Add regression test coverage ensuring request trailers are not forwarded to the backend

Improve CI speed
Add an option to remove request headers with underscores
2026-06-28 04:18:52 +00:00 · 2026-06-25 10:28:05 +02:00 · 2026-06-24 10:34:05 +02:00 · 2026-06-19 16:48:05 +02:00 · 2026-06-19 14:16:05 +02:00 · 2026-06-19 10:34:05 +02:00
1644 changed files with 74782 additions and 135394 deletions
@@ -1,3 +0,0 @@
-# These are supported funding model platforms
-
-github: traefik
@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
 - for Traefik v2: use branch v2.11
- for Traefik v3: use branch v3.3
+- for Traefik v3: use branch v3.0

 Bug fixes:
 - for Traefik v2: use branch v2.11
- for Traefik v3: use branch v3.3
+- for Traefik v3: use branch v3.0

 Enhancements:
 - for Traefik v2: we only accept bug fixes
@@ -10,7 +10,6 @@ on:
      - 'script/gcg/**'

 env:
-  GO_VERSION: '1.23'
  CGO_ENABLED: 0

 jobs:
@@ -51,20 +50,37 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        env:
          ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: '.go-version'
          check-latest: true
+          cache: false
+
+      - name: Restore go modules cache
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-mod-
+
+      - name: Per-arch go build cache
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm || 'na' }}-${{ hashFiles('**/go.mod', '**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm || 'na' }}-

      - name: Artifact webui
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: webui.tar.gz

@@ -0,0 +1,61 @@
+name: Check Documentation
+
+on:
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - '.github/workflows/check_doc.yaml'
+      - 'docs/**'
+
+jobs:
+
+  docs:
+    name: lint, build and verify
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Install markdownlint
+        run: |
+          npm install --global markdownlint@0.29.0 markdownlint-cli@0.35.0
+
+      - name: Lint
+        run: ./docs/scripts/lint.sh docs
+
+      - name: Setup python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+          cache-dependency-path: "./docs/requirements.txt"
+
+      - name: Build documentation
+        working-directory: ./docs
+        run: |
+          pip install -r requirements.txt
+          mkdocs build --strict
+
+      - name: Setup ruby
+        uses: ruby/setup-ruby@90be1154f987f4dc0fe0dd0feedac9e473aa4ba8 # v1.286.0
+        with:
+          ruby-version: '3.4'
+
+      - name: Install html-proofer
+        run: |
+          gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
+          gem install html-proofer --version 5.0.10 --no-document -- --use-system-libraries
+        env:
+          NOKOGIRI_USE_SYSTEM_LIBRARIES: "true"
+
+      # Comes from https://github.com/gjtorikian/html-proofer?tab=readme-ov-file#caching-with-continuous-integration
+      - name: Cache HTMLProofer
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: tmp/.htmlproofer
+          key: ${{ runner.os }}-htmlproofer
+
+      - name: Verify
+        run: ./docs/scripts/verify.sh docs/site
@@ -1,25 +0,0 @@
-name: Check Documentation
-
-on:
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-
-  docs:
-    name: Check, verify and build documentation
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Check documentation
-        run: make docs-pull-images docs
-        env:
-          # These variables are not passed to workflows that are triggered by a pull request from a fork.
-          DOCS_VERIFY_SKIP: ${{ vars.DOCS_VERIFY_SKIP }}
-          DOCS_LINT_SKIP: ${{ vars.DOCS_LINT_SKIP }}
@@ -0,0 +1,37 @@
+name: Close Organization Fork PR
+
+on:
+  pull_request_target:
+    types: [opened]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  close:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.head.repo.fork == true && github.event.pull_request.head.repo.owner.type == 'Organization' }}
+    steps:
+      - name: Close PR from organization fork
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+        run: |
+          gh pr comment "${{ github.event.pull_request.number }}" --body "## Pull Request Closed
+
+          Thank you for your contribution to Traefik!
+
+          Unfortunately, we are unable to accept pull requests originating from an organization fork. \
+          We rely on an automated bot to handle rebases and merges, and this workflow is not supported \
+          for pull requests coming from organization forks due to GitHub's permission model.
+
+          **Please re-open this pull request from a personal fork instead.**
+
+          Steps to do so:
+          1. Fork the repository under your personal GitHub account.
+          2. Push your changes to that personal fork.
+          3. Open a new pull request from your personal fork.
+
+          We apologize for the inconvenience and look forward to your contribution!"
+
+          gh pr close "${{ github.event.pull_request.number }}"
@@ -28,17 +28,19 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

    - name: setup go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
      if: ${{ matrix.language == 'go' }}
      with:
-        go-version-file: 'go.mod'
+        go-version-file: '.go-version'
+        check-latest: true
+        cache: false

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@38e701f46e33fb233075bf4238cb1e5d68e429e4 # v3.31.11
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +54,7 @@ jobs:
    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@38e701f46e33fb233075bf4238cb1e5d68e429e4 # v3.31.11

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -65,6 +67,6 @@ jobs:
    #     ./location_of_script_within_repo/buildscript.sh

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@38e701f46e33fb233075bf4238cb1e5d68e429e4 # v3.31.11
      with:
        category: "/language:${{matrix.language}}"
@@ -1,6 +1,7 @@
 name: Build and Publish Documentation

 on:
+  workflow_dispatch: {}
  push:
    branches:
      - master
@@ -19,12 +20,12 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

      - name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -39,14 +40,14 @@ jobs:
        run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}

      - name: Build documentation
-        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
-        env:
-          STRUCTOR_LATEST_TAG: ${{ vars.STRUCTOR_LATEST_TAG }}
+        run: |
+          STRUCTOR_LATEST_TAG=$(curl -s https://api.github.com/repos/traefik/traefik/releases/latest | jq -r '.tag_name')
+          $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug

      - name: Apply seo
        run: $HOME/bin/seo -path=./site -product=traefik

      - name: Publish documentation
-        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=traefik --src-repo-name=traefik
+        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_REPO }}
@@ -7,7 +7,6 @@ on:
      - v*

 env:
-  GO_VERSION: '1.23'
  CGO_ENABLED: 0

 jobs:
@@ -23,17 +22,34 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        env:
          ImageOS: ${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.goarm }}
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: '.go-version'
          check-latest: true
+          cache: false
+
+      - name: Restore go modules cache
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-mod-
+
+      - name: Restore go build cache
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.mod', '**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-

      - name: Build
        run: make generate binary
@@ -42,19 +58,19 @@ jobs:
        run: echo ${GITHUB_REF##*/}

      - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Artifact webui
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: webui.tar.gz

@@ -6,11 +6,10 @@ on:
      - 'v*.*.*'

 env:
-  GO_VERSION: '1.23'
  CGO_ENABLED: 0
  VERSION: ${{ github.ref_name }}
  TRAEFIKER_EMAIL: "traefiker@traefik.io"
-  CODENAME: saintnectaire
+  CODENAME: mimolette

 jobs:

@@ -24,27 +23,28 @@ jobs:

    strategy:
      matrix:
-        os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin, windows-amd64, windows-arm64, windows-386, freebsd, openbsd ]
+        os: [ linux-amd64, linux-386, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, linux-riscv64, darwin-amd64, darwin-arm64, windows-amd64, windows-arm64, windows-386, freebsd-amd64, freebsd-386, openbsd-amd64, openbsd-386, openbsd-riscv64 ]
    needs:
      - build-webui

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        env:
          # Ensure cache consistency on Linux, see https://github.com/actions/setup-go/pull/383
          ImageOS: ${{ matrix.os }}
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: '.go-version'
          check-latest: true
+          cache: false

      - name: Artifact webui
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: webui.tar.gz

@@ -63,7 +63,7 @@ jobs:
          echo "GORELEASER_CONFIG_FILE_PATH=$GORELEASER_CONFIG_FILE_PATH" >> $GITHUB_ENV

      - name: Build with goreleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          distribution: goreleaser
          # 'latest', 'nightly', or a semver
@@ -71,7 +71,7 @@ jobs:
          args: release --clean --timeout="90m" --config "${{ env.GORELEASER_CONFIG_FILE_PATH }}"

      - name: Artifact binaries
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: ${{ matrix.os }}-binaries
          path: |
@@ -89,12 +89,12 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

      - name: Artifact webui
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: webui.tar.gz

@@ -111,7 +111,7 @@ jobs:
          echo "${TRAEFIKER_RSA}" | base64 --decode > ~/.ssh/traefiker_rsa

      - name: Download All Artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          path: dist/
          pattern: "*-binaries"
@@ -126,13 +126,10 @@ jobs:
          tar cfz "dist/traefik-${VERSION}.src.tar.gz" \
            --exclude-vcs \
            --exclude .idea \
-            --exclude .travis \
-            --exclude .semaphoreci \
            --exclude .github \
            --exclude dist .
-          
-          chown -R "$(id -u)":"$(id -g)" dist/
-          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION}
-          
-          ./script/deploy.sh

+          chown -R "$(id -u)":"$(id -g)" dist/
+          gh release create ${VERSION} ./dist/**/traefik*.{zip,tar.gz} ./dist/traefik*.{tar.gz,txt} --repo traefik/traefik --title ${VERSION} --notes ${VERSION} --latest=false
+
+          ./script/deploy.sh
@@ -1,26 +0,0 @@
-name: Sync Docker Images
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 0 * * *" # Run every day
-
-jobs:
-  sync:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      contents: read
-    if: github.repository == 'traefik/traefik'
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: imjasonh/setup-crane@v0.4
-      
-      - name: Sync
-        run: |
-          EXCLUDED_TAGS="1.7.9-alpine v1.0.0-beta.392 v1.0.0-beta.404 v1.0.0-beta.704 v1.0.0-rc1 v1.7.9-alpine"
-          EXCLUDED_REGEX=$(echo $EXCLUDED_TAGS | sed 's/ /|/g')
-          diff <(crane ls traefik) <(crane ls ghcr.io/traefik/traefik) | grep '^<' | awk '{print $2}' | while read -r tag; do [[ "$tag" =~ ^($EXCLUDED_REGEX)$ ]] || (echo "Processing image: traefik:$tag"; crane cp "traefik:$tag" "ghcr.io/traefik/traefik:$tag"); done
-          crane cp traefik:latest ghcr.io/traefik/traefik:latest
@@ -1,6 +1,8 @@
 name: Build Web UI
 on:
  workflow_call: {}
+env:
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 48  # 2 days
 jobs:

  build-webui:
@@ -8,21 +10,25 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Setup node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: webui/.nvmrc
          cache: yarn
          cache-dependency-path: webui/yarn.lock

+      - name: Setup safe-chain
+        working-directory: ./webui
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
      - name: Build webui
        working-directory: ./webui
        run: |
-          yarn install
+          yarn install --ignore-scripts
          yarn build

      - name: Package webui
@@ -30,7 +36,7 @@ jobs:
          tar czvf webui.tar.gz ./webui/static/

      - name: Artifact webui
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: webui.tar.gz
          path: webui.tar.gz
@@ -1,39 +0,0 @@
-name: Test K8s Gateway API conformance
-
-on:
-  pull_request:
-    branches:
-      - '*'
-    paths:
-      - '.github/workflows/test-conformance.yaml'
-      - 'pkg/provider/kubernetes/gateway/**'
-      - 'integration/fixtures/k8s-conformance/**'
-      - 'integration/k8s_conformance_test.go'
-
-env:
-  GO_VERSION: '1.23'
-  CGO_ENABLED: 0
-
-jobs:
-
-  test-conformance:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Avoid generating webui
-        run: touch webui/static/index.html
-
-      - name: K8s Gateway API conformance test and report
-        run: |
-          make test-gateway-api-conformance
-          git diff --exit-code
@@ -1,6 +1,10 @@
 name: Test Integration

 on:
+  push:
+    branches:
+      - master
+      - v*
  pull_request:
    branches:
      - '*'
@@ -10,7 +14,6 @@ on:
      - 'script/gcg/**'

 env:
-  GO_VERSION: '1.23'
  CGO_ENABLED: 0

 jobs:
@@ -20,59 +23,168 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: '.go-version'
          check-latest: true
+          cache: false
+
+      - name: Go modules cache
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-mod-
+
+      - name: Go build cache
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.mod', '**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-

      - name: Avoid generating webui
        run: touch webui/static/index.html

      - name: Build binary
-        run: make binary
+        run: make binary-linux-amd64
+
+      - name: Pre-compile integration test binaries
+        run: go test -c -o /dev/null ./integration
+
+      - name: Artifact traefik binary
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: traefik
+          path: ./dist/linux/amd64/traefik
+          retention-days: 1

  test-integration:
    runs-on: ubuntu-latest
    needs:
      - build
+    permissions:
+      contents: read
+      actions: read
    strategy:
-      fail-fast: true
+      fail-fast: false
      matrix:
        parallel: [12]
        index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: '.go-version'
          check-latest: true
+          cache: false

      - name: Avoid generating webui
        run: touch webui/static/index.html

-      - name: Build binary
-        run: make binary
+      - name: Download traefik binary
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: traefik
+          path: ./dist/linux/amd64/
+
+      - name: Make binary executable
+        run: chmod +x ./dist/linux/amd64/traefik
+
+      - name: Restore go modules cache
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-mod-
+
+      - name: Restore go build cache
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.mod', '**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-
+
+      - name: Install gotestsum
+        run: go install gotest.tools/gotestsum@latest
+
+      - name: Find latest timing artifact run
+        id: latest_run
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          RUN_ID=$(gh api \
+            "/repos/${{ github.repository }}/actions/artifacts?name=integration-test-summary&per_page=1" \
+            --jq '.artifacts[0].workflow_run.id // ""')
+          echo "run_id=$RUN_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Download previous test timing data
+        if: steps.latest_run.outputs.run_id != ''
+        continue-on-error: true
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: integration-test-summary
+          run-id: ${{ steps.latest_run.outputs.run_id }}
+          github-token: ${{ github.token }}
+
+      - name: Ensure timing data exists
+        run: |
+          [ -f integration-test-summary.xml ] || echo '<?xml version="1.0" encoding="UTF-8"?><testsuites></testsuites>' > integration-test-summary.xml

      - name: Generate go test Slice
        id: test_split
-        uses: hashicorp-forge/go-test-split-action@v2.0.0
+        uses: hashicorp-forge/go-test-split-action@3b2b67379b94f6bea96556b2e4e15929b57c10cf # v2.0.3
        with:
          packages: ./integration
          total: ${{ matrix.parallel }}
          index: ${{ matrix.index }}
+          junit-summary: ${{ github.workspace }}/integration-test-summary.xml

      - name: Run Integration tests
        run: |
          TESTS=$(echo "${{ steps.test_split.outputs.run}}" | sed 's/\$/\$\$/g')
-          TESTFLAGS="-run \"${TESTS}\"" make test-integration
+          gotestsum --junitfile shard-${{ matrix.index }}-results.xml --packages ./integration -- -test.timeout=20m -v -run "${TESTS}"
+
+      - name: Upload shard test results
+        if: always()
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: integration-shard-${{ matrix.index }}-results
+          path: shard-${{ matrix.index }}-results.xml
+          retention-days: 7
+
+  merge-test-results:
+    runs-on: ubuntu-latest
+    needs:
+      - test-integration
+    if: ${{ !cancelled() && needs.test-integration.result != 'skipped' }}
+    steps:
+      - name: Download all shard results
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          pattern: integration-shard-*-results
+          merge-multiple: true
+
+      - name: Merge JUnit XML results
+        run: npx --yes junit-report-merger@9.0.3 integration-test-summary.xml shard-*-results.xml
+
+      - name: Upload merged test summary
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: integration-test-summary
+          path: integration-test-summary.xml
+          retention-days: 30
@@ -1,6 +1,10 @@
 name: Test Unit

 on:
+  push:
+    branches:
+      - master
+      - v*
  pull_request:
    branches:
      - '*'
@@ -9,49 +13,48 @@ on:
      - '**.md'
      - 'script/gcg/**'

-env:
-  GO_VERSION: '1.23'
-
 jobs:

  test-unit:
+    name: Unit tests
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: '.go-version'
          check-latest: true

      - name: Avoid generating webui
        run: touch webui/static/index.html

-      - name: Tests
-        run: make test-unit
+      - name: Run unit tests
+        run: go test -parallel 8 ./cmd/... ./pkg/...

  test-ui-unit:
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Set up Node.js ${{ env.NODE_VERSION }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: webui/.nvmrc
          cache: 'yarn'
          cache-dependency-path: webui/yarn.lock

+      - name: Setup safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
      - name: UI unit tests
        run: |
-          yarn --cwd webui install
+          yarn --cwd webui install --ignore-scripts
          yarn --cwd webui test:unit:ci
@@ -6,9 +6,8 @@ on:
      - '*'

 env:
-  GO_VERSION: '1.23'
-  GOLANGCI_LINT_VERSION: v2.0.2
-  MISSPELL_VERSION: v0.6.0
+  GOLANGCI_LINT_VERSION: v2.10.1
+  MISSPELL_VERSION: v0.7.0

 jobs:

@@ -17,18 +16,33 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: '.go-version'
          check-latest: true
+          cache: false
+
+      - name: Restore go modules cache
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-mod-
+
+      - name: Restore go build cache
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.mod', '**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-

      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          version: "${{ env.GOLANGCI_LINT_VERSION }}"

@@ -37,15 +51,30 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: '.go-version'
          check-latest: true
+          cache: false
+
+      - name: Restore go modules cache
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-mod-
+
+      - name: Restore go build cache
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.mod', '**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-

      - name: Install misspell ${{ env.MISSPELL_VERSION }}
        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/HEAD/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSPELL_VERSION}
@@ -61,26 +90,36 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: '.go-version'
          check-latest: true
+          cache: false
+
+      - name: Restore go modules cache
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-mod-
+
+      - name: Restore go build cache
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.mod', '**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-

      - name: go generate
        run: |
          make generate
          git diff --exit-code

-      - name: go mod tidy
-        run: |
-          go mod tidy
-          git diff --exit-code
-
      - name: make generate-crd
        run: |
          make generate-crd
@@ -19,4 +19,3 @@ plugins-storage/
 plugins-local/
 traefik_changelog.md
 integration/tailscale.secret
-integration/conformance-reports/**/experimental-dev-default-report.yaml
@@ -0,0 +1 @@
+1.25
@@ -36,6 +36,7 @@ linters:
    - nilnil # Not relevant
    - nlreturn # Not relevant
    - noctx # Too strict
+    - noinlineerr # Too strict
    - nonamedreturns # Too strict
    - paralleltest # Not relevant
    - prealloc # Too many false-positive.
@@ -47,6 +48,7 @@ linters:
    - varnamelen # Not relevant
    - wrapcheck # Too strict
    - wsl # Too strict
+    - wsl_v5 # Too strict

  settings:
    depguard:
@@ -143,15 +145,17 @@ linters:
          alias: gatev1alpha2

        # Traefik Kubernetes rewrites:
-        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/traefikio/v1alpha1
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikcontainous/v1alpha1
+          alias: containousv1alpha1
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1
          alias: traefikv1alpha1
-        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned
          alias: traefikclientset
-        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/informers/externalversions
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/informers/externalversions
          alias: traefikinformers
-        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme
          alias: traefikscheme
-        - pkg: github.com/traefik/traefik/v3/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake
+        - pkg: github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake
          alias: traefikcrdfake
    misspell:
      locale: US
@@ -212,7 +216,6 @@ linters:
    staticcheck:
      checks:
        - all
-        - '-SA1019'
        - '-ST1000'
        - '-ST1003'
        - '-ST1016'
@@ -291,31 +294,42 @@ linters:
        source: 'errors.New\("Nomad provider'
        text: 'ST1005: error strings should not be capitalized'
      - path: (.+)\.go
-        text: 'struct-tag: unknown option ''inline'' in JSON tag'
+        text: 'omitzero: Omitempty has no effect on nested struct field'
+        linters:
+          - modernize
+      - path: (.+)\.go
+        text: 'struct-tag: unknown option "inline" in json tag'
        linters:
          - revive
      - path: (.+)\.go
-        text: 'struct-tag: unknown option ''omitzero'' in TOML tag'
+        text: 'struct-tag: unknown option "omitzero" in toml tag'
+        linters:
+          - revive
+      - path: (pkg/types/.+|pkg/api/.+)\.go
+        text: 'var-naming: avoid meaningless package names'
+        linters:
+          - revive
+      - path: ((cmd|pkg)/version/.*|pkg/config/runtime/.*|pkg/log/.*|pkg/(middlewares/)?metrics/.*|pkg/muxer/http/.+|pkg/provider/http/.+|pkg/tls/.+)\.go
+        text: 'var-naming: avoid package names that conflict with Go standard library package names'
        linters:
          - revive
      - path: (.+)\.go$
        text: 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
+      - path: (.+)\.go$
+        text: 'SA1019: dynamic.(TCPIPWhiteList|IPWhiteList) is deprecated: please use IPAllowList instead.'
+      - path: (.+)\.go$
+        text: 'SA1019: middlewareTCP.Spec.IPWhiteList is deprecated: please use IPAllowList instead.'
      - path: (.+)\.go$
        text: 'SA1019: cfg.(SSLRedirect|SSLTemporaryRedirect|SSLHost|SSLForceHost|FeaturePolicy) is deprecated'
      - path: (.+)\.go$
        text: 'SA1019: c.Providers.(ConsulCatalog|Consul|Nomad).Namespace is deprecated'
-      - path: (.+)\.go$
-        text: 'SA1019: dockertypes.ContainerNode is deprecated'
-      - path: pkg/provider/kubernetes/crd/kubernetes.go
-        text: "Function 'loadConfigurationFromCRD' has too many statements"
+      - path: pkg/middlewares/auth/basic_auth_test.go
+        text: 'SA1008: keys in http.Header are canonicalized, "x-user" is not canonical; fix the constant or use http.CanonicalHeaderKey'
+      - path: pkg/middlewares/auth/digest_auth_test.go
+        text: 'SA1008: keys in http.Header are canonicalized, "x-user" is not canonical; fix the constant or use http.CanonicalHeaderKey'
+      - path: pkg/server/conncontext.go
        linters:
-          - funlen
-      - path: pkg/plugins/middlewarewasm.go
-        text: 'the methods of "wasmMiddlewareBuilder" use pointer receiver and non-pointer receiver.'
-        linters:
-          - recvcheck
-      - path: pkg/proxy/httputil/bufferpool.go
-        text: 'SA6002: argument should be pointer-like to avoid allocations'
+          - fatcontext
    paths:
      - pkg/provider/kubernetes/crd/generated/

@@ -14,7 +14,7 @@ builds:
    env:
      - CGO_ENABLED=0
    ldflags:
-      - -s -w -X github.com/traefik/traefik/v3/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v3/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v3/pkg/version.BuildDate={{.Date}}
+      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}
    flags:
      - -trimpath
    goos:
@@ -54,10 +54,12 @@ changelog:
 archives:
  - id: traefik
    name_template: '{{ .ProjectName }}_v{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
-    format: tar.gz
+    formats:
+      - tar.gz
    format_overrides:
      - goos: windows
-        format: zip
+        formats:
+          - zip
    files:
      - LICENSE.md
      - CHANGELOG.md
@@ -1,13 +0,0 @@
-version: v1.0
-name: Traefik Release - deprecated
-agent:
-  machine:
-    type: f1-standard-2
-    os_image: ubuntu2204
-blocks:
-  - name: 'Do nothing'
-    task:
-      jobs:
-        - name: 'Do nothing'
-          commands:
-            - echo "Do nothing"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.2
-FROM alpine:3.21
+FROM alpine:3.24

 RUN apk add --no-cache --no-progress ca-certificates tzdata

@@ -13,6 +13,7 @@ DATE := $(shell date -u '+%Y-%m-%d_%I:%M:%S%p')
 # Default build target
 GOOS := $(shell go env GOOS)
 GOARCH := $(shell go env GOARCH)
+GOGC ?=

 LINT_EXECUTABLES = misspell shellcheck

@@ -56,10 +57,10 @@ generate:
 #? binary: Build the binary
 binary: generate-webui dist
 	@echo SHA: $(VERSION) $(CODENAME) $(DATE)
-	CGO_ENABLED=0 GOGC=off GOOS=${GOOS} GOARCH=${GOARCH} go build ${FLAGS[*]} -ldflags "-s -w \
-    -X github.com/traefik/traefik/v3/pkg/version.Version=$(VERSION) \
-    -X github.com/traefik/traefik/v3/pkg/version.Codename=$(CODENAME) \
-    -X github.com/traefik/traefik/v3/pkg/version.BuildDate=$(DATE)" \
+	CGO_ENABLED=0 GOGC=${GOGC} GOOS=${GOOS} GOARCH=${GOARCH} go build ${FLAGS} -ldflags "-s -w \
+    -X github.com/traefik/traefik/v2/pkg/version.Version=$(VERSION) \
+    -X github.com/traefik/traefik/v2/pkg/version.Codename=$(CODENAME) \
+    -X github.com/traefik/traefik/v2/pkg/version.BuildDate=$(DATE)" \
    -installsuffix nocgo -o "./dist/${GOOS}/${GOARCH}/$(BIN_NAME)" ./cmd/traefik

 binary-linux-arm64: export GOOS := linux
@@ -94,15 +95,9 @@ test-unit:

 .PHONY: test-integration
 #? test-integration: Run the integration tests
-test-integration: binary
+test-integration:
 	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -test.timeout=20m -failfast -v $(TESTFLAGS)

-.PHONY: test-gateway-api-conformance
-#? test-gateway-api-conformance: Run the conformance tests
-test-gateway-api-conformance: build-image-dirty
-	# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.3" $(TESTFLAGS)
-
 .PHONY: test-ui-unit
 #? test-ui-unit: Run the unit tests for the webui
 test-ui-unit:
@@ -182,11 +177,6 @@ generate-crd:
 generate-genconf:
 	go run ./cmd/internal/gen/

-.PHONY: release-packages
-#? release-packages: Create packages for the release
-release-packages: generate-webui
-	$(CURDIR)/script/release-packages.sh
-
 .PHONY: fmt
 #? fmt: Format the Code
 fmt:
@@ -7,7 +7,6 @@
    </picture>
 </p>

-[![Build Status SemaphoreCI](https://traefik-oss.semaphoreci.com/badges/traefik/branches/master.svg?style=shields)](https://traefik-oss.semaphoreci.com/projects/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
@@ -15,7 +14,7 @@
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)

 Traefik (pronounced _traffic_) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
-Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher v2](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
+Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
 Pointing Traefik at your orchestrator should be the _only_ configuration step you need.

 ---
@@ -35,8 +34,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo

 ---

-:warning: When migrating to a new major version of Traefik, please refer to the [migration guide](https://doc.traefik.io/traefik/migration/v2-to-v3/) to ensure a smooth transition and to be aware of any breaking changes.
-
+:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://doc.traefik.io/traefik/).

 ## Overview

@@ -59,11 +57,11 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t

 - Continuously updates its configuration (No restarts!)
 - Supports multiple load balancing algorithms
- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org) (wildcard certificates support)
+- Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
 - Circuit breakers, retry
 - See the magic through its clean web UI
- WebSocket, HTTP/2, gRPC ready
- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB 2.X)
+- WebSocket, HTTP/2, GRPC ready
+- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
 - Keeps access logs (JSON, CLF)
 - Fast
 - Exposes a Rest API
@@ -73,6 +71,8 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t

 - [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
 - [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
+- [Marathon](https://doc.traefik.io/traefik/providers/marathon/)
+- [Rancher](https://doc.traefik.io/traefik/providers/rancher/) (Metadata)
 - [ECS](https://doc.traefik.io/traefik/providers/ecs/)
 - [File](https://doc.traefik.io/traefik/providers/file/)

@@ -88,7 +88,7 @@ You can access the simple HTML frontend of Traefik.

 ## Documentation

-You can find the complete documentation of Traefik v3 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
+You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).

