opt-traefikhttpservicesservice-nameloadbalancerserverstransport">`traefik/http/services/<service_name>/loadbalancer/serverstransport`</a> | Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.<br/> See [serverstransport](../http/load-balancing/serverstransport.md) for more information. | `foobar@file` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerpasshostheader" href="#opt-traefikhttpservicesservice-nameloadbalancerpasshostheader" title="#opt-traefikhttpservicesservice-nameloadbalancerpasshostheader">`traefik/http/services/<service_name>/loadbalancer/passhostheader`</a> | See [Service](../http/load-balancing/service.md) for more information. | `true` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerhealthcheckheadersX-Foo" href="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckheadersX-Foo" title="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckheadersX-Foo">`traefik/http/services/<service_name>/loadbalancer/healthcheck/headers/X-Foo`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `foobar` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerhealthcheckhostname" href="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckhostname" title="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckhostname">`traefik/http/services/<service_name>/loadbalancer/healthcheck/hostname`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `example.org` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerhealthcheckinterval" href="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckinterval" title="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckinterval">`traefik/http/services/<service_name>/loadbalancer/healthcheck/interval`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `10`  |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerhealthcheckpath" href="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckpath" title="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckpath">`traefik/http/services/<service_name>/loadbalancer/healthcheck/path`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `/foo` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerhealthcheckmethod" href="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckmethod" title="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckmethod">`traefik/http/services/<service_name>/loadbalancer/healthcheck/method`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `foobar` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerhealthcheckstatus" href="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckstatus" title="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckstatus">`traefik/http/services/<service_name>/loadbalancer/healthcheck/status`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `42`  |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerhealthcheckport" href="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckport" title="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckport">`traefik/http/services/<service_name>/loadbalancer/healthcheck/port`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `42`  |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerhealthcheckscheme" href="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckscheme" title="#opt-traefikhttpservicesservice-nameloadbalancerhealthcheckscheme">`traefik/http/services/<service_name>/loadbalancer/healthcheck/scheme`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `http` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerhealthchecktimeout" href="#opt-traefikhttpservicesservice-nameloadbalancerhealthchecktimeout" title="#opt-traefikhttpservicesservice-nameloadbalancerhealthchecktimeout">`traefik/http/services/<service_name>/loadbalancer/healthcheck/timeout`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `10`  |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancersticky" href="#opt-traefikhttpservicesservice-nameloadbalancersticky" title="#opt-traefikhttpservicesservice-nameloadbalancersticky">`traefik/http/services/<service_name>/loadbalancer/sticky`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerstickycookiehttponly" href="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiehttponly" title="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiehttponly">`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/httponly`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerstickycookiename" href="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiename" title="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiename">`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/name`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `foobar` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerstickycookiepath" href="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiepath" title="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiepath">`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/path`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `/foobar` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerstickycookiesecure" href="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiesecure" title="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiesecure">`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/secure`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `true` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerstickycookiesamesite" href="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiesamesite" title="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiesamesite">`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/samesite`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `none` |
+| <a id="opt-traefikhttpservicesservice-nameloadbalancerstickycookiemaxage" href="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiemaxage" title="#opt-traefikhttpservicesservice-nameloadbalancerstickycookiemaxage">`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/maxage`</a> | See [Service](../http/load-balancing/service.md#sticky-sessions) for more information. | `42`  |
 | <a id="opt-traefikhttpservicesmyserviceloadbalancerresponseforwardingflushinterval" href="#opt-traefikhttpservicesmyserviceloadbalancerresponseforwardingflushinterval" title="#opt-traefikhttpservicesmyserviceloadbalancerresponseforwardingflushinterval">`traefik/http/services/myservice/loadbalancer/responseforwarding/flushinterval`</a> | See [Service](../http/load-balancing/service.md) for more information. | `10`  |
 | <a id="opt-traefikhttpservicesservice-namemirroringservice" href="#opt-traefikhttpservicesservice-namemirroringservice" title="#opt-traefikhttpservicesservice-namemirroringservice">`traefik/http/services/<service_name>/mirroring/service`</a> | See [Service](../http/load-balancing/service.md#mirroring) for more information. | `foobar` |
 | <a id="opt-traefikhttpservicesservice-namemirroringmirrorsnname" href="#opt-traefikhttpservicesservice-namemirroringmirrorsnname" title="#opt-traefikhttpservicesservice-namemirroringmirrorsnname">`traefik/http/services/<service_name>/mirroring/mirrors/<n>/name`</a> | See [Service](../http/load-balancing/service.md#mirroring) for more information. | `foobar` |
@@ -139,9 +139,9 @@ description: "Read the technical documentation to learn the Traefik Routing Conf

 ##### Configuration Options

-| Key (Path)                                                      | Description                                                      |  Value                                   |
-|-----------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
-| <a id="opt-traefikhttpmiddlewaresmymiddlewaremiddleware-typemiddleware-option" href="#opt-traefikhttpmiddlewaresmymiddlewaremiddleware-typemiddleware-option" title="#opt-traefikhttpmiddlewaresmymiddlewaremiddleware-typemiddleware-option">`traefik/http/middlewares/mymiddleware/middleware_type/middleware_option`</a> | With `middleware_type` the type of middleware (ex: `forwardAuth`, `headers`, etc)<br/>and `middleware_option` the middleware option to set (ex for the middleware `addPrefix`: `prefix`).<br/> More information about available middlewares in the dedicated [middlewares section](../http/middlewares/overview.md). | `foobar` |
+| Key (Path)                                                                                                                                                                                                                                                                                                                       | Description                                                      |  Value                                   |
+|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
+| <a id="opt-traefikhttpmiddlewaresmiddleware-namemiddleware-typemiddleware-option" href="#opt-traefikhttpmiddlewaresmiddleware-namemiddleware-typemiddleware-option" title="#opt-traefikhttpmiddlewaresmiddleware-namemiddleware-typemiddleware-option">`traefik/http/middlewares/<middleware_name>/middleware_type/middleware_option`</a> | With `middleware_type` the type of middleware (ex: `forwardAuth`, `headers`, etc)<br/>and `middleware_option` the middleware option to set (ex for the middleware `addPrefix`: `prefix`).<br/> More information about available middlewares in the dedicated [middlewares section](../http/middlewares/overview.md). | `foobar` |

 !!! warning "The character `@` is not authorized in the middleware name."

@@ -153,9 +153,9 @@ description: "Read the technical documentation to learn the Traefik Routing Conf

 ##### Configuration Options

-| Key (Path)                                                      | Description                                                      |  Value                                   |
-|-----------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
-| <a id="opt-traefikhttpserversTransportsserversTransportNamest-option" href="#opt-traefikhttpserversTransportsserversTransportNamest-option" title="#opt-traefikhttpserversTransportsserversTransportNamest-option">`traefik/http/serversTransports/<serversTransportName>/st_option`</a> | With  `st_option` the ServerTransport option to set (ex `maxIdleConnsPerHost`).<br/> More information about available options in the dedicated [ServerTransport section](../http/load-balancing/serverstransport.md). | ServerTransport Options |
+| Key (Path)                                                                                                                                                                                                                                                                                 | Description                                                      |  Value                                   |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
+| <a id="opt-traefikhttpserversTransportsservers-transport-namest-option" href="#opt-traefikhttpserversTransportsservers-transport-namest-option" title="#opt-traefikhttpserversTransportsservers-transport-namest-option">`traefik/http/serversTransports/<servers_transport_name>/st_option`</a> | With  `st_option` the ServerTransport option to set (ex `maxIdleConnsPerHost`).<br/> More information about available options in the dedicated [ServerTransport section](../http/load-balancing/serverstransport.md). | ServerTransport Options |

 ### TCP

@@ -163,28 +163,28 @@ You can declare TCP Routers and/or Services using KV.

 #### Routers

-| Key (Path)                                      |  Description | Value |
-|-------------------------------------------------|-------------------------------------------------|-------|
-| <a id="opt-traefiktcproutersmytcprouterentrypoints0" href="#opt-traefiktcproutersmytcprouterentrypoints0" title="#opt-traefiktcproutersmytcprouterentrypoints0">`traefik/tcp/routers/mytcprouter/entrypoints/0`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | `ep1` |
-| <a id="opt-traefiktcproutersmytcprouterentrypoints1" href="#opt-traefiktcproutersmytcprouterentrypoints1" title="#opt-traefiktcproutersmytcprouterentrypoints1">`traefik/tcp/routers/mytcprouter/entrypoints/1`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | `ep2` |
+| Key (Path)                                                                                                                                                                                                                               |  Description | Value |
+|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------|-------|
+| <a id="opt-traefiktcproutersrouter-nameentrypoints0" href="#opt-traefiktcproutersrouter-nameentrypoints0" title="#opt-traefiktcproutersrouter-nameentrypoints0">`traefik/tcp/routers/<router_name>/entrypoints/0`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | `ep1` |
+| <a id="opt-traefiktcproutersrouter-nameentrypoints1" href="#opt-traefiktcproutersrouter-nameentrypoints1" title="#opt-traefiktcproutersrouter-nameentrypoints1">`traefik/tcp/routers/<router_name>/entrypoints/1`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | `ep2` |
 | <a id="opt-traefiktcproutersmy-routerrule" href="#opt-traefiktcproutersmy-routerrule" title="#opt-traefiktcproutersmy-routerrule">`traefik/tcp/routers/my-router/rule`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | ```HostSNI(`example.com`)``` |
-| <a id="opt-traefiktcproutersmytcprouterservice" href="#opt-traefiktcproutersmytcprouterservice" title="#opt-traefiktcproutersmytcprouterservice">`traefik/tcp/routers/mytcprouter/service`</a> | See [service](../tcp/service.md) for more information. | `myservice` |
-| <a id="opt-traefiktcproutersmytcproutertls" href="#opt-traefiktcproutersmytcproutertls" title="#opt-traefiktcproutersmytcproutertls">`traefik/tcp/routers/mytcprouter/tls`</a> | See [TLS](../tcp/tls.md) for more information. | `true` |
-| <a id="opt-traefiktcproutersmytcproutertlscertresolver" href="#opt-traefiktcproutersmytcproutertlscertresolver" title="#opt-traefiktcproutersmytcproutertlscertresolver">`traefik/tcp/routers/mytcprouter/tls/certresolver`</a> | See [certResolver](../tcp/tls.md#configuration-options) for more information. | `myresolver` |
-| <a id="opt-traefiktcproutersmytcproutertlsdomains0main" href="#opt-traefiktcproutersmytcproutertlsdomains0main" title="#opt-traefiktcproutersmytcproutertlsdomains0main">`traefik/tcp/routers/mytcprouter/tls/domains/0/main`</a> | See [TLS](../tcp/tls.md) for more information. | `example.org` |
-| <a id="opt-traefiktcproutersmytcproutertlsdomains0sans0" href="#opt-traefiktcproutersmytcproutertlsdomains0sans0" title="#opt-traefiktcproutersmytcproutertlsdomains0sans0">`traefik/tcp/routers/mytcprouter/tls/domains/0/sans/0`</a> | See [TLS](../tcp/tls.md) for more information. | `test.example.org` |
-| <a id="opt-traefiktcproutersmytcproutertlsdomains0sans1" href="#opt-traefiktcproutersmytcproutertlsdomains0sans1" title="#opt-traefiktcproutersmytcproutertlsdomains0sans1">`traefik/tcp/routers/mytcprouter/tls/domains/0/sans/1`</a> | See [TLS](../tcp/tls.md) for more information. | `dev.example.org`  |
-| <a id="opt-traefiktcproutersmytcproutertlsoptions" href="#opt-traefiktcproutersmytcproutertlsoptions" title="#opt-traefiktcproutersmytcproutertlsoptions">`traefik/tcp/routers/mytcprouter/tls/options`</a> | See [TLS](../tcp/tls.md) for more information. | `foobar` |
-| <a id="opt-traefiktcproutersmytcproutertlspassthrough" href="#opt-traefiktcproutersmytcproutertlspassthrough" title="#opt-traefiktcproutersmytcproutertlspassthrough">`traefik/tcp/routers/mytcprouter/tls/passthrough`</a> | See [TLS](../tcp/tls.md) for more information. | `true` |
-| <a id="opt-traefiktcproutersmytcprouterpriority" href="#opt-traefiktcproutersmytcprouterpriority" title="#opt-traefiktcproutersmytcprouterpriority">`traefik/tcp/routers/mytcprouter/priority`</a> | See [priority](../tcp/routing/rules-and-priority.md#priority-calculation) for more information. | `42`  |
+| <a id="opt-traefiktcproutersrouter-nameservice" href="#opt-traefiktcproutersrouter-nameservice" title="#opt-traefiktcproutersrouter-nameservice">`traefik/tcp/routers/<router_name>/service`</a> | See [service](../tcp/service.md) for more information. | `myservice` |
+| <a id="opt-traefiktcproutersrouter-nametls" href="#opt-traefiktcproutersrouter-nametls" title="#opt-traefiktcproutersrouter-nametls">`traefik/tcp/routers/<router_name>/tls`</a> | See [TLS](../tcp/tls.md) for more information. | `true` |
+| <a id="opt-traefiktcproutersrouter-nametlscertresolver" href="#opt-traefiktcproutersrouter-nametlscertresolver" title="#opt-traefiktcproutersrouter-nametlscertresolver">`traefik/tcp/routers/<router_name>/tls/certresolver`</a> | See [certResolver](../tcp/tls.md#configuration-options) for more information. | `myresolver` |
+| <a id="opt-traefiktcproutersrouter-nametlsdomains0main" href="#opt-traefiktcproutersrouter-nametlsdomains0main" title="#opt-traefiktcproutersrouter-nametlsdomains0main">`traefik/tcp/routers/<router_name>/tls/domains/0/main`</a> | See [TLS](../tcp/tls.md) for more information. | `example.org` |
+| <a id="opt-traefiktcproutersrouter-nametlsdomains0sans0" href="#opt-traefiktcproutersrouter-nametlsdomains0sans0" title="#opt-traefiktcproutersrouter-nametlsdomains0sans0">`traefik/tcp/routers/<router_name>/tls/domains/0/sans/0`</a> | See [TLS](../tcp/tls.md) for more information. | `test.example.org` |
+| <a id="opt-traefiktcproutersrouter-nametlsdomains0sans1" href="#opt-traefiktcproutersrouter-nametlsdomains0sans1" title="#opt-traefiktcproutersrouter-nametlsdomains0sans1">`traefik/tcp/routers/<router_name>/tls/domains/0/sans/1`</a> | See [TLS](../tcp/tls.md) for more information. | `dev.example.org`  |
+| <a id="opt-traefiktcproutersrouter-nametlsoptions" href="#opt-traefiktcproutersrouter-nametlsoptions" title="#opt-traefiktcproutersrouter-nametlsoptions">`traefik/tcp/routers/<router_name>/tls/options`</a> | See [TLS](../tcp/tls.md) for more information. | `foobar` |
+| <a id="opt-traefiktcproutersrouter-nametlspassthrough" href="#opt-traefiktcproutersrouter-nametlspassthrough" title="#opt-traefiktcproutersrouter-nametlspassthrough">`traefik/tcp/routers/<router_name>/tls/passthrough`</a> | See [TLS](../tcp/tls.md) for more information. | `true` |
+| <a id="opt-traefiktcproutersrouter-namepriority" href="#opt-traefiktcproutersrouter-namepriority" title="#opt-traefiktcproutersrouter-namepriority">`traefik/tcp/routers/<router_name>/priority`</a> | See [priority](../tcp/routing/rules-and-priority.md#priority-calculation) for more information. | `42`  |