 ## Support

@@ -1,10 +1,5 @@
 # Security Policy

-You can join our security mailing list to be aware of the latest announcements from our security team.
-You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
-
-Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
-
 ## Supported Versions

 - We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
@@ -17,10 +12,10 @@ We use [Semantic Versioning](https://semver.org/).

 | Version   | Supported          |
 |-----------|--------------------|
-| `2.2.x`   | :white_check_mark: |
-| `< 2.2.x` | :x:                |
-| `1.7.x`   | :white_check_mark: |
-| `< 1.7.x` | :x:                |
+| `3.6.x`   | :white_check_mark: |
+| `< 3.6.x` | :x:                |
+| `2.11.x`   | :white_check_mark: |
+| `< 2.11.x` | :x:                |

 ## Reporting a Vulnerability

@@ -28,3 +23,5 @@ We want to keep Traefik safe for everyone.
 If you've discovered a security vulnerability in Traefik,
 we appreciate your help in disclosing it to us in a responsible manner,
 by creating a [security advisory](https://github.com/traefik/traefik/security/advisories).
+
+Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
@@ -4,12 +4,13 @@ import (
 	"time"

 	ptypes "github.com/traefik/paerser/types"
-	"github.com/traefik/traefik/v3/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )

 // TraefikCmdConfiguration wraps the static configuration and extra parameters.
 type TraefikCmdConfiguration struct {
 	static.Configuration `export:"true"`
+
 	// ConfigFile is the path to the configuration file.
 	ConfigFile string `description:"Configuration file to use. If specified all other flags are ignored." export:"true"`
 }
@@ -28,10 +29,6 @@ func NewTraefikConfiguration() *TraefikCmdConfiguration {
 			ServersTransport: &static.ServersTransport{
 				MaxIdleConnsPerHost: 200,
 			},
-			TCPServersTransport: &static.TCPServersTransport{
-				DialTimeout:   ptypes.Duration(30 * time.Second),
-				DialKeepAlive: ptypes.Duration(15 * time.Second),
-			},
 		},
 		ConfigFile: "",
 	}
@@ -8,7 +8,7 @@ import (
 	"time"

 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v3/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )

 // NewCmd builds a new HealthCheck command.
@@ -158,7 +158,7 @@ func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) map[str

 func (c Centrifuge) writeStruct(name string, obj *types.Struct, rootPkg string, elt *File) string {
 	b := strings.Builder{}
-	b.WriteString(fmt.Sprintf("type %s struct {\n", name))
+	fmt.Fprintf(&b, "type %s struct {\n", name)

 	for i := range obj.NumFields() {
 		field := obj.Field(i)
@@ -175,7 +175,7 @@ func (c Centrifuge) writeStruct(name string, obj *types.Struct, rootPkg string,
 		fType := c.TypeCleaner(field.Type(), rootPkg)

 		if field.Embedded() {
-			b.WriteString(fmt.Sprintf("\t%s\n", fType))
+			fmt.Fprintf(&b, "\t%s\n", fType)
 			continue
 		}

@@ -184,10 +184,10 @@ func (c Centrifuge) writeStruct(name string, obj *types.Struct, rootPkg string,
 			continue
 		}

-		b.WriteString(fmt.Sprintf("\t%s %s", field.Name(), fType))
+		fmt.Fprintf(&b, "\t%s %s", field.Name(), fType)

 		if ok {
-			b.WriteString(fmt.Sprintf(" `json:\"%s\"`", strings.Join(values, ",")))
+			fmt.Fprintf(&b, " `json:\"%s\"`", strings.Join(values, ","))
 		}

 		b.WriteString("\n")
@@ -11,7 +11,7 @@ import (
 	"strings"
 )

-const rootPkg = "github.com/traefik/traefik/v3/pkg/config/dynamic"
+const rootPkg = "github.com/traefik/traefik/v2/pkg/config/dynamic"

 const (
 	destModuleName = "github.com/traefik/genconf"
@@ -57,8 +57,8 @@ func run(dest string) error {
 	}

 	centrifuge.IncludedImports = []string{
-		"github.com/traefik/traefik/v3/pkg/tls",
-		"github.com/traefik/traefik/v3/pkg/types",
+		"github.com/traefik/traefik/v2/pkg/tls",
+		"github.com/traefik/traefik/v2/pkg/types",
 	}

 	centrifuge.ExcludedTypes = []string{
@@ -71,8 +71,8 @@ func run(dest string) error {
 	}

 	centrifuge.ExcludedFiles = []string{
-		"github.com/traefik/traefik/v3/pkg/types/logs.go",
-		"github.com/traefik/traefik/v3/pkg/types/metrics.go",
+		"github.com/traefik/traefik/v2/pkg/types/logs.go",
+		"github.com/traefik/traefik/v2/pkg/types/metrics.go",
 	}

 	centrifuge.TypeCleaner = cleanType
@@ -83,15 +83,15 @@ func run(dest string) error {
 		return err
 	}

-	return os.WriteFile(filepath.Join(dest, "marshaler.go"), []byte(fmt.Sprintf(marsh, destPkg)), 0o666)
+	return os.WriteFile(filepath.Join(dest, "marshaler.go"), fmt.Appendf(nil, marsh, destPkg), 0o666)
 }

 func cleanType(typ types.Type, base string) string {
-	if typ.String() == "github.com/traefik/traefik/v3/pkg/types.FileOrContent" {
+	if typ.String() == "github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
 		return "string"
 	}

-	if typ.String() == "[]github.com/traefik/traefik/v3/pkg/types.FileOrContent" {
+	if typ.String() == "[]github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
 		return "[]string"
 	}

@@ -103,8 +103,8 @@ func cleanType(typ types.Type, base string) string {
 		return strings.ReplaceAll(typ.String(), base+".", "")
 	}

-	if strings.Contains(typ.String(), "github.com/traefik/traefik/v3/pkg/") {
-		return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v3/pkg/", "")
+	if strings.Contains(typ.String(), "github.com/traefik/traefik/v2/pkg/") {
+		return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v2/pkg/", "")
 	}

 	return typ.String()
@@ -114,9 +114,9 @@ func cleanPackage(src string) string {
 	switch src {
 	case "github.com/traefik/paerser/types":
 		return ""
-	case "github.com/traefik/traefik/v3/pkg/tls":
+	case "github.com/traefik/traefik/v2/pkg/tls":
 		return path.Join(destModuleName, destPkg, "tls")
-	case "github.com/traefik/traefik/v3/pkg/types":
+	case "github.com/traefik/traefik/v2/pkg/types":
 		return path.Join(destModuleName, destPkg, "types")
 	default:
 		return src
@@ -1,113 +0,0 @@
-package main
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	stdlog "log"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/rs/zerolog"
-	"github.com/rs/zerolog/log"
-	"github.com/sirupsen/logrus"
-	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v3/pkg/logs"
-	"gopkg.in/natefinch/lumberjack.v2"
-)
-
-func init() {
-	// hide the first logs before the setup of the logger.
-	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
-}
-
-func setupLogger(staticConfiguration *static.Configuration) error {
-	// Validate that the experimental flag is set up at this point,
-	// rather than validating the static configuration before the setupLogger call.
-	// This ensures that validation messages are not logged using an un-configured logger.
-	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil &&
-		(staticConfiguration.Experimental == nil || !staticConfiguration.Experimental.OTLPLogs) {
-		return errors.New("the experimental OTLPLogs feature must be enabled to use OTLP logging")
-	}
-
-	// configure log format
-	w := getLogWriter(staticConfiguration)
-
-	// configure log level
-	logLevel := getLogLevel(staticConfiguration)
-	zerolog.SetGlobalLevel(logLevel)
-
-	// create logger
-	logCtx := zerolog.New(w).With().Timestamp()
-	if logLevel <= zerolog.DebugLevel {
-		logCtx = logCtx.Caller()
-	}
-
-	log.Logger = logCtx.Logger().Level(logLevel)
-
-	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
-		var err error
-		log.Logger, err = logs.SetupOTelLogger(log.Logger, staticConfiguration.Log.OTLP)
-		if err != nil {
-			return fmt.Errorf("setting up OpenTelemetry logger: %w", err)
-		}
-	}
-
-	zerolog.DefaultContextLogger = &log.Logger
-
-	// Global logrus replacement (related to lib like go-rancher-metadata, docker, etc.)
-	logrus.StandardLogger().Out = logs.NoLevel(log.Logger, zerolog.DebugLevel)
-
-	// configure default standard log.
-	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
-	stdlog.SetOutput(logs.NoLevel(log.Logger, zerolog.DebugLevel))
-
-	return nil
-}
-
-func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
-	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
-		return io.Discard
-	}
-
-	var w io.Writer = os.Stdout
-	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
-		_, _ = os.OpenFile(staticConfiguration.Log.FilePath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666)
-		w = &lumberjack.Logger{
-			Filename:   staticConfiguration.Log.FilePath,
-			MaxSize:    staticConfiguration.Log.MaxSize,
-			MaxBackups: staticConfiguration.Log.MaxBackups,
-			MaxAge:     staticConfiguration.Log.MaxAge,
-			Compress:   true,
-		}
-	}
-
-	if staticConfiguration.Log == nil || staticConfiguration.Log.Format != "json" {
-		w = zerolog.ConsoleWriter{
-			Out:        w,
-			TimeFormat: time.RFC3339,
-			NoColor:    staticConfiguration.Log != nil && (staticConfiguration.Log.NoColor || len(staticConfiguration.Log.FilePath) > 0),
-		}
-	}
-
-	return w
-}
-
-func getLogLevel(staticConfiguration *static.Configuration) zerolog.Level {
-	levelStr := "error"
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
-		levelStr = strings.ToLower(staticConfiguration.Log.Level)
-	}
-
-	logLevel, err := zerolog.ParseLevel(strings.ToLower(levelStr))
-	if err != nil {
-		log.Error().Err(err).
-			Str("logLevel", levelStr).
-			Msg("Unspecified or invalid log level, setting the level to default (ERROR)...")
-
-		logLevel = zerolog.ErrorLevel
-	}
-
-	return logLevel
-}
@@ -3,8 +3,8 @@ package main
 import (
 	"fmt"

-	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v3/pkg/plugins"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/plugins"
 )

 const outputDir = "./plugins-storage/"
@@ -3,60 +3,54 @@ package main
 import (
 	"context"
 	"crypto/x509"
-	"encoding/json"
 	"fmt"
-	"io"
 	stdlog "log"
-	"maps"
 	"net/http"
 	"os"
 	"os/signal"
-	"slices"
+	"path/filepath"
 	"sort"
 	"strings"
 	"syscall"
 	"time"

 	"github.com/coreos/go-systemd/v22/daemon"
-	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v5/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
-	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
-	"github.com/spiffe/go-spiffe/v2/workloadapi"
 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v3/cmd"
-	"github.com/traefik/traefik/v3/cmd/healthcheck"
-	cmdVersion "github.com/traefik/traefik/v3/cmd/version"
-	tcli "github.com/traefik/traefik/v3/pkg/cli"
-	"github.com/traefik/traefik/v3/pkg/collector"
-	"github.com/traefik/traefik/v3/pkg/config/dynamic"
-	"github.com/traefik/traefik/v3/pkg/config/runtime"
-	"github.com/traefik/traefik/v3/pkg/config/static"
-	"github.com/traefik/traefik/v3/pkg/logs"
-	"github.com/traefik/traefik/v3/pkg/metrics"
-	"github.com/traefik/traefik/v3/pkg/middlewares/accesslog"
-	"github.com/traefik/traefik/v3/pkg/provider/acme"
-	"github.com/traefik/traefik/v3/pkg/provider/aggregator"
-	"github.com/traefik/traefik/v3/pkg/provider/tailscale"
-	"github.com/traefik/traefik/v3/pkg/provider/traefik"
-	"github.com/traefik/traefik/v3/pkg/proxy"
-	"github.com/traefik/traefik/v3/pkg/proxy/httputil"
-	"github.com/traefik/traefik/v3/pkg/safe"
-	"github.com/traefik/traefik/v3/pkg/server"
-	"github.com/traefik/traefik/v3/pkg/server/middleware"
-	"github.com/traefik/traefik/v3/pkg/server/service"
-	"github.com/traefik/traefik/v3/pkg/tcp"
-	traefiktls "github.com/traefik/traefik/v3/pkg/tls"
-	"github.com/traefik/traefik/v3/pkg/tracing"
-	"github.com/traefik/traefik/v3/pkg/types"
-	"github.com/traefik/traefik/v3/pkg/version"
+	"github.com/traefik/traefik/v2/cmd"
+	"github.com/traefik/traefik/v2/cmd/healthcheck"
+	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
+	tcli "github.com/traefik/traefik/v2/pkg/cli"
+	"github.com/traefik/traefik/v2/pkg/collector"
+	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	"github.com/traefik/traefik/v2/pkg/config/runtime"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/metrics"
+	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
+	"github.com/traefik/traefik/v2/pkg/provider/acme"
+	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
+	"github.com/traefik/traefik/v2/pkg/provider/traefik"
+	"github.com/traefik/traefik/v2/pkg/redactor"
+	"github.com/traefik/traefik/v2/pkg/safe"
+	"github.com/traefik/traefik/v2/pkg/server"
+	"github.com/traefik/traefik/v2/pkg/server/middleware"
+	"github.com/traefik/traefik/v2/pkg/server/service"
+	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/tracing"
+	"github.com/traefik/traefik/v2/pkg/tracing/jaeger"
+	"github.com/traefik/traefik/v2/pkg/types"
+	"github.com/traefik/traefik/v2/pkg/version"
+	"github.com/vulcand/oxy/v2/roundrobin"
 )

 func main() {
 	// traefik config inits
 	tConfig := cmd.NewTraefikConfiguration()

-	loaders := []cli.ResourceLoader{&tcli.DeprecationLoader{}, &tcli.FileLoader{}, &tcli.FlagLoader{}, &tcli.EnvLoader{}}
+	loaders := []cli.ResourceLoader{&tcli.FileLoader{}, &tcli.FlagLoader{}, &tcli.EnvLoader{}}

 	cmdTraefik := &cli.Command{
 		Name: "traefik",
@@ -83,7 +77,7 @@ Complete documentation is available at https://traefik.io`,

 	err = cli.Execute(cmdTraefik)
 	if err != nil {
-		log.Error().Err(err).Msg("Command error")
+		stdlog.Println(err)
 		logrus.Exit(1)
 	}

@@ -91,26 +85,31 @@ Complete documentation is available at https://traefik.io`,
 }

 func runCmd(staticConfiguration *static.Configuration) error {
-	if err := setupLogger(staticConfiguration); err != nil {
-		return fmt.Errorf("setting up logger: %w", err)
-	}
+	configureLogging(staticConfiguration)
+
+	log.WithoutContext().Warn("Traefik can reject some encoded characters in the request path." +
+		"When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986)," +
+		"it is recommended to set these options to `false` to avoid split-view situation." +
+		"Refer to the documentation for more details: https://doc.traefik.io/traefik/v2.11/migration/v2/#encoded-characters-configuration-default-values")

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment

+	if err := roundrobin.SetDefaultWeight(0); err != nil {
+		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
+	}
+
 	staticConfiguration.SetEffectiveConfiguration()
 	if err := staticConfiguration.ValidateConfiguration(); err != nil {
 		return err
 	}

-	log.Info().Str("version", version.Version).
-		Msgf("Traefik version %s built on %s", version.Version, version.BuildDate)
+	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)

-	jsonConf, err := json.Marshal(staticConfiguration)
+	redactedStaticConfiguration, err := redactor.RemoveCredentials(staticConfiguration)
 	if err != nil {
-		log.Error().Err(err).Msg("Could not marshal static configuration")
-		log.Debug().Interface("staticConfiguration", staticConfiguration).Msg("Static configuration loaded [struct]")
+		log.WithoutContext().Errorf("Could not redact static configuration: %v", err)
 	} else {
-		log.Debug().RawJSON("staticConfiguration", jsonConf).Msg("Static configuration loaded [json]")
+		log.WithoutContext().Debugf("Static configuration loaded %s", redactedStaticConfiguration)
 	}

 	if staticConfiguration.Global.CheckNewVersion {
@@ -135,16 +134,16 @@ func runCmd(staticConfiguration *static.Configuration) error {

 	sent, err := daemon.SdNotify(false, "READY=1")
 	if !sent && err != nil {
-		log.Error().Err(err).Msg("Failed to notify")
+		log.WithoutContext().Errorf("Failed to notify: %v", err)
 	}

 	t, err := daemon.SdWatchdogEnabled(false)
 	if err != nil {
-		log.Error().Err(err).Msg("Could not enable Watchdog")
+		log.WithoutContext().Errorf("Could not enable Watchdog: %v", err)
 	} else if t != 0 {
 		// Send a ping each half time given
 		t /= 2
-		log.Info().Msgf("Watchdog activated with timer duration %s", t)
+		log.WithoutContext().Infof("Watchdog activated with timer duration %s", t)
 		safe.Go(func() {
 			tick := time.Tick(t)
 			for range tick {
@@ -155,17 +154,17 @@ func runCmd(staticConfiguration *static.Configuration) error {

 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
 					if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
-						log.Error().Msg("Fail to tick watchdog")
+						log.WithoutContext().Error("Fail to tick watchdog")
 					}
 				} else {
-					log.Error().Err(errHealthCheck).Send()
+					log.WithoutContext().Error(errHealthCheck)
 				}
 			}
 		})
 	}

 	svr.Wait()
-	log.Info().Msg("Shutting down")
+	log.WithoutContext().Info("Shutting down")
 	return nil
 }

@@ -194,28 +193,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	acmeProviders := initACMEProvider(staticConfiguration, providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider, routinesPool)

-	// Tailscale
-
-	tsProviders := initTailscaleProviders(staticConfiguration, providerAggregator)
-
-	// Observability
-
-	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
-	var semConvMetricRegistry *metrics.SemConvMetricsRegistry
-	if staticConfiguration.Metrics != nil && staticConfiguration.Metrics.OTLP != nil {
-		semConvMetricRegistry, err = metrics.NewSemConvMetricRegistry(ctx, staticConfiguration.Metrics.OTLP)
-		if err != nil {
-			return nil, fmt.Errorf("unable to create SemConv metric registry: %w", err)
-		}
-	}
-	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
-	accessLog := setupAccessLog(staticConfiguration.AccessLog)
-	tracer, tracerCloser := setupTracing(staticConfiguration.Tracing)
-	observabilityMgr := middleware.NewObservabilityMgr(*staticConfiguration, metricsRegistry, semConvMetricRegistry, accessLog, tracer, tracerCloser)
-
 	// Entrypoints

-	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver, metricsRegistry)
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
 	if err != nil {
 		return nil, err
 	}
@@ -225,29 +205,19 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}

+	if staticConfiguration.Pilot != nil {
+		log.WithoutContext().Warn("Traefik Pilot has been removed.")
+	}
+
 	if staticConfiguration.API != nil {
 		version.DisableDashboardAd = staticConfiguration.API.DisableDashboardAd
 	}

 	// Plugins
-	pluginLogger := log.Ctx(ctx).With().Logger()
-	hasPlugins := staticConfiguration.Experimental != nil && (staticConfiguration.Experimental.Plugins != nil || staticConfiguration.Experimental.LocalPlugins != nil)
-	if hasPlugins {
-		pluginsList := slices.Collect(maps.Keys(staticConfiguration.Experimental.Plugins))
-		pluginsList = append(pluginsList, slices.Collect(maps.Keys(staticConfiguration.Experimental.LocalPlugins))...)
-
-		pluginLogger = pluginLogger.With().Strs("plugins", pluginsList).Logger()
-		pluginLogger.Info().Msg("Loading plugins...")
-	}

 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
-	if err != nil && staticConfiguration.Experimental != nil && staticConfiguration.Experimental.AbortOnPluginFailure {
-		return nil, fmt.Errorf("plugin: failed to create plugin builder: %w", err)
-	}
 	if err != nil {
-		pluginLogger.Err(err).Msg("Plugins are disabled because an error has occurred.")
-	} else if hasPlugins {
-		pluginLogger.Info().Msg("Plugins loaded.")
+		log.WithoutContext().WithError(err).Error("Plugins are disabled because an error has occurred.")
 	}

 	// Providers plugins
@@ -268,41 +238,24 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		}
 	}

+	// Metrics
+
+	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
+	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
+
 	// Service manager factory

-	var spiffeX509Source *workloadapi.X509Source
-	if staticConfiguration.Spiffe != nil && staticConfiguration.Spiffe.WorkloadAPIAddr != "" {
-		log.Info().Str("workloadAPIAddr", staticConfiguration.Spiffe.WorkloadAPIAddr).
-			Msg("Waiting on SPIFFE SVID delivery")
-
-		spiffeX509Source, err = workloadapi.NewX509Source(
-			ctx,
-			workloadapi.WithClientOptions(
-				workloadapi.WithAddr(
-					staticConfiguration.Spiffe.WorkloadAPIAddr,
-				),
-			),
-		)
-		if err != nil {
-			return nil, fmt.Errorf("unable to create SPIFFE x509 source: %w", err)
-		}
-		log.Info().Msg("Successfully obtained SPIFFE SVID.")
-	}
-
-	transportManager := service.NewTransportManager(spiffeX509Source)
-
-	var proxyBuilder service.ProxyBuilder = httputil.NewProxyBuilder(transportManager, semConvMetricRegistry)
-	if staticConfiguration.Experimental != nil && staticConfiguration.Experimental.FastProxy != nil {
-		proxyBuilder = proxy.NewSmartBuilder(transportManager, proxyBuilder, *staticConfiguration.Experimental.FastProxy)
-	}
-
-	dialerManager := tcp.NewDialerManager(spiffeX509Source)
+	roundTripperManager := service.NewRoundTripperManager()
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
-	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, transportManager, proxyBuilder, acmeHTTPHandler)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)

 	// Router factory

-	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, observabilityMgr, pluginBuilder, dialerManager)
+	accessLog := setupAccessLog(staticConfiguration.AccessLog)
+	tracer := setupTracing(staticConfiguration.Tracing)
+
+	chainBuilder := middleware.NewChainBuilder(metricsRegistry, accessLog, tracer)
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry)

 	// Watcher

@@ -332,9 +285,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	// Server Transports
 	watcher.AddListener(func(conf dynamic.Configuration) {
-		transportManager.Update(conf.HTTP.ServersTransports)
-		proxyBuilder.Update(conf.HTTP.ServersTransports)
-		dialerManager.Update(conf.TCP.ServersTransports)
+		roundTripperManager.Update(conf.HTTP.ServersTransports)
 	})

 	// Switch router
@@ -354,22 +305,13 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// TLS challenge
 	watcher.AddListener(tlsChallengeProvider.ListenConfiguration)

-	// Certificate Resolvers
-
-	resolverNames := map[string]struct{}{}
-
 	// ACME
+	resolverNames := map[string]struct{}{}
 	for _, p := range acmeProviders {
 		resolverNames[p.ResolverName] = struct{}{}
 		watcher.AddListener(p.ListenConfiguration)
 	}

-	// Tailscale
-	for _, p := range tsProviders {
-		resolverNames[p.ResolverName] = struct{}{}
-		watcher.AddListener(p.HandleConfigUpdate)
-	}
-
 	// Certificate resolver logs
 	watcher.AddListener(func(config dynamic.Configuration) {
 		for rtName, rt := range config.HTTP.Routers {
@@ -378,13 +320,12 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 			}

 			if _, ok := resolverNames[rt.TLS.CertResolver]; !ok {
-				log.Error().Err(err).Str(logs.RouterName, rtName).Str("certificateResolver", rt.TLS.CertResolver).
-					Msg("Router uses a nonexistent certificate resolver")
+				log.WithoutContext().Errorf("Router %s uses a nonexistent resolver: %s", rtName, rt.TLS.CertResolver)
 			}
 		}
 	})

-	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, observabilityMgr), nil
+	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog), nil
 }

 func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvider http.Handler) http.Handler {
@@ -400,27 +341,11 @@ func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvid

 func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
 	var defaultEntryPoints []string
-
-	// Determines if at least one EntryPoint is configured to be used by default.
-	var hasDefinedDefaults bool
-	for _, ep := range staticConfiguration.EntryPoints {
-		if ep.AsDefault {
-			hasDefinedDefaults = true
-			break
-		}
-	}
-
 	for name, cfg := range staticConfiguration.EntryPoints {
-		// By default all entrypoints are considered.
-		// If at least one is flagged, then only flagged entrypoints are included.
-		if hasDefinedDefaults && !cfg.AsDefault {
-			continue
-		}
-
 		protocol, err := cfg.GetProtocol()
 		if err != nil {
 			// Should never happen because Traefik should not start if protocol is invalid.
-			log.Error().Err(err).Msg("Invalid protocol")
+			log.WithoutContext().Errorf("Invalid protocol: %v", err)
 		}

 		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
@@ -443,7 +368,7 @@ func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP serv
 	}
 }

-// initACMEProvider creates and registers acme.Provider instances corresponding to the configured ACME certificate resolvers.
+// initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider, routinesPool *safe.Pool) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}

@@ -466,7 +391,7 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 		}

 		if err := providerAggregator.AddProvider(p); err != nil {
-			log.Error().Err(err).Str("resolver", name).Msg("The ACME resolve is skipped from the resolvers list")
+			log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
 			continue
 		}

@@ -480,27 +405,6 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 	return resolvers
 }

-// initTailscaleProviders creates and registers tailscale.Provider instances corresponding to the configured Tailscale certificate resolvers.
-func initTailscaleProviders(cfg *static.Configuration, providerAggregator *aggregator.ProviderAggregator) []*tailscale.Provider {
-	var providers []*tailscale.Provider
-	for name, resolver := range cfg.CertificatesResolvers {
-		if resolver.Tailscale == nil {
-			continue
-		}
-
-		tsProvider := &tailscale.Provider{ResolverName: name}
-
-		if err := providerAggregator.AddProvider(tsProvider); err != nil {
-			log.Error().Err(err).Str(logs.ProviderName, name).Msg("Unable to create Tailscale provider")
-			continue
-		}
-
-		providers = append(providers, tsProvider)
-	}
-
-	return providers
-}
-
 func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
 		return nil
@@ -509,59 +413,42 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	var registries []metrics.Registry

 	if metricsConfig.Prometheus != nil {
-		logger := log.With().Str(logs.MetricsProviderName, "prometheus").Logger()
-
-		prometheusRegister := metrics.RegisterPrometheus(logger.WithContext(context.Background()), metricsConfig.Prometheus)
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
+		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
 		if prometheusRegister != nil {
 			registries = append(registries, prometheusRegister)
-			logger.Debug().Msg("Configured Prometheus metrics")
+			log.FromContext(ctx).Debug("Configured Prometheus metrics")
 		}
 	}

 	if metricsConfig.Datadog != nil {
-		logger := log.With().Str(logs.MetricsProviderName, "datadog").Logger()
-
-		registries = append(registries, metrics.RegisterDatadog(logger.WithContext(context.Background()), metricsConfig.Datadog))
-		logger.Debug().
-			Str("address", metricsConfig.Datadog.Address).
-			Str("pushInterval", metricsConfig.Datadog.PushInterval.String()).
-			Msgf("Configured Datadog metrics")
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
+		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
+		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
+			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
 	}

 	if metricsConfig.StatsD != nil {
-		logger := log.With().Str(logs.MetricsProviderName, "statsd").Logger()
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
+		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
+		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
+			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
+	}

-		registries = append(registries, metrics.RegisterStatsd(logger.WithContext(context.Background()), metricsConfig.StatsD))
-		logger.Debug().
-			Str("address", metricsConfig.StatsD.Address).
-			Str("pushInterval", metricsConfig.StatsD.PushInterval.String()).
-			Msg("Configured StatsD metrics")
+	if metricsConfig.InfluxDB != nil {
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
+		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
+		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
+			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
 	}

 	if metricsConfig.InfluxDB2 != nil {
-		logger := log.With().Str(logs.MetricsProviderName, "influxdb2").Logger()
-
-		influxDB2Register := metrics.RegisterInfluxDB2(logger.WithContext(context.Background()), metricsConfig.InfluxDB2)
+		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb2"))
+		influxDB2Register := metrics.RegisterInfluxDB2(ctx, metricsConfig.InfluxDB2)
 		if influxDB2Register != nil {
 			registries = append(registries, influxDB2Register)
-			logger.Debug().
-				Str("address", metricsConfig.InfluxDB2.Address).
-				Str("bucket", metricsConfig.InfluxDB2.Bucket).
-				Str("organization", metricsConfig.InfluxDB2.Org).
-				Str("pushInterval", metricsConfig.InfluxDB2.PushInterval.String()).
-				Msg("Configured InfluxDB v2 metrics")
-		}
-	}
-
-	if metricsConfig.OTLP != nil {
-		logger := log.With().Str(logs.MetricsProviderName, "openTelemetry").Logger()
-
-		openTelemetryRegistry := metrics.RegisterOpenTelemetry(logger.WithContext(context.Background()), metricsConfig.OTLP)
-		if openTelemetryRegistry != nil {
-			registries = append(registries, openTelemetryRegistry)
-			logger.Debug().
-				Str("pushInterval", metricsConfig.OTLP.PushInterval.String()).
-				Msg("Configured OpenTelemetry metrics")
+			log.FromContext(ctx).Debugf("Configured InfluxDB v2 metrics: pushing to %s (%s org/%s bucket) once every %s",
+				metricsConfig.InfluxDB2.Address, metricsConfig.InfluxDB2.Org, metricsConfig.InfluxDB2.Bucket, metricsConfig.InfluxDB2.PushInterval)
 		}
 	}

@@ -589,25 +476,130 @@ func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {

 	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
 	if err != nil {
-		log.Warn().Err(err).Msg("Unable to create access logger")
+		log.WithoutContext().Warnf("Unable to create access logger: %v", err)
 		return nil
 	}

 	return accessLoggerMiddleware
 }

-func setupTracing(conf *static.Tracing) (*tracing.Tracer, io.Closer) {
+func setupTracing(conf *static.Tracing) *tracing.Tracing {
 	if conf == nil {
-		return nil, nil
+		return nil
 	}

-	tracer, closer, err := tracing.NewTracing(conf)
+	var backend tracing.Backend
+
+	if conf.Jaeger != nil {
+		backend = conf.Jaeger
+	}
+
+	if conf.Zipkin != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Zipkin backend.")
+		} else {
+			backend = conf.Zipkin
+		}
+	}
+
+	if conf.Datadog != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Datadog backend.")
+		} else {
+			backend = conf.Datadog
+		}
+	}
+
+	if conf.Instana != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Instana backend.")
+		} else {
+			backend = conf.Instana
+		}
+	}
+
+	if conf.Haystack != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Haystack backend.")
+		} else {
+			backend = conf.Haystack
+		}
+	}
+
+	if conf.Elastic != nil {
+		if backend != nil {
+			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Elastic backend.")
+		} else {
+			backend = conf.Elastic
+		}
+	}
+
+	if backend == nil {
+		log.WithoutContext().Debug("Could not initialize tracing, using Jaeger by default")
+		defaultBackend := &jaeger.Config{}
+		defaultBackend.SetDefaults()
+		backend = defaultBackend
+	}
+
+	tracer, err := tracing.NewTracing(conf.ServiceName, conf.SpanNameLimit, backend)
 	if err != nil {
-		log.Warn().Err(err).Msg("Unable to create tracer")
-		return nil, nil
+		log.WithoutContext().Warnf("Unable to create tracer: %v", err)
+		return nil
+	}
+	return tracer
+}
+
+func configureLogging(staticConfiguration *static.Configuration) {
+	// configure default log flags
+	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
+
+	// configure log level
+	// an explicitly defined log level always has precedence. if none is
+	// given and debug mode is disabled, the default is ERROR, and DEBUG
+	// otherwise.
+	levelStr := "error"
+	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
+		levelStr = strings.ToLower(staticConfiguration.Log.Level)
 	}