 #### Services

-| Key (Path)                                                         | Description                                                         | Value            |
-|--------------------------------------------------------------------|--------------------------------------------------------------------|------------------|
-| <a id="opt-traefiktcpservicesmytcpserviceloadbalancerservers0address" href="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0address" title="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0address">`traefik/tcp/services/mytcpservice/loadbalancer/servers/0/address`</a> | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `xx.xx.xx.xx:xx` |
-| <a id="opt-traefiktcpservicesmytcpserviceloadbalancerservers0tls" href="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0tls" title="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0tls">`traefik/tcp/services/mytcpservice/loadbalancer/servers/0/tls`</a> | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `true` |
-| <a id="opt-traefiktcpservicesmyserviceloadbalancerserverstransport" href="#opt-traefiktcpservicesmyserviceloadbalancerserverstransport" title="#opt-traefiktcpservicesmyserviceloadbalancerserverstransport">`traefik/tcp/services/myservice/loadbalancer/serverstransport`</a> | Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.<br/>See [serverstransport](../tcp/serverstransport.md) for more information. | `foobar@file` |
+| Key (Path)                                                                                                                                                                                                                                                                                  | Description                                                         | Value            |
+|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------|------------------|
+| <a id="opt-traefiktcpservicesservice-nameloadbalancerservers0address" href="#opt-traefiktcpservicesservice-nameloadbalancerservers0address" title="#opt-traefiktcpservicesservice-nameloadbalancerservers0address">`traefik/tcp/services/<service_name>/loadbalancer/servers/0/address`</a> | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `xx.xx.xx.xx:xx` |
+| <a id="opt-traefiktcpservicesservice-nameloadbalancerservers0tls" href="#opt-traefiktcpservicesservice-nameloadbalancerservers0tls" title="#opt-traefiktcpservicesservice-nameloadbalancerservers0tls">`traefik/tcp/services/<service_name>/loadbalancer/servers/0/tls`</a> | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `true` |
+| <a id="opt-traefiktcpservicesservice-nameloadbalancerserverstransport" href="#opt-traefiktcpservicesservice-nameloadbalancerserverstransport" title="#opt-traefiktcpservicesservice-nameloadbalancerserverstransport">`traefik/tcp/services/<service_name>/loadbalancer/serverstransport`</a> | Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.<br/>See [serverstransport](../tcp/serverstransport.md) for more information. | `foobar@file` |
 | <a id="opt-traefiktcpservicesservice-nameweightedservices0name" href="#opt-traefiktcpservicesservice-nameweightedservices0name" title="#opt-traefiktcpservicesservice-nameweightedservices0name">`traefik/tcp/services/<service_name>/weighted/services/0/name`</a> | See [Service](../tcp/service.md#weighted-round-robin) for more information. | `foobar` |
 | <a id="opt-traefiktcpservicesservice-nameweightedservices0weight" href="#opt-traefiktcpservicesservice-nameweightedservices0weight" title="#opt-traefiktcpservicesservice-nameweightedservices0weight">`traefik/tcp/services/<service_name>/weighted/services/0/weight`</a> | See [Service](../tcp/service.md#weighted-round-robin) for more information. | `42`  |

@@ -198,9 +198,9 @@ For example, to declare a middleware [`InFlightConn`](../tcp/middlewares/infligh

 More information about available middlewares in the dedicated [middlewares section](../tcp/middlewares/overview.md).

-| Key (Path)                                                      | Description                                                      |  Value                                   |
-|-----------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
-| <a id="opt-traefiktcpmiddlewaresmymiddlewaremiddleware-typemiddleware-option" href="#opt-traefiktcpmiddlewaresmymiddlewaremiddleware-typemiddleware-option" title="#opt-traefiktcpmiddlewaresmymiddlewaremiddleware-typemiddleware-option">`traefik/tcp/middlewares/mymiddleware/middleware_type/middleware_option`</a> | With `middleware_type` the type of middleware (ex: `inflightconn`)<br/>and `middleware_option` the middleware option to set (ex for the middleware `inflightconn`: `amount`).<br/> More information about available middlewares in the dedicated [middlewares section](../tcp/middlewares/overview.md). | `foobar` |
+| Key (Path)                                                                                                                                                                                                                                                                                                                   | Description                                                      |  Value                                   |
+|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
+| <a id="opt-traefiktcpmiddlewaresmiddleware-namemiddleware-typemiddleware-option" href="#opt-traefiktcpmiddlewaresmiddleware-namemiddleware-typemiddleware-option" title="#opt-traefiktcpmiddlewaresmiddleware-namemiddleware-typemiddleware-option">`traefik/tcp/middlewares/<middleware_name>/middleware_type/middleware_option`</a> | With `middleware_type` the type of middleware (ex: `inflightconn`)<br/>and `middleware_option` the middleware option to set (ex for the middleware `inflightconn`: `amount`).<br/> More information about available middlewares in the dedicated [middlewares section](../tcp/middlewares/overview.md). | `foobar` |

 !!! warning "Conflicts in Declaration"

@@ -210,9 +210,9 @@ More information about available middlewares in the dedicated [middlewares secti

 ##### Configuration Options

-| Key (Path)                                                      | Description                                                      |  Value                                   |
-|-----------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
-| <a id="opt-traefiktcpserversTransportsserversTransportNamest-option" href="#opt-traefiktcpserversTransportsserversTransportNamest-option" title="#opt-traefiktcpserversTransportsserversTransportNamest-option">`traefik/tcp/serversTransports/<serversTransportName>/st_option`</a> | With  `st_option` the ServerTransport option to set (ex `maxIdleConnsPerHost`).<br/> More information about available options in the dedicated [ServerTransport section](../tcp/serverstransport.md). | ServerTransport Options |
+| Key (Path)                                                                                                                                                                                                                                                                             | Description                                                      |  Value                                   |
+|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|-----------------------------------------|
+| <a id="opt-traefiktcpserversTransportsservers-transport-namest-option" href="#opt-traefiktcpserversTransportsservers-transport-namest-option" title="#opt-traefiktcpserversTransportsservers-transport-namest-option">`traefik/tcp/serversTransports/<servers_transport_name>/st_option`</a> | With  `st_option` the ServerTransport option to set (ex `maxIdleConnsPerHost`).<br/> More information about available options in the dedicated [ServerTransport section](../tcp/serverstransport.md). | ServerTransport Options |

 ### UDP

@@ -220,18 +220,18 @@ You can declare UDP Routers and/or Services using KV.

 #### Routers

-| Key (Path)                                                       | Description                                                       | Value |
-|------------------------------------------------------------------|------------------------------------------------------------------|-------|
-| <a id="opt-traefikudproutersmyudprouterentrypoints0" href="#opt-traefikudproutersmyudprouterentrypoints0" title="#opt-traefikudproutersmyudprouterentrypoints0">`traefik/udp/routers/myudprouter/entrypoints/0`</a> | See [UDP Router](../udp/routing/rules-priority.md#entrypoints) for more information. | `foobar`  |
-| <a id="opt-traefikudproutersmyudprouterservice" href="#opt-traefikudproutersmyudprouterservice" title="#opt-traefikudproutersmyudprouterservice">`traefik/udp/routers/myudprouter/service`</a> | See [UDP Router](../udp/routing/rules-priority.md#configuration-example) for more information. | `foobar`  |
+| Key (Path)                                                                                                                                                                                                            | Description                                                       | Value |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|-------|
+| <a id="opt-traefikudproutersrouter-nameentrypoints0" href="#opt-traefikudproutersrouter-nameentrypoints0" title="#opt-traefikudproutersrouter-nameentrypoints0">`traefik/udp/routers/<router_name>/entrypoints/0`</a> | See [UDP Router](../udp/routing/rules-priority.md#entrypoints) for more information. | `foobar`  |
+| <a id="opt-traefikudproutersrouter-nameservice" href="#opt-traefikudproutersrouter-nameservice" title="#opt-traefikudproutersrouter-nameservice">`traefik/udp/routers/<router_name>/service`</a> | See [UDP Router](../udp/routing/rules-priority.md#configuration-example) for more information. | `foobar`  |

 #### Services

-| Key (Path)                                                       | Description                                                       | Value |
-|------------------------------------------------------------------|------------------------------------------------------------------|-------|
-| <a id="opt-traefikudpservicesloadBalancerserversnaddress" href="#opt-traefikudpservicesloadBalancerserversnaddress" title="#opt-traefikudpservicesloadBalancerserversnaddress">`traefik/udp/services/loadBalancer/servers/<n>/address`</a> | See [UDP Service](../udp/service.md) for more information. | `foobar`  |
-| <a id="opt-traefikudpservicesweightedservices0name" href="#opt-traefikudpservicesweightedservices0name" title="#opt-traefikudpservicesweightedservices0name">`traefik/udp/services/weighted/services/0/name`</a> | See [UDP Service](../udp/service.md) for more information. | `foobar`  |
-| <a id="opt-traefikudpservicesweightedservers0weight" href="#opt-traefikudpservicesweightedservers0weight" title="#opt-traefikudpservicesweightedservers0weight">`traefik/udp/services/weighted/servers/0/weight`</a> |See [UDP Service](../udp/service.md) for more information. | `42`  | 
+| Key (Path)                                                                                                                                                                                                                                                                                    | Description                                                       | Value |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|-------|
+| <a id="opt-traefikudpservicesservice-nameloadBalancerserversnaddress" href="#opt-traefikudpservicesservice-nameloadBalancerserversnaddress" title="#opt-traefikudpservicesservice-nameloadBalancerserversnaddress">`traefik/udp/services/<service_name>/loadBalancer/servers/<n>/address`</a> | See [UDP Service](../udp/service.md) for more information. | `foobar`  |
+| <a id="opt-traefikudpservicesservice-nameweightedservices0name" href="#opt-traefikudpservicesservice-nameweightedservices0name" title="#opt-traefikudpservicesservice-nameweightedservices0name">`traefik/udp/services/<service_name>/weighted/services/0/name`</a> | See [UDP Service](../udp/service.md) for more information. | `foobar`  |
+| <a id="opt-traefikudpservicesservice-nameweightedservices0weight" href="#opt-traefikudpservicesservice-nameweightedservices0weight" title="#opt-traefikudpservicesservice-nameweightedservices0weight">`traefik/udp/services/<service_name>/weighted/services/0/weight`</a> |See [UDP Service](../udp/service.md) for more information. | `42`  | 