-	return tracer, closer
+	level, err := logrus.ParseLevel(levelStr)
+	if err != nil {
+		log.WithoutContext().Errorf("Error getting level: %v", err)
+	}
+	log.SetLevel(level)
+
+	var logFile string
+	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
+		logFile = staticConfiguration.Log.FilePath
+	}
+
+	// configure log format
+	var formatter logrus.Formatter
+	if staticConfiguration.Log != nil && staticConfiguration.Log.Format == "json" {
+		formatter = &logrus.JSONFormatter{}
+	} else {
+		disableColors := len(logFile) > 0
+		formatter = &logrus.TextFormatter{DisableColors: disableColors, FullTimestamp: true, DisableSorting: true}
+	}
+	log.SetFormatter(formatter)
+
+	if len(logFile) > 0 {
+		dir := filepath.Dir(logFile)
+
+		if err := os.MkdirAll(dir, 0o755); err != nil {
+			log.WithoutContext().Errorf("Failed to create log path %s: %s", dir, err)
+		}
+
+		err = log.OpenFile(logFile)
+		logrus.RegisterExitHandler(func() {
+			if err := log.CloseFile(); err != nil {
+				log.WithoutContext().Errorf("Error while closing log: %v", err)
+			}
+		})
+		if err != nil {
+			log.WithoutContext().Errorf("Error while opening log file %s: %v", logFile, err)
+		}
+	}
 }

 func checkNewVersion() {
@@ -620,16 +612,16 @@ func checkNewVersion() {
 }

 func stats(staticConfiguration *static.Configuration) {
-	logger := log.With().Logger()
+	logger := log.WithoutContext()

 	if staticConfiguration.Global.SendAnonymousUsage {
-		logger.Info().Msg(`Stats collection is enabled.`)
-		logger.Info().Msg(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
-		logger.Info().Msg(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info().Msg(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
+		logger.Info(`Stats collection is enabled.`)
+		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
+		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
+		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
-		logger.Info().Msg(`
+		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
 More details on: https://doc.traefik.io/traefik/contributing/data-collection/
@@ -642,7 +634,7 @@ func collect(staticConfiguration *static.Configuration) {
 	safe.Go(func() {
 		for time.Sleep(10 * time.Minute); ; <-ticker {
 			if err := collector.Collect(staticConfiguration); err != nil {
-				log.Debug().Err(err).Send()
+				log.WithoutContext().Debug(err)
 			}
 		}
 	})
@@ -9,7 +9,6 @@ import (
 	"github.com/go-kit/kit/metrics"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/traefik/traefik/v3/pkg/config/static"
 )

 // FooCert is a PEM-encoded TLS cert.
@@ -114,73 +113,3 @@ func TestAppendCertMetric(t *testing.T) {
 		})
 	}
 }
-
-func TestGetDefaultsEntrypoints(t *testing.T) {
-	testCases := []struct {
-		desc        string
-		entrypoints static.EntryPoints
-		expected    []string
-	}{
-		{
-			desc: "Skips special names",
-			entrypoints: map[string]*static.EntryPoint{
-				"web": {
-					Address: ":80",
-				},
-				"traefik": {
-					Address: ":8080",
-				},
-			},
-			expected: []string{"web"},
-		},
-		{
-			desc: "Two EntryPoints not attachable",
-			entrypoints: map[string]*static.EntryPoint{
-				"web": {
-					Address: ":80",
-				},
-				"websecure": {
-					Address: ":443",
-				},
-			},
-			expected: []string{"web", "websecure"},
-		},
-		{
-			desc: "Two EntryPoints only one attachable",
-			entrypoints: map[string]*static.EntryPoint{
-				"web": {
-					Address: ":80",
-				},
-				"websecure": {
-					Address:   ":443",
-					AsDefault: true,
-				},
-			},
-			expected: []string{"websecure"},
-		},
-		{
-			desc: "Two attachable EntryPoints",
-			entrypoints: map[string]*static.EntryPoint{
-				"web": {
-					Address:   ":80",
-					AsDefault: true,
-				},
-				"websecure": {
-					Address:   ":443",
-					AsDefault: true,
-				},
-			},
-			expected: []string{"web", "websecure"},
-		},
-	}
-
-	for _, test := range testCases {
-		t.Run(test.desc, func(t *testing.T) {
-			actual := getDefaultsEntrypoints(&static.Configuration{
-				EntryPoints: test.entrypoints,
-			})
-
-			assert.ElementsMatch(t, test.expected, actual)
-		})
-	}
-}
@@ -8,7 +8,7 @@ import (
 	"text/template"

 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v3/pkg/version"
+	"github.com/traefik/traefik/v2/pkg/version"
 )

 var versionTemplate = `Version:      {{.Version}}
@@ -21,7 +21,7 @@ docs: docs-clean docs-image docs-lint docs-build docs-verify
 # Writer Mode: build and serve docs on http://localhost:8000 with livereload
 .PHONY: docs-serve
 docs-serve: docs-image
-	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) mkdocs serve
+	docker run  $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) mkdocs serve -a 0.0.0.0:8000

 ## Pull image for doc building
 .PHONY: docs-pull-images
@@ -1,4 +1,4 @@
-FROM alpine:3.21
+FROM alpine:3.24

 RUN apk --no-cache --no-progress add \
    build-base \
@@ -9,9 +9,7 @@ RUN apk --no-cache --no-progress add \
    ruby \
    ruby-bigdecimal \
    ruby-dev \
-    ruby-etc \
    ruby-ffi \
-    ruby-json \
    zlib-dev

 RUN gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
@@ -1,4 +1,14 @@
 /* Highlight */
 (function(hljs) {
    hljs.initHighlightingOnLoad();
-})(hljs);
+})(hljs);
+
+/* Scarf Analytics - cookieless, anonymous company-level intelligence */
+(function() {
+    var img = document.createElement('img');
+    img.src = 'https://static.scarf.sh/a.png?x-pxid=1a49232a-b165-4015-8ed2-a1092f1f0d83';
+    img.referrerPolicy = 'no-referrer-when-downgrade';
+    img.loading = 'eager';
+    img.style.cssText = 'visibility:hidden;position:absolute;width:1px;height:1px;';
+    document.body.appendChild(img);
+})();
@@ -66,6 +66,7 @@ providers:
  docker:
    endpoint: "tcp://10.10.10.10:2375"
    exposedByDefault: true
+    swarmMode: true

    tls:
      ca: dockerCA
@@ -85,6 +86,7 @@ providers:
  docker:
    endpoint: "xxxx"
    exposedByDefault: true
+    swarmMode: true

    tls:
      ca: xxxx
@@ -15,7 +15,7 @@ Let's see how.

 ### General

-This [documentation](../../ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").
+This [documentation](https://doc.traefik.io/traefik/ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").

 ### Method 1: `Docker` and `make`

@@ -22,7 +22,6 @@ description: "Traefik Proxy is an open source software with a thriving community
 * Landry Benguigui [@lbenguigui](https://github.com/lbenguigui)
 * Simon Delicata [@sdelicata](https://github.com/sdelicata)
 * Baptiste Mayelle [@youkoulayley](https://github.com/youkoulayley)
-* Jesper Noordsij [@jnoordsij](https://github.com/jnoordsij)

 ## Past Maintainers

@@ -91,8 +91,6 @@ You must run these local verifications before you submit your pull request to pr
 Your PR will not be reviewed until these are green on the CI.

 * `make generate`
-* `make generate-crd`
-* `make test-gateway-api-conformance`
 * `make validate`
 * `make pull-images`
 * `make test`
@@ -2,19 +2,43 @@

 This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.

-| Feature                                                                                                              | Deprecated | End of Support | Removal |
-|----------------------------------------------------------------------------------------------------------------------|------------|----------------|---------|
-| [Kubernetes Ingress API Version `networking.k8s.io/v1beta1`](#kubernetes-ingress-api-version-networkingk8siov1beta1) | N/A        | N/A            | 3.0     |
-| [CRD API Version `apiextensions.k8s.io/v1beta1`](#kubernetes-ingress-api-version-networkingk8siov1beta1)             | N/A        | N/A            | 3.0     |
+| Feature                                                                                                     | Deprecated | End of Support | Removal |
+|-------------------------------------------------------------------------------------------------------------|------------|----------------|---------|
+| [Pilot](#pilot)                                                                                             | 2.7        | 2.8            | 2.9     |
+| [Consul Enterprise Namespace](#consul-enterprise-namespace)                                                 | 2.8        | N/A            | 3.0     |
+| [TLS 1.0 and 1.1 Support](#tls-10-and-11)                                                                   | N/A        | 2.8            | N/A     |
+| [Nomad Namespace](#nomad-namespace)                                                                         | 2.10       | N/A            | 3.0     |
+| [Kubernetes CRDs API Group `traefik.containo.us`](#kubernetes-crd-provider-api-group-traefikcontainous)     | 2.10       | N/A            | 3.0     |
+| [Kubernetes CRDs API Version `traefik.io/v1alpha1`](#kubernetes-crd-provider-api-version-traefikiov1alpha1) | 3.0        | N/A            | 4.0     |

 ## Impact

-### Kubernetes Ingress API Version `networking.k8s.io/v1beta1`
+### Pilot

-The Kubernetes Ingress API Version `networking.k8s.io/v1beta1` support is removed in v3. 
-Please use the API Group `networking.k8s.io/v1` instead.
+Metrics will continue to function normally up to 2.8, when they will be disabled.  
+In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.

-### Traefik CRD Definitions API Version `apiextensions.k8s.io/v1beta1`
+Starting on 2.7 the pilot token will not be a requirement anymore for plugins.  
+Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from Pilot.

-The Traefik CRD definitions API Version `apiextensions.k8s.io/v1beta1` support is removed in v3.
-Please use the API Group `apiextensions.k8s.io/v1` instead.
+### Consul Enterprise Namespace
+
+Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
+please use the `namespaces` options instead.  
+
+### TLS 1.0 and 1.1
+
+Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.  
+
+### Nomad Namespace
+
+Starting on 2.10 the `namespace` option of the Nomad provider is deprecated,
+please use the `namespaces` options instead.
+
+### Kubernetes CRD Provider API Group `traefik.containo.us`
+
+In v2.10, the Kubernetes CRD provider API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
+
+### Kubernetes CRD Provider API Version `traefik.io/v1alpha1`
+
+The Kubernetes CRD provider API Version `traefik.io/v1alpha1` will subsequently be deprecated in Traefik v3. The next version will be `traefik.io/v1`.
@@ -6,11 +6,13 @@ Below is a non-exhaustive list of versions and their maintenance status:

 | Version | Release Date | Active Support     | Security Support  |
 |---------|--------------|--------------------|-------------------|
-| 3.3     | Jan 06, 2025 | Yes                | Yes               |
+| 3.5     | Jul 23, 2025 | Yes                | Yes               |
+| 3.4     | May 05, 2025 | Ended Jul 23, 2025 | No                |
+| 3.3     | Jan 06, 2025 | Ended May 05, 2025 | No                |
 | 3.2     | Oct 28, 2024 | Ended Jan 06, 2025 | No                |
 | 3.1     | Jul 15, 2024 | Ended Oct 28, 2024 | No                |
 | 3.0     | Apr 29, 2024 | Ended Jul 15, 2024 | No                |
-| 2.11    | Feb 12, 2024 | Ends  Apr 29, 2025 | Ends Feb 01, 2026 |
+| 2.11    | Feb 12, 2024 | Ended Apr 29, 2025 | Ends Feb 01, 2026 |
 | 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 | No                |
 | 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 | No                |
 | 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No                |
@@ -32,7 +34,7 @@ Below is a non-exhaustive list of versions and their maintenance status:

 This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.

-Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v2 to v3 migration guide](../migration/v2-to-v3.md).
+Please refer to our migration guides for specific instructions on upgrading between versions.

 !!! important "All target dates for end of support or feature removal announcements may be subject to change."

@@ -57,4 +57,4 @@ You no longer need to create and synchronize configuration files cluttered with
    Traefik is able to use your cluster API to discover the services and read the attached information.
    In Traefik, these connectors are called [providers](../providers/overview.md "Link to overview about Traefik providers") because they *provide* the configuration to Traefik.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -79,7 +79,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:v3.3 --help
+# ex: docker run traefik:v2.11 --help
 ```

 Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.
@@ -94,4 +94,4 @@ All the configuration options are documented in their related section.

 You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -252,4 +252,4 @@ In which case, you should make sure your infrastructure is properly set up for a
 LEGO_DISABLE_CNAME_SUPPORT=true
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:

 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:

-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.3/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.3/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.11/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.11/traefik.sample.toml)

 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.3
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.11
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.3`
+    ex: `traefik:v2.11`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

@@ -39,7 +39,7 @@ Traefik can be installed in Kubernetes using the Helm chart from <https://github

 Ensure that the following requirements are met:

-* Kubernetes 1.22+
+* Kubernetes 1.16+
 * Helm version 3.9+ is [installed](https://helm.sh/docs/intro/install/)

 Add Traefik Labs chart repository to Helm:
@@ -144,4 +144,4 @@ And run it:

 All the details are available in the [Contributing Guide](../contributing/building-testing.md)

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -35,19 +35,12 @@ rules:
      - ""
    resources:
      - services
+      - endpoints
      - secrets
-      - nodes
    verbs:
      - get
      - list
      - watch
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - list
-      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
@@ -67,6 +60,7 @@ rules:
      - update
  - apiGroups:
      - traefik.io
+      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
@@ -77,7 +71,6 @@ rules:
      - tlsoptions
      - tlsstores
      - serverstransports
-      - serverstransporttcps
    verbs:
      - get
      - list
@@ -154,7 +147,7 @@ spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
-          image: traefik:v3.3
+          image: traefik:v2.11
          args:
            - --api.insecure
            - --providers.kubernetesingress
@@ -341,4 +334,4 @@ curl -v http://localhost/
    - Use [IngressRoute CRD](../providers/kubernetes-crd.md)
    - Protect [ingresses with TLS](../routing/providers/kubernetes-ingress.md#enabling-tls-via-annotations)
    
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -19,8 +19,8 @@ version: '3'

 services:
  reverse-proxy:
-    # The official v3 Traefik docker image
-    image: traefik:v3.3
+    # The official v2 Traefik docker image
+    image: traefik:v2.11
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
@@ -71,9 +71,9 @@ Start the `whoami` service with the following command:
 docker compose up -d whoami
 ```

-Browse `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new container and updated its own configuration.
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new container and updated its own configuration.

-When Traefik detects new services, it creates the corresponding routes, so you can call them ... _let's see!_  (Here, you're using curl)
+When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_  (Here, you're using curl)

 ```shell
 curl -H Host:whoami.docker.localhost http://127.0.0.1
@@ -95,7 +95,7 @@ Run more instances of your `whoami` service with the following command:
 docker compose up -d --scale whoami=2
 ```

-Browse to `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new instance of the container.
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new instance of the container.

 Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:

@@ -121,4 +121,4 @@ IP: 172.27.0.4

    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the user guides](../../user-guides/docker-compose/basic-example/ "Link to the user guides") and [the documentation](/ "Link to the docs landing page") and let Traefik work for you!

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -316,21 +316,31 @@ For complete details, refer to your provider's _Additional configuration_ link.

 | Provider Name                                                          | Provider Code      | Environment Variables                                                                                                                                                            |                                                                                 |
 |------------------------------------------------------------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
+| [1cloud.ru](https://1cloud.ru/)                                        | `onecloudru`       | `ONECLOUDRU_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/onecloudru)       |
+| [35.com/三五互联](https://www.35.cn/)                                  | `com35`            | `COM35_USERNAME`, `COM35_PASSWORD`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/com35)            |
 | [ACME DNS](https://github.com/joohoi/acme-dns)                         | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`, `ACME_DNS_STORAGE_BASE_URL`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
 | [Active24](https://www.active24.cz)                                    | `active24`         | `ACTIVE24_API_KEY`, `ACTIVE24_SECRET`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/active24)         |
 | [Alibaba Cloud](https://www.alibabacloud.com)                          | `alidns`           | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)           |
+| [AlibabaCloud ESA](https://www.alibabacloud.com/en/product/esa)        | `aliesa`           | `ALIESA_RAM_ROLE` or `ALIESA_ACCESS_KEY`, `ALIESA_SECRET_KEY`, `ALIESA_REGION_ID`, `[ALIESA_SECURITY_TOKEN]`                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/aliesa)           |
 | [all-inkl](https://all-inkl.com)                                       | `allinkl`          | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)          |
+| [Alwaysdata](https://alwaysdata.com/)                                  | `alwaysdata`       | `ALWAYSDATA_API_KEY`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/alwaysdata)       |
+| [Anexia CloudDNS](https://www.anexia-it.com/)                          | `anexia`           | `ANEXIA_TOKEN`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/anexia)           |
+| [ArtFiles](https://www.artfiles.de/extras/domains/)                    | `artfiles`         | `ARTFILES_USERNAME`, `ARTFILES_PASSWORD`                                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/artfiles)         |
 | [ArvanCloud](https://www.arvancloud.ir/en)                             | `arvancloud`       | `ARVANCLOUD_API_KEY`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)       |
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)               | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
 | [Autodns](https://www.internetx.com/domains/autodns/)                  | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
 | [Axelname](https://axelname.ru)                                        | `axelname`         | `AXELNAME_NICKNAME`, `AXELNAME_TOKEN`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/axelname)         |
-| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`                                        | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [Azion](https://www.azion.com/en/products/edge-dns/)                   | `azion`            | `AZION_PERSONAL_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/azion)            |
+| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED)        | `azure`            | DEPRECATED use `azuredns` instead.                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
 | [AzureDNS](https://azure.microsoft.com/services/dns/)                  | `azuredns`         | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns)         |
 | [Baidu Cloud](https://cloud.baidu.com)                                 | `baiducloud`       | `BAIDUCLOUD_ACCESS_KEY_ID`, `BAIDUCLOUD_SECRET_ACCESS_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/baiducloud)       |
+| [Beget.com](https://beget.com/)                                        | `beget`            | `BEGET_USERNAME`, `BEGET_PASSWORD`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/beget)            |
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)             | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
+| [Binary Lane](https://www.binarylane.com.au/)                          | `binarylane`       | `BINARYLANE_API_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/binarylane)       |
 | [Blue Cat](https://www.bluecatnetworks.com/)                           | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
+| [Bluecat v2](https://www.bluecatnetworks.com)                          | `bluecatv2`        | `BLUECATV2_SERVER_URL`, `BLUECATV2_USERNAME`, `BLUECATV2_PASSWORD`, `BLUECATV2_CONFIG_NAME`, `BLUECATV2_VIEW_NAME`                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/bluecatv2)        |
 | [BookMyName](https://www.bookmyname.com)                               | `bookmyname`       | `BOOKMYNAME_USERNAME`, `BOOKMYNAME_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/bookmyname)       |
-| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
+| [Brandit](https://www.brandit.com) (DEPRECATED)                        | `brandit`          | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/brandit)          |
 | [Bunny](https://bunny.net)                                             | `bunny`            | `BUNNY_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/bunny)            |
 | [Checkdomain](https://www.checkdomain.de/)                             | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
 | [Civo](https://www.civo.com/)                                          | `civo`             | `CIVO_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
@@ -338,42 +348,55 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [CloudDNS](https://vshosting.eu/)                                      | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
 | [Cloudflare](https://www.cloudflare.com)                               | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
 | [ClouDNS](https://www.cloudns.net/)                                    | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
-| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [CloudXNS](https://www.cloudxns.net) (DEPRECATED)                      | `cloudxns`         | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [ConoHa v3](https://www.conoha.jp/)                                    | `conohav3`         | `CONOHAV3_TENANT_ID`, `CONOHAV3_API_USER_ID`, `CONOHAV3_API_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conohav3)         |
 | [ConoHa](https://www.conoha.jp)                                        | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
 | [Constellix](https://constellix.com)                                   | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
 | [Core-Networks](https://www.core-networks.de)                          | `corenetworks`     | `CORENETWORKS_LOGIN`, `CORENETWORKS_PASSWORD`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/corenetworks)     |
 | [CPanel and WHM](https://cpanel.net/)                                  | `cpanel`           | `CPANEL_MODE`, `CPANEL_USERNAME`, `CPANEL_TOKEN`, `CPANEL_BASE_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cpanel)           |
+| [Czechia](https://www.czechia.com/)                                    | `czechia`          | `CZECHIA_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/czechia)          |
+| [DDnss (DynDNS Service)](https://ddnss.de/)                            | `ddnss`            | `DDNSS_KEY`                                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/ddnss)            |
 | [Derak Cloud](https://derak.cloud/)                                    | `derak`            | `DERAK_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/derak)            |
 | [deSEC](https://desec.io)                                              | `desec`            | `DESEC_TOKEN`                                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/desec)            |
 | [DigitalOcean](https://www.digitalocean.com)                           | `digitalocean`     | `DO_AUTH_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean)     |
 | [DirectAdmin](https://www.directadmin.com)                             | `directadmin`      | `DIRECTADMIN_API_URL` , `DIRECTADMIN_USERNAME`, `DIRECTADMIN_PASSWORD`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/directadmin)      |
 | [DNS Made Easy](https://dnsmadeeasy.com)                               | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
+| [DNSExit](https://dnsexit.com)                                         | `dnsexit`          | `DNSEXIT_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dnsexit)          |
 | [dnsHome.de](https://www.dnshome.de)                                   | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
 | [DNSimple](https://dnsimple.com)                                       | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
-| [DNSPod](https://www.dnspod.com/)                                      | `dnspod`           | `DNSPOD_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
+| [DNSPod](https://www.dnspod.com/) (DEPRECATED)                         | `dnspod`           | DEPRECATED  use `tencentcloud` instead.                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
 | [Domain Offensive (do.de)](https://www.do.de/)                         | `dode`             | `DODE_TOKEN`                                                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
 | [Domeneshop](https://domene.shop)                                      | `domeneshop`       | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)       |
 | [DreamHost](https://www.dreamhost.com/)                                | `dreamhost`        | `DREAMHOST_API_KEY`                                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)        |
 | [Duck DNS](https://www.duckdns.org/)                                   | `duckdns`          | `DUCKDNS_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)          |
 | [Dyn](https://dyn.com)                                                 | `dyn`              | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)              |
+| [DynDnsFree.de](https://www.dyndnsfree.de)                             | `dyndnsfree`       | `DYNDNSFREE_USERNAME`, `DYNDNSFREE_PASSWORD`                                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dyndnsfree)       |
 | [Dynu](https://www.dynu.com)                                           | `dynu`             | `DYNU_API_KEY`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)             |
 | [EasyDNS](https://easydns.com/)                                        | `easydns`          | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)          |
+| [EdgeCenter](https://edgecenter.ru/dns)                                | `edgecenter`       | `EDGECENTER_PERMANENT_API_TOKEN`                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/edgecenter)       |
 | [EdgeDNS](https://www.akamai.com/)                                     | `edgedns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
 | [Efficient IP](https://efficientip.com)                                | `efficientip`      | `EFFICIENTIP_USERNAME`, `EFFICIENTIP_PASSWORD`, `EFFICIENTIP_HOSTNAME`, `EFFICIENTIP_DNS_NAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/efficientip)      |
 | [Epik](https://www.epik.com)                                           | `epik`             | `EPIK_SIGNATURE`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/epik)             |
+| [EuroDNS](https://www.eurodns.com/)                                    | `eurodns`          | `EURODNS_APP_ID`, `EURODNS_API_KEY`                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/eurodns)          |
 | [Exoscale](https://www.exoscale.com)                                   | `exoscale`         | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)         |
+| [Excedo](https://excedo.se/)                                           | `excedo`           | `EXCEDO_API_URL`, `EXCEDO_API_KEY`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/excedo)           |
 | [F5 XC](https://www.f5.com/products/distributed-cloud-services)        | `f5xc`             | `F5XC_API_TOKEN`, `F5XC_TENANT_NAME`, `F5XC_GROUP_NAME`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/f5xc)             |
 | [Fast DNS](https://www.akamai.com/)                                    | `fastdns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
 | [Freemyip.com](https://freemyip.com)                                   | `freemyip`         | `FREEMYIP_TOKEN`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip)         |
+| [FusionLayer NameSurfer](https://www.fusionlayer.com/)                 | `namesurfer`       | `NAMESURFER_BASE_URL`, `NAMESURFER_API_KEY`, `NAMESURFER_API_SECRET`, `[NAMESURFER_VIEW]`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/namesurfer)       |
 | [G-Core](https://gcore.com/dns/)                                       | `gcore`            | `GCORE_PERMANENT_API_TOKEN`                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcore)            |
 | [Gandi v5](https://doc.livedns.gandi.net)                              | `gandiv5`          | `GANDIV5_PERSONAL_ACCESS_TOKEN`                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)          |
 | [Gandi](https://www.gandi.net)                                         | `gandi`            | `GANDI_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)            |
+| [Gigahost.no](https://gigahost.no/)                                    | `gigahostno`       | `GIGAHOSTNO_USERNAME`, `GIGAHOSTNO_PASSWORD`, `GIGAHOSTNO_SECRET`                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/gigahostno)       |
 | [Glesys](https://glesys.com/)                                          | `glesys`           | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)           |
 | [GoDaddy](https://www.godaddy.com)                                     | `godaddy`          | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)          |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)                 | `gcloud`           | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)           |
-| [Google Domains](https://domains.google)                               | `googledomains`    | `GOOGLE_DOMAINS_ACCESS_TOKEN`                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
+| [Google Domains](https://domains.google) (DEPRECATED)                  | `googledomains`    | DEPRECATED                                                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains)    |
+| [Gravity](https://gravity.beryju.io/)                                  | `gravity`          | `GRAVITY_SERVER_URL`, `GRAVITY_USERNAME`, `GRAVITY_PASSWORD`                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/gravity)          |
 | [Hetzner](https://hetzner.com)                                         | `hetzner`          | `HETZNER_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
 | [hosting.de](https://www.hosting.de)                                   | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
+| [Hosting.nl](https://hosting.nl)                                       | `hostingnl`        | `HOSTINGNL_API_KEY`                                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/hostingnl)        |
+| [Hostinger](https://www.hostinger.com/)                                | `hostinger`        | `HOSTINGER_API_TOKEN`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/hostinger)        |
 | [Hosttech](https://www.hosttech.eu)                                    | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
 | [http.net](https://www.http.net/)                                      | `httpnet`          | `HTTPNET_API_KEY`                                                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/httpnet)          |
 | [Huawei Cloud](https://huaweicloud.com)                                | `huaweicloud`      | `HUAWEICLOUD_ACCESS_KEY_ID`, `HUAWEICLOUD_SECRET_ACCESS_KEY`, `HUAWEICLOUD_REGION`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/huaweicloud)      |
@@ -387,9 +410,15 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Internet.bs](https://internetbs.net)                                  | `internetbs`       | `INTERNET_BS_API_KEY`, `INTERNET_BS_PASSWORD`                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/internetbs)       |
 | [INWX](https://www.inwx.de/en)                                         | `inwx`             | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)             |
 | [ionos](https://ionos.com/)                                            | `ionos`            | `IONOS_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)            |
+| [Ionos Cloud](https://cloud.ionos.de/network/cloud-dns)                | `ionoscloud`       | `IONOSCLOUD_API_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/ionoscloud)       |
 | [IPv64](https://ipv64.net)                                             | `ipv64`            | `IPV64_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/ipv64)            |
+| [ISPConfig 3](https://www.ispconfig.org/)                              | `ispconfig`        | `ISPCONFIG_SERVER_URL`, `ISPCONFIG_USERNAME`, `ISPCONFIG_PASSWORD`                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ispconfig)        |
+| [ISPConfig 3 Dynamic DNS](https://www.ispconfig.org/)                  | `ispconfigddns`    | `ISPCONFIG_DDNS_SERVER_URL`, `ISPCONFIG_DDNS_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/ispconfigddns)    |
 | [iwantmyname](https://iwantmyname.com)                                 | `iwantmyname`      | `IWANTMYNAME_USERNAME` , `IWANTMYNAME_PASSWORD`                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/iwantmyname)      |
+| [JD Cloud](https://www.jdcloud.com/)                                   | `jdcloud`          | `JDCLOUD_ACCESS_KEY_ID`, `JDCLOUD_ACCESS_KEY_SECRET`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/jdcloud)          |
 | [Joker.com](https://joker.com)                                         | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
+| [KeyHelp](https://www.keyweb.de/en/keyhelp/keyhelp/)                   | `keyhelp`          | `KEYHELP_BASE_URL`, `KEYHELP_API_KEY`                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/keyhelp)          |
+| [Leaseweb](https://www.leaseweb.com/en/)                               | `leaseweb`         | `LEASEWEB_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/leaseweb)         |
 | [Liara](https://liara.ir)                                              | `liara`            | `LIARA_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/liara)            |
 | [Lightsail](https://aws.amazon.com/lightsail/)                         | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
 | [Lima-City](https://www.lima-city.de)                                  | `limacity`         | `LIMACITY_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/limacity)         |
@@ -409,14 +438,18 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [name.com](https://www.name.com/)                                      | `namedotcom`       | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)       |
 | [Namecheap](https://www.namecheap.com)                                 | `namecheap`        | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)        |
 | [Namesilo](https://www.namesilo.com/)                                  | `namesilo`         | `NAMESILO_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)         |
+| [Neodigit](https://www.neodigit.net)                                   | `neodigit`         | `NEODIGIT_TOKEN`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/neodigit)         |
 | [NearlyFreeSpeech.NET](https://www.nearlyfreespeech.net/)              | `nearlyfreespeech` | `NEARLYFREESPEECH_API_KEY`, `NEARLYFREESPEECH_LOGIN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/nearlyfreespeech) |
 | [Netcup](https://www.netcup.eu/)                                       | `netcup`           | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)           |
 | [Netlify](https://www.netlify.com)                                     | `netlify`          | `NETLIFY_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)          |
+| [Netnod](https://www.netnod.se/dns/)                                   | `netnod`           | `NETNOD_TOKEN`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/netnod)           |
 | [Nicmanager](https://www.nicmanager.com)                               | `nicmanager`       | `NICMANAGER_API_EMAIL`, `NICMANAGER_API_PASSWORD`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/nicmanager)       |
 | [NIFCloud](https://cloud.nifty.com/service/dns.htm)                    | `nifcloud`         | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)         |
 | [Njalla](https://njal.la)                                              | `njalla`           | `NJALLA_TOKEN`                                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)           |
 | [Nodion](https://www.nodion.com)                                       | `nodion`           | `NODION_API_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/nodion)           |
 | [NS1](https://ns1.com/)                                                | `ns1`              | `NS1_API_KEY`                                                                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)              |
+| [Octenium](https://octenium.com/)                                      | `octenium`         | `OCTENIUM_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/octenium)         |
+| [Online.net](https://online.net/)                                      | `onlinenet`        | `ONLINENET_API_TOKEN`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/onlinenet)        |
 | [Open Telekom Cloud](https://cloud.telekom.de)                         | `otc`              | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/otc)              |
 | [Openstack Designate](https://docs.openstack.org/designate)            | `designate`        | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/designate)        |
 | [Oracle Cloud](https://cloud.oracle.com/home)                          | `oraclecloud`      | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID`                                      | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)      |
@@ -432,6 +465,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [RFC2136](https://tools.ietf.org/html/rfc2136)                         | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
 | [RimuHosting](https://rimuhosting.com)                                 | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
 | [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
+| [RU Center](https://nic.ru/)                                           | `nicru`            | `NICRU_USER`, `NICRU_PASSWORD`, `NICRU_SERVICE_ID`, `NICRU_SECRET`, `NICRU_SERVICE_NAME`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/nicru)            |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
 | [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCW_API_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
 | [Selectel v2](https://selectel.ru/en/)                                 | `selectelv2`       | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2)       |
@@ -443,22 +477,29 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Sonic](https://www.sonic.com/)                                        | `sonic`            | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)            |
 | [Spaceship](https://spaceship.com)                                     | `spaceship`        | `SPACESHIP_API_KEY`, `SPACESHIP_API_SECRET`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/spaceship)        |
 | [Stackpath](https://www.stackpath.com/)                                | `stackpath`        | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)        |
+| [Syse](https://www.syse.no/)                                           | `syse`             | `SYSE_CREDENTIALS`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/syse)             |
 | [Technitium](https://technitium.com)                                   | `technitium`       | `TECHNITIUM_SERVER_BASE_URL`, `TECHNITIUM_API_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/technitium)       |
 | [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)             | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
+| [Tencent EdgeOne](https://edgeone.ai)                                  | `edgeone`          | `EDGEONE_SECRET_ID`, `EDGEONE_SECRET_KEY`, `[EDGEONE_REGION]`, `[EDGEONE_SESSION_TOKEN]`, `[EDGEONE_ZONES_MAPPING]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/edgeone)          |
 | [Timeweb Cloud](https://timeweb.cloud)                                 | `timewebcloud`     | `TIMEWEBCLOUD_AUTH_TOKEN`                                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/timewebcloud)     |
+| [TodayNIC/时代互联](https://www.todaynic.com/)                         | `todaynic`         | `TODAYNIC_AUTH_USER_ID`, `TODAYNIC_API_KEY`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/todaynic)         |
 | [TransIP](https://www.transip.nl/)                                     | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
+| [UCloud](https://www.ucloud.cn/)                                       | `ucloud`           | `UCLOUD_PUBLIC_KEY`, `UCLOUD_PRIVATE_KEY`, `[UCLOUD_REGION]`, `[UCLOUD_PROJECT_ID]`                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/ucloud)           |
 | [UKFast SafeDNS](https://docs.ukfast.co.uk/domains/safedns/index.html) | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
 | [Ultradns](https://neustarsecurityservices.com/dns-services)           | `ultradns`         | `ULTRADNS_USERNAME`, `ULTRADNS_PASSWORD`                                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ultradns)         |
+| [United-Domains](https://www.united-domains.de/)                       | `uniteddomains`    | `UNITEDDOMAINS_API_KEY`                                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/uniteddomains)    |
 | [Variomedia](https://www.variomedia.de/)                               | `variomedia`       | `VARIOMEDIA_API_TOKEN`                                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/variomedia)       |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)                        | `vegadns`          | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)          |
 | [Vercel](https://vercel.com)                                           | `vercel`           | `VERCEL_API_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vercel)           |
 | [Versio](https://www.versio.nl/domeinnamen)                            | `versio`           | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/versio)           |
 | [VinylDNS](https://www.vinyldns.io)                                    | `vinyldns`         | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)         |
+| [Virtualname](https://www.virtualname.es/)                             | `virtualname`      | `VIRTUALNAME_TOKEN`                                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/virtualname)      |
 | [VK Cloud](https://mcs.mail.ru/)                                       | `vkcloud`          | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME`                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud)          |
 | [Volcano Engine](https://www.volcengine.com)                           | `volcengine`       | `VOLC_ACCESSKEY`, `VOLC_SECRETKEY`                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/volcengine)       |
 | [Vscale](https://vscale.io/)                                           | `vscale`           | `VSCALE_API_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)           |
 | [VULTR](https://www.vultr.com)                                         | `vultr`            | `VULTR_API_KEY`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)            |
 | [Webnames](https://www.webnames.ru/)                                   | `webnames`         | `WEBNAMES_API_KEY`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/webnames)         |
+| [webnames.ca](https://www.webnames.ca/)                                | `webnamesca`       | `WEBNAMESCA_API_USER`, `WEBNAMESCA_API_KEY`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/webnamesca)       |
 | [Websupport](https://websupport.sk)                                    | `websupport`       | `WEBSUPPORT_API_KEY`, `WEBSUPPORT_SECRET`                                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/websupport)       |
 | [WEDOS](https://www.wedos.com)                                         | `wedos`            | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)            |
 | [West.cn/西部数码](https://www.west.cn)                                    | `westcn`           | `WESTCN_USERNAME`, `WESTCN_PASSWORD`                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/westcn)           |
@@ -466,6 +507,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Yandex Cloud](https://cloud.yandex.com/en/)                           | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
 | [Yandex](https://yandex.com)                                           | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
 | [Zone.ee](https://www.zone.ee)                                         | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
+| [ZoneEdit](https://www.zoneedit.com)                                   | `zoneedit`         | `ZONEEDIT_USER`, `ZONEEDIT_AUTH_TOKEN`                                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/zoneedit)         |
 | [Zonomi](https://zonomi.com)                                           | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
 | External Program                                                       | `exec`             | `EXEC_PATH`                                                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/exec)             |
 | HTTP request                                                           | `httpreq`          | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)          |
@@ -507,11 +549,11 @@ certificatesResolvers:
 --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```