 ## TLS

@@ -271,7 +271,7 @@ More information about available middlewares in the dedicated [middlewares secti
    ```yaml
    # ...
    # Declaring a middleware
-    traefik.tcp.middlewares.test-inflightconn.amount=10
+    traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10
    # Referencing a middleware
    traefik.tcp.routers.my-service.middlewares=test-inflightconn
    ```
@@ -307,7 +307,7 @@ More information about available middlewares in the dedicated [middlewares secti
    ```yaml
    # ...
    # Declaring a middleware
-    traefik.tcp.middlewares.test-inflightconn.amount=10
+    traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10
    # Referencing a middleware
    traefik.tcp.routers.my-service.middlewares=test-inflightconn
    ```
@@ -52,4 +52,4 @@ spec:

 | Field | Description | Default | Required |
 |:------|:------------|------------------|-------|
-| <a id="opt-amount" href="#opt-amount" title="#opt-amount">`amount`</a> | The `amount` option defines the maximum amount of allowed simultaneous connections. <br /> The middleware closes the connection if there are already `amount` connections opened. | "" | Yes |
+| <a id="opt-amount" href="#opt-amount" title="#opt-amount">`amount`</a> | The `amount` option defines the maximum amount of allowed simultaneous connections. <br /> The middleware closes the connection if there are already `amount` connections opened. | 0 | Yes |
@@ -36,7 +36,7 @@ labels:
 {
  //...
  "Tags" : [
-    "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"s
+    "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
  ]
 }
 ```
@@ -87,7 +87,7 @@ metadata:
  name: foo-ip-allowlist
 spec:
  ipAllowList:
-    sourcerange:
+    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7

@@ -90,6 +90,7 @@ labels:
 |--------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|----------|
 | <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, TCP routers are attached to all TCP entry points.                                                                                                                                                                                        | All TCP entry points | No       |
 | <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular connection matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the connection to the service. See [Rules & Priority](./rules-and-priority.md) for details.        |                      | Yes      |
+| <a id="opt-ruleSyntax" href="#opt-ruleSyntax" title="#opt-ruleSyntax">`ruleSyntax`</a> | **Deprecated.** Specifies the syntax used for the `rule` field to support v2→v3 migrations. Do not use this field in new configurations; rewrite router rules to use the v3 syntax instead. |                      | No       |
 | <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid rule overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. Negative values are supported. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length          | No       |
 | <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [TCP Middlewares overview](../middlewares/overview.md) for available TCP middlewares.                                                                                                            |                      | No       |
 | <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle TLS connections. See [TLS configuration](../tls.md) for detailed TLS options.                                                                                                                                                          |                      | No       |
@@ -158,16 +158,16 @@ ALPN(`h2`)
          rule = "ClientIP(`192.168.0.0/24`)"
          entryPoints = ["web"]
          priority = 1
-          service = "service-2
+          service = "service-2"
      ```

    ```yaml tab="Labels"
       labels:
-        - "traefik.tcp.routers.Router-1.rule="ClientIP(`192.168.0.12`)"
+        - 'traefik.tcp.routers.Router-1.rule=ClientIP(`192.168.0.12`)'
        - "traefik.tcp.routers.Router-1.entryPoints=web"
        - "traefik.tcp.routers.Router-1.service=service-1"
        - "traefik.tcp.routers.Router-1.priority=2"
-        - "traefik.tcp.routers.Router-2.rule="ClientIP(`192.168.0.0/24`)"
+        - 'traefik.tcp.routers.Router-2.rule=ClientIP(`192.168.0.0/24`)'
        - "traefik.tcp.routers.Router-2.entryPoints=web"
        - "traefik.tcp.routers.Router-2.service=service-2"
        - "traefik.tcp.routers.Router-2.priority=1"
@@ -22,14 +22,14 @@ tcp:
          - "/path/to/cert1.pem"
          - "/path/to/cert2.pem"
        insecureSkipVerify: true
-        rootcas:
+        rootCAs:
          - "/path/to/rootca.pem"
        peerCertURI: "spiffe://example.org/peer"
-      spiffe:
-        ids:
-          - "spiffe://example.org/id1"
-          - "spiffe://example.org/id2"
-        trustDomain: "example.org"
+        spiffe:
+          ids:
+            - "spiffe://example.org/id1"
+            - "spiffe://example.org/id2"
+          trustDomain: "example.org"
 ```

 ```toml tab="Structured (TOML)"
@@ -42,10 +42,10 @@ tcp:
    serverName = "example.com"
    certificates = ["/path/to/cert1.pem", "/path/to/cert2.pem"]
    insecureSkipVerify = true
-    rootcas = ["/path/to/rootca.pem"]
+    rootCAs = ["/path/to/rootca.pem"]
    peerCertURI = "spiffe://example.org/peer"

-  [tcp.serversTransports.mytransport.spiffe]
+  [tcp.serversTransports.mytransport.tls.spiffe]
    ids = ["spiffe://example.org/id1", "spiffe://example.org/id2"]
    trustDomain = "example.org"
 ```
@@ -95,11 +95,11 @@ labels:
 | <a id="opt-serverstransport-tls-serverName" href="#opt-serverstransport-tls-serverName" title="#opt-serverstransport-tls-serverName">`serverstransport.`<br />`tls`<br />`.serverName`</a> | Configures the server name that will be used for SNI.                                                                                                                                                              |         | No       |
 | <a id="opt-serverstransport-tls-certificates" href="#opt-serverstransport-tls-certificates" title="#opt-serverstransport-tls-certificates">`serverstransport.`<br />`tls`<br />`.certificates`</a> | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS.                                                                                                  |         | No       |
 | <a id="opt-serverstransport-tls-insecureSkipVerify" href="#opt-serverstransport-tls-insecureSkipVerify" title="#opt-serverstransport-tls-insecureSkipVerify">`serverstransport.`<br />`tls`<br />`.insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified.                                                                                                                                         | false   | No       |
-| <a id="opt-serverstransport-tls-rootcas" href="#opt-serverstransport-tls-rootcas" title="#opt-serverstransport-tls-rootcas">`serverstransport.`<br />`tls`<br />`.rootcas`</a> | Defines the root certificate authorities to use when verifying server certificates. (for mTLS connections).                                                                                                        |         | No       |
-| <a id="opt-serverstransport-tls-peerCertURI" href="#opt-serverstransport-tls-peerCertURI" title="#opt-serverstransport-tls-peerCertURI">`serverstransport.`<br />`tls.`<br />`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification.                                                                                                                       | false   | No       |
-| <a id="opt-serverstransport-spiffe" href="#opt-serverstransport-spiffe" title="#opt-serverstransport-spiffe">`serverstransport.`<br />`spiffe`</a> | Defines the SPIFFE configuration. An empty `spiffe` section enables SPIFFE (that allows any SPIFFE ID).                                                                                                            |         | No       |
-| <a id="opt-serverstransport-spiffe-ids" href="#opt-serverstransport-spiffe-ids" title="#opt-serverstransport-spiffe-ids">`serverstransport.`<br />`spiffe`<br />`.ids`</a> | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain.                                                                                                                                          |         | No       |
-| <a id="opt-serverstransport-spiffe-trustDomain" href="#opt-serverstransport-spiffe-trustDomain" title="#opt-serverstransport-spiffe-trustDomain">`serverstransport.`<br />`spiffe`<br />`.trustDomain`</a> | Allow SPIFFE trust domain.                                                                                                                                                                                         | ""      | No       |
+| <a id="opt-serverstransport-tls-rootCAs" href="#opt-serverstransport-tls-rootCAs" title="#opt-serverstransport-tls-rootCAs">`serverstransport.`<br />`tls`<br />`.rootCAs`</a> | Defines the root certificate authorities to use when verifying server certificates. (for mTLS connections).                                                                                                        |         | No       |
+| <a id="opt-serverstransport-tls-peerCertURI" href="#opt-serverstransport-tls-peerCertURI" title="#opt-serverstransport-tls-peerCertURI">`serverstransport.`<br />`tls.`<br />`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification.                                                                                                                       | ""      | No       |
+| <a id="opt-serverstransport-tls-spiffe" href="#opt-serverstransport-tls-spiffe" title="#opt-serverstransport-tls-spiffe">`serverstransport.`<br />`tls.spiffe`</a> | Defines the SPIFFE configuration. An empty `spiffe` section enables SPIFFE (that allows any SPIFFE ID).                                                                                                            |         | No       |
+| <a id="opt-serverstransport-tls-spiffe-ids" href="#opt-serverstransport-tls-spiffe-ids" title="#opt-serverstransport-tls-spiffe-ids">`serverstransport.`<br />`tls.spiffe`<br />`.ids`</a> | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain.                                                                                                                                          |         | No       |
+| <a id="opt-serverstransport-tls-spiffe-trustDomain" href="#opt-serverstransport-tls-spiffe-trustDomain" title="#opt-serverstransport-tls-spiffe-trustDomain">`serverstransport.`<br />`tls.spiffe`<br />`.trustDomain`</a> | Allow SPIFFE trust domain.                                                                                                                                                                                         | ""      | No       |

 !!! note "SPIFFE"

@@ -95,7 +95,7 @@ Below are the available options for the health check mechanism:
 | <a id="opt-send" href="#opt-send" title="#opt-send">`send`</a> | Defines the payload to send to the server during the health check. | "" | No |
 | <a id="opt-expect" href="#opt-expect" title="#opt-expect">`expect`</a> | Defines the expected response payload from the server. | "" | No |
 | <a id="opt-interval" href="#opt-interval" title="#opt-interval">`interval`</a> | Defines the frequency of the health check calls for healthy targets. | 30s | No |
-| <a id="opt-unhealthyInterval" href="#opt-unhealthyInterval" title="#opt-unhealthyInterval">`unhealthyInterval`</a> | Defines the frequency of the health check calls for unhealthy targets. When not defined, it defaults to the `interval` value. | 30s | No |
+| <a id="opt-unhealthyInterval" href="#opt-unhealthyInterval" title="#opt-unhealthyInterval">`unhealthyInterval`</a> | Defines the frequency of the health check calls for unhealthy targets. When not defined, it defaults to the `interval` value. | - | No |
 | <a id="opt-timeout" href="#opt-timeout" title="#opt-timeout">`timeout`</a> | Defines the maximum duration Traefik will wait for a health check connection before considering the server unhealthy. | 5s | No |

 ## Weighted Round Robin
@@ -59,7 +59,7 @@ labels:
 {
  //...
  "Tags": [
-    "traefik.tcp.routers.my-tls-router.tls=true"
+    "traefik.tcp.routers.my-tls-router.tls=true",
    "traefik.tcp.routers.my-tls-router.rule=HostSNI(`example.com`)",
    "traefik.tcp.routers.my-tls-router.service=my-tcp-service",
    "traefik.tcp.routers.my-tls-router.tls.passthrough=true",
@@ -4,8 +4,6 @@ description: "In Traefik Proxy, a router is in charge of connecting incoming req
 ---

 A router is in charge of connecting incoming requests to the services that can handle them.
-In the process, routers may use pieces of [middleware](../../http/middlewares/overview.md) to update the request,
-or act before forwarding the request to the service.

 Similarly to TCP, as UDP is the transport layer, there is no concept of a request,
 so there is no notion of an URL path prefix to match an incoming UDP packet with.
@@ -8,7 +8,7 @@ description: "A service is in charge of connecting incoming requests to the Serv
 Each of the fields of the service section represents a kind of service.
 Which means, that for each specified service, one of the fields, and only one,
 has to be enabled to define what kind of service is created.
-Currently, the available kind is `LoadBalancer`.
+Currently, the two available kinds are `LoadBalancer`, and `Weighted`.