-#### `propagation.delayBeforeChecks`
+#### `delayBeforeCheck`

 By default, the `provider` verifies the TXT record _before_ letting ACME verify.

-You can delay this operation by specifying a delay (in seconds) with `delayBeforeChecks` (value must be greater than zero).
+You can delay this operation by specifying a delay (in seconds) with `delayBeforeCheck` (value must be greater than zero).

 This option is useful when internal networks block external DNS queries.

@@ -522,9 +564,7 @@ certificatesResolvers:
      # ...
      dnsChallenge:
        # ...
-        propagation:
-          # ...
-          delayBeforeChecks: 2s
+        delayBeforeCheck: 2s
 ```

 ```toml tab="File (TOML)"
@@ -532,21 +572,19 @@ certificatesResolvers:
  # ...
  [certificatesResolvers.myresolver.acme.dnsChallenge]
    # ...
-    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
-      # ...
-      delayBeforeChecks = "2s"
+    delayBeforeCheck = "2s"
 ```

 ```bash tab="CLI"
 # ...
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.delayBeforeChecks=2s
+--certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=2s
 ```

-#### `propagation.disableChecks`
+#### `disablePropagationCheck`

-Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. 
+**Not recommended**

-Please note that disabling checks can prevent the challenge from succeeding.
+Disable the TXT records propagation checks before notifying ACME that the DNS challenge is ready. 

 ```yaml tab="File (YAML)"
 certificatesResolvers:
@@ -555,9 +593,7 @@ certificatesResolvers:
      # ...
      dnsChallenge:
        # ...
-        propagation:
-          # ...
-          disableChecks: true
+        disablePropagationCheck: true
 ```

 ```toml tab="File (TOML)"
@@ -565,90 +601,12 @@ certificatesResolvers:
  # ...
  [certificatesResolvers.myresolver.acme.dnsChallenge]
    # ...
-    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
-      # ...
-      disableChecks = true
+    disablePropagationCheck = true
 ```

 ```bash tab="CLI"
 # ...
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableChecks=true
-```
-
-#### `propagation.requireAllRNS`
-
-Requires the challenge TXT record to be propagated to all recursive nameservers.
-
-!!! note
-
-    If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`),
-    it is recommended to check all recursive nameservers instead.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      dnsChallenge:
-        # ...
-        propagation:
-          # ...
-          requireAllRNS: true
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  [certificatesResolvers.myresolver.acme.dnsChallenge]
-    # ...
-    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
-      # ...
-      requireAllRNS = true
-```
-
-```bash tab="CLI"
-# ...
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.requireAllRNS=true
-```
-
-#### `propagation.disableANSChecks`
-
-Disables the challenge TXT record propagation checks against authoritative nameservers.
-
-This option will skip the propagation check against the nameservers of the authority (SOA).
-
-It should be used only if the nameservers of the authority are not reachable.
-
-!!! note
-
-    If you have disabled authoritative nameservers checks,
-    it is recommended to check all recursive nameservers instead.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      dnsChallenge:
-        # ...
-        propagation:
-          # ...
-          disableANSChecks: true
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  [certificatesResolvers.myresolver.acme.dnsChallenge]
-    # ...
-    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
-      # ...
-      disableANSChecks = true
-```
-
-```bash tab="CLI"
-# ...
--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableANSChecks=true
+--certificatesresolvers.myresolver.acme.dnschallenge.disablePropagationCheck=true
 ```

 #### Wildcard Domains
@@ -778,7 +736,6 @@ It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.
 |----------------------|-------------------|-------------------------|
 | >= 1 year            | 4 months          | 1 week                  |
 | >= 90 days           | 30 days           | 1 day                   |
-| >= 30 days           | 10 days           | 12 hours                |
 | >= 7 days            | 1 day             | 1 hour                  |
 | >= 24 hours          | 6 hours           | 10 min                  |
 | < 24 hours           | 20 min            | 1 min                   |
@@ -866,109 +823,6 @@ certificatesResolvers:
 # ...
 ```

-### `caCertificates`
-
-_Optional, Default=[]_
-
-The `caCertificates` option specifies the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      caCertificates:
-        - path/certificates1.pem
-        - path/certificates2.pem
-      # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  caCertificates = [ "path/certificates1.pem", "path/certificates2.pem" ]
-  # ...
-```
-
-```bash tab="CLI"
-# ...
--certificatesresolvers.myresolver.acme.caCertificates="path/certificates1.pem,path/certificates2.pem"
-# ...
-```
-
-??? note "LEGO Environment Variable"
-
-    It can be defined globally by using the environment variable `LEGO_CA_CERTIFICATES`.
-    This environment variable is neither a fallback nor an override of the configuration option.
-
-### `caSystemCertPool`
-
-_Optional, Default=false_
-
-The `caSystemCertPool` option defines if the certificates pool must use a copy of the system cert pool.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      caSystemCertPool: true
-      # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  caSystemCertPool = true
-  # ...
-```
-
-```bash tab="CLI"
-# ...
--certificatesresolvers.myresolver.acme.caSystemCertPool=true
-# ...
-```
-
-??? note "LEGO Environment Variable"
-
-    It can be defined globally by using the environment variable `LEGO_CA_SYSTEM_CERT_POOL`.
-    `LEGO_CA_SYSTEM_CERT_POOL` is ignored if `LEGO_CA_CERTIFICATES` is not set or empty.
-    This environment variable is neither a fallback nor an override of the configuration option.
-
-### `caServerName`
-
-_Optional, Default=""_
-
-The `caServerName` option specifies the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-  myresolver:
-    acme:
-      # ...
-      caServerName: "my-server"
-      # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
-  # ...
-  caServerName = "my-server"
-  # ...
-```
-
-```bash tab="CLI"
-# ...
--certificatesresolvers.myresolver.acme.caServerName="my-server"
-# ...
-```
-
-??? note "LEGO Environment Variable"
-
-    It can be defined globally by using the environment variable `LEGO_CA_SERVER_NAME`.
-    `LEGO_CA_SERVER_NAME` is ignored if `LEGO_CA_CERTIFICATES` is not set or empty.
-    This environment variable is neither a fallback nor an override of the configuration option.
-
 ## Fallback

 If Let's Encrypt is not reachable, the following certificates will apply:
@@ -980,4 +834,4 @@ If Let's Encrypt is not reachable, the following certificates will apply:
 !!! important
    For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -1,5 +1,5 @@

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 ## Dynamic configuration
 labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
@@ -9,6 +9,18 @@ labels:
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```

+```yaml tab="Docker (Swarm)"
+## Dynamic configuration
+deploy:
+  labels:
+    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
+    - traefik.http.routers.blog.tls=true
+    - traefik.http.routers.blog.tls.certresolver=myresolver
+    - traefik.http.routers.blog.tls.domains[0].main=example.com
+    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
 ```yaml tab="Kubernetes"
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
@@ -31,6 +43,27 @@ spec:
      - '*.example.org'
 ```

+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
+  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.org",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+  - traefik.http.routers.blog.tls.domains[0].main=example.com
+  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
+```
+
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
@@ -1,5 +1,5 @@

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 ## Dynamic configuration
 labels:
  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
@@ -35,6 +35,23 @@ spec:
    certResolver: myresolver
 ```

+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
@@ -1,5 +1,5 @@

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 ## Dynamic configuration
 labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
@@ -35,6 +35,23 @@ spec:
    certResolver: myresolver
 ```

+```json tab="Marathon"
+labels: {
+  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
+  "traefik.http.routers.blog.tls": "true",
+  "traefik.http.routers.blog.tls.certresolver": "myresolver",
+  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
+}
+```
+
+```yaml tab="Rancher"
+## Dynamic configuration
+labels:
+  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
+  - traefik.http.routers.blog.tls=true
+  - traefik.http.routers.blog.tls.certresolver=myresolver
+```
+
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
@@ -20,4 +20,4 @@ That is to say, how to obtain [TLS certificates](./tls.md#certificates-definitio
 either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
 And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -1,56 +0,0 @@
---
-title: "Traefik SPIFFE Documentation"
-description: "Learn how to configure Traefik to use SPIFFE. Read the technical documentation."
---
-
-# SPIFFE
-
-Secure the backend connection with SPIFFE.
-{: .subtitle }
-
-[SPIFFE](https://spiffe.io/docs/latest/spiffe-about/overview/) (Secure Production Identity Framework For Everyone), 
-provides a secure identity in the form of a specially crafted X.509 certificate, 
-to every workload in an environment.
-
-Traefik is able to connect to the Workload API to obtain an x509-SVID used to secure the connection with SPIFFE enabled backends.
-
-## Configuration
-
-### General
-
-Enabling SPIFFE is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
-It can be defined by using a file (YAML or TOML) or CLI arguments.
-
-### Workload API
-
-The `workloadAPIAddr` configuration defines the address of the SPIFFE [Workload API](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-workload-api).
-
-!!! info "Enabling SPIFFE in ServersTransports"
-
-    Enabling SPIFFE does not imply that backend connections are going to use it automatically.
-    Each [ServersTransport](../routing/services/index.md#serverstransport_1) or [TCPServersTransport](../routing/services/index.md#serverstransport_2),
-	that is meant to be secured with SPIFFE,
-	must explicitly enable it (see [SPIFFE with ServersTransport](../routing/services/index.md#spiffe) or [SPIFFE with TCPServersTransport](../routing/services/index.md#spiffe_1)).
-
-!!! warning "SPIFFE can cause Traefik to stall"
-	When using SPIFFE,
-	Traefik will wait for the first SVID to be delivered before starting.
-	If Traefik is hanging when waiting on SPIFFE SVID delivery,
-	please double check that it is correctly registered as workload in your SPIFFE infrastructure.
-
-```yaml tab="File (YAML)"
-## Static configuration
-spiffe:
-    workloadAPIAddr: localhost
-```
-
-```toml tab="File (TOML)"
-## Static configuration
-[spiffe]
-    workloadAPIAddr: localhost
-```
-
-```bash tab="CLI"
-## Static configuration
--spiffe.workloadAPIAddr=localhost
-```
@@ -1,207 +0,0 @@
---
-title: "Traefik Tailscale Documentation"
-description: "Learn how to configure Traefik Proxy to resolve TLS certificates for your Tailscale services. Read the technical documentation."
---
-
-# Tailscale
-
-Provision TLS certificates for your internal Tailscale services.
-{: .subtitle }
-
-To protect a service with TLS, a certificate from a public Certificate Authority is needed.
-In addition to its vpn role, Tailscale can also [provide certificates](https://tailscale.com/kb/1153/enabling-https/) for the machines in your Tailscale network.
-
-## Certificate resolvers
-
-To obtain a TLS certificate from the Tailscale daemon,
-a Tailscale certificate resolver needs to be configured as below.
-
-!!! info "Referencing a certificate resolver"
-
-    Defining a certificate resolver does not imply that routers are going to use it automatically.
-    Each router or entrypoint that is meant to use the resolver must explicitly [reference](../routing/routers/index.md#certresolver) it.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
-    myresolver:
-        tailscale: {}
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.tailscale]
-```
-
-```bash tab="CLI"
--certificatesresolvers.myresolver.tailscale=true
-```
-
-## Domain Definition
-
-A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:
-
- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
-  then the certificate resolver derives this router domain name from the `main` option of `tls.domains`.
-
- Otherwise, the certificate resolver derives the domain name from any `Host()` or `HostSNI()` matchers
-  in the [router's rule](../routing/routers/index.md#rule).
-
-!!! info "Tailscale Domain Format"
-
-    The domain is only taken into account if it is a Tailscale-specific one,
-    i.e. of the form `machine-name.domains-alias.ts.net`.
-
-## Configuration Example
-
-!!! example "Enabling Tailscale certificate resolution"
-
-    ```yaml tab="File (YAML)"
-    entryPoints:
-      web:
-        address: ":80"
-
-      websecure:
-        address: ":443"
-
-    certificatesResolvers:
-      myresolver:
-        tailscale: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [entryPoints]
-      [entryPoints.web]
-        address = ":80"
-
-      [entryPoints.websecure]
-        address = ":443"
-
-    [certificatesResolvers.myresolver.tailscale]
-    ```
-
-    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
-    # ...
-    --certificatesresolvers.myresolver.tailscale=true
-    ```
-
-!!! example "Domain from Router's Rule Example"
-
-    ```yaml tab="Docker & Swarm"
-    ## Dynamic configuration
-    labels:
-      - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
-      - traefik.http.routers.blog.tls.certresolver=myresolver
-    ```
-
-    ```yaml tab="Docker (Swarm)"
-    ## Dynamic configuration
-    deploy:
-      labels:
-        - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
-        - traefik.http.routers.blog.tls.certresolver=myresolver
-    ```
-
-    ```yaml tab="Kubernetes"
-    apiVersion: traefik.io/v1alpha1
-    kind: IngressRoute
-    metadata:
-      name: blogtls
-    spec:
-      entryPoints:
-        - websecure
-      routes:
-        - match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
-          kind: Rule
-          services:
-            - name: blog
-              port: 8080
-      tls:
-        certResolver: myresolver
-    ```
-
-    ```yaml tab="File (YAML)"
-    ## Dynamic configuration
-    http:
-      routers:
-        blog:
-          rule: "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
-          tls:
-            certResolver: myresolver
-    ```
-
-    ```toml tab="File (TOML)"
-    ## Dynamic configuration
-    [http.routers]
-      [http.routers.blog]
-      rule = "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
-      [http.routers.blog.tls]
-        certResolver = "myresolver"
-    ```
-
-!!! example "Domain from Router's tls.domain Example"
-
-    ```yaml tab="Docker & Swarm"
-    ## Dynamic configuration
-    labels:
-      - traefik.http.routers.blog.rule=Path(`/metrics`)
-      - traefik.http.routers.blog.tls.certresolver=myresolver
-      - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
-    ```
-
-    ```yaml tab="Docker (Swarm)"
-    ## Dynamic configuration
-    deploy:
-      labels:
-        - traefik.http.routers.blog.rule=Path(`/metrics`)
-        - traefik.http.routers.blog.tls.certresolver=myresolver
-        - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
-    ```
-
-    ```yaml tab="Kubernetes"
-    apiVersion: traefik.io/v1alpha1
-    kind: IngressRoute
-    metadata:
-      name: blogtls
-    spec:
-      entryPoints:
-        - websecure
-      routes:
-        - match: Path(`/metrics`)
-          kind: Rule
-          services:
-            - name: blog
-              port: 8080
-      tls:
-        certResolver: myresolver
-        domains:
-          - main: monitoring.yak-bebop.ts.net
-    ```
-
-    ```yaml tab="File (YAML)"
-    ## Dynamic configuration
-    http:
-      routers:
-        blog:
-          rule: "Path(`/metrics`)"
-          tls:
-            certResolver: myresolver
-            domains:
-              - main: "monitoring.yak-bebop.ts.net"
-    ```
-
-    ```toml tab="File (TOML)"
-    ## Dynamic configuration
-    [http.routers]
-      [http.routers.blog]
-        rule = "Path(`/metrics`)"
-        [http.routers.blog.tls]
-          certResolver = "myresolver"
-          [[http.routers.blog.tls.domains]]
-            main = "monitoring.yak-bebop.ts.net"
-    ```
-
-## Automatic Renewals
-
-Traefik automatically tracks the expiry date of each Tailscale certificate it fetches,
-and starts to renew a certificate 14 days before its expiry to match Tailscale daemon renew policy.
@@ -211,7 +211,7 @@ spec:
        - bar.example.org
 ```

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 ## Dynamic configuration
 labels:
  - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
@@ -219,6 +219,14 @@ labels:
  - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
 ```

+```json tab="Marathon"
+labels: {
+  "traefik.tls.stores.default.defaultgeneratedcert.resolver": "myresolver",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.main": "example.org",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.sans": "foo.example.org, bar.example.org",
+}
+```
+
 ## TLS Options

 The TLS options allow one to configure some parameters of the TLS connection.
@@ -234,7 +242,7 @@ The TLS options allow one to configure some parameters of the TLS connection.

 !!! important "TLSOption in Kubernetes"

-    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../../routing/providers/kubernetes-crd/#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
    if not explicitly overwritten, should apply to all ingresses.  
    To achieve that, you'll have to create a TLSOption resource with the name `default`.
    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
@@ -384,11 +392,11 @@ spec:

 ### Curve Preferences

-This option allows to set the preferred elliptic curves in a specific order.
+This option allows to set the enabled elliptic curves for key exchange.

 The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used.

-See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
+See [CurvePreferences](https://godoc.org/crypto/tls#Config.CurvePreferences) and [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.

 ```yaml tab="File (YAML)"
 # Dynamic configuration
@@ -553,4 +561,4 @@ spec:
    clientAuthType: RequireAndVerifyClientCert
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -1,3 +0,0 @@
-Traefik follows the [Kubernetes support policy](https://kubernetes.io/releases/version-skew-policy/#supported-versions),
-and supports at least the latest three minor versions of Kubernetes.
-General functionality cannot be guaranteed for older versions.
@@ -1,53 +1,28 @@
 ---
 title: "Traefik Proxy Documentation"
-description: "Traefik Proxy, an open-source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
+description: "Traefik Proxy, an open source Edge Router, auto-discovers configurations and supports major orchestrators, like Kubernetes. Read the technical documentation."
 ---

-# What is Traefik?
+# Welcome

 ![Architecture](assets/img/traefik-architecture.png)

 Traefik is an [open-source](https://github.com/traefik/traefik) *Application Proxy* that makes publishing your services a fun and easy experience. 
-It receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. 
+It receives requests on behalf of your system and identifies which components are responsible for handling them, and routes them securely. 

 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
 The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. 

-Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, and [the list goes on](./reference/install-configuration/providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
+Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, Mesos, Marathon, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
 
 With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
 With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.

 And if your needs change, you can add API gateway and API management capabilities seamlessly to your existing Traefik deployments. It takes less than a minute, there’s no rip-and-replace, and all your configurations are preserved. See this in action in [our API gateway demo video](https://info.traefik.io/watch-traefik-api-gw-demo?cta=docs).

-!!! quote "From the Traefik Maintainer Team" 
-    When developing Traefik, our main goal is to make it easy to use, and we're sure you'll enjoy it.
+Developing Traefik, our main goal is to make it effortless to use, and we're sure you'll enjoy it.

-## Personas
-
-Traefik supports different needs depending on your background. We keep three user personas in mind as we build and organize these docs:
-
- **Beginners**: You are new to Traefik or new to reverse proxies. You want simple, guided steps to set things up without diving too deep into advanced topics.
- **DevOps Engineers**: You manage infrastructure or clusters (Docker, Kubernetes, or other orchestrators). You integrate Traefik into your environment and value reliability, performance, and streamlined deployments.
- **Developers**: You create and deploy applications or APIs. You focus on how to expose your services through Traefik, apply routing rules, and integrate it with your development workflow.
-
-## Core Concepts
-
-Traefik’s main concepts help you understand how requests flow to your services:
-
- [Entrypoints](./reference/install-configuration/entrypoints.md) are the network entry points into Traefik. They define the port that will receive the packets and whether to listen for TCP or UDP.
- [Routers](./reference/routing-configuration/http/router/rules-and-priority.md) are in charge of connecting incoming requests to the services that can handle them. In the process, routers may use pieces of [middleware](./reference/routing-configuration/http/middlewares/overview.md) to update the request or act before forwarding the request to the service.
- [Services](./reference/routing-configuration/http/load-balancing/service.md) are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
- [Providers](./reference/install-configuration/providers/overview.md) are infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores. The idea is that Traefik queries the provider APIs in order to find relevant information about routing, and when Traefik detects a change, it dynamically updates the routes.
-
-These concepts work together to manage your traffic from the moment a request arrives until it reaches your application.
-
-## How to Use the Documentation
-
- **Navigation**: Each main section focuses on a specific stage of working with Traefik - installing, exposing services, observing, extending & migrating. 
-Use the sidebar to navigate to the section that is most appropriate for your needs.
- **Practical Examples**: You will see code snippets and configuration examples for different environments (YAML/TOML, Labels, & Tags).
- **Reference**: When you need to look up technical details, our reference section provides a deep dive into configuration options and key terms.
+-- The Traefik Maintainer Team 

 !!! info

@@ -14,7 +14,7 @@ The AddPrefix middleware updates the path of a request before forwarding it.