 ## Servers Load Balancer

@@ -41,4 +41,66 @@ udp:
      address = "xx.xx.xx.xx:xx"
 ```

+## Weighted Round Robin
+
+The Weighted Round Robin (alias `WRR`) load-balancer of services is in charge of balancing the connections between multiple services based on provided weights.
+
+This strategy is only available to load balance between [services](./service.md) and not between servers.
+
+!!! info "Supported Providers"
+
+    This strategy can currently be defined with the [File provider](../../install-configuration/providers/others/file.md) 
+    and the [Kubernetes CRD provider (IngressRouteUDP)](../kubernetes/crd/udp/ingressrouteudp.md).
+
+```yaml tab="Structured (YAML)"
+udp:
+  services:
+    app:
+      weighted:
+        services:
+          - name: appv1
+            weight: 3
+          - name: appv2
+            weight: 1
+
+    appv1:
+      loadBalancer:
+        servers:
+          - address: "xxx.xxx.xxx.xxx:8080"
+
+    appv2:
+      loadBalancer:
+        servers:
+          - address: "xxx.xxx.xxx.xxx:8080"
+```
+
+```toml tab="Structured (TOML)"
+[udp.services]
+  [udp.services.app]
+    [[udp.services.app.weighted.services]]
+      name = "appv1"
+      weight = 3
+    [[udp.services.app.weighted.services]]
+      name = "appv2"
+      weight = 1
+
+  [udp.services.appv1]
+    [udp.services.appv1.loadBalancer]
+      [[udp.services.appv1.loadBalancer.servers]]
+        address = "xxx.xxx.xxx.xxx:8080"
+
+  [udp.services.appv2]
+    [udp.services.appv2.loadBalancer]
+      [[udp.services.appv2.loadBalancer.servers]]
+        address = "xxx.xxx.xxx.xxx:8080"
+```
+
+### Configuration Options
+
+| Field | Description | Default | Required |
+|-------|-------------|---------|----------|
+| <a id="opt-services" href="#opt-services" title="#opt-services">`services`</a> | Defines the list of services to load balance between. | | Yes |
+| <a id="opt-services-name" href="#opt-services-name" title="#opt-services-name">`services.name`</a> | The name of the service to load balance to. | "" | Yes |
+| <a id="opt-services-weight" href="#opt-services-weight" title="#opt-services-weight">`services.weight`</a> | The weight applied to the service when balancing connections. | 1 | No |
+
 {% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -178,12 +178,11 @@ gateway:
          group: ""

 # Enable Observability
-logs:
-  general:
-    level: INFO
-  # This enables access logs, outputting them to Traefik's standard output by default. The [Access Logs Documentation](https://doc.traefik.io/traefik/observability/access-logs/) covers formatting, filtering, and output options.
-  access:
-    enabled: true
+log:
+  level: INFO
+# This enables access logs, outputting them to Traefik's standard output by default. The [Access Logs Documentation](https://doc.traefik.io/traefik/observability/access-logs/) covers formatting, filtering, and output options.
+accessLog:
+  enabled: true

 # Enables Prometheus for Metrics
 metrics:
@@ -1,4 +1,4 @@
-FROM alpine:3.23
+FROM alpine:3.24

 ENV PATH="${PATH}:/venv/bin"

@@ -8,13 +8,13 @@ require (
 	github.com/abbot/go-http-auth v0.0.0-00010101000000-000000000000 // No tag on the repo.
 	github.com/andybalholm/brotli v1.2.0
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
-	github.com/aws/aws-sdk-go-v2 v1.41.6
-	github.com/aws/aws-sdk-go-v2/config v1.32.16
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.15
+	github.com/aws/aws-sdk-go-v2 v1.41.8
+	github.com/aws/aws-sdk-go-v2/config v1.32.19
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.18
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.203.1
 	github.com/aws/aws-sdk-go-v2/service/ecs v1.53.15
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.56.13
-	github.com/aws/smithy-go v1.25.0
+	github.com/aws/smithy-go v1.25.1
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/containerd/errdefs v1.0.0
 	github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd // No tag on the repo.
@@ -23,7 +23,7 @@ require (
 	github.com/docker/go-connections v0.6.0
 	github.com/fatih/structs v1.1.0
 	github.com/fsnotify/fsnotify v1.10.1
-	github.com/go-acme/lego/v4 v4.35.2
+	github.com/go-acme/lego/v5 v5.2.2
 	github.com/go-kit/kit v0.13.0
 	github.com/go-kit/log v0.2.1
 	github.com/golang/protobuf v1.5.4
@@ -58,7 +58,8 @@ require (
 	github.com/prometheus/client_model v0.6.2
 	github.com/quic-go/quic-go v0.59.1
 	github.com/redis/go-redis/v9 v9.8.0
-	github.com/rs/zerolog v1.33.0
+	github.com/rs/zerolog v1.34.0
+	github.com/samber/slog-zerolog/v2 v2.9.2
 	github.com/sirupsen/logrus v1.9.4
 	github.com/spiffe/go-spiffe/v2 v2.6.0
 	github.com/stealthrocket/wasi-go v0.8.0
@@ -97,14 +98,14 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.43.0
 	go.opentelemetry.io/otel/trace v1.43.0
 	golang.org/x/crypto v0.52.0
-	golang.org/x/mod v0.35.0
+	golang.org/x/mod v0.36.0
 	golang.org/x/net v0.55.0
 	golang.org/x/sync v0.20.0
 	golang.org/x/sys v0.45.0
 	golang.org/x/text v0.37.0
 	golang.org/x/time v0.15.0
 	golang.org/x/tools v0.44.0
-	google.golang.org/grpc v1.80.0
+	google.golang.org/grpc v1.81.1
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.34.3
@@ -127,56 +128,47 @@ require (
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
-	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.10.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
-	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.30 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
-	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/autorest/to v0.4.1 // indirect
-	github.com/Azure/go-autorest/logger v0.2.1 // indirect
-	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 // indirect
 	github.com/HdrHistogram/hdrhistogram-go v1.2.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.3.1 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/VividCortex/gohistogram v1.0.0 // indirect
-	github.com/akamai/AkamaiOPEN-edgegrid-golang/v13 v13.1.0 // indirect
-	github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5 // indirect
+	github.com/akamai/AkamaiOPEN-edgegrid-golang/v13 v13.2.0 // indirect
+	github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e // indirect
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
-	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.16 // indirect
+	github.com/alibabacloud-go/darabonba-openapi/v2 v2.2.1 // indirect
 	github.com/alibabacloud-go/debug v1.0.1 // indirect
-	github.com/alibabacloud-go/tea v1.4.0 // indirect
+	github.com/alibabacloud-go/tea v1.5.0 // indirect
 	github.com/alibabacloud-go/tea-utils/v2 v2.0.9 // indirect
 	github.com/aliyun/credentials-go v1.4.7 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.22 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.22 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.22 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.23 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.8 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.22 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lightsail v1.53.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.62.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/signin v1.0.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.16 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.42.0 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.24 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.24 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.24 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.25 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.24 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.54.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.62.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.1.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.18 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.42.2 // indirect
 	github.com/aziontech/azionapi-go-sdk v0.144.0 // indirect
-	github.com/baidubce/bce-sdk-go v0.9.265 // indirect
+	github.com/baidubce/bce-sdk-go v0.9.267 // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blendle/zapdriver v1.3.1 // indirect
-	github.com/bodgit/tsig v1.2.2 // indirect
+	github.com/bodgit/gssapi v0.0.3 // indirect
+	github.com/bodgit/tsig v1.3.1 // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/bytedance/sonic v1.15.1 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
@@ -191,9 +183,8 @@ require (
 	github.com/deepmap/oapi-codegen v1.9.1 // indirect
 	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/dnsimple/dnsimple-go/v4 v4.0.0 // indirect
+	github.com/dnsimple/dnsimple-go/v9 v9.1.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.10.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
@@ -205,8 +196,8 @@ require (
 	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/gin-gonic/gin v1.9.1 // indirect
-	github.com/go-acme/alidns-20150109/v4 v4.7.0 // indirect
-	github.com/go-acme/esa-20240910/v2 v2.48.0 // indirect
+	github.com/go-acme/alidns-20150109/v5 v5.4.1 // indirect
+	github.com/go-acme/esa-20240910/v3 v3.2.2 // indirect
 	github.com/go-acme/jdcloud-sdk-go v1.64.0 // indirect
 	github.com/go-acme/tencentclouddnspod v1.3.24 // indirect
 	github.com/go-acme/tencentedgdeone v1.3.38 // indirect
@@ -223,7 +214,7 @@ require (
 	github.com/go-ozzo/ozzo-validation/v4 v4.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.23.0 // indirect
+	github.com/go-playground/validator/v10 v10.30.2 // indirect
 	github.com/go-resty/resty/v2 v2.17.2 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/go-zookeeper/zk v1.0.3 // indirect
@@ -240,8 +231,8 @@ require (
 	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
-	github.com/googleapis/gax-go/v2 v2.21.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.15 // indirect
+	github.com/googleapis/gax-go/v2 v2.22.0 // indirect
 	github.com/gophercloud/gophercloud v1.14.1 // indirect
 	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
 	github.com/gravitational/trace v1.5.1 // indirect
@@ -258,8 +249,7 @@ require (
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/hashicorp/serf v0.10.1 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
-	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.192 // indirect
-	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.198 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 // indirect
 	github.com/infobloxopen/infoblox-go-client/v2 v2.11.0 // indirect
@@ -269,7 +259,6 @@ require (
 	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
 	github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
-	github.com/jinzhu/copier v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
 	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
@@ -278,7 +267,7 @@ require (
 	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
 	github.com/labbsr0x/goh v1.0.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/linode/linodego v1.68.0 // indirect
+	github.com/linode/linodego v1.69.1 // indirect
 	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
 	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
 	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
@@ -288,7 +277,7 @@ require (
 	github.com/mailgun/timetools v0.0.0-20141028012446-7e6055773c51 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.21 // indirect
+	github.com/mattn/go-isatty v0.0.22 // indirect
 	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
@@ -309,15 +298,14 @@ require (
 	github.com/nrdcg/auroradns v1.2.0 // indirect
 	github.com/nrdcg/bunny-go v0.1.0 // indirect
 	github.com/nrdcg/desec v0.11.1 // indirect
-	github.com/nrdcg/dnspod-go v0.4.0 // indirect
 	github.com/nrdcg/freemyip v0.3.0 // indirect
 	github.com/nrdcg/goacmedns v0.2.0 // indirect
 	github.com/nrdcg/goinwx v0.12.0 // indirect
 	github.com/nrdcg/mailinabox v0.3.0 // indirect
 	github.com/nrdcg/namesilo v0.5.0 // indirect
 	github.com/nrdcg/nodion v0.1.0 // indirect
-	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.113.0 // indirect