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Prefixing with /foo
 labels:
  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
@@ -36,6 +36,18 @@ spec:
 - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.add-foo.addprefix.prefix": "/foo"
+}
+```
+
+```yaml tab="Rancher"
+# Prefixing with /foo
+labels:
+  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
+```
+
 ```yaml tab="File (YAML)"
 # Prefixing with /foo
 http:
@@ -12,9 +12,15 @@ Adding Basic Authentication

 The BasicAuth middleware grants access to services to authorized users only.

+!!! warning "Timing attacks"
+
+    The BasicAuth middleware is vulnerable to timing attacks when the configured users' password hashes do not use the same algorithm and cost.
+    However, when the configured user's password hashes are of the same algorithm and cost, the middleware guarantees the same comparison time between existing and non-existing users.
+    This prevents an attacker from leveraging the time difference to determine whether a user exists.
+
 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Declaring the user list
 #
 # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
@@ -41,6 +47,18 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -88,7 +106,7 @@ The `users` option is an array of authorized users. Each user must be declared u
    Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
    You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Declaring the user list
 #
 # Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
@@ -145,6 +163,18 @@ data:
 - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
+```
+
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -177,7 +207,7 @@ The file content is a list of `name:hashed-password`.
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
 ```
@@ -208,6 +238,17 @@ data:
 - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -233,7 +274,7 @@ http:

 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
 ```
@@ -252,6 +293,17 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.realm": "MyRealm"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -270,7 +322,7 @@ http:

 You can define a header field to store the authenticated user using the `headerField`option.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
 ```
@@ -290,6 +342,12 @@ spec:
 - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.my-auth.basicauth.headerField": "X-WebAuth-User"
+}
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -309,7 +367,7 @@ http:

 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
 ```
@@ -328,6 +386,17 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.basicauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -341,5 +410,4 @@ http:
  [http.middlewares.test-auth.basicAuth]
    removeHeader = true
 ```
-
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -18,7 +18,7 @@ This can help services avoid large amounts of data (`multipart/form-data` for ex

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Sets the maximum request body to 2MB
 labels:
  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
@@ -40,6 +40,18 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+# Sets the maximum request body to 2MB
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
 ```yaml tab="File (YAML)"
 # Sets the maximum request body to 2MB
 http:
@@ -66,7 +78,7 @@ The `maxRequestBodyBytes` option configures the maximum allowed body size for th

 If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a `413` (Request Entity Too Large) response.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```
@@ -85,6 +97,17 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -105,7 +128,7 @@ _Optional, Default=1048576_

 You can configure a threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
 ```
@@ -124,6 +147,17 @@ spec:
 - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.memRequestBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -146,7 +180,7 @@ The `maxResponseBodyBytes` option configures the maximum allowed response size f

 If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `500` (Internal Server Error) response instead.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
 ```
@@ -165,6 +199,17 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -185,7 +230,7 @@ _Optional, Default=1048576_

 You can configure a threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
 ```
@@ -204,6 +249,17 @@ spec:
 - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.limit.buffering.memResponseBodyBytes": "2000000"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -226,7 +282,7 @@ You can have the Buffering middleware replay the request using `retryExpression`

 ??? example "Retries once in the case of a network error"

-    ```yaml tab="Docker & Swarm"
+    ```yaml tab="Docker"
    labels:
      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
    ```
@@ -245,6 +301,17 @@ You can have the Buffering middleware replay the request using `retryExpression`
    - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
    ```

+    ```json tab="Marathon"
+    "labels": {
+      "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"
+    }
+    ```
+
+    ```yaml tab="Rancher"
+    labels:
+      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
+    ```
+
    ```yaml tab="File (YAML)"
    http:
      middlewares:
@@ -267,4 +334,4 @@ The retry expression is defined as a logical combination of the functions below

 ### Content-Length

-See [Best Practices: Content‑Length](../../security/best-practices/content-length.md)
+See [Best Practices: Content‑Length](../../security/content-length.md)
@@ -15,9 +15,9 @@ It makes reusing the same groups easier.

 ## Configuration Example

-Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.
+Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.routers.router1.service=service1"
  - "traefik.http.routers.router1.middlewares=secured"
@@ -25,7 +25,7 @@ labels:
  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

@@ -80,7 +80,7 @@ kind: Middleware
 metadata:
  name: known-ips
 spec:
-  ipAllowList:
+  ipWhiteList:
    sourceRange:
    - 192.168.1.7
    - 127.0.0.1/32
@@ -93,10 +93,35 @@ spec:
 - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
 - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
+- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
 - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.routers.router1.service": "service1",
+  "traefik.http.routers.router1.middlewares": "secured",
+  "traefik.http.routers.router1.rule": "Host(`mydomain`)",
+  "traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
+  "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
+  "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
+  "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
+  "traefik.http.services.service1.loadbalancer.server.port": "80"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.routers.router1.service=service1"
+  - "traefik.http.routers.router1.middlewares=secured"
+  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
+  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
+  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.services.service1.loadbalancer.server.port=80"
+```
+
 ```yaml tab="File (YAML)"
 # ...
 http:
@@ -125,7 +150,7 @@ http:
        scheme: https

    known-ips:
-      ipAllowList:
+      ipWhiteList:
        sourceRange:
          - "192.168.1.7"
          - "127.0.0.1/32"
@@ -155,7 +180,7 @@ http:
  [http.middlewares.https-only.redirectScheme]
    scheme = "https"

-  [http.middlewares.known-ips.ipAllowList]
+  [http.middlewares.known-ips.ipWhiteList]
    sourceRange = ["192.168.1.7", "127.0.0.1/32"]

 [http.services]
@@ -30,7 +30,7 @@ To assess if your system is healthy, the circuit breaker constantly monitors the

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Latency Check
 labels:
  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
@@ -52,6 +52,18 @@ spec:
 - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.latency-check.circuitbreaker.expression": "LatencyAtQuantileMS(50.0) > 100"
+}
+```
+
+```yaml tab="Rancher"
+# Latency Check
+labels:
+  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
+```
+
 ```yaml tab="File (YAML)"
 # Latency Check
 http:
@@ -85,7 +97,6 @@ At specified intervals (`checkPeriod`), the circuit breaker evaluates `expressio
 ### Open

 While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
-The fallback mechanism returns a `HTTP 503` (or `ResponseCode`) to the client.
 After this duration, it enters the recovering state.

 ### Recovering
@@ -180,9 +191,3 @@ The duration for which the circuit breaker will wait before trying to recover (f
 _Optional, Default="10s"_

 The duration for which the circuit breaker will try to recover (as soon as it is in recovering state).
-
-### `ResponseCode`
-
-_Optional, Default="503"_
-
-The status code that the circuit breaker will return while it is in the open state.
@@ -5,24 +5,23 @@ description: "Traefik Proxy's HTTP middleware lets you compress responses before

 # Compress

-Compress Allows Compressing Responses before Sending them to the Client
+Compress Responses before Sending them to the Client
 {: .subtitle }

 ![Compress](../../assets/img/middleware/compress.png)

-The Compress middleware supports Gzip, Brotli and Zstandard compression.
-The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.
+The Compress middleware uses gzip compression.

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
-# Enable compression
+```yaml tab="Docker"
+# Enable gzip compression
 labels:
  - "traefik.http.middlewares.test-compress.compress=true"
 ```

 ```yaml tab="Kubernetes"
-# Enable compression
+# Enable gzip compression
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -32,12 +31,24 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Enable compression
+# Enable gzip compression
 - "traefik.http.middlewares.test-compress.compress=true"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Enable gzip compression
+labels:
+  - "traefik.http.middlewares.test-compress.compress=true"
+```
+
 ```yaml tab="File (YAML)"
-# Enable compression
+# Enable gzip compression
 http:
  middlewares:
    test-compress:
@@ -45,7 +56,7 @@ http:
 ```

 ```toml tab="File (TOML)"
-# Enable compression
+# Enable gzip compression
 [http.middlewares]
  [http.middlewares.test-compress.compress]
 ```
@@ -54,39 +65,24 @@ http:

    Responses are compressed when the following criteria are all met:

-    * The `Accept-Encoding` request header contains `gzip`, and/or `*`, and/or `br`, and/or `zstd` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
-    If the `Accept-Encoding` request header is absent and no [defaultEncoding](#defaultencoding) is configured, the response won't be encoded.
-    If it is present, but its value is the empty string, then compression is disabled.
+    * The response body is larger than the configured minimum amount of bytes (default is `1024`).
+    * The `Accept-Encoding` request header contains `gzip`.
    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
-    * The response`Content-Type` header is not one among the [excludedContentTypes options](#excludedcontenttypes), or is one among the [includedContentTypes options](#includedcontenttypes).
-    * The response body is larger than the [configured minimum amount of bytes](#minresponsebodybytes) (default is `1024`).
+
+    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+    It will also set the `Content-Type` header according to the detected MIME type.

 ## Configuration Options

 ### `excludedContentTypes`

-_Optional, Default=""_ 
-
 `excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.

 The responses with content types defined in `excludedContentTypes` are not compressed.

 Content types are compared in a case-insensitive, whitespace-ignored manner.

-!!! info 
-
-    The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.
-
-!!! info "In the case of gzip"
-
-    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
-    It will also set the `Content-Type` header according to the detected MIME type.
-
-!!! info "gRPC"
-
-    Note that `application/grpc` is never compressed.
-
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
 ```
@@ -106,6 +102,17 @@ spec:
 - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress.excludedcontenttypes": "text/event-stream"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -121,74 +128,15 @@ http:
    excludedContentTypes = ["text/event-stream"]
 ```

-### `includedContentTypes`
-
-_Optional, Default=""_
-
-`includedContentTypes` specifies a list of content types to compare the `Content-Type` header of the responses before compressing.
-
-The responses with content types defined in `includedContentTypes` are compressed. 
-
-Content types are compared in a case-insensitive, whitespace-ignored manner.
-
-!!! info
-
-    The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-compress.compress.includedcontenttypes=application/json,text/html,text/plain"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-compress
-spec:
-  compress:
-    includedContentTypes:
-      - application/json
-      - text/html
-      - text/plain
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-compress.compress.includedcontenttypes=application/json,text/html,text/plain"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-compress:
-      compress:
-        includedContentTypes:
-          - application/json
-          - text/html
-          - text/plain
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-compress.compress]
-    includedContentTypes = ["application/json","text/html","text/plain"]
-```
-
 ### `minResponseBodyBytes`

-_Optional, Default=1024_
-
 `minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
+
+The default value is `1024`, which should be a reasonable value for most cases.
+
 Responses smaller than the specified values will not be compressed.

-!!! tip "Streaming"
-
-    When data is sent to the client on flush, the `minResponseBodyBytes` configuration is ignored and the data is compressed.
-    This is particularly the case when data is streamed to the client when using `Transfer-encoding: chunked` response.
-
-When chunked data is sent to the client on flush, it will be compressed by default even if the received data has not reached  
-
-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
 ```
@@ -207,6 +155,17 @@ spec:
 - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress.minresponsebodybytes": 1200
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -220,89 +179,3 @@ http:
  [http.middlewares.test-compress.compress]
    minResponseBodyBytes = 1200
 ```
-
-### `defaultEncoding`
-
-_Optional, Default=""_
-
-`defaultEncoding` specifies the default encoding if the `Accept-Encoding` header is not in the request or contains a wildcard (`*`).
-
-There is no fallback on the `defaultEncoding` when the header value is empty or unsupported.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-compress.compress.defaultEncoding=gzip"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-compress
-spec:
-  compress:
-    defaultEncoding: gzip
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-compress.compress.defaultEncoding=gzip"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-compress:
-      compress:
-        defaultEncoding: gzip
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-compress.compress]
-    defaultEncoding = "gzip"
-```
-
-### `encodings`
-
-_Optional, Default="gzip, br, zstd"_
-
-`encodings` specifies the list of supported compression encodings.
-At least one encoding value must be specified, and valid entries are `gzip` (Gzip), `br` (Brotli), and `zstd` (Zstandard).
-The order of the list also sets the priority, the top entry has the highest priority.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-compress.compress.encodings=zstd,br"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-compress
-spec:
-  compress:
-    encodings:
-      - zstd
-      - br
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-compress.compress.encodings=zstd,br"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-compress:
-      compress:
-        encodings:
-          - zstd
-          - br
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-compress.compress]
-    encodings = ["zstd","br"]
-```
@@ -1,6 +1,6 @@
 ---
 title: "Traefik ContentType Documentation"
-description: "Traefik Proxy's HTTP middleware automatically sets the `Content-Type` header value when it is not set by the backend. Read the technical documentation."
+description: "Traefik Proxy's HTTP middleware can automatically specify the content-type header if it has not been defined by the backend. Read the technical documentation."
 ---

 # ContentType
@@ -8,60 +8,84 @@ description: "Traefik Proxy's HTTP middleware automatically sets the `Content-Ty
 Handling Content-Type auto-detection
 {: .subtitle }

-The Content-Type middleware sets the `Content-Type` header value to the media type detected from the response content,
-when it is not set by the backend.
+The Content-Type middleware - or rather its `autoDetect` option -
+specifies whether to let the `Content-Type` header,
+if it has not been defined by the backend,
+be automatically set to a value derived from the contents of the response.
+
+As a proxy, the default behavior should be to leave the header alone,
+regardless of what the backend did with it.
+However, the historic default was to always auto-detect and set the header if it was not already defined,
+and altering this behavior would be a breaking change which would impact many users.
+
+This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.

 !!! info

+    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
+    is still to automatically set the `Content-Type` header.
+    Therefore, given the default value of the `autoDetect` option (false),
+    simply enabling this middleware for a router switches the router's behavior.
+
    The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
    Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
-# Enable auto-detection
+```yaml tab="Docker"
+# Disable auto-detection
 labels:
-  - "traefik.http.middlewares.autodetect.contenttype=true"
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
 ```

 ```yaml tab="Kubernetes"
-# Enable auto-detection
+# Disable auto-detection
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: autodetect
 spec:
-  contentType: {}
+  contentType:
+    autoDetect: false
 ```

 ```yaml tab="Consul Catalog"
-# Enable auto-detection
- "traefik.http.middlewares.autodetect.contenttype=true"
+# Disable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
+}
+```
+
+```yaml tab="Rancher"
+# Disable auto-detection
+labels:
+  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
 ```

 ```yaml tab="File (YAML)"
-# Enable auto-detection
+# Disable auto-detection
 http:
  middlewares:
    autodetect:
-      contentType: {}
+      contentType:
+        autoDetect: false
 ```

 ```toml tab="File (TOML)"
-# Enable auto-detection
+# Disable auto-detection
 [http.middlewares]
  [http.middlewares.autodetect.contentType]
+     autoDetect=false
 ```

 ## Configuration Options

 ### `autoDetect`

-!!! warning
-
-    `autoDetect` option is deprecated and should not be used.
-    Moreover, it is redundant with an empty ContentType middleware declaration.
-
 `autoDetect` specifies whether to let the `Content-Type` header,
 if it has not been set by the backend,
 be automatically set to a value derived from the contents of the response.
@@ -14,7 +14,7 @@ The DigestAuth middleware grants access to services to authorized users only.

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Declaring the user list
 labels:
  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
@@ -36,6 +36,18 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+}
+```
+
+```yaml tab="Rancher"
+# Declaring the user list
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -72,7 +84,7 @@ The `users` option is an array of authorized users. Each user will be declared u
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```
@@ -102,6 +114,17 @@ data:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -132,7 +155,7 @@ The file content is a list of `name:realm:encoded-password`.
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
    - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
 ```
@@ -163,6 +186,17 @@ data:
 - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -188,7 +222,7 @@ http:

 You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
 ```
@@ -207,6 +241,17 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -225,7 +270,7 @@ http:

 You can customize the header field for the authenticated user using the `headerField`option.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```
@@ -245,6 +290,17 @@ spec:
 - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.my-auth.digestauth.headerField": "X-WebAuth-User"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -264,7 +320,7 @@ http:

 Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
 ```
@@ -283,6 +339,17 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -18,12 +18,13 @@ The Errors middleware returns a custom page in lieu of the default, according to

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Dynamic Custom Error Page for 5XX Status Code
 labels:
  - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
  - "traefik.http.middlewares.test-errors.errors.service=serviceError"
  - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
+  - "traefik.http.middlewares.test-errors.errors.errorRequestHeaders=X-Request-Id,Cookie"
 ```

 ```yaml tab="Kubernetes"
@@ -42,6 +43,9 @@ spec:
    service:
      name: whoami
      port: 80
+    errorRequestHeaders:
+      - "X-Request-Id"
+      - "Cookie"
 ```

 ```yaml tab="Consul Catalog"
@@ -49,6 +53,25 @@ spec:
 - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
 - "traefik.http.middlewares.test-errors.errors.service=serviceError"
 - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
+- "traefik.http.middlewares.test-errors.errors.errorRequestHeaders=X-Request-Id,Cookie"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-errors.errors.status": "500,501,503,505-599",
+  "traefik.http.middlewares.test-errors.errors.service": "serviceError",
+  "traefik.http.middlewares.test-errors.errors.query": "/{status}.html",
+  "traefik.http.middlewares.test-errors.errors.errorRequestHeaders": "X-Request-Id,Cookie"
+}
+```
+
+```yaml tab="Rancher"
+# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
+labels:
+  - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
+  - "traefik.http.middlewares.test-errors.errors.service=serviceError"
+  - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
+  - "traefik.http.middlewares.test-errors.errors.errorRequestHeaders=X-Request-Id,Cookie"
 ```

 ```yaml tab="File (YAML)"
@@ -64,6 +87,9 @@ http:
          - "505-599"
        service: serviceError
        query: "/{status}.html"
+        errorRequestHeaders:
+          - "X-Request-Id"
+          - "Cookie"

  services:
    # ... definition of error-handler-service and my-service
@@ -76,6 +102,7 @@ http:
    status = ["500","501","503","505-599"]
    service = "serviceError"
    query = "/{status}.html"
+    errorRequestHeaders = ["X-Request-Id","Cookie"]

 [http.services]
  # ... definition of error-handler-service and my-service
@@ -127,3 +154,12 @@ The table below lists all the available variables and their associated values.
 |------------|--------------------------------------------------------------------|
 | `{status}` | The response status code.                                          |
 | `{url}`    | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL. |
+
+### `errorRequestHeaders`
+
+Defines the list of original request headers forwarded to the error page service.
+
+By default (`errorRequestHeaders` not set), all request headers — including authentication material such as `Authorization` and `Cookie` — are forwarded.
+If the error page service is in a separate trust domain, use this option to restrict which headers cross the service boundary.
+
+Set to an explicit list to forward only those headers, or set to an empty list (`errorRequestHeaders: []`) to forward no headers.
@@ -16,7 +16,7 @@ Otherwise, the response from the authentication server is returned.

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Forward authentication to example.com
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
@@ -38,6 +38,18 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
+}
+```
+
+```yaml tab="Rancher"
+# Forward authentication to example.com
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+```
+
 ```yaml tab="File (YAML)"
 # Forward authentication to example.com
 http:
@@ -72,7 +84,7 @@ The following request properties are provided to the forward-auth target endpoin

 The `address` option defines the authentication server address.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```
@@ -91,6 +103,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -107,9 +130,25 @@ http:

 ### `trustForwardHeader`

+!!! warning
+
+    If `trustForwardHeader` is not explicitly set, Traefik will log a warning at startup and use a legacy behavior where some `X-Forwarded-*` headers (e.g. `X-Forwarded-For`, `X-Forwarded-Proto`) are removed but others (e.g. `X-Forwarded-Prefix`) are forwarded untouched.
+    To silence this warning, explicitly set `trustForwardHeader` to `true` or `false`.
+
+!!! tip "Recommended configuration"
+
+    The recommended approach is to configure trusted IPs at the [EntryPoint level](../../routing/entrypoints.md#forwarded-headers) using `forwardedHeaders.trustedIPs`, and set `trustForwardHeader: true` on this middleware.
+
+    With this setup, the EntryPoint is responsible for sanitizing incoming `X-Forwarded-*` headers:
+    it strips any such headers sent by untrusted clients and only preserves those coming from trusted upstream proxies.
+    By the time the ForwardAuth middleware processes the request, all `X-Forwarded-*` headers are guaranteed to be trustworthy,
+    including those intentionally added by other middlewares in the chain — for example, the `X-Forwarded-Prefix` header set by the [StripPrefix](stripprefix.md) middleware.
+
+    Setting `trustForwardHeader: true` on this middleware then simply tells ForwardAuth to forward all those (already sanitized) headers to the authentication server.
+
 Set the `trustForwardHeader` option to `true` to trust all `X-Forwarded-*` headers.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```
@@ -129,6 +168,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -150,7 +200,7 @@ http:
 The `authResponseHeaders` option is the list of headers to copy from the authentication server response and set on
 forwarded request, replacing any existing conflicting headers.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```
@@ -172,6 +222,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -197,7 +258,7 @@ set on forwarded request, after stripping all headers that match the regex.
 It allows partial matching of the regular expression against the header key.
 The start of string (`^`) and end of string (`$`) anchors should be used to ensure a full match against the header key.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
 ```
@@ -217,6 +278,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex": "^X-"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -245,7 +317,7 @@ The `authRequestHeaders` option is the list of the headers to copy from the requ
 It allows filtering headers that should not be passed to the authentication server.
 If not set or empty then all request headers are passed.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
 ```
@@ -267,6 +339,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders": "Accept,X-CustomHeader"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -285,147 +368,6 @@ http:
    authRequestHeaders = "Accept,X-CustomHeader"
 ```

-### `addAuthCookiesToResponse`
-
-The `addAuthCookiesToResponse` option is the list of cookies to copy from the authentication server to the response, 
-replacing any existing conflicting cookie from the forwarded response.
-
-!!! info
-
-    Please note that all backend cookies matching the configured list will not be added to the response.
-
-```yaml tab="Docker"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.addAuthCookiesToResponse=Session-Cookie,State-Cookie"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    address: https://example.com/auth
-    addAuthCookiesToResponse:
-      - Session-Cookie
-      - State-Cookie
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.addAuthCookiesToResponse=Session-Cookie,State-Cookie"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-auth:
-      forwardAuth:
-        address: "https://example.com/auth"
-        addAuthCookiesToResponse:
-          - "Session-Cookie"
-          - "State-Cookie"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
-```
-
-### `forwardBody`
-
-_Optional, Default=false_
-
-Set the `forwardBody` option to `true` to send Body.
-
-!!! info
-
-    As body is read inside Traefik before forwarding, this breaks streaming.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    address: https://example.com/auth
-    forwardBody: true
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-auth:
-      forwardAuth:
-        address: "https://example.com/auth"
-        forwardBody: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    forwardBody = true
-```
-
-### `maxBodySize`
-
-_Optional, Default=-1_
-
-Set the `maxBodySize` to limit the body size in bytes.
-If body is bigger than this, it returns a 401 (unauthorized).
-Default is `-1`, which means no limit.
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    address: https://example.com/auth
-    forwardBody: true
-    maxBodySize: 1000
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-auth:
-      forwardAuth:
-        address: "https://example.com/auth"
-        maxBodySize: 1000
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    forwardBody = true
-    maxBodySize = 1000
-```
-
 ### `tls`

 _Optional_
@@ -439,7 +381,7 @@ _Optional_
 `ca` is the path to the certificate authority used for the secured connection to the authentication server,
 it defaults to the system bundle.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
 ```
@@ -471,6 +413,17 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -496,7 +449,7 @@ _Optional_
 `cert` is the path to the public certificate used for the secure connection to the authentication server.
 When using this option, setting the `key` option is required.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
@@ -530,6 +483,19 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -561,7 +527,7 @@ _Optional_
 `key` is the path to the private key used for the secure connection to the authentication server.
 When using this option, setting the `cert` option is required.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
@@ -595,6 +561,19 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
+  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -625,7 +604,7 @@ _Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
 ```
@@ -646,6 +625,17 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -664,15 +654,17 @@ http:
      insecureSkipVerify: true
 ```

-### `headerField`
+### `maxResponseBodySize`

-_Optional_
+_Optional, Default=-1_

-You can define a header field to store the authenticated user using the `headerField`option.
+The `maxResponseBodySize` option defines the maximum allowed response body size in bytes from the authentication server.
+If the response body exceeds the configured limit, the request is rejected with a 401 (Unauthorized) status.
+If left unset, the request body size is unrestricted which can have performance or security implications.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.headerField=X-WebAuth-User"
+  - "traefik.http.middlewares.test-auth.forwardauth.maxResponseBodySize=10000"
 ```

 ```yaml tab="Kubernetes"
@@ -682,53 +674,23 @@ metadata:
  name: test-auth
 spec:
  forwardAuth:
-    # ...
-    headerField: X-WebAuth-User
+    address: https://example.com/auth
+    maxResponseBodySize: 10000
 ```

-```json tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.headerField=X-WebAuth-User"
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.maxResponseBodySize=10000"
 ```

-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-auth:
-      forwardAuth:
-        # ...
-        headerField: "X-WebAuth-User"
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.maxResponseBodySize": "10000"
+}
 ```

-```toml tab="File (TOML)"
-[http.middlewares.test-auth.forwardAuth]
-  # ...
-  headerField = "X-WebAuth-User"
-```
-
-### `preserveLocationHeader`
-
-_Optional, Default=false_
-
-`preserveLocationHeader` defines whether to forward the `Location` header to the client as is or prefix it with the domain name of the authentication server.
-
-```yaml tab="Docker & Swarm"
+```yaml tab="Rancher"
 labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    # ...
-    preserveLocationHeader: true
-```
-
-```json tab="Consul Catalog"
- "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
+  - "traefik.http.middlewares.test-auth.forwardauth.maxResponseBodySize=10000"
 ```

 ```yaml tab="File (YAML)"
@@ -736,15 +698,20 @@ http:
  middlewares:
    test-auth:
      forwardAuth:
-        # ...
-        preserveLocationHeader: true
+        address: "https://example.com/auth"
+        maxResponseBodySize: 10000
 ```

 ```toml tab="File (TOML)"
-[http.middlewares.test-auth.forwardAuth]
-  # ...
-  preserveLocationHeader = true
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    maxResponseBodySize = 10000
 ```

+!!! warning

-{!traefik-for-business-applications.md!}
+    It is strongly recommended to set this option to a suitable value.
+    Not setting it (or setting it to `-1`) allows unlimited response body sizes which can lead to DoS attacks and memory exhaustion.
+
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -1,66 +0,0 @@
---
-title: "Traefik GrpcWeb Documentation"
-description: "In Traefik Proxy's HTTP middleware, GrpcWeb converts a gRPC Web requests to HTTP/2 gRPC requests. Read the technical documentation."
---
-
-# GrpcWeb
-
-Converting gRPC Web requests to HTTP/2 gRPC requests.
-{: .subtitle }
-
-The GrpcWeb middleware converts gRPC Web requests to HTTP/2 gRPC requests before forwarding them to the backends.
-
-!!! tip
-
-    Please note, that Traefik needs to communicate using gRPC with the backends (h2c or HTTP/2 over TLS).
-    Check out the [gRPC](../../user-guides/grpc.md) user guide for more details.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-grpcweb.grpcweb.allowOrigins=*"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-grpcweb
-spec:
-  grpcWeb:
-    allowOrigins:
-      - "*"
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-grpcweb.grpcWeb.allowOrigins=*"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-grpcweb:
-      grpcWeb:
-        allowOrigins:
-          - "*"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-grpcweb.grpcWeb]
-    allowOrigins = ["*"]
-```
-
-## Configuration Options
-
-### `allowOrigins`
-
-The `allowOrigins` contains the list of allowed origins.
-A wildcard origin `*` can also be configured to match all requests.
-
-More information including how to use the settings can be found at:
-
- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
@@ -20,7 +20,7 @@ A set of forwarded headers are automatically added by default. See the [FAQ](../

 The following example adds the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` header to the response

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
  - "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
@@ -44,6 +44,19 @@ spec:
 - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
+  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "value"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -69,7 +82,7 @@ http:
 In the following example, requests are proxied with an extra `X-Script-Name` header while their `X-Custom-Request-Header` header gets stripped,
 and responses are stripped of their `X-Custom-Response-Header` header.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
@@ -96,6 +109,21 @@ spec:
 - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
+  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header": "",
+  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "",
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
+  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
+  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -123,7 +151,7 @@ http:
 Security-related headers (HSTS headers, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
 This functionality makes it possible to easily use security features by adding headers.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testHeader.headers.framedeny=true"
  - "traefik.http.middlewares.testHeader.headers.browserxssfilter=true"
@@ -145,6 +173,19 @@ spec:
 - "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.framedeny": "true",
+  "traefik.http.middlewares.testheader.headers.browserxssfilter": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.framedeny=true"
+  - "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -170,7 +211,7 @@ instead the response will be generated and sent back to the client directly.
 Please note that the example below is by no means authoritative or exhaustive,
 and should not be used as is for production.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
  - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
@@ -207,6 +248,25 @@ spec:
 - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
+  "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*",
+  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
+  "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
+  "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
+  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -394,10 +454,6 @@ This overrides the `BrowserXssFilter` option.

 The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.

-### `contentSecurityPolicyReportOnly`
-
-The `contentSecurityPolicyReportOnly` option allows the `Content-Security-Policy-Report-Only` header value to be set with a custom value.
-
 ### `publicKey`

 The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
@@ -410,7 +466,7 @@ The `referrerPolicy` allows sites to control whether browsers forward the `Refer

 !!! warning

-    Deprecated in favor of [`permissionsPolicy`](#permissionsPolicy)
+    Deprecated in favor of `permissionsPolicy`

 The `featurePolicy` allows sites to control browser features.

@@ -424,4 +480,4 @@ Set `isDevelopment` to `true` when developing to mitigate the unwanted effects o
 Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
 If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -14,7 +14,7 @@ To proactively prevent services from being overwhelmed with high load, the numbe

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
@@ -34,6 +34,18 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
@@ -57,7 +69,7 @@ http:
 The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
 The middleware responds with `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```
@@ -77,6 +89,18 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
+```
+
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
@@ -101,7 +125,7 @@ If none are set, the default is to use the `requestHost`.

 #### `sourceCriterion.ipStrategy`

-The `ipStrategy` option defines three parameters that configures how Traefik determines the client IP: `depth`, `excludedIPs` and `ipv6Subnet`.
+The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.

 !!! important "As a middleware, InFlightReq happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through the middleware. Therefore, during InFlightReq, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be used and/or relied upon."

@@ -112,9 +136,6 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
 - `depth` is ignored if its value is less than or equal to 0.