-	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.113.0 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.116.0 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.116.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
 	github.com/nrdcg/vegadns v0.3.0 // indirect
 	github.com/nzdjb/go-metaname v1.0.0 // indirect
@@ -341,10 +329,13 @@ require (
 	github.com/rs/dnscache v0.0.0-20230804202142-fc85eb664529 // indirect
 	github.com/sacloud/api-client-go v0.3.5 // indirect
 	github.com/sacloud/go-http v0.1.9 // indirect
-	github.com/sacloud/iaas-api-go v1.23.1 // indirect
-	github.com/sacloud/packages-go v0.0.12 // indirect
+	github.com/sacloud/iaas-api-go v1.29.1 // indirect
+	github.com/sacloud/packages-go v0.1.0 // indirect
+	github.com/sacloud/saclient-go v0.4.0 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/samber/lo v1.53.0 // indirect
+	github.com/samber/slog-common v0.21.0 // indirect
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36 // indirect
 	github.com/selectel/domains-go v1.1.0 // indirect
 	github.com/selectel/go-selvpcclient/v4 v4.2.0 // indirect
@@ -352,31 +343,31 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/softlayer/softlayer-go v1.2.1 // indirect
 	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
-	github.com/sony/gobreaker v1.0.0 // indirect
+	github.com/sony/gobreaker/v2 v2.4.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.7 // indirect
 	github.com/spf13/viper v1.18.2 // indirect
 	github.com/stretchr/objx v0.5.3 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.3.83 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.3.106 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.16 // indirect
 	github.com/tklauser/numcpus v0.11.0 // indirect
-	github.com/transip/gotransip/v6 v6.26.2 // indirect
-	github.com/ucloud/ucloud-sdk-go v0.22.63 // indirect
-	github.com/ultradns/ultradns-go-sdk v1.8.1-20250722213956-faef419 // indirect
+	github.com/transip/gotransip/v6 v6.27.1 // indirect
+	github.com/ucloud/ucloud-sdk-go v0.22.74 // indirect
+	github.com/ultradns/ultradns-go-sdk v1.8.2-20260507133303-3f324c7 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	github.com/vinyldns/go-vinyldns v0.9.17 // indirect
-	github.com/volcengine/volc-sdk-golang v1.0.242 // indirect
-	github.com/vultr/govultr/v3 v3.31.0 // indirect
+	github.com/vinyldns/go-vinyldns v0.9.18 // indirect
+	github.com/volcengine/volc-sdk-golang v1.0.249 // indirect
+	github.com/vultr/govultr/v3 v3.31.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	github.com/yandex-cloud/go-genproto v0.73.0 // indirect
-	github.com/yandex-cloud/go-sdk/services/dns v0.0.54 // indirect
-	github.com/yandex-cloud/go-sdk/v2 v2.92.0 // indirect
+	github.com/yandex-cloud/go-genproto v0.84.0 // indirect
+	github.com/yandex-cloud/go-sdk/services/dns v0.0.65 // indirect
+	github.com/yandex-cloud/go-sdk/v2 v2.114.0 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
@@ -403,13 +394,13 @@ require (
 	golang.org/x/oauth2 v0.36.0 // indirect
 	golang.org/x/term v0.43.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/api v0.276.0 // indirect
+	google.golang.org/api v0.280.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.67.1 // indirect
+	gopkg.in/ini.v1 v1.67.2 // indirect
 	gopkg.in/ns1/ns1-go.v2 v2.17.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
@@ -417,6 +408,7 @@ require (
 	nhooyr.io/websocket v1.8.7 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.7.1 // indirect
 )

 // Containous forks
@@ -611,8 +611,6 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8af
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 h1:Dy3M9aegiI7d7PF1LUdjbVigJReo+QOceYsMyFh9qoE=
 github.com/AdamSLevy/jsonrpc2/v14 v14.1.0/go.mod h1:ZakZtbCXxCz82NJvq7MoREtiQesnDfrtF6RFUGzQfLo=
-github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
-github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1 h1:jHb/wfvRikGdxMXYV3QG/SzUOPYN9KEUUuC0Yd0/vC0=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1/go.mod h1:pzBXCYn05zvYIrwLgtK8Ap8QcjRg+0i76tMQdWN6wOk=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
@@ -627,39 +625,16 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0 h1:2qsI
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0/go.mod h1:AW8VEadnhw9xox+VaVd9sP7NjzOAnaZBLRH6Tq3cJ38=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 h1:yzrctSl9GMIQ5lHu7jc8olOsGjWDCsBpJhWqfGa/YIM=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0/go.mod h1:GE4m0rnnfwLGX0Y9A9A25Zx5N/90jneT5ABevqzhuFQ=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 h1:zLzoX5+W2l95UJoVwiyNS4dX8vHyQ6x2xRLoBBL9wMk=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0/go.mod h1:wVEOJfGTj0oPAUGA1JuRAvz/lxXQsWW16axmHPP47Bk=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.10.0 h1:+1fJwTilk/X7inNqwREnYEOgFCdg8ut7GULxARDbu34=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.10.0/go.mod h1:EGwSLlGqrrfYQhtCi9JcIkPQKl9WxsL6ZPJd+63Vy1A=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
-github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA=
-github.com/Azure/go-autorest/autorest v0.11.30 h1:iaZ1RGz/ALZtN5eq4Nr1SOFSlf2E4pDI3Tcsl+dZPVE=
-github.com/Azure/go-autorest/autorest v0.11.30/go.mod h1:t1kpPIOpIVX7annvothKvb0stsrXa37i7b+xpmBW8Fs=
-github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
-github.com/Azure/go-autorest/autorest/adal v0.9.22 h1:/GblQdIudfEM3AWWZ0mrYJQSd7JS4S/Mbzh6F0ov0Xc=
-github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 h1:Ov8avRZi2vmrE2JcXw+tu5K/yB41r7xK9GZDiBF7NdM=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.13/go.mod h1:5BAVfWLWXihP47vYrPuBKKf4cS0bXI+KM9Qx6ETDJYo=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0=
-github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
-github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
-github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
-github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw=
-github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU=
-github.com/Azure/go-autorest/autorest/to v0.4.1 h1:CxNHBqdzTr7rLtdrtb5CMjJcDut+WNGCVv7OmS5+lTc=
-github.com/Azure/go-autorest/autorest/to v0.4.1/go.mod h1:EtaofgU4zmtvn1zT2ARsjRFdq9vXx0YWtmElwL+GZ9M=
-github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
-github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
-github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
-github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0 h1:4iB+IesclUXdP0ICgAabvq2FYLXrJWKx1fJQ+GxSo3Y=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.7.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
 github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
@@ -693,15 +668,15 @@ github.com/ajstarks/deck v0.0.0-20200831202436-30c9fc6549a9/go.mod h1:JynElWSGnm
 github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod h1:T13YZdzov6OU0A1+RfKZiZN9ca6VeKdBdyDV+BY97Tk=
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
 github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b/go.mod h1:1KcenG0jGWcpt8ov532z81sp/kMMUG485J2InIOyADM=
-github.com/akamai/AkamaiOPEN-edgegrid-golang/v13 v13.1.0 h1:KvfpO2utLmpRq0fbC0UZRzdCERfLGLX1/dcYvG7pP7k=
-github.com/akamai/AkamaiOPEN-edgegrid-golang/v13 v13.1.0/go.mod h1:AxGyKKxAxaCNeGadscLgo+gBYEAKhNG6tRR5O0HjV30=
+github.com/akamai/AkamaiOPEN-edgegrid-golang/v13 v13.2.0 h1:LFe/58tcZv+uQTuOW/wnTm6y4t9D1bvq0vkn4XNhaTM=
+github.com/akamai/AkamaiOPEN-edgegrid-golang/v13 v13.2.0/go.mod h1:FFt6ELF13cBEF8SElNhtby7yWMbAQbYrmEZhmCHd2cc=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5 h1:P5U+E4x5OkVEKQDklVPmzs71WM56RTTRqV4OrDC//Y4=
-github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5/go.mod h1:976q2ETgjT2snVCf2ZaBnyBbVoPERGjUz+0sofzEfro=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/alibabacloud-go/alibabacloud-gateway-pop v0.0.6 h1:eIf+iGJxdU4U9ypaUfbtOWCsZSbTb8AUHvyPrxu6mAA=
 github.com/alibabacloud-go/alibabacloud-gateway-pop v0.0.6/go.mod h1:4EUIoxs/do24zMOGGqYVWgw0s9NtiylnJglOeEB5UJo=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=
@@ -713,10 +688,9 @@ github.com/alibabacloud-go/darabonba-encode-util v0.0.2 h1:1uJGrbsGEVqWcWxrS9MyC
 github.com/alibabacloud-go/darabonba-encode-util v0.0.2/go.mod h1:JiW9higWHYXm7F4PKuMgEUETNZasrDM6vqVr/Can7H8=
 github.com/alibabacloud-go/darabonba-map v0.0.2 h1:qvPnGB4+dJbJIxOOfawxzF3hzMnIpjmafa0qOTp6udc=
 github.com/alibabacloud-go/darabonba-map v0.0.2/go.mod h1:28AJaX8FOE/ym8OUFWga+MtEzBunJwQGceGQlvaPGPc=
-github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.13/go.mod h1:lxFGfobinVsQ49ntjpgWghXmIF0/Sm4+wvBJ1h5RtaE=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.14/go.mod h1:lxFGfobinVsQ49ntjpgWghXmIF0/Sm4+wvBJ1h5RtaE=
-github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.16 h1:LHhjxZkNWAKWepxcWyzgFgo0X6TUVhL7sC7ANc60p8A=
-github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.16/go.mod h1:lxFGfobinVsQ49ntjpgWghXmIF0/Sm4+wvBJ1h5RtaE=
+github.com/alibabacloud-go/darabonba-openapi/v2 v2.2.1 h1:R8b55YFS4K9x5P5IdgA+QWinVfVmulzqaJG/tr6HhxM=
+github.com/alibabacloud-go/darabonba-openapi/v2 v2.2.1/go.mod h1:OCFim1kMbp2m+V8WS5IBnnVrk6nXaJiDwZpg3uqw8Po=
 github.com/alibabacloud-go/darabonba-signature-util v0.0.7 h1:UzCnKvsjPFzApvODDNEYqBHMFt1w98wC7FOo0InLyxg=
 github.com/alibabacloud-go/darabonba-signature-util v0.0.7/go.mod h1:oUzCYV2fcCH797xKdL6BDH8ADIHlzrtKVjeRtunBNTQ=
 github.com/alibabacloud-go/darabonba-string v1.0.2 h1:E714wms5ibdzCqGeYJ9JCFywE5nDyvIXIIQbZVFkkqo=
@@ -738,8 +712,8 @@ github.com/alibabacloud-go/tea v1.1.17/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy
 github.com/alibabacloud-go/tea v1.1.20/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A=
 github.com/alibabacloud-go/tea v1.2.2/go.mod h1:CF3vOzEMAG+bR4WOql8gc2G9H3EkH3ZLAQdpmpXMgwk=
 github.com/alibabacloud-go/tea v1.3.13/go.mod h1:A560v/JTQ1n5zklt2BEpurJzZTI8TUT+Psg2drWlxRg=
-github.com/alibabacloud-go/tea v1.4.0 h1:MSKhu/kWLPX7mplWMngki8nNt+CyUZ+kfkzaR5VpMhA=
-github.com/alibabacloud-go/tea v1.4.0/go.mod h1:A560v/JTQ1n5zklt2BEpurJzZTI8TUT+Psg2drWlxRg=
+github.com/alibabacloud-go/tea v1.5.0 h1:8pUo8WzMChtJT+jpLIcN1vzMi6SW3rihzzBoihPGUvs=
+github.com/alibabacloud-go/tea v1.5.0/go.mod h1:hgSs82CkOiehSQMoiFN79dL6zsGX7pVGvnn9SIEs8/0=
 github.com/alibabacloud-go/tea-utils v1.3.1/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.5/go.mod h1:dL6vbUT35E4F4bFTHL845eUloqaerYBYPsdWR2/jhe4=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.7/go.mod h1:qxn986l+q33J5VkialKMqT/TTs3E+U9MJpd001iWQ9I=
@@ -774,50 +748,50 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:W
 github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
 github.com/aws/aws-sdk-go v1.40.45/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
 github.com/aws/aws-sdk-go-v2 v1.9.1/go.mod h1:cK/D0BBs0b/oWPIcX/Z/obahJK1TT7IPVjy53i/mX/4=
-github.com/aws/aws-sdk-go-v2 v1.41.6 h1:1AX0AthnBQzMx1vbmir3Y4WsnJgiydmnJjiLu+LvXOg=
-github.com/aws/aws-sdk-go-v2 v1.41.6/go.mod h1:dy0UzBIfwSeot4grGvY1AqFWN5zgziMmWGzysDnHFcQ=
-github.com/aws/aws-sdk-go-v2/config v1.32.16 h1:Q0iQ7quUgJP0F/SCRTieScnaMdXr9h/2+wze1u3cNeM=
-github.com/aws/aws-sdk-go-v2/config v1.32.16/go.mod h1:duCCnJEFqpt2RC6no1iK6q+8HpwOAkiUua0pY507dQc=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.15 h1:fyvgWTszojq8hEnMi8PPBTvZdTtEVmAVyo+NFLHBhH4=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.15/go.mod h1:gJiYyMOjNg8OEdRWOf3CrFQxM2a98qmrtjx1zuiQfB8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.22 h1:IOGsJ1xVWhsi+ZO7/NW8OuZZBtMJLZbk4P5HDjJO0jQ=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.22/go.mod h1:b+hYdbU+jGKfXE8kKM6g1+h+L/Go3vMvzlxBsiuGsxg=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.22 h1:GmLa5Kw1ESqtFpXsx5MmC84QWa/ZrLZvlJGa2y+4kcQ=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.22/go.mod h1:6sW9iWm9DK9YRpRGga/qzrzNLgKpT2cIxb7Vo2eNOp0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.22 h1:dY4kWZiSaXIzxnKlj17nHnBcXXBfac6UlsAx2qL6XrU=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.22/go.mod h1:KIpEUx0JuRZLO7U6cbV204cWAEco2iC3l061IxlwLtI=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.23 h1:FPXsW9+gMuIeKmz7j6ENWcWtBGTe1kH8r9thNt5Uxx4=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.23/go.mod h1:7J8iGMdRKk6lw2C+cMIphgAnT8uTwBwNOsGkyOCm80U=