-If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
-See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
-
 !!! example "Example of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
@@ -125,7 +146,7 @@ See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
 ```
@@ -146,6 +167,17 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -179,7 +211,7 @@ http:
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
@@ -202,6 +234,17 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -221,68 +264,11 @@ http:
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```

-##### `ipStrategy.ipv6Subnet`
-
-This strategy applies to `Depth` and `RemoteAddr` strategy only.
-If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-
-This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
-
- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
-
-!!! example "Example of ipv6Subnet"
-
-    If `ipv6Subnet` is provided, the IP is transformed in the following way.
-
-    | `IP`                      | `ipv6Subnet` | clientIP              |
-    |---------------------------|--------------|-----------------------|
-    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
-    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
-    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-inflightreq
-spec:
-  inFlightReq:
-    sourceCriterion:
-      ipStrategy:
-        ipv6Subnet: 64
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-inflightreq:
-      inFlightReq:
-        sourceCriterion:
-          ipStrategy:
-            ipv6Subnet: 64
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-inflightreq.inflightreq]
-    [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
-      ipv6Subnet = 64
-```
-
 #### `sourceCriterion.requestHeaderName`

 Name of the header used to group incoming requests.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```
@@ -302,6 +288,17 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername": "username"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -322,7 +319,7 @@ http:

 Whether to consider the request host as the source.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```
@@ -342,6 +339,17 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -35,6 +35,18 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Accepts request from defined IP
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
@@ -75,9 +87,6 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is less than or equal to 0.

-If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
-See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
-
 !!! example "Examples of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
@@ -116,6 +125,20 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
+```
+
 ```yaml tab="File (YAML)"
 # Allowlisting Based on `X-Forwarded-For` with `depth=2`
 http:
@@ -184,6 +207,20 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Exclude from `X-Forwarded-For`
+labels:
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:
@@ -207,60 +244,3 @@ http:
    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
-
-#### `ipStrategy.ipv6Subnet`
-
-This strategy applies to `Depth` and `RemoteAddr` strategy only.
-If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-
-This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
-
- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
-
-!!! example "Example of ipv6Subnet"
-
-    If `ipv6Subnet` is provided, the IP is transformed in the following way.
-
-    | `IP`                      | `ipv6Subnet` | clientIP              |
-    |---------------------------|--------------|-----------------------|
-    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
-    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
-    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-ipallowlist
-spec:
-  ipallowlist:
-    sourceCriterion:
-      ipStrategy:
-        ipv6Subnet: 64
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-ipallowlist:
-      ipallowlist:
-        sourceCriterion:
-          ipStrategy:
-            ipv6Subnet: 64
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ipallowlist.ipallowlist]
-    [http.middlewares.test-ipallowlist.ipallowlist.sourceCriterion.ipStrategy]
-      ipv6Subnet = 64
-```
@@ -41,6 +41,18 @@ spec:
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Accepts request from defined IP
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
@@ -81,9 +93,6 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
 - `depth` is ignored if its value is less than or equal to 0.

-If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
-See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
-
 !!! example "Examples of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
@@ -122,6 +131,20 @@ spec:
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+```
+
 ```yaml tab="File (YAML)"
 # Whitelisting Based on `X-Forwarded-For` with `depth=2`
 http:
@@ -190,6 +213,20 @@ spec:
 - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Exclude from `X-Forwarded-For`
+labels:
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:
@@ -213,60 +250,3 @@ http:
    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
-
-#### `ipStrategy.ipv6Subnet`
-
-This strategy applies to `Depth` and `RemoteAddr` strategy only.
-If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-
-This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
-
- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
-
-!!! example "Example of ipv6Subnet"
-
-    If `ipv6Subnet` is provided, the IP is transformed in the following way.
-
-    | `IP`                      | `ipv6Subnet` | clientIP              |
-    |---------------------------|--------------|-----------------------|
-    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
-    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
-    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-ipWhiteList.ipWhiteList.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-ipWhiteList
-spec:
-  ipWhiteList:
-    sourceCriterion:
-      ipStrategy:
-        ipv6Subnet: 64
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ipWhiteList.ipWhiteList.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-ipWhiteList:
-      ipWhiteList:
-        sourceCriterion:
-          ipStrategy:
-            ipv6Subnet: 64
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ipWhiteList.ipWhiteList]
-    [http.middlewares.test-ipWhiteList.ipWhiteList.sourceCriterion.ipStrategy]
-      ipv6Subnet = 64
-```
@@ -12,7 +12,7 @@ Controlling connections

 ## Configuration Example

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # As a Docker Label
 whoami:
  #  A container that exposes an API to show its IP address
@@ -26,6 +26,19 @@ whoami:

 ```yaml tab="IngressRoute"
 # As a Kubernetes Traefik IngressRoute
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewares.traefik.io
+spec:
+  group: traefik.io
+  version: v1alpha1
+  names:
+    kind: Middleware
+    plural: middlewares
+    singular: middleware
+  scope: Namespaced
+
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
@@ -56,6 +69,22 @@ spec:
 - "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
+  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
+}
+```
+
+```yaml tab="Rancher"
+# As a Rancher Label
+labels:
+  # Create a middleware named `foo-add-prefix`
+  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+  # Apply the middleware named `foo-add-prefix` to the router named `router1`
+  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
+```
+
 ```toml tab="File (TOML)"
 # As TOML Configuration File
 [http.routers]
@@ -113,7 +142,7 @@ http:
 | [Errors](errorpages.md)                   | Defines custom error pages                        | Request Lifecycle           |
 | [ForwardAuth](forwardauth.md)             | Delegates Authentication                          | Security, Authentication    |
 | [Headers](headers.md)                     | Adds / Updates headers                            | Security                    |
-| [IPAllowList](ipallowlist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
+| [IPWhiteList](ipwhitelist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
 | [InFlightReq](inflightreq.md)             | Limits the number of simultaneous connections     | Security, Request lifecycle |
 | [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header              | Security                    |
 | [RateLimit](ratelimit.md)                 | Limits the call frequency                         | Security, Request lifecycle |
@@ -129,4 +158,4 @@ http:

 Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -18,7 +18,7 @@ PassTLSClientCert adds the selected data from the passed client TLS certificate

 Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
@@ -39,6 +39,18 @@ spec:
 - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
+labels:
+  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
+```
+
 ```yaml tab="File (YAML)"
 # Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 http:
@@ -57,7 +69,7 @@ http:

 ??? example "Pass the pem in the `X-Forwarded-Tls-Client-Cert` header"

-    ```yaml tab="Docker & Swarm"
+    ```yaml tab="Docker"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    labels:
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
@@ -134,6 +146,52 @@ http:
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
    ```

+    ```json tab="Marathon"
+    "labels": {
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
+    }
+    ```
+
+    ```yaml tab="Rancher"
+    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
+    labels:
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
+    ```
+
    ```yaml tab="File (YAML)"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    http:
@@ -14,7 +14,7 @@ It is based on a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) impl

 ## Configuration Example

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 200 requests is allowed.
 labels:
@@ -42,6 +42,21 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
+  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "200"
+}
+```
+
+```yaml tab="Rancher"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 200 requests is allowed.
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=200"
+```
+
 ```yaml tab="File (YAML)"
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 200 requests is allowed.
@@ -73,7 +88,7 @@ It defaults to `0`, which means no rate limiting.
 The rate is actually defined by dividing `average` by `period`.
 So for a rate below 1 req/s, one needs to define a `period` larger than a second.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # 100 reqs/s
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
@@ -95,6 +110,17 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
+```
+
 ```yaml tab="File (YAML)"
 # 100 reqs/s
 http:
@@ -121,7 +147,7 @@ r = average / period

 It defaults to `1` second.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # 6 reqs/minute
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
@@ -146,6 +172,20 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "6",
+  "traefik.http.middlewares.test-ratelimit.ratelimit.period": "1m",
+}
+```
+
+```yaml tab="Rancher"
+# 6 reqs/minute
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
+```
+
 ```yaml tab="File (YAML)"
 # 6 reqs/minute
 http:
@@ -170,7 +210,7 @@ http:

 It defaults to `1`.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```
@@ -189,6 +229,17 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "100",
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -211,7 +262,7 @@ If none are set, the default is to use the request's remote address field (as an

 #### `sourceCriterion.ipStrategy`

-The `ipStrategy` option defines three parameters that configures how Traefik determines the client IP: `depth`, `excludedIPs` and `ipv6Subnet`.
+The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.

 !!! important "As a middleware, rate-limiting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through rate-limiting. Therefore, during rate-limiting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be found and/or relied upon."

@@ -222,9 +273,6 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and select
 - If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
 - `depth` is ignored if its value is less than or equal to 0.

-If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.  
-See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
-
 !!! example "Example of Depth & X-Forwarded-For"

    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
@@ -235,7 +283,7 @@ See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3`     | `"11.0.0.1"` |
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
 ```
@@ -256,6 +304,17 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth": "2"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -316,7 +375,7 @@ and the first IP that is _not_ in the pool (if any) is returned.
    | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
    | `"10.0.0.1,11.0.0.1"`          | `"10.0.0.1,11.0.0.1"` | `""`         |

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
@@ -339,6 +398,17 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -358,70 +428,13 @@ http:
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```

-##### `ipStrategy.ipv6Subnet`
-
-This strategy applies to `Depth` and `RemoteAddr` strategy only.
-If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-
-This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
-
- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
-
-!!! example "Example of ipv6Subnet"
-
-    If `ipv6Subnet` is provided, the IP is transformed in the following way.
-
-    | `IP`                      | `ipv6Subnet` | clientIP              |
-    |---------------------------|--------------|-----------------------|
-    | `"::abcd:1111:2222:3333"` | `64`         | `"::0:0:0:0"`         |
-    | `"::abcd:1111:2222:3333"` | `80`         | `"::abcd:0:0:0:0"`    |
-    | `"::abcd:1111:2222:3333"` | `96`         | `"::abcd:1111:0:0:0"` |
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-ratelimit
-spec:
-  ratelimit:
-    sourceCriterion:
-      ipStrategy:
-        ipv6Subnet: 64
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    test-ratelimit:
-      ratelimit:
-        sourceCriterion:
-          ipStrategy:
-            ipv6Subnet: 64
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.ratelimit]
-    [http.middlewares.test-ratelimit.ratelimit.sourceCriterion.ipStrategy]
-      ipv6Subnet = 64
-```
-
 #### `sourceCriterion.requestHeaderName`

 Name of the header used to group incoming requests.

 !!! important "If the header is not present, rate limiting will still be applied, but all requests without the specified header will be grouped together."

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```
@@ -441,6 +454,17 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername": "username"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -461,7 +485,7 @@ http:

 Whether to consider the request host as the source.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```
@@ -481,6 +505,17 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost": "true"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -16,7 +16,7 @@ The RedirectRegex redirects a request using regex matching and replacement.

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Redirect with domain replacement
 # Note: all dollar signs need to be doubled for escaping.
 labels:
@@ -43,6 +43,21 @@ spec:
 - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectregex.redirectregex.regex": "^http://localhost/(.*)",
+  "traefik.http.middlewares.test-redirectregex.redirectregex.replacement": "http://mydomain/${1}"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect with domain replacement
+# Note: all dollar signs need to be doubled for escaping.
+labels:
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
+  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
+```
+
 ```yaml tab="File (YAML)"
 # Redirect with domain replacement
 http:
@@ -85,4 +100,4 @@ The `replacement` option defines how to modify the URL to have the new target UR

    Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -25,7 +25,7 @@ The RedirectScheme middleware redirects the request if the request scheme is dif

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Redirect to https
 labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
@@ -51,6 +51,20 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -75,7 +89,7 @@ http:

 Set the `permanent` option to `true` to apply a permanent redirection.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Redirect to https
 labels:
  # ...
@@ -101,6 +115,20 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```

+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
+```
+
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -123,7 +151,7 @@ http:

 The `scheme` option defines the scheme of the new URL.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Redirect to https
 labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
@@ -146,6 +174,18 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
+```
+
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -166,7 +206,7 @@ http:

 The `port` option defines the port of the new URL.

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Redirect to https
 labels:
  # ...
@@ -192,6 +232,20 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
 ```

+```json tab="Marathon"
+"labels": {
+
+  "traefik.http.middlewares.test-redirectscheme.redirectscheme.port": "443"
+}
+```
+
+```yaml tab="Rancher"
+# Redirect to https
+labels:
+  # ...
+  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
+```
+
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -16,7 +16,7 @@ Replace the path of the request URL.

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Replace the path with /foo
 labels:
  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
@@ -38,6 +38,18 @@ spec:
 - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-replacepath.replacepath.path": "/foo"
+}
+```
+
+```yaml tab="Rancher"
+# Replace the path with /foo
+labels:
+  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
+```
+
 ```yaml tab="File (YAML)"
 # Replace the path with /foo
 http:
@@ -16,7 +16,7 @@ The ReplaceRegex replaces the path of a URL using regex matching and replacement

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Replace path with regex
 labels:
  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
@@ -41,6 +41,20 @@ spec:
 - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex": "^/foo/(.*)",
+  "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement": "/bar/$1"
+}
+```
+
+```yaml tab="Rancher"
+# Replace path with regex
+labels:
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
+  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
+```
+
 ```yaml tab="File (YAML)"
 # Replace path with regex
 http:
@@ -21,7 +21,7 @@ The Retry middleware has an optional configuration to enable an exponential back

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Retry 4 times with exponential backoff
 labels:
  - "traefik.http.middlewares.test-retry.retry.attempts=4"
@@ -46,6 +46,20 @@ spec:
 - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-retry.retry.attempts": "4",
+  "traefik.http.middlewares.test-retry.retry.initialinterval": "100ms",
+}
+```
+
+```yaml tab="Rancher"
+# Retry 4 times with exponential backoff
+labels:
+  - "traefik.http.middlewares.test-retry.retry.attempts=4"
+  - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
+```
+
 ```yaml tab="File (YAML)"
 # Retry 4 times with exponential backoff
 http:
@@ -16,7 +16,7 @@ Remove the specified prefixes from the URL path.

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # Strip prefix /foobar and /fiibar
 labels:
  - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
@@ -40,6 +40,18 @@ spec:
 - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar,/fiibar"
+}
+```
+
+```yaml tab="Rancher"
+# Strip prefix /foobar and /fiibar
+labels:
+  - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
+```
+
 ```yaml tab="File (YAML)"
 # Strip prefix /foobar and /fiibar
 http:
@@ -81,12 +93,12 @@ Using the previous example, the backend should return `/products/shoes/image.png

 _Optional, Default=true_

-!!! warning
-
-    `forceSlash` option is deprecated and should not be used.
-
 The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.

+This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
+
+It is recommended to explicitly set `forceSlash` to `false`.
+
 ??? info "Behavior examples"

    - `forceSlash=true`
@@ -129,6 +141,19 @@ spec:
    forceSlash: false
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
+  "traefik.http.middlewares.example.stripprefix.forceSlash": "false"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
+  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -146,4 +171,4 @@ http:
    forceSlash = false
 ```

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -12,7 +12,7 @@ Remove the matching prefixes from the URL path.

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```
@@ -32,6 +32,17 @@ spec:
 - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex": "/foo/[a-z0-9]+/[0-9]+/"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
+```
+
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -23,7 +23,7 @@ Middlewares that use the same protocol can be combined into chains to fit every

 ## Configuration Example

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # As a Docker Label
 whoami:
  #  A container that exposes an API to show its IP address
@@ -66,6 +66,22 @@ spec:
 - "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
+  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
+}
+```
+
+```yaml tab="Rancher"
+# As a Rancher Label
+labels:
+  # Create a middleware named `foo-add-prefix`
+  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
+  # Apply the middleware named `foo-add-prefix` to the router named `router1`
+  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
+```
+
 ```yaml tab="File (YAML)"
 # As YAML Configuration File
 http:
@@ -114,4 +130,4 @@ A list of HTTP middlewares can be found [here](http/overview.md).

 A list of TCP middlewares can be found [here](tcp/overview.md).

-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -7,7 +7,7 @@ To proactively prevent services from being overwhelmed with high load, the numbe

 ## Configuration Examples

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 labels:
  - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
 ```
@@ -27,6 +27,18 @@ spec:
 - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections.
+labels:
+  - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
+```
+
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections.
 tcp:
@@ -39,6 +39,18 @@ spec:
 - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

+```json tab="Marathon"
+"labels": {
+  "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
+}
+```
+
+```yaml tab="Rancher"
+# Accepts request from defined IP
+labels:
+  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+```
+
 ```toml tab="File (TOML)"
 # Accepts request from defined IP
 [tcp.middlewares]
@@ -12,27 +12,40 @@ Controlling connections

 ## Configuration Example

-```yaml tab="Docker & Swarm"
+```yaml tab="Docker"
 # As a Docker Label
 whoami:
  #  A container that exposes an API to show its IP address
  image: traefik/whoami
  labels:
-    # Create a middleware named `foo-ip-allowlist`
-    - "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-    # Apply the middleware named `foo-ip-allowlist` to the router named `router1`
-    - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
+    # Create a middleware named `foo-ip-whitelist`
+    - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+    # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
+    - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
 ```

 ```yaml tab="IngressRoute"
 # As a Kubernetes Traefik IngressRoute
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: middlewaretcps.traefik.io
+spec:
+  group: traefik.io
+  version: v1alpha1
+  names:
+    kind: MiddlewareTCP
+    plural: middlewaretcps
+    singular: middlewaretcp
+  scope: Namespaced
+
 ---
 apiVersion: traefik.io/v1alpha1
 kind: MiddlewareTCP
 metadata:
-  name: foo-ip-allowlist
+  name: foo-ip-whitelist
 spec:
-  ipAllowList:
+  ipWhiteList:
    sourcerange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -47,14 +60,30 @@ spec:
  routes:
    # more fields...
    middlewares:
-      - name: foo-ip-allowlist
+      - name: foo-ip-whitelist
 ```

 ```yaml tab="Consul Catalog"
-# Create a middleware named `foo-ip-allowlist`
- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@consulcatalog"
+# Create a middleware named `foo-ip-whitelist`
+- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
+- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
+  "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
+}
+```
+
+```yaml tab="Rancher"
+# As a Rancher Label
+labels:
+  # Create a middleware named `foo-ip-whitelist`
+  - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
+  - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
 ```

 ```toml tab="File (TOML)"
@@ -62,11 +91,11 @@ spec:
 [tcp.routers]
  [tcp.routers.router1]
    service = "myService"
-    middlewares = ["foo-ip-allowlist"]
+    middlewares = ["foo-ip-whitelist"]
    rule = "Host(`example.com`)"

 [tcp.middlewares]
-  [tcp.middlewares.foo-ip-allowlist.ipAllowList]
+  [tcp.middlewares.foo-ip-whitelist.ipWhiteList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]

 [tcp.services]
@@ -85,12 +114,12 @@ tcp:
    router1:
      service: myService
      middlewares:
-        - "foo-ip-allowlist"
+        - "foo-ip-whitelist"
      rule: "Host(`example.com`)"

  middlewares:
-    foo-ip-allowlist:
-      ipAllowList:
+    foo-ip-whitelist:
+      ipWhiteList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
@@ -108,4 +137,4 @@ tcp:
 | Middleware                                | Purpose                                           | Area                        |
 |-------------------------------------------|---------------------------------------------------|-----------------------------|
 | [InFlightConn](inflightconn.md)           | Limits the number of simultaneous connections.    | Security, Request lifecycle |
-| [IPAllowList](ipallowlist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
+| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
@@ -38,7 +38,7 @@ Then any router can refer to an instance of the wanted middleware.

    !!! info "v1"

-    ```yaml tab="Docker & Swarm"
+    ```yaml tab="Docker"
    labels:
      - "traefik.frontend.rule=Host:test.localhost;PathPrefix:/test"
      - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
@@ -100,7 +100,7 @@ Then any router can refer to an instance of the wanted middleware.

    !!! info "v2"

-    ```yaml tab="Docker & Swarm"
+    ```yaml tab="Docker"
    labels:
      - "traefik.http.routers.router0.rule=Host(`test.localhost`) && PathPrefix(`/test`)"
      - "traefik.http.routers.router0.middlewares=auth"
@@ -317,7 +317,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
          namespace: default
    ```

-    ```yaml tab="Docker & Swarm"
+    ```yaml tab="Docker"
    labels:
      # myTLSOptions must be defined by another provider, in this instance in the File Provider.
      # see the cross provider section
@@ -428,7 +428,7 @@ To apply a redirection:

    !!! info "v2"

-    ```yaml tab="Docker & Swarm"
+    ```yaml tab="Docker"
    labels:
      traefik.http.routers.app.rule: Host(`example.net`)
      traefik.http.routers.app.entrypoints: web
@@ -556,7 +556,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo

    !!! info "v1"

-    ```yaml tab="Docker & Swarm"
+    ```yaml tab="Docker"
    labels:
      - "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"
    ```
@@ -588,7 +588,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo

    !!! info "v2"

-    ```yaml tab="Docker & Swarm"
+    ```yaml tab="Docker"
    labels:
      - "traefik.http.routers.admin.rule=Host(`example.org`) && PathPrefix(`/admin`)"
      - "traefik.http.routers.admin.middlewares=admin-stripprefix"
@@ -1044,7 +1044,7 @@ To activate the dashboard, you can either:

    !!! info "v2"

-    ```yaml tab="Docker & Swarm"
+    ```yaml tab="Docker"
    # dynamic configuration
    labels:
      - "traefik.http.routers.api.rule=Host(`traefik.docker.localhost`)"
@@ -1,751 +0,0 @@
---
-title: "Traefik V3 Migration Details"
-description: "Configuration changes and their details to successfully migrate from Traefik v2 to v3."
---
-
-# Configuration Details for Migrating from Traefik v2 to v3
-
-## Static Configuration Changes
-
-### SwarmMode
-
-In v3, the provider Docker has been split into 2 providers:
-
- Docker provider (without Swarm support)
- Swarm provider  (Swarm support only)
-
-??? example "An example usage of v2 Docker provider with Swarm"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      docker:
-        swarmMode: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.docker]
-        swarmMode=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.docker.swarmMode=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-In v3, the `swarmMode` should not be used with the Docker provider, and, to use Swarm, the Swarm provider should be used instead.
-
-??? example "An example usage of the Swarm provider"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      swarm:
-        endpoint: "tcp://127.0.0.1:2377"
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.swarm]
-        endpoint="tcp://127.0.0.1:2377"
-    ```
-
-    ```bash tab="CLI"
-    --providers.swarm.endpoint=tcp://127.0.0.1:2377
-    ```
-
-#### TLS.CAOptional
-
-Docker provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      docker:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.docker.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.docker.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the Docker provider static configuration.
-
-### Kubernetes Gateway API
-
-#### Experimental Channel Resources (TLSRoute and TCPRoute)
-
-In v3, the Kubernetes Gateway API provider does not enable support for the experimental channel API resources by default.
-
-##### Remediation
-
-The `experimentalChannel` option should be used to enable the support for the experimental channel API resources.
-
-??? example "An example usage of the Kubernetes Gateway API provider with experimental channel support enabled"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      kubernetesGateway:
-        experimentalChannel: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.kubernetesGateway]
-        experimentalChannel = true
-      # ...
-    ```
-
-    ```bash tab="CLI"
-    --providers.kubernetesgateway.experimentalchannel=true
-    ```
-
-### Experimental Configuration
-
-#### HTTP3
-
-In v3, HTTP/3 is no longer an experimental feature.
-It can be enabled on entry points without the associated `experimental.http3` option, which is now removed.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 Experimental `http3` option"
-
-    ```yaml tab="File (YAML)"
-    experimental:
-      http3: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [experimental]
-        http3=true
-    ```
-
-    ```bash tab="CLI"
-    --experimental.http3=true
-    ```
-
-##### Remediation
-
-The `http3` option should be removed from the static configuration experimental section.
-To configure `http3`, please checkout the [entrypoint configuration documentation](../routing/entrypoints.md#http3_1).
-
-### Consul provider
-
-#### namespace
-
-The Consul provider `namespace` option was deprecated in v2 and is now removed in v3.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 Consul `namespace` option"
-
-    ```yaml tab="File (YAML)"
-    consul:
-      namespace: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consul]
-        namespace=foobar
-    ```
-
-    ```bash tab="CLI"
-    --consul.namespace=foobar
-    ```
-
-##### Remediation
-
-In v3, the `namespaces` option should be used instead of the `namespace` option.
-
-??? example "An example usage of Consul `namespaces` option"
-
-    ```yaml tab="File (YAML)"
-    consul:
-      namespaces:
-        - foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consul]
-        namespaces=["foobar"]
-    ```
-
-    ```bash tab="CLI"
-    --consul.namespaces=foobar
-    ```
-
-#### TLS.CAOptional
-
-Consul provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      consul:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.consul.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.consul.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the Consul provider static configuration.
-
-### ConsulCatalog provider
-
-#### namespace
-
-The ConsulCatalog provider `namespace` option was deprecated in v2 and is now removed in v3.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 ConsulCatalog `namespace` option"
-
-    ```yaml tab="File (YAML)"
-    consulCatalog:
-      namespace: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consulCatalog]
-        namespace=foobar
-    ```
-
-    ```bash tab="CLI"
-    --consulCatalog.namespace=foobar
-    ```
-
-##### Remediation
-
-In v3, the `namespaces` option should be used instead of the `namespace` option.
-
-??? example "An example usage of ConsulCatalog `namespaces` option"
-
-    ```yaml tab="File (YAML)"
-    consulCatalog:
-      namespaces:
-        - foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consulCatalog]
-        namespaces=["foobar"]
-    ```
-
-    ```bash tab="CLI"
-    --consulCatalog.namespaces=foobar
-    ```
-
-#### Endpoint.TLS.CAOptional
-
-ConsulCatalog provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the Endpoint.TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      consulCatalog:
-        endpoint:
-          tls: 
-            caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.consulCatalog.endpoint.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.consulCatalog.endpoint.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `endpoint.tls.caOptional` option should be removed from the ConsulCatalog provider static configuration.
-
-### Nomad provider
-
-#### namespace
-
-The Nomad provider `namespace` option was deprecated in v2 and is now removed in v3.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 Nomad `namespace` option"
-
-    ```yaml tab="File (YAML)"
-    nomad:
-      namespace: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [nomad]
-        namespace=foobar
-    ```
-
-    ```bash tab="CLI"
-    --nomad.namespace=foobar
-    ```
-
-##### Remediation
-
-In v3, the `namespaces` option should be used instead of the `namespace` option.
-
-??? example "An example usage of Nomad `namespaces` option"
-
-    ```yaml tab="File (YAML)"
-    nomad:
-      namespaces:
-        - foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [nomad]
-        namespaces=["foobar"]
-    ```
-
-    ```bash tab="CLI"
-    --nomad.namespaces=foobar
-    ```
-
-#### Endpoint.TLS.CAOptional
-
-Nomad provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the Endpoint.TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      nomad:
-        endpoint:
-          tls: 
-            caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.nomad.endpoint.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.nomad.endpoint.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `endpoint.tls.caOptional` option should be removed from the Nomad provider static configuration.
-
-### Rancher v1 Provider
-
-In v3, the Rancher v1 provider has been removed because Rancher v1 is [no longer actively maintained](https://rancher.com/docs/os/v1.x/en/support/),
-and Rancher v2 is supported as a standard Kubernetes provider.
-
-??? example "An example of Traefik v2 Rancher v1 configuration"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      rancher: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.rancher]
-    ```
-
-    ```bash tab="CLI"
-    --providers.rancher=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
-As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](../providers/kubernetes-crd.md) directly.
-
-Also, all Rancher provider related configuration should be removed from the static configuration.
-
-### Marathon provider
-
-Marathon maintenance [ended on October 31, 2021](https://github.com/mesosphere/marathon/blob/master/README.md).
-In v3, the Marathon provider has been removed.
-
-??? example "An example of v2 Marathon provider configuration"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      marathon: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.marathon]
-    ```
-
-    ```bash tab="CLI"
-    --providers.marathon=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-All Marathon provider related configuration should be removed from the static configuration.
-
-### HTTP Provider
-
-#### TLS.CAOptional
-
-HTTP provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      http:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.http.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.http.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the HTTP provider static configuration.
-
-### ETCD Provider
-
-#### TLS.CAOptional
-
-ETCD provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      etcd:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.etcd.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.etcd.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the ETCD provider static configuration.
-
-### Redis Provider
-
-#### TLS.CAOptional
-
-Redis provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      redis:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.redis.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.redis.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the Redis provider static configuration.
-
-### InfluxDB v1
-
-InfluxDB v1.x maintenance [ended in 2021](https://www.influxdata.com/blog/influxdb-oss-and-enterprise-roadmap-update-from-influxdays-emea/).
-In v3, the InfluxDB v1 metrics provider has been removed.
-
-??? example "An example of Traefik v2 InfluxDB v1 metrics configuration"
-
-    ```yaml tab="File (YAML)"
-    metrics:
-      influxDB: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [metrics.influxDB]
-    ```
-
-    ```bash tab="CLI"
-    --metrics.influxDB=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-All InfluxDB v1 metrics provider related configuration should be removed from the static configuration.
-
-### Pilot
-
-Traefik Pilot is no longer available since October 4th, 2022.
-
-??? example "An example of v2 Pilot configuration"
-
-    ```yaml tab="File (YAML)"
-    pilot:
-      token: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [pilot]
-        token=foobar
-    ```
-
-    ```bash tab="CLI"
-    --pilot.token=foobar
-    ```
-
-In v2, Pilot configuration was deprecated and ineffective,
-it is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-All Pilot related configuration should be removed from the static configuration.
-
-### Kubernetes Ingress Path Matching
-
-In v3, the Kubernetes Ingress default path matching does not support regexes anymore.
-
-#### Remediation
-
-Two levels of remediation are possible:
-
- Interpret the default path matcher `PathPrefix` with v2 syntax.
-This can done globally for all routers with the [static configuration](#configure-the-default-syntax-in-static-configuration) or on a per-router basis by using the [traefik.ingress.kubernetes.io/router.rulesyntax](../routing/providers/kubernetes-ingress.md#annotations) annotation.
-
- Adapt the path regex to be compatible with the Go regex syntax and change the default path matcher to use the `PathRegexp` matcher with the [`traefik.ingress.kubernetes.io/router.pathmatcher`](../routing/providers/kubernetes-ingress.md#annotations) annotation.
-
-## Operations Changes
-
-### Traefik RBAC Update
-
-In v3, the support of `TCPServersTransport` has been introduced.
-When using the KubernetesCRD provider, it is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) manifests.
-
-### Content-Type Auto-Detection
-
-In v3, the `Content-Type` header is not auto-detected anymore when it is not set by the backend.
-One should use the `ContentType` middleware to enable the `Content-Type` header value auto-detection.
-
-### Observability
-
-#### Open Connections Metric
-
-In v3, the open connections metric has been replaced with a global one because it was erroneously at the HTTP level, and providing misleading information.
-While previously produced at the entryPoint, router, and service levels, it is now replaced with a global metric.
-The equivalent to `traefik_entrypoint_open_connections`, `traefik_router_open_connections` and `traefik_service_open_connections` is now `traefik_open_connections`.
-
-#### Configuration Reload Failures Metrics
-
-In v3, the `traefik_config_reloads_failure_total` and `traefik_config_last_reload_failure` metrics have been suppressed since they could not be implemented.
-
-#### gRPC Metrics
-
-In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.
-
-#### Tracing
-
-In v3, the tracing feature has been revamped and is now powered exclusively by [OpenTelemetry](https://opentelemetry.io/ "Link to website of OTel") (OTel).
-!!! warning "Important"
-    Traefik v3 **no** longer supports direct output formats for specific vendors such as Instana, Jaeger, Zipkin, Haystack, Datadog, and Elastic.
-    Instead, it focuses on pure OpenTelemetry implementation, providing a unified and standardized approach for observability.
-
-Here are two possible transition strategies:
-
-1. OTLP Ingestion Endpoints:
-
-    Most vendors now offer OpenTelemetry Protocol (OTLP) ingestion endpoints.
-    You can seamlessly integrate Traefik v3 with these endpoints to continue leveraging tracing capabilities.
-
-2. Legacy Stack Compatibility:
-
-    For legacy stacks that cannot immediately upgrade to the latest vendor agents supporting OTLP ingestion,
-    using OpenTelemetry (OTel) collectors with appropriate exporters configuration is a viable solution.
-    This allows continued compatibility with the existing infrastructure.
-
-Please check the [OpenTelemetry Tracing provider documention](../observability/tracing/opentelemetry.md) for more information.
-
-#### Internal Resources Observability
-
-In v3, observability for internal routers or services (e.g.: `ping@internal`) is disabled by default.
-To enable it one should use the new `addInternals` option for AccessLogs, Metrics or Tracing.
-Please take a look at the observability documentation for more information:
-
- [AccessLogs](../observability/access-logs.md#addinternals)
- [Metrics](../observability/metrics/overview.md#addinternals)
- [Tracing](../observability/tracing/overview.md#addinternals)
-
-#### Access logs
-
-In v3, the `ServiceURL` field is not an object anymore but a string representation.
-An update may be required if you index access logs.
-
-## Dynamic Configuration Changes
-
-### Router Rule Matchers
-
-In v3, a new rule matchers syntax has been introduced for HTTP and TCP routers.
-The default rule matchers syntax is now the v3 one, but for backward compatibility this can be configured.
-The v2 rule matchers syntax is deprecated and its support will be removed in the next major version.
-For this reason, we encourage migrating to the new syntax.
-
-By default, the `defaultRuleSyntax` static option is automatically set to `v3`, meaning that the default rule is the new one.
-
-#### New V3 Syntax Notable Changes
-
-The `Headers` and `HeadersRegexp` matchers have been renamed to `Header` and `HeaderRegexp` respectively.
-
-`PathPrefix` no longer uses regular expressions to match path prefixes.
-
-`QueryRegexp` has been introduced to match query values using a regular expression.
-
-`HeaderRegexp`, `HostRegexp`, `PathRegexp`, `QueryRegexp`, and `HostSNIRegexp` matchers now uses the [Go regexp syntax](https://golang.org/pkg/regexp/syntax/).
-
-All matchers now take a single value (except `Header`, `HeaderRegexp`, `Query`, and `QueryRegexp` which take two)
-and should be explicitly combined using logical operators to mimic previous behavior.
-
-`Query` can take a single value to match is the query value that has no value (e.g. `/search?mobile`).
-
-`HostHeader` has been removed, use `Host` instead.
-
-#### Remediation
-
-##### Configure the Default Syntax In Static Configuration
-
-The default rule matchers syntax is the expected syntax for any router that is not self opt-out from this default value.
-It can be configured in the static configuration.
-
-??? example "An example configuration for the default rule matchers syntax"
-
-    ```yaml tab="File (YAML)"
-    # static configuration
-    core:
-      defaultRuleSyntax: v2
-    ```
-
-    ```toml tab="File (TOML)"
-    # static configuration
-    [core]
-        defaultRuleSyntax="v2"
-    ```
-
-    ```bash tab="CLI"
-    # static configuration
-    --core.defaultRuleSyntax=v2
-    ```
-
-##### Configure the Syntax Per Router
-
-The rule syntax can also be configured on a per-router basis.
-This allows to have heterogeneous router configurations and ease migration.
-
-??? example "An example router with syntax configuration"
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.routers.test.ruleSyntax=v2"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: test.route
-  namespace: default
-
-spec:
-  routes:
-    - match: PathPrefix(`/foo`, `/bar`)
-      syntax: v2
-      kind: Rule
-```
-
-```yaml tab="Consul Catalog"
- "traefik.http.routers.test.ruleSyntax=v2"
-```
-
-```yaml tab="File (YAML)"
-http:
-  routers:
-    test:
-      ruleSyntax: v2
-```
-
-```toml tab="File (TOML)"
-[http.routers]
-  [http.routers.test]
-    ruleSyntax = "v2"
-```
-
-### IPWhiteList
-
-In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration. 
-
-### Deprecated Options Removal
-
- The `tracing.datadog.globaltag` option has been removed.
- The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Consul Catalog, and Docker providers.
- `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
- The `forceSlash` option of the StripPrefix middleware has been removed.
- The `preferServerCipherSuites` option has been removed.
-
-### TCP LoadBalancer `terminationDelay` option
-
-The TCP LoadBalancer `terminationDelay` option has been removed.
-This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)
-
-### Kubernetes CRDs API Group `traefik.containo.us`
-
-In v3, the Kubernetes CRDs API Group `traefik.containo.us` has been removed. 
-Please use the API Group `traefik.io` instead.
-
-### Kubernetes Ingress API Group `networking.k8s.io/v1beta1`
-
-In v3, the Kubernetes Ingress API Group `networking.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122)) support has been removed.
-
-Please use the API Group `networking.k8s.io/v1` instead.
-
-### Traefik CRD API Version `apiextensions.k8s.io/v1beta1`
-
-In v3, the Traefik CRD API Version `apiextensions.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#customresourcedefinition-v122)) support has been removed.
-
-Please use the CRD definition with the API Version `apiextensions.k8s.io/v1` instead.
@@ -1,77 +0,0 @@
---
-title: "Traefik V3 Migration Documentation"
-description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
---
-
-# Migration Guide: From v2 to v3
-
-How to Migrate from Traefik v2 to Traefik v3.
-{: .subtitle }
-
-With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.
-
-Here are the steps to progressively migrate from Traefik v2 to v3:
-
-1. [Prepare configurations and test v3](#step-1-prepare-configurations-and-test-v3)
-1. [Migrate production instances to Traefik v3](#step-2-migrate-production-instances-to-traefik-v3)
-1. [Progressively migrate dynamic configuration](#step-3-progressively-migrate-dynamic-configuration)
-
-## Step 1: Prepare Configurations and Test v3
-
-Check the changes in [static configurations](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3.
-Modify your configurations accordingly.
-
-Then, add the following snippet to the static configuration:
-
-```yaml
-# static configuration
-core:
-  defaultRuleSyntax: v2
-```
-
-This snippet in the static configuration makes the [v2 format](../migration/v2-to-v3-details.md#configure-the-default-syntax-in-static-configuration "Link to configure default syntax in static config") the default rule matchers syntax.
-
-Start Traefik v3 with this new configuration to test it.
-
-If you don’t get any error logs while testing, you are good to go!
-Otherwise, follow the remaining migration options highlighted in the logs.
-
-Once your Traefik test instances are starting and routing to your applications, proceed to the next step.
-
-## Step 2: Migrate Production Instances to Traefik v3
-
-We strongly advise you to follow a progressive migration strategy ([Kubernetes rolling update mechanism](https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-intro/ "Link to the Kubernetes rolling update documentation"), for example) to migrate your production instances to v3.
-
-!!! Warning
-    Ensure you have a [real-time monitoring solution](https://traefik.io/blog/capture-traefik-metrics-for-apps-on-kubernetes-with-prometheus/ "Link to the blog on capturing Traefik metrics with Prometheus") for your ingress traffic to detect issues instantly.
-
-During the progressive migration, monitor your ingress traffic for any errors. Be prepared to rollback to a working state in case of any issues.
-
-If you encounter any issues, leverage debug and access logs provided by Traefik to understand what went wrong and how to fix it.
-
-Once every Traefik instance is updated, you will be on Traefik v3!
-
-## Step 3: Progressively Migrate Dynamic Configuration
-
-!!! info
-    This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes").
-    Enable Traefik logs to get some help if any deprecated option is in use.
-
-Check the changes in [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes").
-
-Then, progressively [switch each router to the v3 syntax](./v2-to-v3-details.md#configure-the-syntax-per-router "Link to configuring the syntax per router").
-
-Test and update each Ingress resource and ensure that ingress traffic is not impacted.
-
-Once a v3 Ingress resource migration is validated, deploy the resource and delete the v2 Ingress resource.
-Repeat it until all Ingress resources are migrated.
-
-Now, remove the following snippet added to the static configuration in Step 1:
-
-```yaml
-# static configuration
-core:
-  defaultRuleSyntax: v2
-```
-
-You are now fully migrated to Traefik v3 🎉
@@ -77,7 +77,6 @@ rules:
      - tlsoptions
      - tlsstores
      - serverstransports
-      - serverstransporttcps
    verbs:
      - get
      - list
@@ -170,7 +169,6 @@ rules:
    verbs:
      - update
  - apiGroups:
-      - traefik.io
      - traefik.containo.us
    resources:
      - middlewares
@@ -182,7 +180,6 @@ rules:
      - tlsoptions
      - tlsstores
      - serverstransports
-      - serverstransporttcps
    verbs:
      - get
      - list
@@ -455,7 +452,7 @@ To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](.

 In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/) of the specification and 
 [route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
-Therefore, the RBAC and CRD definitions must be updated.
+Therefore, the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-gateway.md#definitions) definitions must be updated.

 ## v2.6.0 to v2.6.1

@@ -553,7 +550,7 @@ The following ciphers have been removed from the default list:
 - `TLS_RSA_WITH_AES_128_GCM_SHA256`
 - `TLS_RSA_WITH_AES_256_GCM_SHA384`

-To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.
+To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.

 ### Minimum TLS Version

@@ -562,7 +559,7 @@ To enable these ciphers, please set the option `CipherSuites` in your [TLS confi
 > This change can be reverted with the `tls10server=1 GODEBUG` setting.
 > (https://go.dev/doc/go1.22#crypto/tls)

-To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.
+To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.

 ## v2.11.1

@@ -677,3 +674,231 @@ it can lead to unsafe routing when the `sanitizePath` option is set to `false`.

    Setting the `sanitizePath` option to `false` is not safe.
    Ensure every request is properly url encoded instead.
+
+## v2.11.25
+
+### Request Path Normalization
+
+Since `v2.11.25`, the request path is now normalized by decoding unreserved characters in the request path,
+and also uppercasing the percent-encoded characters.
+This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2),
+and [RFC 3986 case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1).
+
+The normalization happens before the request path is sanitized,
+and cannot be disabled.
+This notably helps with encoded dots characters (which are unreserved characters) to be sanitized properly.
+
+### Routing Path
+
+Since `v2.11.25`, the reserved characters [(as per RFC 3986)](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) are kept encoded in the request path when matching the router rules.
+Those characters, when decoded, change the meaning of the request path for routing purposes,
+and Traefik now keeps them encoded to avoid any ambiguity.
+
+### Request Path Matching Examples
+
+| Request Path      | Router Rule            | Traefik v2.11.24 | Traefik v2.11.25 |
+|-------------------|------------------------|------------------|------------------|
+| `/foo%2Fbar`      | PathPrefix(`/foo/bar`) | Match            | No match         |
+| `/foo/../bar`     | PathPrefix(`/foo`)     | No match         | No match         |
+| `/foo/../bar`     | PathPrefix(`/bar`)     | Match            | Match            |
+| `/foo/%2E%2E/bar` | PathPrefix(`/foo`)     | Match            | No match         |
+| `/foo/%2E%2E/bar` | PathPrefix(`/bar`)     | No match         | Match            |
+
+## v2.11.28
+
+### MultiPath TCP
+
+Since `v2.11.28`, the MultiPath TCP support introduced with `v2.11.26` has been removed.
+It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message:
+
+- `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported`
+
+However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).
+
+## v2.11.32
+
+### Encoded Characters in Request Path
+
+Since `v2.11.32`, for security reasons Traefik now rejects requests with a path containing a specific set of encoded characters by default.
+When such a request is received, Traefik responds with a `400 Bad Request` status code.
+Here is the list of the encoded characters that are rejected by default, along with the corresponding configuration option to allow them:
+
+| Encoded Character | Character               | Config option to allow the encoded character                                         |
+|-------------------|-------------------------|--------------------------------------------------------------------------------------|
+| `%2f` or `%2F`    | `/` (slash)             | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSlash`          |
+| `%5c` or `%5C`    | `\` (backslash)         | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedBackSlash`     |
+| `%00`             | `NULL` (null character) | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedNullCharacter` |
+| `%3b` or `%3B`    | `;` (semicolon)         | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSemicolon`     |
+| `%25`             | `%` (percent)           | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedPercent`       |
+| `%3f` or `%3F`    | `?` (question mark)     | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedQuestionMark`  |
+| `%23`             | `#` (hash)              | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedHash`          |
+
+Note: This check is not done against query parameters,
+but only against the request path as defined in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
+
+Please check out the entrypoint [encodedCharacters option](../routing/entrypoints.md#encoded-characters) documentation for more details.
+
+## v2.11.35
+
+### Encoded Characters Configuration Default Values
+
+Since `v2.11.35`, the options for encoded characters now have a `true` default value.
+This means that Traefik will not reject requests with a path containing a specific set of encoded characters by default.
+It is now up to the users to configure the security hardening of encoded characters.
+
+Here is the list of the encoded characters that can be configured to `false` to disallow them:
+
+| Encoded Character | Character               | Config options                                                                       | Default value |
+|-------------------|-------------------------|--------------------------------------------------------------------------------------|---------------|
+| `%2f` or `%2F`    | `/` (slash)             | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSlash`          | `true`        |
+| `%5c` or `%5C`    | `\` (backslash)         | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedBackSlash`     | `true`        |
+| `%00`             | `NULL` (null character) | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedNullCharacter` | `true`        |
+| `%3b` or `%3B`    | `;` (semicolon)         | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedSemicolon`     | `true`        |
+| `%25`             | `%` (percent)           | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedPercent`       | `true`        |
+| `%3f` or `%3F`    | `?` (question mark)     | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedQuestionMark`  | `true`        |
+| `%23`             | `#` (hash)              | `entryPoints.<name>`<br/>`.http.encodedCharacters`<br/>`.allowEncodedHash`          | `true`        |
+
+Note: This check is not done against query parameters,
+but only against the request path as defined
+in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
+
+Please check out the entrypoint [encodedCharacters option](../routing/entrypoints.md#encoded-characters) documentation
+for more details.
+
+## v2.11.38
+
+### `maxResponseBodySize` configuration on ForwardAuth middleware
+
+In `v2.11.38`, a new `maxResponseBodySize` option has been added to the ForwardAuth middleware configuration.
+The default value for this option is -1, which means there is no limit to the response body size.
+However, it is strongly recommended to set this option to a suitable value to avoid performance and security issues,
+such as DoS attacks and memory exhaustion.
+
+Please check out the [ForwardAuth](../middlewares/http/forwardauth.md#maxresponsebodysize) middleware documentation for more details.
+
+## v2.11.41
+
+### `maxResponseBodySize` configuration on HTTP provider
+
+In `v2.11.41`, a new `maxResponseBodySize` option has been added to the HTTP provider configuration.
+The default value for this option is -1, which means there is no limit to the response body size.
+However, it is strongly recommended to set this option to a suitable value to avoid performance issues such as memory exhaustion.
+
+Please check out the [HTTP](../providers/http.md#maxresponsebodysize) provider documentation for more details.
+
+## v2.11.43
+
+### Kubernetes CRD: Chain middleware and `allowCrossNamespace`
+
+In `v2.11.43`, the `Chain` middleware now honors the Kubernetes CRD provider's `allowCrossNamespace` option.
+Previously, a `Chain` could reference middlewares in other namespaces regardless of the `allowCrossNamespace` configuration.
+
+If `allowCrossNamespace` is set to `false` (the default) and a `Chain` middleware references a middleware in a different namespace from its own,
+the whole `Chain` is now rejected and an error is logged.
+
+### ForwardAuth middleware: `trustForwardHeader`
+
+In `v2.11.43`, when `trustForwardHeader` is not explicitly set, Traefik logs a warning as its behavior is inconsistent:
+some `X-Forwarded-*` headers (e.g. `X-Forwarded-For`, `X-Forwarded-Proto`) are removed while others (e.g. `X-Forwarded-Prefix`) are forwarded untouched.
+
+To silence the warning and avoid security concerns, explicitly set `trustForwardHeader` to `true` or `false` in your ForwardAuth middleware configuration.
+
+Please check out the [ForwardAuth](../middlewares/http/forwardauth.md#trustforwardheader) middleware documentation for more details.
+
+## v2.11.44
+
+In `v2.11.44`, a new `errorRequestHeaders` option has been added to the Errors middleware.
+
+By default, the behavior is unchanged: all original request headers are forwarded to the error page service.
+If the error page service is in a separate trust domain, consider using `errorRequestHeaders` to restrict which headers are forwarded.
+
+Please check out the [Error Pages](../middlewares/http/errorpages.md#forwardheaders) middleware documentation for more details.
+
+## v2.11.45
+
+### Docker provider: minimum Docker Engine version
+
+Starting with `v2.11.45`, the Docker provider requires Docker API version v1.40 or
+above ([Docker Engine v19.03](https://docs.docker.com/reference/api/engine/#api-version-matrix)).
+Users running older (end of life) versions of Docker Engine should update their
+Docker Engine or use the [`DOCKER_API_VERSION`](https://docs.docker.com/reference/api/engine/#versioned-api-and-sdk)
+environment variable to override the API version used by Traefik.
+
+## v2.11.46
+
+### Kubernetes Providers: `crossProviderNamespaces`
+
+In `v2.11.46`, a new `crossProviderNamespaces` option is available on the Kubernetes CRD, Ingress, and Gateway providers.
+
+Traefik offers the possibility to reference resources from one provider to another (cross-provider references).
+
+However, in the context of Kubernetes providers,
+those references (e.g. `myservice@kubernetescrd`) allow a user to cross namespace boundaries, 
+as well as exposing `@internal` services, that only the operator should be able to expose.
+
+This new `crossProviderNamespaces` option restricts in which namespaces Kubernetes resources are allowed to use cross-provider references.
+
+The behavior is as follows:
+
+| Value      | Behavior                                                                                  |
+|------------|-------------------------------------------------------------------------------------------|
+| not set    | All Kubernetes resources can declare cross-provider references.                           |
+| `[]`       | Every Kubernetes resource declaring a cross-provider reference is rejected.               |
+| `["ns-a"]` | Only Kubernetes resources in the listed namespaces can declare cross-provider references. |
+
+Please check out the [Kubernetes CRD](../providers/kubernetes-crd.md#crossprovidernamespaces), [Kubernetes Ingress](../providers/kubernetes-ingress.md#crossprovidernamespaces),
+and [Kubernetes Gateway](../providers/kubernetes-gateway.md#crossprovidernamespaces) provider documentation for more details.
+
+## v2.11.48
+
+### BasicAuth Middleware
+
+From version `v2.11.48` onwards, the BasicAuth middleware requires a non-empty users configuration in order to be built successfully.
+Previously, the middleware would be built successfully but always return a 401 status code for any request.
+Now, an error occurs and any routers using it will be unmounted. For the same request, a 404 status code is served instead of a 401 status code.
+
+### StripPrefix and StripPrefixRegex Middleware
+
+From version `v2.11.48` onwards, the StripPrefix middleware and the StripPrefixRegex middleware reject requests (`400 Bad Request`)
+when stripping the configured prefix produces a path that differs from its normalised form
+(i.e. a path containing `.` or `..` segments that would be collapsed by normalisation).
+
+This prevents the stripped path from being interpreted as a different resource by the upstream service.
+
+Examples with a configured prefix of `/api`:
+
+| Request path | Path after strip | Normalised path | Result       |
+|--------------|------------------|-----------------|--------------|
+| `/api/foo`   | `/foo`           | `/foo`          | `200` (sent) |
+| `/api/`      | `/`              | `/`             | `200` (sent) |
+| `/api./foo`  | `/./foo`         | `/foo`          | `400`        |
+| `/api../foo` | `/../foo`        | `/foo`          | `400`        |
+
+## v2.11.51
+
+### UnderscoreHeadersStrategy
+
+From version `v2.11.51` onwards, a new `underscoreHeadersStrategy` entry point option defines how request headers with
+underscores in their names are handled before routing:
+
+- `keep` (default): request headers with underscores are forwarded as is.
+- `delete`: any request header whose name contains an underscore character is silently removed from the request.
+- `reject`: any request carrying a header whose name contains an underscore character is rejected with a `400 Bad Request` response.
+
+The default value is `keep`, so the existing behavior is preserved.
+
+This option exists because underscores are valid characters in HTTP header names, but Go canonicalizes header names only on dashes.
+As a result, a middleware managing a header in its dash form (e.g. `X-Auth-User` set by the ForwardAuth `authResponseHeaders` option)
+does not see, and therefore cannot overwrite or remove, an underscore variant of that header (e.g. `X_Auth_User`).
+
+Many backends map both forms to the same variable (CGI, WSGI, PHP, NGINX, ...): for them, `X-Auth-User` and `X_Auth_User`
+are the same header. Against such a backend, a client can smuggle the underscore variant past a middleware that only manages
+the dash form, and have the backend read the spoofed value, bypassing the protection the middleware was meant to provide.
+
+!!! warning "Security"
+
+    When an entry point fronts a backend that interprets underscores and dashes in header names identically,
+    keeping the default `keep` strategy is not recommended, as it leaves the backend open to the header spoofing described above.
+    Set `underscoreHeadersStrategy` to `delete` or `reject` on such entry points.
+
+Please check out the entrypoint [underscoreHeadersStrategy option](../routing/entrypoints.md#underscoreheadersstrategy) documentation for more details.
@@ -1,217 +0,0 @@
---
-title: "Traefik Migration Documentation"
-description: "Learn the steps needed to migrate to new Traefik Proxy v3 versions. Read the technical documentation."
---
-
-# Migration: Steps needed between the versions
-
-## v3.0 to v3.1
-
-### Kubernetes Provider RBACs
-
-Starting with v3.1, the Kubernetes Providers now use the [EndpointSlices API](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) (Kubernetes >=v1.21) to discover service endpoint addresses.
-It also brings NodePort load-balancing which requires Nodes resources lookup.
-
-Therefore, in the corresponding RBACs (see [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example), [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac), and [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs):
-
- the `endpoints` right has to be removed and the following `endpointslices` right has to be added:
-
-```yaml
-  ... 
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - list
-      - watch
-  ...
-```
-
- the `nodes` right has to be added:
-
-```yaml
-  ...
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-      - list
-      - watch
-  ...
-```
-
-#### Gateway API: KubernetesGateway Provider
-
-In v3.1, the KubernetesGateway Provider is no longer an experimental feature.
-It can be enabled without the associated `experimental.kubernetesgateway` option, which is now deprecated.
-
-??? example "An example of the experimental `kubernetesgateway` option"
-
-    ```yaml tab="File (YAML)"
-    experimental:
-      kubernetesgateway: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [experimental]
-        kubernetesgateway=true
-    ```
-
-    ```bash tab="CLI"
-    --experimental.kubernetesgateway=true
-    ```
-
-##### Remediation
-
-The `kubernetesgateway` option should be removed from the experimental section of the static configuration.
-To configure `kubernetesgateway`, please check out the [KubernetesGateway Provider documentation](../providers/kubernetes-gateway.md).
-
-## v3.1.0 to v3.1.1
-
-### IngressClass Lookup
-
-The Kubernetes Ingress provider option `disableIngressClassLookup` has been deprecated in v3.1.1, and will be removed in the next major version.
-Please use the `disableClusterScopeResources` option instead to avoid cluster scope resources discovery (IngressClass, Nodes).
-
-## v3.1 to v3.2
-
-### Kubernetes CRD Provider
-
-Starting with v3.2, the CRDs has been updated on [TraefikService](../../routing/services#mirroring-service) (PR [#11032](https://github.com/traefik/traefik/pull/11032)), on [RateLimit](../../middlewares/http/ratelimit) & [InFlightReq](../../middlewares/http/inflightreq) middlewares (PR [#9747](https://github.com/traefik/traefik/pull/9747)) and on [Compress](../../middlewares/http/compress) middleware (PR [#10943](https://github.com/traefik/traefik/pull/10943)).
-
-This update adds only new optional fields.
-CRDs can be updated with this command:
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-```
-
-### Kubernetes Gateway Provider Standard Channel
-
-Starting with v3.2, the Kubernetes Gateway Provider now supports [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/).
-
-Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
-the `grcroutes` and `grpcroutes/status` rights have to be added.
-
-```yaml
-  ...
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - grpcroutes
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - grpcroutes/status
-    verbs:
-      - update
-  ...
-```
-
-### Kubernetes Gateway Provider Experimental Channel
-
-!!! warning "Breaking changes"
-
-    Because of a breaking change introduced in Kubernetes Gateway [v1.2.0-rc1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0-rc1),
-    Traefik v3.3 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
-
-Starting with v3.2, the Kubernetes Gateway Provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/).
-
-Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
-the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added.
-
-```yaml
-  ...
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - backendtlspolicies
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - backendtlspolicies/status
-    verbs:
-      - update
-  ...
-```
-
-## v3.2.1
-
-### X-Forwarded-Prefix
-
-In `v3.2.1`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
-Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
-
-## v3.2.2
-
-### Swarm Provider
-
-In `v3.2.2`, the `traefik.docker.network` and `traefik.docker.lbswarm` labels have been deprecated,
-please use the `traefik.swarm.network` and `traefik.swarm.lbswarm` labels instead.
-
-## v3.2 to v3.3
-
-### ACME DNS Certificate Resolver
-
-In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated, 
-please use respectively `acme.dnsChallenge.propagation.delayBeforeChecks` and `acme.dnsChallenge.propagation.disableChecks` options instead.
-
-### Tracing Global Attributes
-
-In `v3.3`, the `tracing.globalAttributes` option has been deprecated, please use the `tracing.resourceAttributes` option instead.
-The `tracing.globalAttributes` option is misleading as its name does not reflect the operation of adding resource attributes to be sent to the collector,
-and will be removed in the next major version.
-
-## v3.3.4
-
-### OpenTelemetry Request Duration metric
-
-In `v3.3.4`, the OpenTelemetry Request Duration metric (named `traefik_(entrypoint|router|service)_request_duration_seconds`) unit has been changed from milliseconds to seconds.
-To be consistent with the naming and other metrics providers, the metric now reports the duration in seconds.
-
-## v3.3.5
-
-### Compress Middleware
-
-In `v3.3.5`, the compress middleware `encodings` option default value is now `gzip, br, zstd`. 
-This change helps the algorithm selection to favor the `gzip` algorithm over the other algorithms.
-
-It impacts requests that do not specify their preferred algorithm,
-or has no order preference, in the `Accept-Encoding` header.
-
-## v3.3.6
-
-### Request Path Sanitization
-
-Since `v3.3.6`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
-Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
-
-If you want to disable this behavior, you can set the [`sanitizePath` option](../reference/install-configuration/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
-This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
-For example, as base64 uses the “/” character internally,
-if it's not url encoded,
-it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
-
-!!! warning "Security"
-
-    Setting the `sanitizePath` option to `false` is not safe.
-    Ensure every request is properly url encoded instead.
@@ -26,26 +26,6 @@ accessLog: {}
 --accesslog=true
 ```

-### `addInternals`
-
-_Optional, Default="false"_
-
-Enables access logs for internal resources (e.g.: `ping@internal`).
-
-```yaml tab="File (YAML)"
-accesslog:
-  addInternals: true
-```
-
-```toml tab="File (TOML)"
-[accesslog]
-  addInternals = true
-```
-
-```bash tab="CLI"
--accesslog.addinternals
-```
-
 ### `filePath`

 By default access logs are written to the standard output.
@@ -204,7 +184,7 @@ accessLog:

  [accessLog.fields]
    defaultMode = "keep"
-
+    
    [accessLog.fields.names]
      "ClientUsername" = "drop"

@@ -264,9 +244,6 @@ accessLog:
    | `RetryAttempts`         | The amount of attempts the request was retried.                                                                                                                     |
    | `TLSVersion`            | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS).                                                                                         |
    | `TLSCipher`             | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS)                                                           |
-    | `TLSClientSubject`      | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`)                                                               |
-    | `TraceId`               | A consistent identifier for tracking requests across services, including upstream ones managed by Traefik, shown as a 32-hex digit string                           |
-    | `SpanId`                | A unique identifier for Traefik’s root span (EntryPoint) within a request trace, formatted as a 16-hex digit string.                                                |

 ## Log Rotation

@@ -292,7 +269,7 @@ version: "3.7"

 services:
  traefik:
-    image: traefik:v3.3
+    image: traefik:v2.11
    environment:
      - TZ=US/Alaska
    command:
@@ -304,418 +281,4 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock
 ```

-## OpenTelemetry
-
-!!! warning "Experimental Feature"
-
-    The OpenTelemetry access logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
-    
-    ```yaml tab="File (YAML)"
-    experimental:
-      otlpLogs: true
-    ```
-    
-    ```toml tab="File (TOML)"
-    [experimental.otlpLogs]
-    ```
-    
-    ```bash tab="CLI"
-    --experimental.otlpLogs=true
-    ```
-
-To enable the OpenTelemetry Logger for access logs:
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp: {}
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp]
-```
-
-```bash tab="CLI"
--accesslog.otlp=true
-```
-
-!!! info "Default protocol"
-
-    The OpenTelemetry Logger exporter will export access logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
-
-### HTTP configuration
-
-_Optional_
-
-This instructs the exporter to send access logs to the OpenTelemetry Collector using HTTP.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    http: {}
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http]
-```
-
-```bash tab="CLI"
--accesslog.otlp.http=true
-```
-
-#### `endpoint`
-
-_Optional, Default="`https://localhost:4318/v1/logs`", Format="`<scheme>://<host>:<port><path>`"_
-
-URL of the OpenTelemetry Collector to send access logs to.
-
-!!! info "Insecure mode"
-
-    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    http:
-      endpoint: https://collector:4318/v1/logs
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http]
-  endpoint = "https://collector:4318/v1/logs"
-```
-
-```bash tab="CLI"
--accesslog.otlp.http.endpoint=https://collector:4318/v1/logs
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    http:
-      headers:
-        foo: bar
-        baz: buz
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http.headers]
-  foo = "bar"
-  baz = "buz"
-```
-
-```bash tab="CLI"
--accesslog.otlp.http.headers.foo=bar --accesslog.otlp.http.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    http:
-      tls:
-        ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http.tls]
-  ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
--accesslog.otlp.http.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    http:
-      tls:
-        cert: path/to/foo.cert
-        key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
--accesslog.otlp.http.tls.cert=path/to/foo.cert
--accesslog.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    http:
-      tls:
-        cert: path/to/foo.cert
-        key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
--accesslog.otlp.http.tls.cert=path/to/foo.cert
--accesslog.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    http:
-      tls:
-        insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http.tls]
-  insecureSkipVerify = true
-```
-
-```bash tab="CLI"
--accesslog.otlp.http.tls.insecureSkipVerify=true
-```
-
-### gRPC configuration
-
-_Optional_
-
-This instructs the exporter to send access logs to the OpenTelemetry Collector using gRPC.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    grpc: {}
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc]
-```
-
-```bash tab="CLI"
--accesslog.otlp.grpc=true
-```
-
-#### `endpoint`
-
-_Required, Default="localhost:4317", Format="`<host>:<port>`"_
-
-Address of the OpenTelemetry Collector to send access logs to.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    grpc:
-      endpoint: localhost:4317
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc]
-  endpoint = "localhost:4317"
-```
-
-```bash tab="CLI"
--accesslog.otlp.grpc.endpoint=localhost:4317
-```
-
-#### `insecure`
-
-_Optional, Default=false_
-
-Allows exporter to send access logs to the OpenTelemetry Collector without using a secured protocol.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    grpc:
-      insecure: true
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc]
-  insecure = true
-```
-
-```bash tab="CLI"
--accesslog.otlp.grpc.insecure=true
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    grpc:
-      headers:
-        foo: bar
-        baz: buz
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc.headers]
-  foo = "bar"
-  baz = "buz"
-```
-
-```bash tab="CLI"
--accesslog.otlp.grpc.headers.foo=bar --accesslog.otlp.grpc.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    grpc:
-      tls:
-        ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc.tls]
-  ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
--accesslog.otlp.grpc.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    grpc:
-      tls:
-        cert: path/to/foo.cert
-        key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
--accesslog.otlp.grpc.tls.cert=path/to/foo.cert
--accesslog.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    grpc:
-      tls:
-        cert: path/to/foo.cert
-        key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
--accesslog.otlp.grpc.tls.cert=path/to/foo.cert
--accesslog.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-accesslog:
-  otlp:
-    grpc:
-      tls:
-        insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc.tls]
-  insecureSkipVerify = true
-```
-
-```bash tab="CLI"
--accesslog.otlp.grpc.tls.insecureSkipVerify=true
-```
-
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -66,7 +66,7 @@ log:

 By default, the `level` is set to `ERROR`.