+github.com/aws/aws-sdk-go-v2 v1.41.8 h1:sRs7nG6/RiEBZ/K5UO2sNw0w40U02Nmz1VtARloTZXk=
+github.com/aws/aws-sdk-go-v2 v1.41.8/go.mod h1:4LAfZOPHNVNQEckOACQx60Y8pSRjIkNZQz1w92xpMJc=
+github.com/aws/aws-sdk-go-v2/config v1.32.19 h1:qRhIJMbevHUvIE7X4TK8N8zye5+5AhapcslPrvB+qKE=
+github.com/aws/aws-sdk-go-v2/config v1.32.19/go.mod h1:RbJ24nfoya63+Mf5VI+CGCGk9vEdv28xPeii+gojRYs=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.18 h1:GcXQz2M/0ZvMo0v5DakUqbDBeBM1ZNaivkolEF4Esgw=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.18/go.mod h1:sHJ06tMGcD3ZpmMyJqV+VBsGilhSIZPIN+ZFy5Dg0C4=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.24 h1:FQm5ApnyzkuJdXLGskPce83CK1CQKC4RUnIHKVe4BU4=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.24/go.mod h1:JsC7dqQc55MlZ5mvNsDMMge71u8pVcSzU3RNz2h/5yQ=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.24 h1:u6kJU2i0va1AgtJsH3RdWKWqHULlTh7zHwb35Womf74=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.24/go.mod h1:7GY+xLcXOFUpCkNwDReft9qOAVg54A4/AnjHIU7sSAY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.24 h1:Xhbcf3KugX6vX7SDyUK205Oicyfg7EGuvoVNyP5L6DM=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.24/go.mod h1:rwDgb2HNOGZsnTHylOUedM7Vnl+bCfnXDqUNPsFWYfk=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.25 h1:54CTMmlJ71Rk2dYvM9qZOob+39wjlVja2zDLxCu69Ew=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.25/go.mod h1:BZaHqxsS9vN1fvV5EfEl0OBLOk5+AajWsMu6MjqnZB4=
 github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.8.1/go.mod h1:CM+19rL1+4dFWnOQKwDc7H1KwXTz+h61oUSHyhV0b3o=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.203.1 h1:ZgY9zeVAe+54Qa7o1GXKRNTez79lffCeJSSinhl+qec=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.203.1/go.mod h1:0naMk66LtdeTmE+1CWQTKwtzOQ2t8mavOhMhR0Pv1m0=
 github.com/aws/aws-sdk-go-v2/service/ecs v1.53.15 h1:uH0DMwDjLGgjjYMk3M1MXHggk37trTiJIvwyJNP17Ig=
 github.com/aws/aws-sdk-go-v2/service/ecs v1.53.15/go.mod h1:49tE5yYdlAHqZIO8u5+u9Xy9k8IaV0v5cstZrjnX5+c=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.8 h1:HtOTYcbVcGABLOVuPYaIihj6IlkqubBwFj10K5fxRek=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.8/go.mod h1:VsK9abqQeGlzPgUr+isNWzPlK2vKe9INMLWnY65f5Xs=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.22 h1:PUmZeJU6Y1Lbvt9WFuJ0ugUK2xn6hIWUBBbKuOWF30s=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.22/go.mod h1:nO6egFBoAaoXze24a2C0NjQCvdpk8OueRoYimvEB9jo=
-github.com/aws/aws-sdk-go-v2/service/lightsail v1.53.1 h1:2EYcA+XS5fkOW69b0PCRfVw47wKj+g3fwr+wDkndUjQ=
-github.com/aws/aws-sdk-go-v2/service/lightsail v1.53.1/go.mod h1:CIWHmMlKECdIPOG0JASCovH6JKf7dfuf75LH+wWz8Ks=
-github.com/aws/aws-sdk-go-v2/service/route53 v1.62.6 h1:6b+KS0uVMMsCUKlW8OPNxmcEmoEUtqP1LfnzSzWmuQM=
-github.com/aws/aws-sdk-go-v2/service/route53 v1.62.6/go.mod h1:+wmraHmxwqi7feUL/41uULJWl8V1HxtxzOJH6a4ZRg4=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.10 h1:a1Fq/KXn75wSzoJaPQTgZO0wHGqE9mjFnylnqEPTchA=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.10/go.mod h1:p6+MXNxW7IA6dMgHfTAzljuwSKD0NCm/4lbS4t6+7vI=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 h1:FLudkZLt5ci0ozzgkVo8BJGwvqNaZbTWb3UcucAateA=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9/go.mod h1:w7wZ/s9qK7c8g4al+UyoF1Sp/Z45UwMGcqIzLWVQHWk=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.24 h1:CQW2FTrflfoslYWLf3fv7vG28Q219+v8YJS5QTQb2+Y=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.24/go.mod h1:Xfx13T+u3nH6EEzgl9fBSO6nDRmze1FvnZNYkctQ2zw=
+github.com/aws/aws-sdk-go-v2/service/lightsail v1.54.1 h1:TA/8uCWJQzeNy8fTf8ojFxZuvWA+R20CMu0b7IxYcp0=
+github.com/aws/aws-sdk-go-v2/service/lightsail v1.54.1/go.mod h1:F0RbBQMzN+pD4BswikBhagVqSQWqjMnmx14plgRsxKA=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.62.8 h1:1QC1xoZg5XSes1CXQ20Y0qTaaeDj12e7bB0/Yw9sQwI=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.62.8/go.mod h1:+GpgmfX7rnzQ8WMbMCMnI+VOjPZCf9yaUlBmRTvQgFE=
+github.com/aws/aws-sdk-go-v2/service/signin v1.1.0 h1:yQo3eZ5qFaL1sJWqs1nL6j3yPHA2/R7c6tQ4T+0IO10=
+github.com/aws/aws-sdk-go-v2/service/signin v1.1.0/go.mod h1:3Zzou41Qt/ueXfIzHvTEjDNuR5IjCUBVF01SNhrt1e8=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.56.13 h1:JfPeW7F6Y+VqBg6p+8zQv4wlgceguYu5ZT0USEGZ89g=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.56.13/go.mod h1:EonGQFn66wZkJJrrKXrryrxoS3V30rcHvaWvc6oGHCI=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.16 h1:x6bKbmDhsgSZwv6q19wY/u3rLk/3FGjJWyqKcIRufpE=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.16/go.mod h1:CudnEVKRtLn0+3uMV0yEXZ+YZOKnAtUJ5DmDhilVnIw=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.20 h1:oK/njaL8GtyEihkWMD4k3VgHCT64RQKkZwh0DG5j8ak=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.20/go.mod h1:JHs8/y1f3zY7U5WcuzoJ/yAYGYtNIVPKLIbp61euvmg=
-github.com/aws/aws-sdk-go-v2/service/sts v1.42.0 h1:ks8KBcZPh3PYISr5dAiXCM5/Thcuxk8l+PG4+A0exds=
-github.com/aws/aws-sdk-go-v2/service/sts v1.42.0/go.mod h1:pFw33T0WLvXU3rw1WBkpMlkgIn54eCB5FYLhjDc9Foo=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.18 h1:ApLTFdAZfDhZSiY5uskwECKHkSNNF83y2Ru2r7SezWA=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.18/go.mod h1:A9K9qx2l6nK89hp+a350FdGfRkrkH5HdiEjHbiy/Q/c=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.1 h1:4VD7TIZOGzehrgQ8vDE+1c6BQW4ErZPGY8ohZT5LXEE=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.36.1/go.mod h1:er0SFJfdV89Rit5hIJu/EXtv+qC2XMnxoksLmcUFkqM=
+github.com/aws/aws-sdk-go-v2/service/sts v1.42.2 h1:XKnxlM4KZH1gktcsh3zSWc7GW4KivEv/OkifmHOhCUY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.42.2/go.mod h1:KJYmkQaFB3SUW2j3aBkPsxNmAb4ZsSOvbvCpuxzHJA0=
 github.com/aws/smithy-go v1.8.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
-github.com/aws/smithy-go v1.25.0 h1:Sz/XJ64rwuiKtB6j98nDIPyYrV1nVNJ4YU74gttcl5U=
-github.com/aws/smithy-go v1.25.0/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
+github.com/aws/smithy-go v1.25.1 h1:J8ERsGSU7d+aCmdQur5Txg6bVoYelvQJgtZehD12GkI=
+github.com/aws/smithy-go v1.25.1/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/aziontech/azionapi-go-sdk v0.144.0 h1:T+/w18o+FCiZsk3Z0ACBVVe7c/5EGLG15S3P8JfuPfo=
 github.com/aziontech/azionapi-go-sdk v0.144.0/go.mod h1:OKxP/R0iVXnJJakYwMhh2BGAXnud8Ruy55Ak9ANuWoU=
-github.com/baidubce/bce-sdk-go v0.9.265 h1:xZeLhmADeOmmV+Zlt+3TelazS0czBNXELYSPrbtU3zE=
-github.com/baidubce/bce-sdk-go v0.9.265/go.mod h1:zbYJMQwE4IZuyrJiFO8tO8NbtYiKTFTbwh4eIsqjVdg=
+github.com/baidubce/bce-sdk-go v0.9.267 h1:0l3UipFvWVsEv+FcontxWRs6ny8xvBeRISLbdNtO/bw=
+github.com/baidubce/bce-sdk-go v0.9.267/go.mod h1:zbYJMQwE4IZuyrJiFO8tO8NbtYiKTFTbwh4eIsqjVdg=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
 github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
@@ -829,8 +803,10 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/blendle/zapdriver v1.3.1 h1:C3dydBOWYRiOk+B8X9IVZ5IOe+7cl+tGOexN4QqHfpE=
 github.com/blendle/zapdriver v1.3.1/go.mod h1:mdXfREi6u5MArG4j9fewC+FGnXaBR+T4Ox4J2u4eHCc=
-github.com/bodgit/tsig v1.2.2 h1:RgxTCr8UFUHyU4D8Ygb2UtXtS4niw4B6XYYBpgCjl0k=
-github.com/bodgit/tsig v1.2.2/go.mod h1:rIGNOLZOV/UA03fmCUtEFbpWOrIoaOuETkpaeTvnLF4=
+github.com/bodgit/gssapi v0.0.3 h1:CtNl14kFo6aQE4tld//yBZ4xgJIPW32YxlOob0TG1y8=
+github.com/bodgit/gssapi v0.0.3/go.mod h1:DXyzvSyncJX6mT8WYYWYGzO/SrT+ijMi1ebfQHsWMNo=
+github.com/bodgit/tsig v1.3.1 h1:wvyR60AWCH0wdJiloB9dPfg8M3NV42HGW8dce3Z0GDE=
+github.com/bodgit/tsig v1.3.1/go.mod h1:Ez+xu0W5Ew/D28XqthucLOX8k9A0UGVPETvagYxbIHU=
 github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=
@@ -938,12 +914,10 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
-github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/dnsimple/dnsimple-go/v4 v4.0.0 h1:nUCICZSyZDiiqimAAL+E8XL+0sKGks5VRki5S8XotRo=
-github.com/dnsimple/dnsimple-go/v4 v4.0.0/go.mod h1:AXT2yfAFOntJx6iMeo1J/zKBw0ggXFYBt4e97dqqPnc=
+github.com/dnsimple/dnsimple-go/v9 v9.1.0 h1:y9ZacZk+fv3cUWDPVh8mdgvwin9DwQl8aQFBHWytC9E=
+github.com/dnsimple/dnsimple-go/v9 v9.1.0/go.mod h1:OcXRl+Ozh0ukD9Et8/IbfZv1ny4CpiUrHYk//yXR2q0=
 github.com/docker/cli v29.4.0+incompatible h1:+IjXULMetlvWJiuSI0Nbor36lcJ5BTcVpUmB21KBoVM=
 github.com/docker/cli v29.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
@@ -963,7 +937,6 @@ github.com/eknkc/amber v0.0.0-20171010120322-cdade1c07385 h1:clC1lXBpe2kTj2VHdaI
 github.com/eknkc/amber v0.0.0-20171010120322-cdade1c07385/go.mod h1:0vRUJqYpeSZifjYj7uP3BG/gKcuzL9xWVV/Y+cK33KM=
 github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=
 github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/enceve/crypto v0.0.0-20160707101852-34d48bb93815/go.mod h1:wYFFK4LYXbX7j+76mOq7aiC/EAw2S22CrzPHqgsisPw=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -1025,14 +998,14 @@ github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwv
 github.com/gin-gonic/gin v1.7.4/go.mod h1:jD2toBW3GZUr5UMcdrwQA10I7RuaFOl/SGeDjXkfUtY=
 github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg=
 github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=
-github.com/go-acme/alidns-20150109/v4 v4.7.0 h1:PqJ/wR0JTpL4v0Owu1uM7bPQ1Yww0eQLAuuSdLjjQaQ=
-github.com/go-acme/alidns-20150109/v4 v4.7.0/go.mod h1:btQvB6xZoN6ykKB74cPhiR+uvhrEE2AFVXm6RDmCHm0=
-github.com/go-acme/esa-20240910/v2 v2.48.0 h1:muSDyhjDTejxUGe3FTthCPCqRaEdYY9cG3N/AmU52Lc=
-github.com/go-acme/esa-20240910/v2 v2.48.0/go.mod h1:shPb6hzc1rJL15IJBY8HQ4GZk4E8RC52+52twutEwIg=
+github.com/go-acme/alidns-20150109/v5 v5.4.1 h1:Bp+EDtIGxBVKnIq1hPECBFf6eueTiESYqsHkY+T+CIQ=
+github.com/go-acme/alidns-20150109/v5 v5.4.1/go.mod h1:L+SrZRmoQFx2UzOqng3z3+LA/gNgFCaLXrwr/ndyW6g=
+github.com/go-acme/esa-20240910/v3 v3.2.2 h1:dZ+HKddDMUcPr46gkFYdn5FbtJwIic59+MEaCaH/cxM=
+github.com/go-acme/esa-20240910/v3 v3.2.2/go.mod h1:qn4WK9pNgXoS5ypmiZfCWSYdOtWcte9GDuhDjKP752A=
 github.com/go-acme/jdcloud-sdk-go v1.64.0 h1:AW9j5khk8tRYbpBJPxKmqdwIqgLs2Fz3HUK3hn2YXjs=
 github.com/go-acme/jdcloud-sdk-go v1.64.0/go.mod h1:qc/m8HNX1Zgd7GAv2DSEinup8fwy3Ted3/VVx7LB5bU=
-github.com/go-acme/lego/v4 v4.35.2 h1:uVQg+KC/yj9R2g7Q9W5wDqhvQvxV5SMu5eqFVoN5xZU=
-github.com/go-acme/lego/v4 v4.35.2/go.mod h1:pX2jN5n8OphMGY1IaMjYm5DAEzguBaKRt8AvJAgJXpc=
+github.com/go-acme/lego/v5 v5.2.2 h1:KqFas/Ak2QDdU+Qm7MO9OEnS35zC000kPmM+5tLdZKk=
+github.com/go-acme/lego/v5 v5.2.2/go.mod h1:H/hb7OJKmpVGa8zypgZh0ys5P4VUu++ZNgAEcOwq+OI=
 github.com/go-acme/tencentclouddnspod v1.3.24 h1:uCSiOW1EJttcnOON+MVVyVDJguFL/Q4NIGkq1CrT9p8=
 github.com/go-acme/tencentclouddnspod v1.3.24/go.mod h1:RKcB2wSoZncjBA0OEFj59s1ko1XDy+ZsAtk+9uMxUF0=
 github.com/go-acme/tencentedgdeone v1.3.38 h1:5YsVl0H4A+cwtiUqR1eZbKFdr4OWfYp2KYJopifzKyQ=
@@ -1068,7 +1041,6 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG
 github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA=
 github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -1104,8 +1076,8 @@ github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91
 github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
 github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4=
 github.com/go-playground/validator/v10 v10.9.0/go.mod h1:74x4gJWsvQexRdW8Pn3dXSGrTK4nAUsbPlLADvpJkos=
-github.com/go-playground/validator/v10 v10.23.0 h1:/PwmTwZhS0dPkav3cdK9kV1FsAmrL8sThn8IHr/sO+o=
-github.com/go-playground/validator/v10 v10.23.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
+github.com/go-playground/validator/v10 v10.30.2 h1:JiFIMtSSHb2/XBUbWM4i/MpeQm9ZK2xqPNk8vgvu5JQ=
+github.com/go-playground/validator/v10 v10.30.2/go.mod h1:mAf2pIOVXjTEBrwUMGKkCWKKPs9NheYGabeB04txQSc=
 github.com/go-resty/resty/v2 v2.17.2 h1:FQW5oHYcIlkCNrMD2lloGScxcHJ0gkjshV3qcQAyHQk=
 github.com/go-resty/resty/v2 v2.17.2/go.mod h1:kCKZ3wWmwJaNc7S29BRtUhJwy7iqmn+2mLtQrOyQlVA=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -1144,8 +1116,6 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
@@ -1264,8 +1234,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY
 github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
 github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
 github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
-github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8=
-github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
+github.com/googleapis/enterprise-certificate-proxy v0.3.15 h1:xolVQTEXusUcAA5UgtyRLjelpFFHWlPQ4XfWGc7MBas=
+github.com/googleapis/enterprise-certificate-proxy v0.3.15/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
@@ -1278,8 +1248,8 @@ github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMd
 github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
 github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
 github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
-github.com/googleapis/gax-go/v2 v2.21.0 h1:h45NjjzEO3faG9Lg/cFrBh2PgegVVgzqKzuZl/wMbiI=
-github.com/googleapis/gax-go/v2 v2.21.0/go.mod h1:But/NJU6TnZsrLai/xBAQLLz+Hc7fHZJt/hsCz3Fih4=
+github.com/googleapis/gax-go/v2 v2.22.0 h1:PjIWBpgGIVKGoCXuiCoP64altEJCj3/Ei+kSU5vlZD4=
+github.com/googleapis/gax-go/v2 v2.22.0/go.mod h1:irWBbALSr0Sk3qlqb9SyJ1h68WjgeFuiOzI4Rqw5+aY=
 github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/gophercloud/gophercloud v1.3.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
@@ -1296,6 +1266,7 @@ github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7Fsg
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
 github.com/gravitational/trace v1.5.1 h1:CdSymAjkE1VOef+lsC5x29jX9WbgI0fBtnRqeT4Fh+c=
@@ -1384,20 +1355,24 @@ github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/J
 github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk=
 github.com/hashicorp/serf v0.10.1 h1:Z1H2J60yRKvfDYAOZLd2MU0ND4AH/WDz7xYHDWQsIPY=
 github.com/hashicorp/serf v0.10.1/go.mod h1:yL2t6BqATOLGc5HF7qbFkTfXoPIY0WZdWHfEvMqbG+4=
+github.com/hashicorp/terraform-plugin-framework v1.19.0 h1:q0bwyhxAOR3vfdgbk9iplv3MlTv/dhBHTXjQOtQDoBA=
+github.com/hashicorp/terraform-plugin-framework v1.19.0/go.mod h1:YRXOBu0jvs7xp4AThBbX4mAzYaMJ1JgtFH//oGKxwLc=
+github.com/hashicorp/terraform-plugin-go v0.31.0 h1:0Fz2r9DQ+kNNl6bx8HRxFd1TfMKUvnrOtvJPmp3Z0q8=
+github.com/hashicorp/terraform-plugin-go v0.31.0/go.mod h1:A88bDhd/cW7FnwqxQRz3slT+QY6yzbHKc6AOTtmdeS8=
+github.com/hashicorp/terraform-plugin-log v0.10.0 h1:eu2kW6/QBVdN4P3Ju2WiB2W3ObjkAsyfBsL3Wh1fj3g=
+github.com/hashicorp/terraform-plugin-log v0.10.0/go.mod h1:/9RR5Cv2aAbrqcTSdNmY1NRHP4E3ekrXRGjqORpXyB0=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/http-wasm/http-wasm-host-go v0.7.0 h1:+1KrRyOO6tWiDB24QrtSYyDmzFLBBs3jioKaUT0mq1c=
 github.com/http-wasm/http-wasm-host-go v0.7.0/go.mod h1:adXKcLmL7yuavH/e0kBAp7b3TgAHTo/enCduyN5bXGM=
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.192 h1:xgKdmcALGqLGBrBG8stMli0k+irufCeNPenn76Y4U9o=
-github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.192/go.mod h1:M+yna96Fx9o5GbIUnF3OvVvQGjgfVSyeJbV9Yb1z/wI=
+github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.198 h1:/Qcq965fQ5AjM0lg8ndczox8jqAqp+5J8r4KFrfpb3Y=
+github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.198/go.mod h1:M+yna96Fx9o5GbIUnF3OvVvQGjgfVSyeJbV9Yb1z/wI=
 github.com/hudl/fargo v1.4.0/go.mod h1:9Ai6uvFy5fQNq6VPKtg+Ceq1+eTY4nKUlR2JElEOcDo=
 github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df h1:MZf03xP9WdakyXhOWuAD5uPK3wHh96wCsqe3hCMKh8E=
-github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df/go.mod h1:QMZY7/J/KSQEhKWFeDesPjMj+wCHReeknARU3wqlyN4=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
@@ -1424,14 +1399,10 @@ github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nD
 github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
 github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
 github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc=
-github.com/jcmturner/gokrb5/v8 v8.4.3/go.mod h1:dqRwJGXznQrzw6cWmyo6kH+E7jksEQG/CyVWsJEsJO0=
 github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/jinzhu/copier v0.3.5/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
-github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
-github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
@@ -1520,8 +1491,8 @@ github.com/lestrrat-go/httpcc v1.0.0/go.mod h1:tGS/u00Vh5N6FHNkExqGGNId8e0Big+++
 github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc=
 github.com/lestrrat-go/jwx v1.2.7/go.mod h1:bw24IXWbavc0R2RsOtpXL7RtMyP589yZ1+L7kd09ZGA=
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
-github.com/linode/linodego v1.68.0 h1:lAsXuHm/cwQT3KCbVpMGtRiH8IpQl4hUuBOXpqkuNwo=
-github.com/linode/linodego v1.68.0/go.mod h1:X7nmTNq1GmZT4bG6w9aiuVrOnhVxYaywrzxM+buC/qU=
+github.com/linode/linodego v1.69.1 h1:f45N2MHR/oece2/ktTTCYmrlfse4//k3NgwcF5zbGZ0=
+github.com/linode/linodego v1.69.1/go.mod h1:Fha0NYsQSx5VZK1HQNJY/z/dIxxkFp+vb5veawbmAUw=
 github.com/liquidweb/go-lwApi v0.0.0-20190605172801-52a4864d2738/go.mod h1:0sYF9rMXb0vlG+4SzdiGMXHheCZxjguMq+Zb4S2BfBs=
 github.com/liquidweb/go-lwApi v0.0.5/go.mod h1:0sYF9rMXb0vlG+4SzdiGMXHheCZxjguMq+Zb4S2BfBs=
 github.com/liquidweb/liquidweb-cli v0.6.9/go.mod h1:cE1uvQ+x24NGUL75D0QagOFCG8Wdvmwu8aL9TLmA/eQ=
@@ -1571,8 +1542,8 @@ github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Ky
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLGs=
-github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
+github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
+github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
@@ -1585,7 +1556,6 @@ github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKju
 github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
 github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
 github.com/miekg/dns v1.1.47/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
-github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
 github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/mimuret/golang-iij-dpf v0.9.1 h1:Gj6EhHJkOhr+q2RnvRPJsPMcjuVnWPSccEHyoEehU34=
@@ -1675,8 +1645,6 @@ github.com/nrdcg/bunny-go v0.1.0 h1:GAHTRpHaG/TxfLZlqoJ8OJFzw8rI74+jOTkzxWh0uHA=
 github.com/nrdcg/bunny-go v0.1.0/go.mod h1:u+C9dgsspgtWVaAz6QkyV17s9fxD8viwwKoxb9XMz1A=
 github.com/nrdcg/desec v0.11.1 h1:ilpKmCr4gGsLcyq3RHfHNmlRzm9fzT2XbWxoVaUCS0s=
 github.com/nrdcg/desec v0.11.1/go.mod h1:2LuxHlOcwML/7cntu0eimONmA1U+ZxFDAonoSXr4igQ=
-github.com/nrdcg/dnspod-go v0.4.0 h1:c/jn1mLZNKF3/osJ6mz3QPxTudvPArXTjpkmYj0uK6U=
-github.com/nrdcg/dnspod-go v0.4.0/go.mod h1:vZSoFSFeQVm2gWLMkyX61LZ8HI3BaqtHZWgPTGKr6KQ=
 github.com/nrdcg/freemyip v0.3.0 h1:0D2rXgvLwe2RRaVIjyUcQ4S26+cIS2iFwnhzDsEuuwc=
 github.com/nrdcg/freemyip v0.3.0/go.mod h1:c1PscDvA0ukBF0dwelU/IwOakNKnVxetpAQ863RMJoM=
 github.com/nrdcg/goacmedns v0.2.0 h1:ADMbThobzEMnr6kg2ohs4KGa3LFqmgiBA22/6jUWJR0=
@@ -1689,10 +1657,10 @@ github.com/nrdcg/namesilo v0.5.0 h1:6QNxT/XxE+f5B+7QlfWorthNzOzcGlBLRQxqi6YeBrE=
 github.com/nrdcg/namesilo v0.5.0/go.mod h1:4UkwlwQfDt74kSGmhLaDylnBrD94IfflnpoEaj6T2qw=
 github.com/nrdcg/nodion v0.1.0 h1:zLKaqTn2X0aDuBHHfyA1zFgeZfiCpmu/O9DM73okavw=
 github.com/nrdcg/nodion v0.1.0/go.mod h1:inbuh3neCtIWlMPZHtEpe43TmRXxHV6+hk97iCZicms=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.113.0 h1:OLlJVGHkTHBCXdTGpNn5ay4DV3gOZrVLxlUM6xBQrIM=
-github.com/nrdcg/oci-go-sdk/common/v1065 v1065.113.0/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.113.0 h1:bveOZN6gZZjjEM1T9o1TUm8de3zePyDbfuluMpaRJCE=
-github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.113.0/go.mod h1:Ff6Cxm43tuGJHyltQwD3EXLs7kKpkxzqy6DGQcaiS/0=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.116.0 h1:xyeyImO+D1FmWYI4BMcf6VTQsMPZb6urYLWw3tMk6R4=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.116.0/go.mod h1:8bOmK+tqjALlm0WH4PEp7kFflnnZaZQdIrhCWwV0mM8=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.116.0 h1:j15rh7oUMvrqSwFVAavKC1haG+vP+IMH7SyFqVKFT+I=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.116.0/go.mod h1:GMmUxJhLHleboAp7caAU3tDJ8yHs8dBpNmsp1CEtXsc=
 github.com/nrdcg/porkbun v0.4.0 h1:rWweKlwo1PToQ3H+tEO9gPRW0wzzgmI/Ob3n2Guticw=
 github.com/nrdcg/porkbun v0.4.0/go.mod h1:/QMskrHEIM0IhC/wY7iTCUgINsxdT2WcOphktJ9+Q54=
 github.com/nrdcg/vegadns v0.3.0 h1:11FQMw7xVIRUWO9o5+Z/5YZhmPWlm4oxUUH3F6EVqQU=
@@ -1840,9 +1808,9 @@ github.com/rs/cors v1.7.0 h1:+88SsELBHx5r+hZ8TCkggzSstaWNbDvThkVK8H6f9ik=
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/rs/dnscache v0.0.0-20230804202142-fc85eb664529 h1:18kd+8ZUlt/ARXhljq+14TwAoKa61q6dX8jtwOf6DH8=
 github.com/rs/dnscache v0.0.0-20230804202142-fc85eb664529/go.mod h1:qe5TWALJ8/a1Lqznoc5BDHpYX/8HU60Hm2AwRmqzxqA=
-github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
-github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
+github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
@@ -1853,15 +1821,23 @@ github.com/sacloud/api-client-go v0.3.5 h1:0ALibvbC+6MBhN7t61k+RhguhiEQ8+NejqBjq
 github.com/sacloud/api-client-go v0.3.5/go.mod h1:akdcCOl6wszywa0YQ5X8cMnNgWTm+7N4EneODTdiH48=
 github.com/sacloud/go-http v0.1.9 h1:Xa5PY8/pb7XWhwG9nAeXSrYXPbtfBWqawgzxD5co3VE=
 github.com/sacloud/go-http v0.1.9/go.mod h1:DpDG+MSyxYaBwPJ7l3aKLMzwYdTVtC5Bo63HActcgoE=
-github.com/sacloud/iaas-api-go v1.23.1 h1:rjYG0vVoxWyETiwc7R8YdD7CIzs9vVNEOzu7w6dgGzc=
-github.com/sacloud/iaas-api-go v1.23.1/go.mod h1:EGIHOWRB9azOv7HPCVM8WpOEl28WIV9TNRbnEVg+Q3U=
-github.com/sacloud/packages-go v0.0.12 h1:MKeZNN3FQn1heqUSRBrbZw89YusZA1n4kammjMFZYvQ=
-github.com/sacloud/packages-go v0.0.12/go.mod h1:XNF5MCTWcHo9NiqWnYctVbASSSZR3ZOmmQORIzcurJ8=
+github.com/sacloud/iaas-api-go v1.29.1 h1:GlcYaFJUt0z12hZmbNEYCRtyZoXjeIGgNN6Ert+jVmY=
+github.com/sacloud/iaas-api-go v1.29.1/go.mod h1:Z2LZiTqA1WiD/qW3NQOS7UzjzTqUBVp0MpmAwtrdtYw=
+github.com/sacloud/packages-go v0.1.0 h1:rixWcvkVUI4kX6UYTFJbQgZIoBoNhN48MivHIu3aYq0=
+github.com/sacloud/packages-go v0.1.0/go.mod h1:ntmPnjF8+mGWNtxgBmO0CrLphUlmRkpy+DztjlECp8M=
+github.com/sacloud/saclient-go v0.4.0 h1:d4CqjKDU0muPVukZ2qGB9Me6ANEcMg73z5tIqXIyGWA=
+github.com/sacloud/saclient-go v0.4.0/go.mod h1:5CqxypkPgUW6qZxBGRdKX3I+mVx/OWbbFrrRm6LBNeE=
 github.com/sagikazarmark/crypt v0.10.0/go.mod h1:gwTNHQVoOS3xp9Xvz5LLR+1AauC5M6880z5NWzdhOyQ=
 github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ=
 github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
 github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
+github.com/samber/lo v1.53.0 h1:t975lj2py4kJPQ6haz1QMgtId2gtmfktACxIXArw3HM=
+github.com/samber/lo v1.53.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/samber/slog-common v0.21.0 h1:Wo2hTly1Br5RjYqX/BTWJJeDnTE85oWk/7vqlpZuAUc=
+github.com/samber/slog-common v0.21.0/go.mod h1:d/6OaSlzdkl9PFpfRLgn8FwY1OW6EFmPtBpsHX4MrU0=
+github.com/samber/slog-zerolog/v2 v2.9.2 h1:DIFzfzDTxHeRyGlfg/D7b2by7VVzcsBTybRPrzjWF4c=
+github.com/samber/slog-zerolog/v2 v2.9.2/go.mod h1:2q6cYK2OcN6YfQE/WyCnUtigc+yYf3ozqGsGmRwZR6I=
 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36 h1:ObX9hZmK+VmijreZO/8x9pQ8/P/ToHD/bdSb4Eg4tUo=
 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36/go.mod h1:LEsDu4BubxK7/cWhtlQWfuxwL4rf/2UEpxXz1o1EMtM=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I=
@@ -1897,8 +1873,8 @@ github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e h1:3OgWYFw7jxCZPc
 github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e/go.mod h1:fKZCUVdirrxrBpwd9wb+lSoVixvpwAu8eHzbQB2tums=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
 github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
-github.com/sony/gobreaker v1.0.0 h1:feX5fGGXSl3dYd4aHZItw+FpHLvvoaqkawKjVNiFMNQ=
-github.com/sony/gobreaker v1.0.0/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
+github.com/sony/gobreaker/v2 v2.4.0 h1:g2KJRW1Ubty3+ZOcSEUN7K+REQJdN6yo6XvaML+jptg=
+github.com/sony/gobreaker/v2 v2.4.0/go.mod h1:pTyFJgcZ3h2tdQVLZZruK2C0eoFL1fb/G83wK1ZQl+s=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
@@ -1908,8 +1884,8 @@ github.com/spf13/afero v1.4.1/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
 github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
-github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
-github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48=
@@ -1971,8 +1947,8 @@ github.com/tailscale/tscert v0.0.0-20230806124524-28a91b69a046 h1:8rUlviSVOEe7TM
 github.com/tailscale/tscert v0.0.0-20230806124524-28a91b69a046/go.mod h1:kNGUQ3VESx3VZwRwA9MSCUegIl6+saPL8Noq82ozCaU=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.3.24/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
 github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.3.38/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.3.83 h1:C8ro7XQVV17O+A7zUTe28VK02NuyazuaY0CB2CH5Scw=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.3.83/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.3.106 h1:YjsxDQwoiB+C0ISjnVk22Wbks02Ir+7Z5wmujcz69Vg=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.3.106/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
 github.com/testcontainers/testcontainers-go v0.42.0 h1:He3IhTzTZOygSXLJPMX7n44XtK+qhjat1nI9cneBbUY=
 github.com/testcontainers/testcontainers-go v0.42.0/go.mod h1:vZjdY1YmUA1qEForxOIOazfsrdyORJAbhi0bp8plN30=
 github.com/testcontainers/testcontainers-go/modules/k3s v0.42.0 h1:bTVmcnYaSHesN6HXXxV/k0+BMkyfo3VBy4w4yRqOIgE=
@@ -2000,13 +1976,13 @@ github.com/traefik/paerser v0.2.2 h1:cpzW/ZrQrBh3mdwD/jnp6aXASiUFKOVr6ldP+keJTcQ
 github.com/traefik/paerser v0.2.2/go.mod h1:7BBDd4FANoVgaTZG+yh26jI6CA2nds7D/4VTEdIsh24=
 github.com/traefik/yaegi v0.16.1 h1:f1De3DVJqIDKmnasUF6MwmWv1dSEEat0wcpXhD2On3E=
 github.com/traefik/yaegi v0.16.1/go.mod h1:4eVhbPb3LnD2VigQjhYbEJ69vDRFdT2HQNrXx8eEwUY=
-github.com/transip/gotransip/v6 v6.26.2 h1:pnbDXrkFevOngpi6ertLw6e57lOW+Rk3djJ9AewmJ94=
-github.com/transip/gotransip/v6 v6.26.2/go.mod h1:x0/RWGRK/zob817O3tfO2xhFoP1vu8YOHORx6Jpk80s=
+github.com/transip/gotransip/v6 v6.27.1 h1:J8DfGAxnFZxNYdIRj59D6uFm0FPOkx9tF1aCkGgXeR8=
+github.com/transip/gotransip/v6 v6.27.1/go.mod h1:x0/RWGRK/zob817O3tfO2xhFoP1vu8YOHORx6Jpk80s=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/ucloud/ucloud-sdk-go v0.22.63 h1:lcRazDZwOrK7pdWuqcREVhLWNTR+biiBoRdyXgxSfOI=
-github.com/ucloud/ucloud-sdk-go v0.22.63/go.mod h1:dyLmFHmUfgb4RZKYQP9IArlvQ2pxzFthfhwxRzOEPIw=
+github.com/ucloud/ucloud-sdk-go v0.22.74 h1:RhJWIQANkEv+goWsXFs8fmgAIqIXiHkezdr2Sb1tNTM=
+github.com/ucloud/ucloud-sdk-go v0.22.74/go.mod h1:dyLmFHmUfgb4RZKYQP9IArlvQ2pxzFthfhwxRzOEPIw=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go v1.2.6 h1:tGiWC9HENWE2tqYycIqFTNorMmFRVhNwCpDOpWqnk8E=
 github.com/ugorji/go v1.2.6/go.mod h1:anCg0y61KIhDlPZmnH+so+RQbysYVyDko0IMgJv0Nn0=
@@ -2014,8 +1990,8 @@ github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLY
 github.com/ugorji/go/codec v1.2.6/go.mod h1:V6TCNZ4PHqoHGFZuSG1W8nrCzzdgA2DozYxWFFpvxTw=
 github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4dU=
 github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
-github.com/ultradns/ultradns-go-sdk v1.8.1-20250722213956-faef419 h1:/VaznPrb/b68e3iMvkr27fU7JqPKU4j7tIITZnjQX1k=
-github.com/ultradns/ultradns-go-sdk v1.8.1-20250722213956-faef419/go.mod h1:QN0/PdenvYWB0GRMz6JJbPeZz2Lph2iys1p8AFVHm2c=
+github.com/ultradns/ultradns-go-sdk v1.8.2-20260507133303-3f324c7 h1:Mkvb+FtIIV92zHL2HMn9JuA9u08ukeEG5JbJmWwxAUs=
+github.com/ultradns/ultradns-go-sdk v1.8.2-20260507133303-3f324c7/go.mod h1:QN0/PdenvYWB0GRMz6JJbPeZz2Lph2iys1p8AFVHm2c=
 github.com/unrolled/render v1.0.2 h1:dGS3EmChQP3yOi1YeFNO/Dx+MbWZhdvhQJTXochM5bs=
 github.com/unrolled/render v1.0.2/go.mod h1:gN9T0NhL4Bfbwu8ann7Ry/TGHYfosul+J0obPf6NBdM=
 github.com/unrolled/secure v1.0.9 h1:BWRuEb1vDrBFFDdbCnKkof3gZ35I/bnHGyt0LB0TNyQ=
@@ -2029,16 +2005,20 @@ github.com/valyala/fasthttp v1.69.0 h1:fNLLESD2SooWeh2cidsuFtOcrEi4uB4m1mPrkJMZy
 github.com/valyala/fasthttp v1.69.0/go.mod h1:4wA4PfAraPlAsJ5jMSqCE2ug5tqUPwKXxVj8oNECGcw=
 github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
 github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
-github.com/vinyldns/go-vinyldns v0.9.17 h1:hfPZfCaxcRBX6Gsgl42rLCeoal58/BH8kkvJShzjjdI=
-github.com/vinyldns/go-vinyldns v0.9.17/go.mod h1:pwWhE9K/leGDOIduVhRGvQ3ecVMHWRfEnKYUTEU3gB4=
-github.com/volcengine/volc-sdk-golang v1.0.242 h1:YEnYLl8mn83JCdO/X5GRDvxfxGvpUqk5j0Mj4VhwM6Y=
-github.com/volcengine/volc-sdk-golang v1.0.242/go.mod h1:zHJlaqiMbIB+0mcrsZPTwOb3FB7S/0MCfqlnO8R7hlM=
+github.com/vinyldns/go-vinyldns v0.9.18 h1:U3Nl1NEeqhbaQ4W1+V6Qm6iSmAEfEHaOgN/zSV4DtNY=
+github.com/vinyldns/go-vinyldns v0.9.18/go.mod h1:pwWhE9K/leGDOIduVhRGvQ3ecVMHWRfEnKYUTEU3gB4=
+github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
+github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
+github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
+github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
+github.com/volcengine/volc-sdk-golang v1.0.249 h1:BNFGca7CI2t9DktB+FlXBg7GZFezS3NnKAPLmRirLlw=
+github.com/volcengine/volc-sdk-golang v1.0.249/go.mod h1:zHJlaqiMbIB+0mcrsZPTwOb3FB7S/0MCfqlnO8R7hlM=
 github.com/vulcand/oxy/v2 v2.1.0 h1:JnFb/qz+o96E6NEl4X6WSmNmcrlccPmCIyhAZLBVLWM=
 github.com/vulcand/oxy/v2 v2.1.0/go.mod h1:9kY0wYBlMqrgXCZTNYCwE89NYwGGdM3sSD+w59CKMhw=
 github.com/vulcand/predicate v1.3.0 h1:jtNe4PHbLJ649dR7Gl+MSAzUhLGtLspAkWlSjoOiXg8=
 github.com/vulcand/predicate v1.3.0/go.mod h1:opzv9MetRuMNnuoPeTSWtwzjcXsxQC00/fuWzkPTn4s=
-github.com/vultr/govultr/v3 v3.31.0 h1:xSRqIQEnB3tjgpIOADWQOhOedDsqZj9qawW+mAoq7/8=
-github.com/vultr/govultr/v3 v3.31.0/go.mod h1:2zyUw9yADQaGwKnwDesmIOlBNLrm7edsCfWHFJpWKf8=
+github.com/vultr/govultr/v3 v3.31.2 h1:2l3/KDvfemG+4azw4LLquJoh9mFOAVEdBXtPPzix3ac=
+github.com/vultr/govultr/v3 v3.31.2/go.mod h1:2zyUw9yADQaGwKnwDesmIOlBNLrm7edsCfWHFJpWKf8=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
@@ -2049,12 +2029,12 @@ github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gi
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
-github.com/yandex-cloud/go-genproto v0.73.0 h1:skB6cTUqgjFULeNWVfwVG9XjnxfgevEIn9PAa7aT5bQ=
-github.com/yandex-cloud/go-genproto v0.73.0/go.mod h1:0LDD/IZLIUIV4iPH+YcF+jysO3jkSvADFGm4dCAuwQo=
-github.com/yandex-cloud/go-sdk/services/dns v0.0.54 h1:I6Y/cTuGgXtfXarHLuHFcIQ4OQcZ0d0tB9jARBEeCjs=
-github.com/yandex-cloud/go-sdk/services/dns v0.0.54/go.mod h1:BWW+s95kl4rAlMIbD+7q86VlaqsWVdTD45J1NIS+dw0=
-github.com/yandex-cloud/go-sdk/v2 v2.92.0 h1:QCCVU/hMIDu6fHc52nVlgM8PBymngMhCnvuxhVo0VQY=
-github.com/yandex-cloud/go-sdk/v2 v2.92.0/go.mod h1:ZbJGsuUl4VKSaxxQ8KWNKZ2QaU8zfmDGbLhquYf/Ugc=
+github.com/yandex-cloud/go-genproto v0.84.0 h1:lzptMyo1wleGBGNkkEb8bzpgbnW3xPlha0f94g4prBE=
+github.com/yandex-cloud/go-genproto v0.84.0/go.mod h1:0LDD/IZLIUIV4iPH+YcF+jysO3jkSvADFGm4dCAuwQo=
+github.com/yandex-cloud/go-sdk/services/dns v0.0.65 h1:7jhZMHsK1GThGzAKC7Mjq8wu/Xbr/TbhRUoNFzot4K4=
+github.com/yandex-cloud/go-sdk/services/dns v0.0.65/go.mod h1:Qm5HbUbmFI2Y8eDv8tcwr7OHgNumHuN/RtK3icd3bYU=
+github.com/yandex-cloud/go-sdk/v2 v2.114.0 h1:gx03giWYrzMhgpFK4NJNuOnASSgdCuv4nkLUFejnCSs=
+github.com/yandex-cloud/go-sdk/v2 v2.114.0/go.mod h1:XrF79/a3olVf0YUUCMYePI8Ik0m4KDcQlTooHGGZJB0=
 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
@@ -2236,7 +2216,6 @@ golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0
 golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
@@ -2306,8 +2285,8 @@ golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -2373,7 +2352,6 @@ golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220725212005-46097bf591d3/go.mod h1:AaygXjzTFtRAg2ttMY5RMuhpJ3cNnI0XpyFJD1iQRSM=
 golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
@@ -2569,7 +2547,6 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
@@ -2592,7 +2569,6 @@ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
@@ -2789,8 +2765,8 @@ google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60c
 google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0=
 google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg=
 google.golang.org/api v0.122.0/go.mod h1:gcitW0lvnyWjSp9nKxAbdHKIZ6vF4aajGueeslZOyms=
-google.golang.org/api v0.276.0 h1:nVArUtfLEihtW+b0DdcqRGK1xoEm2+ltAihyztq7MKY=
-google.golang.org/api v0.276.0/go.mod h1:Fnag/EWUPIcJXuIkP1pjoTgS5vdxlk3eeemL7Do6bvw=
+google.golang.org/api v0.280.0 h1:F4OfEHZhZh6a7uTufJAXXVd/2TQ8EjM4vZH+jX/vFYk=
+google.golang.org/api v0.280.0/go.mod h1:oGKmPZRDoD3vdkf6MA7F4VNkR1rxCiuaPSkhsf3EolU=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -2935,8 +2911,8 @@ google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 h1:XzmzkmB14QhVhgn
 google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I=
 google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=
 google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60 h1:seT2EwLWM78plQ7wcDfuWBc/4FAEAXDDiaSol4ku4qo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -2979,8 +2955,8 @@ google.golang.org/grpc v1.52.0/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5v
 google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
 google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
 google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8=
-google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
-google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
+google.golang.org/grpc v1.81.1 h1:VnnIIZ88UzOOKLukQi+ImGz8O1Wdp8nAGGnvOfEIWQQ=
+google.golang.org/grpc v1.81.1/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -3019,8 +2995,8 @@ gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.67.1 h1:tVBILHy0R6e4wkYOn3XmiITt/hEVH4TFMYvAX2Ytz6k=
-gopkg.in/ini.v1 v1.67.1/go.mod h1:x/cyOwCgZqOkJoDIJ3c1KNHMo10+nLGAhh+kn3Zizss=
+gopkg.in/ini.v1 v1.67.2 h1:JtOSMb9OuaCZKr7h5D/h6iii14sK0hLbplTc6frx4Ss=
+gopkg.in/ini.v1 v1.67.2/go.mod h1:x/cyOwCgZqOkJoDIJ3c1KNHMo10+nLGAhh+kn3Zizss=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
@@ -3129,3 +3105,5 @@ sigs.k8s.io/structured-merge-diff/v6 v6.3.1/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099Yo
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
+software.sslmate.com/src/go-pkcs12 v0.7.1 h1:bxkUPRsvTPNRBZa4M/aSX4PyMOEbq3V8I6hbkG4F4Q8=
+software.sslmate.com/src/go-pkcs12 v0.7.1/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Sheddy	2c827c979f	Fix inaccuracies in reference documentation	2026-06-19 11:34:05 +02:00
Harold Ozouf	848ece098e	Create the redis rate limiter script lazily	2026-06-18 17:12:06 +02:00
SEONGHYUN HONG	4cedb8e27d	Fix broken CRD reference links in IngressRoute page	2026-06-18 14:36:07 +02:00
mihuross	57e5db2b2d	Fix Host header not being modified by RequestHeaderModifier	2026-06-18 12:10:05 +02:00
romain	263684b85f	Merge branch v2.11 into v3.6	2026-06-18 10:46:51 +02:00
Michel Loiseleur	cd4b97a2f8	Clarify entryPoint middleware reference format	2026-06-18 09:36:07 +02:00
Nicolas Mengin	5f8f0e9a29	Add Kubernetes Ingress NGINX to the providers list	2026-06-18 09:26:10 +02:00
Michel Loiseleur	d709a9c210	Align Helm chart documented values with chart v41	2026-06-17 17:40:13 +02:00
Romain	3d7a770c22	Fix nondeterministic TLS certificate selection on shared SAN	2026-06-17 17:30:08 +02:00
Julien Salleyron	21a6476477	adds documentations on maxHeaderBytes	2026-06-16 14:28:06 +02:00
stffabi	9f7bd55ddf	Fix connection upgrades when backend server is using h2c scheme	2026-06-16 09:32:07 +02:00
Jenthe Noordsij	3e0dc4928e	Update Dockerfiles to Alpine 3.24	2026-06-16 09:16:07 +02:00
Gina A.	6336f6e9a8	Fix request scheme derivation when Gateway API RequestRedirect omits scheme	2026-06-15 18:24:12 +02:00
Julien Salleyron	d270272f51	Configurable max request header size	2026-06-15 15:22:07 +02:00
Arpit Jain	bf20c4f7f3	ci: declare workflow-level `contents: read` on the 9 build/test workflows	2026-06-15 15:12:07 +02:00
Julien Salleyron	c84f3ffd13	Bump github.com/go-acme/lego/v5	2026-06-15 11:22:08 +02:00
Ludovic Fernandez	4ccedcb639	chore: bump github.com/go-acme/lego/v5	2026-06-15 09:58:06 +02:00
Anatole Lucet	4a20cfb838	Add missing Gateway API features in conformance tests	2026-06-12 16:14:07 +02:00
Julien Salleyron	7ae92d8c2c	fix x-forwarded-port in forward-auth	2026-06-11 16:48:06 +02:00