-Alternative logging levels are `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, and `PANIC`.
+Alternative logging levels are `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, and `PANIC`.

 ```yaml tab="File (YAML)"
 log:
@@ -82,517 +82,12 @@ log:
 --log.level=DEBUG
 ```

-#### `noColor`
-
-When using the 'common' format, disables the colorized output.
-
-```yaml tab="File (YAML)"
-log:
-  noColor: true
-```
-
-```toml tab="File (TOML)"
-[log]
-  noColor = true
-```
-
-```bash tab="CLI"
--log.nocolor=true
-```
-
 ## Log Rotation

-The rotation of the log files can be configured with the following options.
+Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
+This allows the logs to be rotated and processed by an external program, such as `logrotate`.

-### `maxSize`
-
-`maxSize` is the maximum size in megabytes of the log file before it gets rotated.
-It defaults to 100 megabytes.
-
-```yaml tab="File (YAML)"
-log:
-  maxSize: 1
-```
-
-```toml tab="File (TOML)"
-[log]
-  maxSize = 1
-```
-
-```bash tab="CLI"
--log.maxsize=1
-```
-
-### `maxBackups`
-
-`maxBackups` is the maximum number of old log files to retain.
-The default is to retain all old log files (though `maxAge` may still cause them to get deleted).
-
-```yaml tab="File (YAML)"
-log:
-  maxBackups: 3
-```
-
-```toml tab="File (TOML)"
-[log]
-  maxBackups = 3
-```
-
-```bash tab="CLI"
--log.maxbackups=3
-```
-
-### `maxAge`
-
-`maxAge` is the maximum number of days to retain old log files based on the timestamp encoded in their filename.
-Note that a day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc.
-The default is not to remove old log files based on age.
-
-```yaml tab="File (YAML)"
-log:
-  maxAge: 3
-```
-
-```toml tab="File (TOML)"
-[log]
-  maxAge = 3
-```
-
-```bash tab="CLI"
--log.maxage=3
-```
-
-### `compress`
-
-`compress` determines if the rotated log files should be compressed using gzip.
-The default is not to perform compression.
-
-```yaml tab="File (YAML)"
-log:
-  compress: true
-```
-
-```toml tab="File (TOML)"
-[log]
-  compress = true
-```
-
-```bash tab="CLI"
--log.compress=true
-```
-
-## OpenTelemetry
-
-!!! warning "Experimental Feature"
+!!! warning
+    This does not work on Windows due to the lack of USR signals.
    
-    The OpenTelemetry logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
-    
-    ```yaml tab="File (YAML)"
-    experimental:
-      otlpLogs: true
-    ```
-    
-    ```toml tab="File (TOML)"
-    [experimental.otlpLogs]
-    ```
-    
-    ```bash tab="CLI"
-    --experimental.otlpLogs=true
-    ```
-
-To enable the OpenTelemetry Logger for logs:
-
-```yaml tab="File (YAML)"
-log:
-  otlp: {}
-```
-
-```toml tab="File (TOML)"
-[log.otlp]
-```
-
-```bash tab="CLI"
--log.otlp=true
-```
-
-!!! info "Default protocol"
-
-    The OpenTelemetry Logger exporter will export logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
-
-### HTTP configuration
-
-_Optional_
-
-This instructs the exporter to send logs to the OpenTelemetry Collector using HTTP.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    http: {}
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http]
-```
-
-```bash tab="CLI"
--log.otlp.http=true
-```
-
-#### `endpoint`
-
-_Optional, Default="`https://localhost:4318/v1/logs`", Format="`<scheme>://<host>:<port><path>`"_
-
-URL of the OpenTelemetry Collector to send logs to.
-
-!!! info "Insecure mode"
-
-    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    http:
-      endpoint: https://collector:4318/v1/logs
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http]
-  endpoint = "https://collector:4318/v1/logs"
-```
-
-```bash tab="CLI"
--log.otlp.http.endpoint=https://collector:4318/v1/logs
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    http:
-      headers:
-        foo: bar
-        baz: buz
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http.headers]
-  foo = "bar"
-  baz = "buz"
-```
-
-```bash tab="CLI"
--log.otlp.http.headers.foo=bar --log.otlp.http.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    http:
-      tls:
-        ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http.tls]
-  ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
--log.otlp.http.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    http:
-      tls:
-        cert: path/to/foo.cert
-        key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
--log.otlp.http.tls.cert=path/to/foo.cert
--log.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    http:
-      tls:
-        cert: path/to/foo.cert
-        key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
--log.otlp.http.tls.cert=path/to/foo.cert
--log.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    http:
-      tls:
-        insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http.tls]
-  insecureSkipVerify = true
-```
-
-```bash tab="CLI"
--log.otlp.http.tls.insecureSkipVerify=true
-```
-
-### gRPC configuration
-
-_Optional_
-
-This instructs the exporter to send logs to the OpenTelemetry Collector using gRPC.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    grpc: {}
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc]
-```
-
-```bash tab="CLI"
--log.otlp.grpc=true
-```
-
-#### `endpoint`
-
-_Required, Default="localhost:4317", Format="`<host>:<port>`"_
-
-Address of the OpenTelemetry Collector to send logs to.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    grpc:
-      endpoint: localhost:4317
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc]
-  endpoint = "localhost:4317"
-```
-
-```bash tab="CLI"
--log.otlp.grpc.endpoint=localhost:4317
-```
-
-#### `insecure`
-
-_Optional, Default=false_
-
-Allows exporter to send logs to the OpenTelemetry Collector without using a secured protocol.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    grpc:
-      insecure: true
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc]
-  insecure = true
-```
-
-```bash tab="CLI"
--log.otlp.grpc.insecure=true
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    grpc:
-      headers:
-        foo: bar
-        baz: buz
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc.headers]
-  foo = "bar"
-  baz = "buz"
-```
-
-```bash tab="CLI"
--log.otlp.grpc.headers.foo=bar --log.otlp.grpc.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    grpc:
-      tls:
-        ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc.tls]
-  ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
--log.otlp.grpc.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    grpc:
-      tls:
-        cert: path/to/foo.cert
-        key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
--log.otlp.grpc.tls.cert=path/to/foo.cert
--log.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    grpc:
-      tls:
-        cert: path/to/foo.cert
-        key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
--log.otlp.grpc.tls.cert=path/to/foo.cert
--log.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-log:
-  otlp:
-    grpc:
-      tls:
-        insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc.tls]
-  insecureSkipVerify = true
-```
-
-```bash tab="CLI"
--log.otlp.grpc.tls.insecureSkipVerify=true
-```
-
-{!traefik-for-business-applications.md!}
+{% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -27,10 +27,6 @@ _Required, Default="127.0.0.1:8125"_

 Address instructs exporter to send metrics to datadog-agent at this address.

-This address can be a Unix Domain Socket (UDS) in the following format: `unix:///path/to/datadog.socket`.
-When the prefix is set to `unix`, the socket type will be automatically determined. 
-To explicitly define the socket type and avoid automatic detection, you can use the prefixes `unixgram` for `SOCK_DGRAM` (datagram sockets) and `unixstream` for `SOCK_STREAM` (stream sockets), respectively.
-
 ```yaml tab="File (YAML)"
 metrics:
  datadog:
@@ -68,7 +64,6 @@ metrics:
 ```bash tab="CLI"
 --metrics.datadog.addEntryPointsLabels=true
 ```
-
 #### `addRoutersLabels`

 _Optional, Default=false_
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Julien Salleyron	86b5642f00	Add regression test coverage ensuring request trailers are not forwarded to the backend	2026-06-25 10:28:05 +02:00
Michael	55c328e807	Improve CI speed	2026-06-24 10:34:05 +02:00
Baptiste Mayelle	108a526447	Add an option to remove request headers with underscores	2026-06-19 16:48:05 +02:00
Emile Vauge	0056f09a0c	Add HTTP/2 header memory exhaustion security documentation	2026-06-19 14:16:05 +02:00
Gina A.	3d19bfc9f8	Bump axios to v1.18.0	2026-06-19 10:34:05 +02:00
Julien Salleyron	21a6476477	adds documentations on maxHeaderBytes	2026-06-16 14:28:06 +02:00
Jenthe Noordsij	3e0dc4928e	Update Dockerfiles to Alpine 3.24	2026-06-16 09:16:07 +02:00
Julien Salleyron	d270272f51	Configurable max request header size	2026-06-15 15:22:07 +02:00
Julien Salleyron	c84f3ffd13	Bump github.com/go-acme/lego/v5	2026-06-15 11:22:08 +02:00
Julien Salleyron	7ae92d8c2c	fix x-forwarded-port in forward-auth	2026-06-11 16:48:06 +02:00
Kevin Pollet	ad1c1fc2f2	Prepare release v2.11.50	2026-06-10 15:28:05 +02:00
Romain	0209f984eb	Fix snicheck for routers with no hosts Co-authored-by: Gina A. <70909035+gndz07@users.noreply.github.com>	2026-06-10 15:16:06 +02:00
Julien Salleyron	4ef4c09300	Fix routers with same host, different tlsoptions on different entryPoint Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2026-06-09 17:08:07 +02:00
Romain	ba8830fdef	Prepare release v2.11.49	2026-06-05 14:48:04 +02:00
Julien Salleyron	b6bb80f8ff	Fix snicheck with keepalive	2026-06-05 14:36:05 +02:00
Gina A.	5404f6fb25	Bump axios to v1.17.0	2026-06-05 11:22:05 +02:00
Romain	f32f05f811	Bump github.com/quic-go/quic-go to v0.59.1	2026-06-04 16:12:05 +02:00
Romain	2c436f3c23	Prepare release v2.11.48	2026-06-04 10:36:22 +02:00
Romain	a664812e9c	Compute resolved tlsOptions after applying models Co-authored-by: Gina A. <70909035+gndz07@users.noreply.github.com>	2026-06-04 10:16:05 +02:00
Romain	855561306f	Prepare release v2.11.47	2026-06-03 11:02:05 +02:00
Romain	f25d48e039	Bump golang.org/x/crypto to v0.52.0	2026-06-03 09:14:05 +02:00
Kevin Pollet	fc83948b1e	Bump golang.org/x/net to v0.55.0	2026-05-29 09:14:05 +02:00
Romain	892bcc288b	Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation	2026-05-28 15:56:25 +02:00
Julien Salleyron	5026ca97d0	Move snicheck to ctx instead of simulated routing	2026-05-28 10:30:07 +02:00
Romain	f9d9b72380	Avoid ingress path matcher injection and backport `11d251415`	2026-05-27 16:32:10 +02:00
Romain	4d9031bdb2	Add error on basic auth build if users is empty	2026-05-18 15:06:09 +02:00
Kevin Pollet	22460f0a62	Prepare release v2.11.46	2026-05-11 14:20:05 +02:00
Kevin Pollet	83cc8fee5d	Make resolveReference method as a function	2026-05-11 11:14:06 +02:00
Romain	36a565a599	Fix cross-provider ref check for Kubernetes CRD provider	2026-05-07 16:58:05 +02:00
Romain	28604083a4	Add CrossProviderNamespaces option Co-authored-by: Gina A. <70909035+gndz07@users.noreply.github.com>	2026-05-06 14:49:23 +02:00
Kevin Pollet	ee94dc5343	Prepare release v2.11.45	2026-05-05 14:22:05 +02:00
Michael	e4537f8b04	Migrate to github.com/moby/moby modules	2026-05-04 16:06:05 +02:00
Gina A.	29d2340ca4	Bump Axios version	2026-05-04 14:54:05 +02:00
Romain	e6abf7c3c8	Remove cross-provider sanitization for Kubernetes service loading Co-authored-by: Gina A. <70909035+gndz07@users.noreply.github.com>	2026-05-04 11:12:05 +02:00
Romain	98cf988d30	Prepare release v2.11.44	2026-04-29 11:56:10 +02:00
Michael	ad4abde146	Bump github.com/go-acme/lego to v4.35.2	2026-04-29 11:44:05 +02:00
Tom Wieczorek	6a6d96d7fe	Make FLAGS Make variable usable	2026-04-27 15:46:05 +02:00
Gina A.	0fdea20eb1	Add errorRequestHeaders option to Errors middleware	2026-04-24 14:40:06 +02:00
Michael	a9ce32a8dc	Prepare release v2.11.43	2026-04-22 10:26:05 +02:00
Kevin Pollet	13302a212e	Cleanup and make ForwardAuth logs consistent	2026-04-21 10:22:05 +02:00
Julien Salleyron	5e1de22584	Fix trustForwardHeader on forward auth middleware	2026-04-17 15:42:05 +02:00
Michel Loiseleur	184de70aef	Remove duplicate step in CI	2026-04-17 10:52:06 +02:00
Kevin Pollet	1a43505387	Sanitize the request URL after stripping the prefix	2026-04-16 14:26:06 +02:00
Romain	df00d82fc7	Honor allowCrossNamespace with chain middleware CRD	2026-04-15 10:36:06 +02:00
Romain	61b5bc4ad1	Remove untrusted X headers with underscores	2026-04-14 16:38:06 +02:00
Romain	8c4fc89579	Remove map lookup making the basic auth notFoundSecret empty	2026-04-13 10:24:08 +02:00
Kevin Pollet	e4b2c648bf	Prepare release v2.11.42	2026-03-26 09:48:04 +01:00
Gina A.	f19aaa769c	Fix StripPrefix and StripPrefixRegex to slice the prefix using encoded prefix length Co-authored-by: Mathis Urien <contact.lbf38@gmail.com>	2026-03-24 17:06:05 +01:00
Julien Salleyron	51f6b0435f	Prevent duplicate user headers in basic and digest auth middleware	2026-03-20 16:24:05 +01:00
Michael	70c45a6f9c	Bump google.golang.org/grpc to v1.79.3	2026-03-20 09:12:05 +01:00
Romain	f2c198c9f3	Prepare release v2.11.41	2026-03-18 10:40:06 +01:00
Romain	122175ac2f	Make basic auth check timing constant Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-03-17 15:36:05 +01:00
Rémi BUISSON	a377b3aba1	Bump mkdocs-traefiklabs to use consent mode	2026-03-13 12:58:04 -03:00
Romain	832f48d9bf	Support fragmented TLS client hello Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-03-11 13:56:06 -03:00
Gina A.	b460351f7e	Add maxResponseBodySize configuration on HTTP provider	2026-03-11 10:24:05 -03:00
Michael	bb7bb49226	Prepare release v2.11.40	2026-03-06 11:10:04 -03:00
Michael	8291b1d049	Fix go-version for CI	2026-03-06 10:58:04 -03:00
Romain	86a8f87acd	Prepare release v2.11.39	2026-03-06 05:56:04 -03:00
Michael	1268d9bc22	Bump Docker and OpenTelemetry dependencies	2026-03-05 11:52:04 -03:00
Kevin Pollet	2b71f6f518	Bump golang.org/x/net to v0.51.0	2026-03-04 06:26:05 -03:00
Michael	7c55452b21	Prepare release v2.11.38	2026-02-23 16:28:04 +01:00
Michael	95b3f45311	Fix Go version pinning in CI workflows	2026-02-23 16:00:05 +01:00
Jesper Noordsij	c98fddbd03	Simplify Go version refs in CI templates	2026-02-23 15:08:05 +01:00
Julien Salleyron	7a3ffcc3d9	Fix TLS handshake error handling	2026-02-23 14:06:05 +01:00
Gina A.	4595c7a920	Add maxResponseBodySize configuration to forwardAuth middleware	2026-02-23 11:30:06 +01:00
Jesper Noordsij	288e4e2e2b	Upgrade golangci-lint	2026-02-23 11:04:04 +01:00
LBF38	7494b5c9ff	Fix case sensitivity on x-forwarded headers for Connection	2026-02-23 10:04:10 +01:00
Kevin Pollet	526a34c8ec	Remove deprecated swarm:1.0.0 image used in DockerSuite	2026-02-13 15:32:04 +01:00
Michael	7747b40310	Prepare release v2.11.37	2026-02-11 10:42:04 +01:00
Michael	72e2454e42	Cap TLS record length to RFC 8446 limit in ClientHello peeking	2026-02-11 09:22:04 +01:00
Romain	0beed101ec	Validate healthcheck path configuration Co-authored-by: Michael <michael.matur@gmail.com>	2026-02-10 14:52:05 +01:00
Romain	f1e850ae0b	Prepare release v2.11.36	2026-02-02 11:24:20 +01:00
Jesper Noordsij	c320bb4adb	Bump to go1.25	2026-01-30 17:30:05 +01:00
Michael	ed990f279a	Upgrade github action versions	2026-01-27 11:20:10 +01:00
Rémi BUISSON	7e5ee8988e	chore: pin GitHub Actions to SHA hashes for supply chain security	2026-01-26 15:14:05 +01:00
Julien Salleyron	85cd5485b7	Avoid recursion with services	2026-01-26 10:28:04 +01:00
Gina A.	9ac5d3ac1c	Bump dependencies of documentation and webui	2026-01-22 12:10:07 +01:00
Romain	d675b163b3	Bump github.com/containerd/containerd to v1.7.29	2026-01-22 09:54:04 +01:00
Romain	7cb25da31c	Remove extra dots in migration guide	2026-01-20 15:40:05 +01:00
Michael	51343bc15f	Upgrade golangci-lint	2026-01-14 17:26:08 +01:00
Kevin Pollet	9e5d4ba5a1	Prepare release v2.11.35	2026-01-14 10:28:04 +01:00
Gina A.	adf47fba31	Make encoded character options opt-in	2026-01-14 10:16:04 +01:00
Sheddy	ee265a8509	Add Scarf Analytics to documentation	2026-01-13 11:16:05 +01:00
Barbara Soraggi	fc67185987	Replace markdown-include dependency with mkdocs-include-markdown-plugin	2026-01-13 10:08:04 +01:00
Michel Loiseleur	e8067f4e01	Refactor CI on documentation	2026-01-09 17:24:04 +01:00
LBF38	e9f3089e90	Add timeout to ACME-TLS/1 challenge handshake Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-01-08 16:16:05 +01:00
Michael	47d7094dfb	Welcome 2026	2026-01-02 09:58:04 +01:00
Michael	d1765c7768	Prepare release v2.11.34	2025-12-29 15:56:04 +01:00
Romain	90ce858347	Fix deny encoded characters Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2025-12-23 16:00:05 +01:00
Jesper Noordsij	8ebab1b243	Update Dockerfiles to Alpine 3.23	2025-12-17 15:26:06 +01:00
Romain	5fe10e2098	Prepare release v2.11.33	2025-12-17 10:56:04 +01:00
Jesper Noordsij	fd36de5a0a	Bump webui to NodeJS v24	2025-12-17 10:36:05 +01:00
Romain	60b19b7b81	Print access logs for rejected requests and warn about new behavior	2025-12-16 16:20:05 +01:00
Romain	e0e49533ab	Clarify doc about encodedCharacters rejection	2025-12-09 15:28:04 +01:00
Romain	351dcbd186	Fix encodedCharacters entryPoint option documentation	2025-12-08 10:44:04 +01:00
Kevin Pollet	7f40f3cd58	Fix encoded characters option documentation	2025-12-05 15:06:04 +01:00
Michael	c63be08b07	Github action release split	2025-12-05 09:44:04 +01:00
Kevin Pollet	e931a71660	Fix migration guide indentation	2025-12-04 16:40:04 +01:00
Romain	63a6172ec4	Prepare release v2.11.32	2025-12-04 15:26:04 +01:00
Romain	4d7d627319	Reject suspicious encoded characters Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2025-12-04 15:10:05 +01:00
GreyXor	0b6438b7c0	Bump github.com/quic-go/quic-go to v0.57.1	2025-12-02 09:04:05 +01:00
Michel Loiseleur	e15c11961f	Protect CI against supply chain attack on nodejs	2025-12-01 14:58:05 +01:00
Emile Vauge	042feacf3e	Update SECURITY.md to streamline information	2025-11-24 15:32:04 +01:00
Chris Wayne	759e82c3c8	Update SECURITY.md	2025-11-24 11:56:04 +01:00
GreyXor	2d7262515d	Bump github.com/quic-go/quic-go to v0.57.0	2025-11-24 10:44:04 +01:00
Kevin Pollet	f3e199cd47	Bump golang.org/x/crypto to v0.45.0	2025-11-20 11:30:05 +01:00
Kevin Pollet	9232535cf6	Validate plugin module name Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2025-11-20 10:50:04 +01:00
Kevin Pollet	79bb320f4c	Prepare release v2.11.31	2025-11-13 10:42:16 +01:00
Kevin Pollet	058b194604	Auto-negotiate Docker API version	2025-11-12 16:32:06 +01:00
Kevin Pollet	effca0a603	Update letsencrypt/pebble to use ghcr image	2025-11-07 11:58:04 +01:00
Romain	998868450f	Prepare release v2.11.30	2025-10-28 09:44:04 +01:00
Kevin Pollet	ffd82c92cb	Fix KV key name used to check if connection is alive	2025-10-16 16:50:05 +02:00
Kevin Pollet	34d7091f31	Bump github.com/quic-go/quic-go to v0.55.0	2025-10-14 15:48:05 +02:00
Kevin Pollet	b04759a80b	Bump golang.org/x/net to v0.46.0	2025-10-10 17:22:04 +02:00
Hannah Kim	8441c476f1	Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.74.6	2025-10-03 09:44:04 +01:00
Romain	4ff8eca572	Fix Swarm unit test for the nodeIP property	2025-08-27 09:40:05 +02:00
Romain	1986610363	Prepare release v2.11.29	2025-08-26 14:50:08 +02:00
Kevin Pollet	5cc2a8344c	Bump github.com/docker/docker to v28.3.3	2025-08-20 15:52:06 +02:00
Michael	fc5359b6f6	Remove Semaphore CI	2025-08-13 10:30:06 +02:00
Michael	c5d448fba9	chore: upgrade actions/checkout to v5	2025-08-13 09:22:04 +02:00
Ludovic Fernandez	c820d18ada	Bump github.com/go-acme/lego/v4 to v4.25.2	2025-08-11 14:44:05 +02:00
Michael	19a2e2efc5	Allow maintainers to run deploy documentation	2025-08-01 12:10:05 +02:00
Michel Loiseleur	bcdb70b689	Fix invalid links in documentation	2025-08-01 11:34:05 +02:00
Jesper Noordsij	9896192efb	Update releases docs for v3.5	2025-07-29 16:00:06 +02:00
Romain	c6daab54e3	Prepare release v2.11.28	2025-07-23 10:34:04 +02:00
Michael	a59bcb29b5	Improve integration tests	2025-07-23 09:56:04 +02:00
Jesper Noordsij	50931813f2	Remove all mentions of ordering for TLSOption CurvePreferences field	2025-07-22 15:44:05 +02:00
Zeroday BYTE	5ef853a0c5	Fix client arbitrary file access during archive extraction zipslip	2025-07-22 14:24:05 +02:00
Romain	b2b4b66b08	Disable MPTCP by default Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2025-07-22 11:10:05 +02:00
Harold Ozouf	27326e6569	Redact logged install configuration	2025-07-18 17:16:04 +02:00
Kevin Pollet	7ca90a4b18	Prepare release v2.11.27	2025-07-11 09:30:05 +02:00
Kevin Pollet	a3685ee9fa	Bump github.com/go-viper/mapstructure/v2 to v2.3.0	2025-07-10 16:10:05 +02:00
Romain	8ae0379171	Prepare release v2.11.26	2025-06-26 11:50:04 +02:00
Romain	b0d8e08e2b	Fix typo in redirect middleware documentation	2025-06-11 09:46:05 +02:00
Kevin Pollet	ae79d4e5f0	Do not log redis sentinel username and password	2025-06-04 12:08:04 +02:00
Romain	bfcef58a4f	Fix KV reference rendering	2025-06-03 16:56:04 +02:00
Jesper Noordsij	f7a6f32784	Update Dockerfiles to Alpine 3.22	2025-06-03 11:24:05 +02:00
Jesper Noordsij	92f798dfcd	Update supported versions	2025-06-02 16:08:04 +02:00
Michael	f174014d96	feat: parallelise unit tests	2025-06-02 11:00:05 +02:00
Kevin Pollet	cd16321dd9	Bump to go1.24 Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2025-06-02 10:36:05 +02:00
Romain	5f35c88805	Prepare release v2.11.25	2025-05-27 12:10:05 +02:00
Romain	23c7c78a1a	Add HTTP/2 maxConcurrentStream parameter test	2025-05-27 09:34:04 +02:00
Kevin Pollet	08d5dfee01	Normalize request path Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2025-05-23 15:10:05 +02:00
Romain	b669981018	Fix panic for ingress with backend resource Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2025-05-23 14:56:05 +02:00
Sheddy	aa5f2b92d4	Fix broken link in documentation	2025-05-16 12:02:04 +02:00
Michael	6b9738e675	GOGC empty default value for build	2025-05-14 09:32:04 +02:00
borja ortiz llamas	b82290ac5b	Adding garbage collector as variable in compilation	2025-05-13 16:02:04 +02:00
Patrick Evans	49b598d087	tests: create redis sentinel config with permissive perms	2025-05-12 14:30:04 +02:00
Sheddy	448785d830	Add multi-tenant TLS guidance to the docs	2025-05-07 09:16:04 +02:00
Romain	9bc71b0010	Add a note about how to disable connection reuse with backends	2025-04-28 09:10:04 +02:00